Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-0672 | 1 Popozure | 1 Pz-linkcard | 2025-04-01 | N/A | 7.1 HIGH | The Pz-LinkCard WordPress plugin through 2.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2024-0673 | 1 Popozure | 1 Pz-linkcard | 2025-04-01 | N/A | 6.1 MEDIUM | The Pz-LinkCard WordPress plugin through 2.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2024-51190 | 1 Trendnet | 6 Tew-651br, Tew-651br Firmware, Tew-652brp and 3 more | 2025-04-01 | N/A | 4.8 MEDIUM | TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices contain a stored cross-site scripting (XSS) vulnerability via the ptRule_ApplicationName_1.1.6.0.0 parameter on the /special_ap.htm page. |
| CVE-2024-51189 | 1 Trendnet | 6 Tew-651br, Tew-651br Firmware, Tew-652brp and 3 more | 2025-04-01 | N/A | 4.8 MEDIUM | TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices contain a stored cross-site scripting (XSS) vulnerability via the macList_Name_1.1.1.0.0 parameter on the /filters.htm page. |
| CVE-2024-51188 | 1 Trendnet | 6 Tew-651br, Tew-651br Firmware, Tew-652brp and 3 more | 2025-04-01 | N/A | 4.8 MEDIUM | TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices contain a stored cross-site scripting (XSS) vulnerability via the vsRule_VirtualServerName_1.1.10.0.0 parameter on the /virtual_server.htm page. |
| CVE-2024-51187 | 1 Trendnet | 6 Tew-651br, Tew-651br Firmware, Tew-652brp and 3 more | 2025-04-01 | N/A | 4.8 MEDIUM | TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices contain a stored cross-site scripting (XSS) vulnerability via the firewallRule_Name_1.1.1.0.0 parameter on the /firewall_setting.htm page. |
| CVE-2022-4092 | 1 Gitlab | 1 Gitlab | 2025-04-01 | N/A | 5.7 MEDIUM | An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input. |
| CVE-2024-2170 | 1 Vektor-inc | 1 Vk All In One Expansion Unit | 2025-04-01 | N/A | 6.4 MEDIUM | The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the child page index widget in all versions up to, and including, 9.96.0.1 due to insufficient input sanitization and output escaping on user supplied attributes such as 'className'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-29660 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 5.3 MEDIUM | Cross Site Scripting vulnerability in DedeCMS v.5.7 allows a local attacker to execute arbitrary code via a crafted payload to the stepselect_main.php component. |
| CVE-2024-34959 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 5.5 MEDIUM | DedeCMS V5.7.113 is vulnerable to Cross Site Scripting (XSS) via sys_data_replace.php. |
| CVE-2024-4776 | 1 Mozilla | 1 Firefox | 2025-04-01 | N/A | 8.2 HIGH | A file dialog shown while in full-screen mode could have resulted in the window remaining disabled. This vulnerability affects Firefox < 126. |
| CVE-2024-29808 | 1 10web | 1 Photo Gallery | 2025-04-01 | N/A | 5.4 MEDIUM | The image_id parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_id parameter is embedded within an existing JavaScript within the response, allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permissions to access this component to exploit this issue. |
| CVE-2024-29809 | 1 10web | 1 Photo Gallery | 2025-04-01 | N/A | 5.4 MEDIUM | The image_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_url parameter is embedded within an existing JavaScript within the response, allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permissions to access this component to exploit this issue. |
| CVE-2024-29473 | 1 Zhyd | 1 Oneblog | 2025-04-01 | N/A | 6.1 MEDIUM | OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Role Management module. |
| CVE-2024-10566 | 1 10web | 1 Slider | 2025-04-01 | N/A | 6.1 MEDIUM | The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-13122 | 1 Advancedformintegration | 1 Advanced Form Integration | 2025-04-01 | N/A | 3.5 LOW | The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-13123 | 1 Advancedformintegration | 1 Advanced Form Integration | 2025-04-01 | N/A | 3.5 LOW | The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2022-47073 | 1 Small Crm Project | 1 Small Crm | 2025-04-01 | N/A | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in the Create Ticket page of Small CRM v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Subject parameter. |
| CVE-2022-46957 | 1 Online Graduate Tracer System Project | 1 Online Graduate Tracer System | 2025-04-01 | N/A | 6.1 MEDIUM | Sourcecodester.com Online Graduate Tracer System V 1.0.0 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2022-46624 | 1 Online Graduate Tracer System Project | 1 Online Graduate Tracer System | 2025-04-01 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in Online Graduate Tracer System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter. |
| CVE-2022-45730 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-04-01 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in Doctor Appointment Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search function. |
| CVE-2024-1487 | 1 Contest-gallery | 1 Contest Gallery | 2025-04-01 | N/A | 5.4 MEDIUM | The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks. |
| CVE-2024-0559 | 1 Inisev | 1 Enhanced Text Widget | 2025-04-01 | N/A | 6.5 MEDIUM | The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-25868 | 1 Codeastro | 1 Membership Management System | 2025-04-01 | N/A | 6.1 MEDIUM | A Cross Site Scripting (XSS) vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via the membershipType parameter in the add_type.php component. |
| CVE-2023-6923 | 1 Matomo | 1 Matomo | 2025-04-01 | N/A | 6.1 MEDIUM | The Matomo Analytics – Ethical Stats. Powerful Insights. plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the idsite parameter in all versions up to, and including, 4.15.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| CVE-2024-27083 | 1 Dpgaspar | 1 Flask-appbuilder | 2025-04-01 | N/A | 4.3 MEDIUM | Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser. This issue was introduced on 4.1.4 and patched on 4.2.1. |
| CVE-2024-27092 | 1 Hoppscotch | 1 Hoppscotch | 2025-04-01 | N/A | 5.4 MEDIUM | Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of the payload (an external link) is presented in clickable form, making it easier for malicious actors to achieve their own goals. This issue is fixed in 2023.12.6. |
| CVE-2023-24494 | 1 Tenable | 1 Tenable.sc | 2025-04-01 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. |
| CVE-2022-46128 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-04-01 | N/A | 6.1 MEDIUM | phpgurukul Doctor Appointment Management System V 1.0.0 is vulnerable to Cross Site Scripting (XSS) via searchdata=. |
| CVE-2022-25847 | 1 Serve-lite Project | 1 Serve-lite | 2025-04-01 | N/A | 5.4 MEDIUM | All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding. |
| CVE-2020-22327 | 1 Hfish Project | 1 Hfish | 2025-04-01 | N/A | 6.1 MEDIUM | An issue was discovered in HFish 0.5.1. When a payload is inserted where the name is entered, XSS code is triggered when the administrator views the information. |
| CVE-2024-33371 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a remote attacker to execute arbitrary code via the typeid parameter in the makehtml_list_action.php component. |
| CVE-2024-33401 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 4.4 MEDIUM | Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a remote attacker to run arbitrary code via the mnum parameter. |
| CVE-2021-36686 | 1 Ymfe | 1 Yapi | 2025-04-01 | N/A | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in yapi 1.9.1 allows attackers to execute arbitrary code via the /interface/api edit page. |
| CVE-2024-28679 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 6.1 MEDIUM | DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via Photo Collection. |
| CVE-2024-28680 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 6.1 MEDIUM | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/diy_add.php. |
| CVE-2024-28683 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 6.1 MEDIUM | DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via create file. |
| CVE-2024-1437 | 1 Adsplugin | 1 Adsmonetizer | 2025-04-01 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in José Fernandez Adsmonetizer allows Reflected XSS. This issue affects Adsmonetizer: from n/a through 3.1.2. |
| CVE-2024-28671 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 8.8 HIGH | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/stepselect_main.php. |
| CVE-2024-28676 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 6.1 MEDIUM | DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via /dede/article_edit.php. |