Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31102 | | | 2025-03-28 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel allows Reflected XSS. This issue affects Hostel: from n/a through 1.1.5.5.
|
|||||
| CVE-2025-2878 | | | 2025-03-28 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in Kentico CMS up to 13.0.178. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /CMSInstall/install.aspx of the component Additional Database Installation Wizard. The manipulation of the argument new database leads to cross site scripting. The attack can be launched remotely. Upgrading to version 13.0.179 is able to address this issue. It is recommended to upgrade the affected component.
|
|||||
| CVE-2024-12772 | 1 Wpmanageninja | 1 Ninja Tables | 2025-03-28 | N/A | 5.4 MEDIUM |
|
The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, leading to a Cross Site Scripting vulnerability.
|
|||||
| CVE-2024-57175 | 1 Phpgurukul | 1 Online Birth Certificate System | 2025-03-28 | N/A | 5.4 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the PHPGURUKUL Online Birth Certificate System v1.0 via the profile name to /user/certificate-form.php.
|
|||||
| CVE-2024-25898 | 1 Churchcrm | 1 Churchcrm | 2025-03-28 | N/A | 6.1 MEDIUM |
|
An XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, edit your event, where malicious JS or HTML code can be inserted in the Event Sermon field in EventEditor.php.
|
|||||
| CVE-2023-22971 | 1 Hughes | 10 Hn7000s, Hn7000s Firmware, Hn9460 and 7 more | 2025-03-28 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application.
|
|||||
| CVE-2022-48013 | 1 Opencats | 1 Opencats | 2025-03-28 | N/A | 5.4 MEDIUM |
|
Opencats v0.9.7 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /opencats/index.php?m=calendar. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description or Title text fields.
|
|||||
| CVE-2022-48012 | 1 Opencats | 1 Opencats | 2025-03-28 | N/A | 6.1 MEDIUM |
|
Opencats v0.9.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /opencats/index.php?m=settings&a=ajax_tags_upd.
|
|||||
| CVE-2022-48007 | 1 Piwigo | 1 Piwigo | 2025-03-28 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.
|
|||||
| CVE-2024-44918 | 1 Seacms | 1 Seacms | 2025-03-28 | N/A | 3.5 LOW |
|
A cross-site scripting (XSS) vulnerability in the component admin_datarelate.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-29474 | 1 Zhyd | 1 Oneblog | 2025-03-28 | N/A | 5.4 MEDIUM |
|
OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Management module.
|
|||||
| CVE-2024-29470 | 1 Zhyd | 1 Oneblog | 2025-03-28 | N/A | 6.1 MEDIUM |
|
OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component {{rootpath}}/links.
|
|||||
| CVE-2024-29469 | 1 Zhyd | 1 Oneblog | 2025-03-28 | N/A | 6.1 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in OneBlog v2.3.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category List parameter under the Lab module.
|
|||||
| CVE-2024-55100 | 1 Phpgurukul | 1 Online Nurse Hiring System | 2025-03-28 | N/A | 4.8 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Online Nurse Hiring System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the fullname parameter.
|
|||||
| CVE-2024-1588 | 1 Pressified | 1 Sendpress | 2025-03-28 | N/A | 6.8 MEDIUM |
|
The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-24065 | 1 Nosh Chartingsystem Project | 1 Nosh Chartingsystem | 2025-03-28 | N/A | 5.4 MEDIUM |
|
NOSH 4a5cfdb allows stored XSS via the create user page. For example, a first name (of a physician, assistant, or billing user) can have a JavaScript payload that is executed upon visiting the /users/2/1 page. This may allow attackers to steal Protected Health Information because the product is for health charting.
|
|||||
| CVE-2023-22333 | 1 Mubag | 1 Easymail | 2025-03-28 | N/A | 6.1 MEDIUM |
|
Cross-site scripting vulnerability in EasyMail 2.00.130 and earlier allows a remote unauthenticated attacker to inject an arbitrary script.
|
|||||
| CVE-2022-48118 | 1 Jorani | 1 Jorani | 2025-03-28 | N/A | 6.1 MEDIUM |
|
Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Acronym parameter.
|
|||||
| CVE-2022-46087 | 1 Cloudschool Project | 1 Cloudschool | 2025-03-28 | N/A | 5.4 MEDIUM |
|
CloudSchool v3.0.1 is vulnerable to Cross Site Scripting (XSS). A normal user can steal session cookies of the admin users through notification received by the admin user.
|
|||||
| CVE-2022-45179 | 1 Liveboxcloud | 1 Vdesk | 2025-03-28 | N/A | 5.4 MEDIUM |
|
An issue was discovered in LIVEBOX Collaboration vDesk through v031. A basic XSS vulnerability exists under the /api/v1/vdeskintegration/todo/createorupdate endpoint via the title parameter and /dashboard/reminders. A remote user (authenticated to the product) can store arbitrary HTML code in the reminder section title in order to corrupt the web page (for example, by creating phishing sections to exfiltrate victims' credentials).
|
|||||
| CVE-2024-27625 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-03-28 | N/A | 4.8 MEDIUM |
|
CMS Made Simple Version 2.2.19 is vulnerable to Cross Site Scripting (XSS). This vulnerability resides in the File Manager module of the admin panel. Specifically, the issue arises due to inadequate sanitization of user input in the "New directory" field.
|
|||||
| CVE-2025-2164 | 1 Pixelstats | 1 Pixelstats | 2025-03-28 | N/A | 6.1 MEDIUM |
|
The pixelstats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' and 'sortby' parameters in all versions up to, and including, 0.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-13497 | 1 Tripetto | 1 Tripetto | 2025-03-28 | N/A | 7.2 HIGH |
|
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file.
|
|||||
| CVE-2025-1773 | 1 Shinecommerce | 1 Traveler | 2025-03-28 | N/A | 6.1 MEDIUM |
|
The Traveler theme for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2023-49977 | 1 Oretnom23 | 1 Customer Support System | 2025-03-28 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the address parameter at /customer_support/index.php?page=new_customer.
|
|||||
| CVE-2023-49976 | 1 Oretnom23 | 1 Customer Support System | 2025-03-28 | N/A | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the subject parameter at /customer_support/index.php?page=new_ticket.
|
|||||
| CVE-2023-49974 | 1 Oretnom23 | 1 Customer Support System | 2025-03-28 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contact parameter at /customer_support/index.php?page=customer_list.
|
|||||
| CVE-2023-51281 | 1 Oretnom23 | 1 Customer Support System | 2025-03-28 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting vulnerability in Customer Support System v.1.0 allows a remote attacker to escalate privileges via a crafted script firstname, "lastname", "middlename", "contact" and address parameters.
|
|||||
| CVE-2024-27743 | 1 Mayurik | 1 Petrol Pump Management | 2025-03-28 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the Address parameter in the add_invoices.php component.
|
|||||
| CVE-2024-27744 | 1 Mayurik | 1 Petrol Pump Management | 2025-03-28 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the image parameter in the profile.php component.
|
|||||
| CVE-2025-0281 | 1 Lunary | 1 Lunary | 2025-03-28 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can inject malicious JavaScript into the SAML IdP XML metadata, which is used to generate the SAML login redirect URL. This URL is then set as the value of `window.location.href` without proper validation or sanitization. This vulnerability allows the attacker to execute arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft ...
|
|||||
| CVE-2024-27558 | 1 Codelyfe | 1 Stupid Simple Cms | 2025-03-28 | N/A | 6.1 MEDIUM |
|
Stupid Simple CMS 1.2.4 is vulnerable to Cross Site Scripting (XSS) within the blog title of the settings.
|
|||||
| CVE-2025-20205 | 1 Cisco | 1 Identity Services Engine | 2025-03-28 | N/A | 4.8 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.
This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit cou ...
|
|||||
| CVE-2025-20204 | 1 Cisco | 1 Identity Services Engine | 2025-03-28 | N/A | 4.8 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.
This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit cou ...
|
|||||
| CVE-2024-21724 | 1 Joomla | 1 Joomla! | 2025-03-27 | N/A | 6.1 MEDIUM |
|
Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.
|
|||||
| CVE-2025-2361 | | | 2025-03-27 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-29419 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-03-27 | N/A | 5.4 MEDIUM |
|
There is a Cross-site scripting (XSS) vulnerability in the Wireless settings under the Easy Setup Page of TOTOLINK X2000R before v1.0.0-B20231213.1013.
|
|||||
| CVE-2024-28156 | 1 Jenkins | 1 Build Monitor View | 2025-03-27 | N/A | 5.4 MEDIUM |
|
Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.
|
|||||
| CVE-2024-26454 | | | 2025-03-27 | N/A | 5.4 MEDIUM |
|
A Cross Site Scripting vulnerability in Healthcare-Chatbot through 9b7058a can occur via a crafted payload to the email1 or pwd1 parameter in login.php.
|
|||||
| CVE-2024-24389 | 1 Xunruicms | 1 Xunruicms | 2025-03-27 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in XunRuiCMS up to v4.6.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Add Column Name parameter.
|
|||||