Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-23077 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-03-27 | N/A | 6.1 MEDIUM |
|
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.
|
|||||
| CVE-2023-23075 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2025-03-27 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.
|
|||||
| CVE-2023-23074 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-03-27 | N/A | 6.1 MEDIUM |
|
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.
|
|||||
| CVE-2023-23073 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-03-27 | N/A | 6.1 MEDIUM |
|
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.
|
|||||
| CVE-2022-4898 | 1 Octopus | 1 Octopus Server | 2025-03-27 | N/A | 5.4 MEDIUM |
|
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07; however, it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS.
|
|||||
| CVE-2022-47701 | 1 Comfast Project | 2 Cf-wr623n, Cf-wr623n Firmware | 2025-03-27 | N/A | 6.1 MEDIUM |
|
COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS).
|
|||||
| CVE-2022-44897 | 1 Apollotheme | 1 Ap Pagebuilder | 2025-03-27 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in ApolloTheme AP PageBuilder component through 2.4.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the show_number parameter.
|
|||||
| CVE-2024-26299 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-03-27 | N/A | 6.6 MEDIUM |
|
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
|
|||||
| CVE-2024-26300 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-03-27 | N/A | 6.6 MEDIUM |
|
A vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
|
|||||
| CVE-2024-25399 | 1 Intelliants | 1 Subrion Cms | 2025-03-27 | N/A | 6.1 MEDIUM |
|
Subrion CMS 4.2.1 is vulnerable to Cross Site Scripting (XSS) via adminer.php.
|
|||||
| CVE-2024-26281 | 1 Mozilla | 1 Firefox | 2025-03-27 | N/A | 4.7 MEDIUM |
|
Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar. This vulnerability affects Firefox for iOS < 123.
|
|||||
| CVE-2023-39612 | 1 Filebrowser | 1 Filebrowser | 2025-03-27 | N/A | 9.0 CRITICAL |
|
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.
|
|||||
| CVE-2025-30345 | 1 Openslides | 1 Openslides | 2025-03-27 | N/A | 3.5 LOW |
|
An issue was discovered in OpenSlides before 4.2.5. When creating new chats via the chat_group.create action, the user is able to specify the name of the chat. Some HTML elements such as SCRIPT are filtered, whereas others are not. In most cases, HTML entities are encoded properly, but not when deleting chats or deleting messages in these chats. This potentially allows attackers to interfere with the layout of the rendered website, but it is unlikely that victims would click on deleted chats or ...
|
|||||
| CVE-2025-30342 | 1 Openslides | 1 Openslides | 2025-03-27 | N/A | 5.4 MEDIUM |
|
An XSS issue was discovered in OpenSlides before 4.2.5. When submitting descriptions such as Moderator Notes or Agenda Topics, an editor is shown that allows one to format the submitted text. This allows insertion of various HTML elements. When trying to insert a SCRIPT element, it is properly encoded when reflected; however, adding attributes to links is possible, which allows the injection of JavaScript via the onmouseover attribute and others. When a user moves the mouse over such a prepared ...
|
|||||
| CVE-2024-50053 | 1 Zohocorp | 3 Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcentre Plus | 2025-03-27 | N/A | 6.3 MEDIUM |
|
Zohocorp ManageEngine ServiceDesk Plus versions below 14920, ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.
|
|||||
| CVE-2024-13739 | 1 Tribulant | 1 Newsletters | 2025-03-27 | N/A | 6.1 MEDIUM |
|
The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an admin user into performing an action such as clicking on a link.
|
|||||
| CVE-2023-23022 | 1 Oretnom23 | 1 Employees Payroll Management System | 2025-03-26 | N/A | 6.1 MEDIUM |
|
Cross site scripting (XSS) vulnerability in sourcecodester oretnom23 employee's payroll management system 1.0, allows attackers to execute arbitrary code via the code, title, from_date and to_date inputs in file Main.php.
|
|||||
| CVE-2024-45625 | 1 Incsub | 1 Forminator | 2025-03-26 | N/A | 6.1 MEDIUM |
|
Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator.
|
|||||
| CVE-2024-39242 | 1 Skycaiji | 1 Skycaiji | 2025-03-26 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in skycaiji v2.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload using eval(String.fromCharCode()).
|
|||||
| CVE-2022-48085 | 1 Softr | 1 Softr | 2025-03-26 | N/A | 5.4 MEDIUM |
|
Softr v2.0 was discovered to contain an HTML injection vulnerability via the Work Space Name parameter.
|
|||||
| CVE-2023-24197 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2025-03-26 | N/A | 6.1 MEDIUM |
|
Online Food Ordering System v2 was discovered to contain a SQL injection vulnerability via the id parameter at view_order.php.
|
|||||
| CVE-2023-24195 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2025-03-26 | N/A | 6.1 MEDIUM |
|
Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the page parameter in index.php.
|
|||||
| CVE-2023-24194 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2025-03-26 | N/A | 6.1 MEDIUM |
|
Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the page parameter in navbar.php.
|
|||||
| CVE-2023-24192 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2025-03-26 | N/A | 6.1 MEDIUM |
|
Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the redirect parameter in login.php.
|
|||||
| CVE-2023-24191 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2025-03-26 | N/A | 6.1 MEDIUM |
|
Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the redirect parameter in signup.php.
|
|||||
| CVE-2023-23636 | 1 Jellyfin | 1 Jellyfin | 2025-03-26 | N/A | 5.4 MEDIUM |
|
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
|
|||||
| CVE-2023-23635 | 1 Jellyfin | 1 Jellyfin | 2025-03-26 | N/A | 5.4 MEDIUM |
|
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
|
|||||
| CVE-2022-48140 | 1 Dedecms | 1 Dedecms | 2025-03-26 | N/A | 5.4 MEDIUM |
|
DedeCMS v5.7.97 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /file_manage_view.php?fmdo=edit&filename.
|
|||||
| CVE-2021-37518 | 1 Vimium Project | 1 Vimium | 2025-03-26 | N/A | 6.1 MEDIUM |
|
Universal Cross Site Scripting (UXSS) vulnerability in Vimium Extension 1.66 and earlier allows remote attackers to run arbitrary code via omnibar feature.
|
|||||
| CVE-2021-37502 | 1 Automad | 1 Automad | 2025-03-26 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in automad 1.7.5 allows remote attackers to run arbitrary code via the user name field when adding a user.
|
|||||
| CVE-2021-37378 | 1 Teradke | 4 Cube, Cube Firmware, Cube Pro and 1 more | 2025-03-26 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Teradek Cube and Cube Pro firmware version 7.3.x and earlier allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vendor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.
|
|||||
| CVE-2021-37373 | 1 Teradek | 2 Slice, Slice Firmware | 2025-03-26 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Teradek Slice 1st generation firmware 7.3.x and earlier allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vendor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.
|
|||||
| CVE-2025-2623 | 1 Westboy | 1 Cicadascms | 2025-03-26 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in westboy CicadasCMS 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /system/cms/content/save. The manipulation of the argument title/content/laiyuan leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-1802 | 1 Hasthemes | 1 Ht Mega | 2025-03-26 | N/A | 6.4 MEDIUM |
|
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘marker_title’, 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulner ...
|
|||||
| CVE-2021-36712 | 1 Yzmcms | 1 Yzmcms | 2025-03-26 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in yzmcms 6.1 allows attackers to steal user cookies via image clipping function.
|
|||||
| CVE-2021-36545 | 1 Tpcms Project | 1 Tpcms | 2025-03-26 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in tpcms 3.2 allows remote attackers to run arbitrary code via the cfg_copyright or cfg_tel field in Site Configuration page.
|
|||||
| CVE-2021-36538 | 1 Gurock | 1 Testrail | 2025-03-26 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Gurock TestRail before 7.1.2 allows remote authenticated attackers to run arbitrary code via the reference field in milestones or description fields in reports.
|
|||||
| CVE-2022-47131 | 1 Creativeitem | 1 Academy Lms | 2025-03-26 | N/A | 4.8 MEDIUM |
|
A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page.
|
|||||
| CVE-2024-4149 | 1 Premio | 1 Floating Chat Widget | 2025-03-26 | N/A | 4.8 MEDIUM |
|
The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2021-37374 | 1 Teradek | 2 Clip, Clip Firmware | 2025-03-26 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Teradek Clip all firmware versions allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vendor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.
|
|||||