Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-0144 | 1 Mage-people | 1 Event Manager And Tickets Selling For Woocommerce | 2025-03-26 | N/A | 5.4 MEDIUM | The Event Manager and Tickets Selling Plugin for WooCommerce WordPress plugin before 3.8.0 does not validate and escape some of its post meta before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2022-4824 | 1 Essentialplugin | 1 Wp Blog And Widget | 2025-03-26 | N/A | 5.4 MEDIUM | The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. |
| CVE-2022-4577 | 1 Goldplugins | 1 Easy Testimonials | 2025-03-26 | N/A | 5.4 MEDIUM | The Easy Testimonials WordPress plugin before 3.9.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. |
| CVE-2022-48311 | 1 Hp | 2 Deskjet 2540 A9u23b, Deskjet 2540 A9u23b Firmware | 2025-03-26 | N/A | 9.0 CRITICAL | **UNSUPPORTED WHEN ASSIGNED** Cross Site Scripting (XSS) in HP Deskjet 2540 series printer Firmware Version CEP1FN1418BR and Product Model Number A9U23B allows an authenticated attacker to inject their own script into the page via the HTTP configuration page. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2024-27680 | 1 Flusity | 1 Flusity | 2025-03-26 | N/A | 6.1 MEDIUM | Flusity-CMS v2.33 is vulnerable to Cross Site Scripting (XSS) in the "Contact form." |
| CVE-2024-10033 | 1 Redhat | 4 Ansible Automation Platform, Ansible Developer, Ansible Inside and 1 more | 2025-03-26 | N/A | 6.1 MEDIUM | A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions and data. |
| CVE-2023-0174 | 1 Rextheme | 1 Wp Vr | 2025-03-25 | N/A | 5.4 MEDIUM | The WP VR WordPress plugin before 8.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2022-4838 | 1 Codection | 1 Clean Login | 2025-03-25 | N/A | 5.4 MEDIUM | The Clean Login WordPress plugin before 1.13.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. |
| CVE-2023-23849 | 1 Synopsys | 1 Coverity | 2025-03-25 | N/A | 6.1 MEDIUM | Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability. Any web service hosted on the same subdomain can set a cookie for the whole subdomain, which can be used to bypass other mitigations in place for malicious purposes. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C |
| CVE-2025-29782 | 1 Wegia | 1 Wegia | 2025-03-25 | N/A | 5.4 MEDIUM | WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_tipo_docs_atendido.php` endpoint in versions of the WeGIA application prior to 3.2.17. This vulnerability allows attackers to inject malicious scripts into the `tipo` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. Version 3.2.17 contains a patch ... |
| CVE-2025-2325 | 1 Boopathirajan | 1 Wp Test Email | 2025-03-25 | N/A | 7.2 HIGH | The WP Test Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Email Logs in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-26318 | 1 Serenity | 1 Serenity | 2025-03-25 | N/A | 6.1 MEDIUM | Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character. |
| CVE-2023-22849 | 1 Apache | 1 Sling Cms | 2025-03-25 | N/A | 6.1 MEDIUM | An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling App CMS >= 1.1.6. |
| CVE-2024-3992 | 1 Joshua Vandercar | 1 Amen | 2025-03-25 | N/A | 4.8 MEDIUM | The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). |
| CVE-2024-26279 | 1 Joomla | 1 Joomla! | 2025-03-25 | N/A | 6.1 MEDIUM | The wrapper extensions do not correctly validate inputs, leading to XSS vectors. |
| CVE-2024-4860 | 1 Rebelcode | 1 Rss Aggregator | 2025-03-25 | N/A | 5.4 MEDIUM | The 'WordPress RSS Aggregator' WordPress plugin, versions < 4.23.9, is affected by a Cross-Site Scripting (XSS) vulnerability due to the lack of sanitization of the 'notice_id' GET parameter. |
| CVE-2024-35167 | 1 Envothemes | 1 Envo's Elementor Templates & Widgets For Woocommerce | 2025-03-25 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo's Elementor Templates & Widgets for WooCommerce allows Stored XSS. This issue affects Envo's Elementor Templates & Widgets for WooCommerce: from n/a through 1.4.8. |
| CVE-2024-7790 | 1 Stitionai | 1 Devika | 2025-03-25 | N/A | 6.5 MEDIUM | A stored cross-site scripting vulnerability exists in DevikaAI from commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2 onwards via improperly decoded user input. |
| CVE-2024-7524 | 1 Mozilla | 2 Firefox, Firefox Esr | 2025-03-25 | N/A | 6.1 MEDIUM | Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1. |
| CVE-2024-48706 | 1 O-dyn | 1 Collabtive | 2025-03-25 | N/A | 5.4 MEDIUM | Collabtive 3.1 is vulnerable to Cross-site scripting (XSS) via the title parameter with action=add or action=editform within the (a) managemessage.php file and (b) managetask.php file respectively. |
| CVE-2024-47048 | 1 Rocket.chat | 1 Rocket.chat | 2025-03-25 | N/A | 5.4 MEDIUM | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps. |
| CVE-2024-46934 | 1 Rocket.chat | 1 Rocket.chat | 2025-03-25 | N/A | 6.1 MEDIUM | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload. |
| CVE-2024-46372 | 1 Dedecms | 1 Dedecms | 2025-03-25 | N/A | 6.1 MEDIUM | DedeCMS 5.7.115 is vulnerable to Cross Site Scripting (XSS) via the advertisement code box in the advertisement management module. |
| CVE-2024-45836 | 1 Planex | 10 Cs-qr10, Cs-qr10 Firmware, Cs-qr20 and 7 more | 2025-03-25 | N/A | 6.1 MEDIUM | A cross-site scripting vulnerability exists in the web management page of PLANEX COMMUNICATIONS network cameras. If a logged-in user accesses a specific file, an arbitrary script may be executed in the user's web browser. |
| CVE-2024-43025 | 1 Rws | 1 Multitrans | 2025-03-25 | N/A | 6.1 MEDIUM | An HTML injection vulnerability in RWS MultiTrans v7.0.23324.2 and earlier allows attackers to alter the HTML layout and possibly execute a phishing attack via a crafted payload injected into a sent e-mail. |
| CVE-2024-43024 | 1 Rws | 1 Multitrans | 2025-03-25 | N/A | 6.1 MEDIUM | Multiple stored cross-site scripting (XSS) vulnerabilities in RWS MultiTrans v7.0.23324.2 and earlier allow attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-41482 | 1 Typora | 1 Typora | 2025-03-25 | N/A | 6.1 MEDIUM | The Typora Markdown editor before 1.9.3 has a cross-site scripting (XSS) vulnerability via the MathJax component. |
| CVE-2024-34312 | 1 Moodle | 1 Virtual Programming Lab | 2025-03-25 | N/A | 6.1 MEDIUM | Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js. |
| CVE-2024-33536 | 1 Zimbra | 1 Collaboration | 2025-03-25 | N/A | 5.4 MEDIUM | An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file, accessible externally, and crafting a URL containing its location in the res parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits ... |
| CVE-2024-28710 | 1 Limesurvey | 1 Limesurvey | 2025-03-25 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component. |
| CVE-2024-28709 | 1 Limesurvey | 1 Limesurvey | 2025-03-25 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields. |
| CVE-2024-28153 | 1 Jenkins | 1 Owasp Dependency-check | 2025-03-25 | N/A | 5.4 MEDIUM | Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability. |
| CVE-2024-21729 | 1 Joomla | 1 Joomla! | 2025-03-25 | N/A | 6.1 MEDIUM | Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field. |
| CVE-2024-1434 | 1 Jordymeow | 1 Media Alt Renamer | 2025-03-25 | N/A | 5.9 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jordy Meow Media Alt Renamer allows Stored XSS. This issue affects Media Alt Renamer: from n/a through 0.0.1. |
| CVE-2024-26490 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in the Addon JD Simple module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title text field. |
| CVE-2024-26491 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the Addon JD Flusity 'Media Gallery with description' module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Gallery name text field. |
| CVE-2024-45429 | 1 Wpengine | 1 Advanced Custom Fields | 2025-03-25 | N/A | 6.1 MEDIUM | A cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker's. |
| CVE-2024-33328 | | | 2025-03-25 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the component main.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the pageId parameter. |
| CVE-2023-48432 | 1 Zimbra | 1 Collaboration | 2025-03-25 | N/A | 6.1 MEDIUM | An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. XSS, with resultant session stealing, can occur via JavaScript code in a link (for a webmail redirection endpoint) within an email message, e.g., if a victim clicks on that link within Zimbra webmail. |
| CVE-2024-47227 | 1 Iredmail | 1 Iredadmin | 2025-03-25 | N/A | 6.1 MEDIUM | iRedAdmin before 2.6 allows XSS, e.g., via order_name. |