Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-38454 | 1 Expressionengine | 1 Expressionengine | 2025-03-17 | N/A | 6.1 MEDIUM | ExpressionEngine before 7.4.11 allows XSS. |
| CVE-2024-13578 | 1 Infinitescript | 1 Wp-bibtex | 2025-03-17 | N/A | 6.4 MEDIUM | The WP-BibTeX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'WpBibTeX' shortcode in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-2366 | | | 2025-03-17 | 3.3 LOW | 2.4 LOW | A vulnerability, which was classified as problematic, was found in gougucms 4.08.18. This affects the function add of the file /admin/department/add of the component Add Department Page. The manipulation of the argument title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-2354 | | | 2025-03-17 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability has been found in VAM Virtual Airlines Manager 2.6.2 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /vam/index.php. The manipulation of the argument registry_id/plane_icao/hub_id leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in ... |
| CVE-2025-2335 | | | 2025-03-16 | 4.0 MEDIUM | 3.5 LOW | A vulnerability classified as problematic was found in Drivin Soluções up to 20250226. This vulnerability affects unknown code of the file /api/school/registerSchool of the component API Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-26972 | | | 2025-03-15 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5. |
| CVE-2025-26895 | | | 2025-03-15 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maennchen1.de m1.DownloadList allows DOM-Based XSS. This issue affects m1.DownloadList: from n/a through 0.19. |
| CVE-2025-26556 | | | 2025-03-15 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zzmaster WP AntiDDOS allows Reflected XSS. This issue affects WP AntiDDOS: from n/a through 2.0. |
| CVE-2025-26555 | | | 2025-03-15 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Debug-Bar-Extender allows Reflected XSS. This issue affects Debug-Bar-Extender: from n/a through 0.5. |
| CVE-2025-26554 | | | 2025-03-15 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Discord Post allows Reflected XSS. This issue affects WP Discord Post: from n/a through 2.1.0. |
| CVE-2025-26553 | | | 2025-03-15 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spring Devs Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin allows Reflected XSS. This issue affects Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin: from n/a through 2.2. |
| CVE-2025-26548 | | | 2025-03-15 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Random Image Selector allows Reflected XSS. This issue affects Random Image Selector: from n/a through 2.4. |
| CVE-2025-23744 | | | 2025-03-15 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dvs11 Random Posts, Mp3 Player + ShareButton allows Reflected XSS. This issue affects Random Posts, Mp3 Player + ShareButton: from n/a through 1.4.1. |
| CVE-2025-26202 | | | 2025-03-14 | N/A | 4.3 MEDIUM | Cross-Site Scripting (XSS) vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page. |
| CVE-2025-29771 | | | 2025-03-14 | N/A | N/A | HtmlSanitizer is a client-side HTML sanitizer. Versions prior to 2.0.3 have a cross-site scripting vulnerability when the sanitizer is used with a `contentEditable` element to set the element's `innerHTML` to a sanitized string produced by the package, if the input is specifically crafted to abuse the code beautifier, which runs after sanitization. The issue is patched in version 2.0.3. |
| CVE-2024-25226 | 1 Code-projects | 1 Simple Admin Panel | 2025-03-14 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in Simple Admin Panel App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter under the Add Category function. |
| CVE-2023-7233 | 1 Tri | 1 Gigpress | 2025-03-14 | N/A | 4.8 MEDIUM | The GigPress WordPress plugin through 2.3.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2023-24081 | 1 Go-redrock | 1 Tutortrac | 2025-03-14 | N/A | 5.4 MEDIUM | Multiple stored cross-site scripting (XSS) vulnerabilities in Redrock Software TutorTrac before v4.2.170210 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the reason and location fields of the visits listing page. |
| CVE-2024-40602 | 1 Mediawiki | 1 Mediawiki | 2025-03-14 | N/A | 4.8 MEDIUM | An issue was discovered in the Tempo skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. |
| CVE-2025-1888 | | | 2025-03-14 | N/A | 4.6 MEDIUM | The Leica Web Viewer within the Aperio Eslide Manager Application is vulnerable to reflected cross-site scripting (XSS). An authenticated user can access the slides within a project and inject malicious JavaScript into the "memo" field. The memo field has a hover-over action that displays a Microsoft tooltip, which a user can use to quickly view the memo associated with the slide, and this executes the JavaScript. |
| CVE-2024-25090 | 1 Apache | 1 Roller | 2025-03-14 | N/A | 5.4 MEDIUM | Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.3. This issue aff ... |
| CVE-2024-21178 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2025-03-14 | N/A | 6.1 MEDIUM | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.59, 8.60 and 8.61. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact ad ... |
| CVE-2024-6517 | 1 Dotsquares | 1 Contact Form 7 Math Captcha | 2025-03-14 | N/A | 6.1 MEDIUM | The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users. |
| CVE-2024-44930 | 1 Serilog-contrib | 1 Serilog-enrichers-clientinfo | 2025-03-14 | N/A | 6.5 MEDIUM | Serilog before v2.1.0 was discovered to contain a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses by specifying an arbitrary IP as a value of X-Forwarded-For or Client-Ip headers while performing HTTP requests. |
| CVE-2024-44682 | 1 Shopxo | 1 Shopxo | 2025-03-14 | N/A | 6.1 MEDIUM | ShopXO 6.2 is vulnerable to Cross Site Scripting (XSS) in the backend that allows attackers to execute code by changing POST parameters. |
| CVE-2024-41591 | 1 Draytek | 48 Vigor1000b, Vigor1000b Firmware, Vigor165 and 45 more | 2025-03-14 | N/A | 6.1 MEDIUM | DrayTek Vigor3910 devices through 4.3.2.6 allow unauthenticated DOM-based reflected XSS. |
| CVE-2024-37671 | 1 Tessi | 1 Docubase | 2025-03-14 | N/A | 5.4 MEDIUM | Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the page parameter. |
| CVE-2024-33209 | 1 Flatpress | 1 Flatpress | 2025-03-14 | N/A | 5.4 MEDIUM | FlatPress v1.3 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into the "Add New Entry" section, which allows them to execute arbitrary code in the context of a victim's web browser. |
| CVE-2024-40737 | 1 Netbox | 1 Netbox | 2025-03-14 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-ports/add. |
| CVE-2024-40510 | 1 Openpetra | 1 Openpetra | 2025-03-14 | N/A | 8.2 HIGH | Cross Site Scripting vulnerability in openPetra v.2023.02 allows a remote attacker to obtain sensitive information via the serverMCommon.asmx function. |
| CVE-2024-40605 | 1 Mediawiki | 1 Mediawiki | 2025-03-14 | N/A | 4.8 MEDIUM | An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. |
| CVE-2022-4784 | 1 Presscustomizr | 1 Hueman Addons | 2025-03-14 | N/A | 5.4 MEDIUM | The Hueman Addons WordPress plugin through 2.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2025-26626 | | | 2025-03-14 | N/A | 6.5 MEDIUM | The GLPI Inventory Plugin handles various types of tasks for GLPI agents for the GLPI asset and IT management software package. Versions prior to 1.5.0 are vulnerable to reflected cross-site scripting, which may lead to executing JavaScript code. Version 1.5.0 fixes the issue. |
| CVE-2025-2166 | | | 2025-03-14 | N/A | 6.1 MEDIUM | The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| CVE-2024-25973 | 1 Frentix | 1 Openolat | 2025-03-14 | N/A | 5.4 MEDIUM | The Frentix GmbH OpenOlat LMS is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities. An attacker with rights to create or edit groups can create a course with a name that contains an XSS payload. Furthermore, attackers with the permissions to create or rename a catalog (sub-category) can enter unfiltered input in the name field. In addition, attackers who are allowed to create curriculums can also enter unfiltered input in the name field. This allows an attacker to execute st ... |
| CVE-2024-4005 | 1 Labschool | 1 Social Pixel | 2025-03-13 | N/A | 4.8 MEDIUM | The Social Pixel WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-8035 | 2 Google, Microsoft | 2 Chrome, Windows | 2025-03-13 | N/A | 4.3 MEDIUM | Inappropriate implementation in Extensions in Google Chrome on Windows prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2024-45621 | 1 Rocket.chat | 1 Rocket.chat | 2025-03-13 | N/A | 5.4 MEDIUM | The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents. |
| CVE-2024-33533 | 1 Zimbra | 1 Collaboration | 2025-03-13 | N/A | 5.4 MEDIUM | An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file and crafting a URL containing its locati ... |
| CVE-2024-3800 | 1 Conceptintermedia | 1 S@m Cms | 2025-03-13 | N/A | 6.1 MEDIUM | Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to Reflected XSS via including scripts in requested file names. Only a part of the observed services is vulnerable, but since the vendor has not investigated the root problem, it is hard to determine when the issue appears. |