Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-21188 | 1 Oracle | 1 Financial Services Revenue Management And Billing | 2025-03-13 | N/A | 6.1 MEDIUM |
|
Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: Chatbot). Supported versions that are affected are 6.0.0.0.0 and 6.1.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is i ...
Show More |
|||||
| CVE-2023-0540 | 1 Gsplugins | 1 Gs Filterable Portfolio | 2025-03-13 | N/A | 5.4 MEDIUM |
|
The GS Filterable Portfolio WordPress plugin before 1.6.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2023-0371 | 1 Embedsocial | 1 Embedsocial | 2025-03-13 | N/A | 5.4 MEDIUM |
|
The EmbedSocial WordPress plugin before 1.1.28 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2022-4786 | 1 Video.js Project | 1 Video.js | 2025-03-13 | N/A | 5.4 MEDIUM |
|
The Video.js WordPress plugin through 4.5.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2022-4752 | 1 Opening Hours Project | 1 Opening Hours | 2025-03-13 | N/A | 5.4 MEDIUM |
|
The Opening Hours WordPress plugin through 2.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2025-23072 | 2025-03-13 | N/A | 5.4 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RefreshSpecial Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - RefreshSpecial Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
|
|||||
| CVE-2024-4424 | 2025-03-13 | N/A | 6.1 MEDIUM | ||
|
The access control in CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.
|
|||||
| CVE-2024-41333 | 1 Phpgurukul | 1 Tourism Management System | 2025-03-13 | N/A | 6.1 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability in Phpgurukul Tourism Management System v2.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the uname parameter.
|
|||||
| CVE-2024-4381 | 1 Wielebenwir | 1 Commonsbooking | 2025-03-13 | N/A | 4.8 MEDIUM |
|
The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-44819 | 1 Zzcms | 1 Zzcms | 2025-03-13 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in ZZCMS v.2023 and before allows a remote attacker to obtain sensitive information via a crafted script to the pagename parameter of the admin/del.php component.
|
|||||
| CVE-2024-31847 | 1 Italtel | 1 Embrace | 2025-03-13 | N/A | 6.1 MEDIUM |
|
An issue was discovered in Italtel Embrace 1.6.4. A stored cross-site scripting (XSS) vulnerability allows authenticated and unauthenticated remote attackers to inject arbitrary web script or HTML into a GET parameter. This reflects/stores the user input without sanitization.
|
|||||
| CVE-2024-29472 | 1 Zhyd | 1 Oneblog | 2025-03-13 | N/A | 5.4 MEDIUM |
|
OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Privilege Management module.
|
|||||
| CVE-2024-29318 | 1 Personal-management-system | 1 Personal Management System | 2025-03-13 | N/A | 5.4 MEDIUM |
|
Volmarg Personal Management System 1.4.64 is vulnerable to stored cross site scripting (XSS) via upload of a SVG file with embedded javascript code.
|
|||||
| CVE-2024-28761 | 1 Ibm | 1 App Connect Enterprise | 2025-03-13 | N/A | 5.4 MEDIUM |
|
IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 12.0.1.0 through 12.0.12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 285245.
|
|||||
| CVE-2024-26489 | 1 Flusity | 1 Flusity | 2025-03-13 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the Addon JD Flusity 'Social block links' module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Profile Name text field.
|
|||||
| CVE-2024-13431 | 1 Nsquared | 1 Appointment Booking Calendar | 2025-03-13 | N/A | 6.1 MEDIUM |
|
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the accent_color and background parameter in all versions up to, and including, 1.6.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-9502 | 1 Master-addons | 1 Master Addons | 2025-03-13 | N/A | 6.4 MEDIUM |
|
The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Tooltip module in all versions up to, and including, 2.0.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute wheneve ...
Show More |
|||||
| CVE-2024-34577 | 1 Elecom | 6 Wrc-x3000gs2-b, Wrc-x3000gs2-b Firmware, Wrc-x3000gs2-w and 3 more | 2025-03-13 | N/A | 6.1 MEDIUM |
|
Cross-site scripting vulnerability exists in WRC-X3000GS2-B, WRC-X3000GS2-W, and WRC-X3000GS2A-B due to improper processing of input values in easysetup.cgi. If a user views a malicious web page while logged in to the product, an arbitrary script may be executed on the user's web browser.
|
|||||
| CVE-2024-25412 | 1 Flatpress | 1 Flatpress | 2025-03-13 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email field.
|
|||||
| CVE-2024-25300 | 1 Redaxo | 1 Redaxo | 2025-03-13 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Redaxo v5.15.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Template section.
|
|||||
| CVE-2024-22277 | 1 Vmware | 1 Cloud Director | 2025-03-13 | N/A | 6.4 MEDIUM |
|
VMware Cloud Director Availability contains an HTML injection vulnerability.
A
malicious actor with network access to VMware Cloud Director
Availability can craft malicious HTML tags to execute within replication
tasks.
|
|||||
| CVE-2024-2324 | 1 Fileorganizer | 1 Fileorganizer | 2025-03-13 | N/A | 4.4 MEDIUM |
|
The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. For the free version, this is limited to administrators. The pro version is also vulnerable and exploi ...
Show More |
|||||
| CVE-2021-29669 | 3 Ibm, Linux, Microsoft | 3 Jazz Foundation, Linux Kernel, Windows | 2025-03-13 | N/A | 5.4 MEDIUM |
|
IBM Jazz Foundation 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2024-46453 | 1 Honeywell | 2 Iq3xcite, Iq3xcite Firmware | 2025-03-13 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the component /test/ of iq3xcite v2.31 to v3.05 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-42918 | 1 Adonesevangelista | 1 Online Accreditation Management System | 2025-03-13 | N/A | 5.4 MEDIUM |
|
itsourcecode Online Accreditation Management System contains a Cross Site Scripting vulnerability, which allows an attacker to execute arbitrary code via a crafted payload to the SCHOOLNAME, EMAILADDRES, CONTACTNO, COMPANYNAME and COMPANYCONTACTNO parameters in controller.php.
|
|||||
| CVE-2024-42008 | 1 Roundcube | 1 Webmail | 2025-03-13 | N/A | 9.3 CRITICAL |
|
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
|
|||||
| CVE-2024-40478 | 1 Jayesh | 1 Online Exam System | 2025-03-13 | N/A | 5.4 MEDIUM |
|
A Stored Cross Site Scripting (XSS) vulnerability was found in "/admin/afeedback.php" in Kashipara Online Exam System v1.0, which allows remote attackers to execute arbitrary code via "rname" and "email" parameter fields
|
|||||
| CVE-2024-39094 | 1 Friendica | 1 Friendica | 2025-03-13 | N/A | 5.4 MEDIUM |
|
Friendica 2024.03 is vulnerable to Cross Site Scripting (XSS) in settings/profile via the homepage, xmpp, and matrix parameters.
|
|||||
| CVE-2024-26278 | 1 Joomla | 1 Joomla\! | 2025-03-13 | N/A | 6.1 MEDIUM |
|
The Custom Fields component not correctly filter inputs, leading to a XSS vector.
|
|||||
| CVE-2024-25801 | 1 Skinsoft | 1 S-museum | 2025-03-13 | N/A | 6.1 MEDIUM |
|
SKINsoft S-Museum 7.02.3 allows XSS via the filename of an uploaded file. Unlike in CVE-2024-25802, the attack payload is in the name (not the content) of a file.
|
|||||
| CVE-2024-21584 | 1 Pleasanter | 1 Pleasanter | 2025-03-13 | N/A | 6.1 MEDIUM |
|
Pleasanter 1.3.49.0 and earlier contains a cross-site scripting vulnerability. If an attacker tricks the user to access the product with a specially crafted URL and perform a specific operation, an arbitrary script may be executed on the web browser of the user.
|
|||||
| CVE-2025-2086 | 1 Starsea99 | 1 Starsea-mall | 2025-03-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in StarSea99 starsea-mall 1.0. This vulnerability affects unknown code of the file /admin/indexConfigs/update. The manipulation of the argument redirectUrl leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-2087 | 1 Starsea99 | 1 Starsea-mall | 2025-03-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in StarSea99 starsea-mall 1.0. This issue affects some unknown processing of the file /admin/goods/update. The manipulation of the argument goodsName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-2085 | 1 Starsea99 | 1 Starsea-mall | 2025-03-13 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic has been found in StarSea99 starsea-mall 1.0. This affects an unknown part of the file /admin/carousels/save. The manipulation of the argument redirectUrl leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-23081 | 2025-03-13 | N/A | 6.1 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
|
|||||
| CVE-2025-22775 | 2025-03-13 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in idIA Tech Catalog Importer, Scraper & Crawler allows Reflected XSS.This issue affects Catalog Importer, Scraper & Crawler: from n/a through 5.1.3.
|
|||||
| CVE-2024-44717 | 1 Dedebiz | 1 Dedebiz | 2025-03-13 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in DedeBIZ v6.3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2024-42904 | 1 Syspass | 1 Syspass | 2025-03-13 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter at /Controllers/ClientController.php.
|
|||||
| CVE-2024-36450 | 1 Webmin | 1 Webmin | 2025-03-13 | N/A | 5.4 MEDIUM |
|
Cross-site scripting vulnerability exists in sysinfo.cgi of Webmin versions prior to 1.910. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. As a result, a session ID may be obtained, a webpage may be altered, or a server may be halted.
|
|||||
| CVE-2024-21731 | 1 Joomla | 1 Joomla\! | 2025-03-13 | N/A | 6.1 MEDIUM |
|
Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.
|
|||||