Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2124 | 2025-03-09 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability, which was classified as problematic, was found in Control iD RH iD 25.2.25.0. This affects an unknown part of the file /v2/customerdb/person.svc/change_password of the component API Handler. The manipulation of the argument message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-12460 | 2025-03-08 | N/A | 6.4 MEDIUM | ||
|
The Years Since – Timeless Texts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'years-since' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-27826 | 2025-03-07 | N/A | 6.4 MEDIUM | ||
|
An XSS issue was discovered in the Bootstrap Lite theme before 1.x-1.4.5 for Backdrop CMS. It doesn't sufficiently sanitize certain class names.
|
|||||
| CVE-2025-27825 | 2025-03-07 | N/A | 6.4 MEDIUM | ||
|
An XSS issue was discovered in the Bootstrap 5 Lite theme before 1.x-1.0.3 for Backdrop CMS. It doesn't sufficiently sanitize certain class names.
|
|||||
| CVE-2025-27824 | 2025-03-07 | N/A | 6.4 MEDIUM | ||
|
An XSS issue was discovered in the Link iframe formatter module before 1.x-1.1.1 for Backdrop CMS. It doesn't sufficiently sanitize input before displaying results to the screen. This vulnerability is mitigated by the fact that an attacker must have the ability to create content containing an iFrame field.
|
|||||
| CVE-2025-27823 | 2025-03-07 | N/A | 6.4 MEDIUM | ||
|
An issue was discovered in the Mail Disguise module before 1.x-1.0.5 for Backdrop CMS. It enables a website to obfuscate email addresses, and should prevent spambots from collecting them. The module doesn't sufficiently validate the data attribute value on links, potentially leading to a Cross Site Scripting (XSS) vulnerability. This is mitigated by the fact an attacker must be able to insert link (<a>) HTML elements containing data attributes into the page.
|
|||||
| CVE-2023-22438 | 1 Ec-cube | 1 Ec-cube | 2025-03-07 | N/A | 5.4 MEDIUM |
|
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.
|
|||||
| CVE-2025-0555 | 1 Gitlab | 1 Gitlab | 2025-03-07 | N/A | 7.7 HIGH |
|
A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a users browser under specific conditions.
|
|||||
| CVE-2023-22778 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2025-03-07 | N/A | 4.8 MEDIUM |
|
A vulnerability in the ArubaOS web management interface could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
|
|||||
| CVE-2022-4901 | 1 Sophos | 1 Connect | 2025-03-07 | N/A | 3.3 LOW |
|
Multiple stored XSS vulnerabilities in Sophos Connect versions older than 2.2.90 allow Javascript code to run in the local UI via a malicious VPN configuration that must be manually loaded by the victim.
|
|||||
| CVE-2025-26994 | 1 Softdiscover | 1 Zigaform | 2025-03-07 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in softdiscover Zigaform – Price Calculator & Cost Estimation Form Builder Lite allows Stored XSS. This issue affects Zigaform – Price Calculator & Cost Estimation Form Builder Lite: from n/a through 7.4.2.
|
|||||
| CVE-2025-26989 | 1 Softdiscover | 1 Zigaform | 2025-03-07 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in softdiscover Zigaform – Form Builder Lite allows Stored XSS. This issue affects Zigaform – Form Builder Lite: from n/a through 7.4.2.
|
|||||
| CVE-2025-26984 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2025-03-07 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows Reflected XSS. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.
|
|||||
| CVE-2024-0976 | 1 Wp-eventmanager | 1 Wp Event Manager | 2025-03-07 | N/A | 6.1 MEDIUM |
|
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the plugin parameter in all versions up to, and including, 3.1.41 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-56472 | 1 Ibm | 1 Aspera Shares | 2025-03-07 | N/A | 6.4 MEDIUM |
|
IBM Aspera Shares 1.9.0 through 1.10.0 PL6 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2024-38318 | 1 Ibm | 1 Aspera Shares | 2025-03-07 | N/A | 4.8 MEDIUM |
|
IBM Aspera Shares 1.9.0 through 1.10.0 PL6 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
|
|||||
| CVE-2024-38317 | 1 Ibm | 1 Aspera Shares | 2025-03-07 | N/A | 4.8 MEDIUM |
|
IBM Aspera Shares 1.9.0 through 1.10.0 PL6 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2024-12467 | 1 Grafreak | 1 Payment By Redsys | 2025-03-07 | N/A | 6.1 MEDIUM |
|
The Pago por Redsys plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'Ds_MerchantParameters' parameter in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2023-38333 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-03-07 | N/A | 6.1 MEDIUM |
|
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
|
|||||
| CVE-2021-36399 | 1 Moodle | 1 Moodle | 2025-03-07 | N/A | 5.4 MEDIUM |
|
In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.
|
|||||
| CVE-2021-36398 | 1 Moodle | 1 Moodle | 2025-03-07 | N/A | 5.4 MEDIUM |
|
In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.
|
|||||
| CVE-2021-36401 | 1 Moodle | 1 Moodle | 2025-03-07 | N/A | 4.8 MEDIUM |
|
In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.
|
|||||
| CVE-2024-43133 | 1 Themify | 1 Themify Shortcodes | 2025-03-07 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themify Themify Shortcodes allows Stored XSS.This issue affects Themify Shortcodes: from n/a through 2.1.1.
|
|||||
| CVE-2024-47630 | 1 Elementinvader | 1 Elementinvader Addons For Elementor | 2025-03-07 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ElementInvader ElementInvader Addons for Elementor allows Stored XSS.This issue affects ElementInvader Addons for Elementor: from n/a through 1.2.7.
|
|||||
| CVE-2024-38705 | 1 Elementinvader | 1 Elementinvader Addons For Elementor | 2025-03-07 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ElementInvader ElementInvader Addons for Elementor allows Stored XSS.This issue affects ElementInvader Addons for Elementor: from n/a through 1.2.4.
|
|||||
| CVE-2025-1571 | 1 Exclusiveaddons | 1 Exclusive Addons For Elementor | 2025-03-07 | N/A | 6.4 MEDIUM |
|
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text and Image Comparison Widgets in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-36997 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-03-07 | N/A | 8.1 HIGH |
|
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit.
|
|||||
| CVE-2024-45292 | 1 Phpoffice | 1 Phpspreadsheet | 2025-03-07 | N/A | 5.4 MEDIUM |
|
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
|
|||||
| CVE-2025-27518 | 2025-03-07 | N/A | N/A | ||
|
Cognita is a RAG (Retrieval Augmented Generation) Framework for building modular, open source applications for production by TrueFoundry. An insecure CORS configuration in the Cognita backend server allows arbitrary websites to send cross site requests to the application. This vulnerability is fixed in commit 75079c3d3cf376381489b9a82ee46c69024e1a15.
|
|||||
| CVE-2021-36713 | 1 Sprymedia | 1 Datatables | 2025-03-07 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in the DataTables plug-in 1.9.2 for jQuery allows attackers to run arbitrary code via the sBaseName parameter to function _fnCreateCookie. NOTE: 1.9.2 is a version from 2012.
|
|||||
| CVE-2024-9221 | 1 Tainacan | 1 Tainacan | 2025-03-07 | N/A | 6.1 MEDIUM |
|
The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.21.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-10266 | 1 Leap13 | 1 Premium Addons For Elementor | 2025-03-07 | N/A | 6.4 MEDIUM |
|
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Box widget in all versions up to, and including, 4.10.60 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-47374 | 1 Litespeedtech | 1 Litespeed Cache | 2025-03-07 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 6.5.0.2.
|
|||||
| CVE-2024-47373 | 1 Litespeedtech | 1 Litespeed Cache | 2025-03-07 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 6.5.0.2.
|
|||||
| CVE-2024-9169 | 1 Litespeedtech | 1 Litespeed Cache | 2025-03-07 | N/A | 5.5 MEDIUM |
|
The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html ...
Show More |
|||||
| CVE-2024-7791 | 1 Wpxpro | 1 Xpro Addons For Elementor | 2025-03-07 | N/A | 6.4 MEDIUM |
|
The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘arrow’ parameter within the Post Grid widget in all versions up to, and including, 1.4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-34445 | 1 Sktthemes | 1 Skt Addons For Elementor | 2025-03-07 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SKT Themes SKT Addons for Elementor allows Stored XSS.This issue affects SKT Addons for Elementor: from n/a through 1.8.
|
|||||
| CVE-2024-34436 | 1 Sktthemes | 1 Skt Addons For Elementor | 2025-03-07 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SKT Themes SKT Addons for Elementor allows Stored XSS.This issue affects SKT Addons for Elementor: from n/a through 1.8.
|
|||||
| CVE-2024-34570 | 1 Wpxpro | 1 Xpro Addons For Elementor | 2025-03-07 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons allows Stored XSS.This issue affects Xpro Elementor Addons: from n/a through 1.4.3.
|
|||||
| CVE-2024-43150 | 1 Wpxpro | 1 Xpro Addons For Elementor | 2025-03-07 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons allows Stored XSS.This issue affects Xpro Elementor Addons: from n/a through 1.4.4.2.
|
|||||