Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1615 | 1 Fiberhome | 2 An5506-01-a, An5506-01-a Firmware | 2025-02-28 | 3.3 LOW | 2.4 LOW |
|
A vulnerability classified as problematic was found in FiberHome AN5506-01A ONU GPON RP2511. Affected by this vulnerability is an unknown functionality of the component NAT Submenu. The manipulation of the argument Description leads to cross site scripting. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-1613 | 1 Fiberhome | 2 An5506-01-a, An5506-01-a Firmware | 2025-02-28 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in FiberHome AN5506-01A ONU GPON RP2511. It has been rated as problematic. This issue affects some unknown processing of the file /goform/URL_filterCfg of the component URL Filtering Submenu. The manipulation of the argument url_IP leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-1614 | 1 Fiberhome | 2 An5506-01-a, An5506-01-a Firmware | 2025-02-28 | 3.3 LOW | 2.4 LOW |
|
A vulnerability classified as problematic has been found in FiberHome AN5506-01A ONU GPON RP2511. Affected is an unknown function of the file /goform/portForwardingCfg of the component Port Forwarding Submenu. The manipulation of the argument pf_Description leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-1592 | 1 Mayurik | 1 Best Employee Management System | 2025-02-28 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in SourceCodester Best Employee Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/Operations/Role.php of the component Add Role Page. The manipulation of the argument assign_name/description leads to cross site scripting. The attack may be launched remotely.
|
|||||
| CVE-2025-1597 | 1 Mayurik | 1 Best Church Management Software | 2025-02-28 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/redirect.php. The manipulation of the argument a leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-20049 | 2025-02-28 | N/A | 5.8 MEDIUM | ||
|
The Dario Health portal service application is vulnerable to XSS, which could allow an attacker to obtain sensitive information.
|
|||||
| CVE-2024-53408 | 2025-02-28 | N/A | 5.4 MEDIUM | ||
|
AVE System Web Client v2.1.131.13992 was discovered to contain a cross-site scripting (XSS) vulnerability.
|
|||||
| CVE-2025-1776 | 2025-02-28 | N/A | 6.1 MEDIUM | ||
|
Cross-Site Scripting (XSS) vulnerability in Soteshop, versions prior to 8.3.4, which could allow remote attackers to execute arbitrary code via the ‘query’ parameter in /app-google-custom-search/searchResults. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
|
|||||
| CVE-2025-27139 | 1 Combodo | 1 Itop | 2025-02-28 | N/A | 6.8 MEDIUM |
|
Combodo iTop is a web based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting when the preferences page is opened. Versions 2.7.12, 3.1.2, and 3.2.0 fix the issue.
|
|||||
| CVE-2025-1174 | 1 1000projects | 1 Bookstore Management System | 2025-02-28 | 3.3 LOW | 2.4 LOW |
|
A vulnerability has been found in 1000 Projects Bookstore Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file process_book_add.php of the component Add Book Page. The manipulation of the argument Book Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
|
|||||
| CVE-2025-0560 | 1 Campcodes | 1 School Management Software | 2025-02-28 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, was found in CampCodes School Management Software 1.0. Affected is an unknown function of the file /photo-gallery of the component Photo Gallery Page. The manipulation of the argument Description leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-0559 | 1 Campcodes | 1 School Management Software | 2025-02-28 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, has been found in Campcodes School Management Software 1.0. This issue affects some unknown processing of the file /create-id-card of the component Create Id Card Page. The manipulation of the argument ID Card Title leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2023-27093 | 1 My-blog Project | 1 My-blog | 2025-02-27 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability found in My-Blog allows attackers to cause a denial of service via the Post function.
|
|||||
| CVE-2025-24438 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-02-27 | N/A | 8.7 HIGH |
|
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impac ...
Show More |
|||||
| CVE-2023-27069 | 1 Totaljs | 1 Openplatform | 2025-02-27 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the account name field.
|
|||||
| CVE-2021-27788 | 1 Hcltech | 1 Verse | 2025-02-27 | N/A | 8.3 HIGH |
|
HCL Verse is susceptible to a Cross Site Scripting (XSS) vulnerability. By tricking a user into clicking a crafted URL, a remote unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information.
|
|||||
| CVE-2024-12232 | 1 Code-projects | 1 Simple Crud Functionality | 2025-02-27 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability has been found in code-projects Simple CRUD Functionality 1.0 and classified as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument newtitle/newdescr leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-8962 | 1 Wpbits | 1 Wpbits Addons For Elementor Page Builder | 2025-02-27 | N/A | 6.4 MEDIUM |
|
The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
|
|||||
| CVE-2025-27108 | 1 Ryansolid | 1 Dom Expressions | 2025-02-27 | N/A | 7.3 HIGH |
|
dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of `Meta` tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or `$\`` to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and cont ...
Show More |
|||||
| CVE-2023-27070 | 1 Totaljs | 1 Openplatform | 2025-02-27 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field.
|
|||||
| CVE-2023-26912 | 1 S-mall-ssm Project | 1 S-mall-ssm | 2025-02-27 | N/A | 4.8 MEDIUM |
|
Cross site scripting (XSS) vulnerability in xenv S-mall-ssm thru commit 3d9e77f7d80289a30f67aaba1ae73e375d33ef71 on Feb 17, 2020, allows local attackers to execute arbitrary code via the evaluate button.
|
|||||
| CVE-2022-48111 | 1 Siri-informatica | 1 Wi400 | 2025-02-27 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the check_login function of SIPE s.r.l WI400 between version 8 and 11 included allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the f parameter.
|
|||||
| CVE-2024-44045 | 1 Kevonadonis | 1 Wp Abstracts | 2025-02-27 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kevon Adonis WP Abstracts allows Stored XSS.This issue affects WP Abstracts: from n/a through 2.6.5.
|
|||||
| CVE-2024-44042 | 1 Androidbubbles | 1 Wp Datepicker | 2025-02-27 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Fahad Mahmood WP Datepicker allows Stored XSS.This issue affects WP Datepicker: from n/a through 2.1.1.
|
|||||
| CVE-2023-23326 | 1 Avantfax | 1 Avantfax | 2025-02-27 | N/A | 5.4 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session.
|
|||||
| CVE-2025-23687 | 2025-02-27 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in simonhunter Woo Store Mode allows Reflected XSS. This issue affects Woo Store Mode: from n/a through 1.0.1.
|
|||||
| CVE-2024-9285 | 2025-02-27 | 5.0 MEDIUM | 4.3 MEDIUM | ||
|
A vulnerability was found in Tu Yafeng Via Browser up to 5.9.0 on Android. It has been rated as problematic. This issue affects some unknown processing of the component Javascript Bridge. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
|
|||||
| CVE-2024-4293 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-02-27 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in PHPGurukul Doctor Appointment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file appointment-bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262225 was assigned to this vulnerability.
|
|||||
| CVE-2024-3490 | 1 Bootstrapped | 1 Wp Recipe Maker | 2025-02-27 | N/A | 6.4 MEDIUM |
|
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wprm-recipe-roundup-item shortcode in all versions up to, and including, 9.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2765 | 1 Ultimatemember | 1 Ultimate Member | 2025-02-27 | N/A | 5.4 MEDIUM |
|
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesse ...
Show More |
|||||
| CVE-2023-0844 | 1 Kibokolabs | 1 Namaste\! Lms | 2025-02-27 | N/A | 4.8 MEDIUM |
|
The Namaste! LMS WordPress plugin before 2.6 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-0538 | 1 Campaign Url Builder Project | 1 Campaign Url Builder | 2025-02-27 | N/A | 5.4 MEDIUM |
|
The Campaign URL Builder WordPress plugin before 1.8.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2023-0172 | 1 Saas.group | 1 Juicer | 2025-02-27 | N/A | 5.4 MEDIUM |
|
The Juicer WordPress plugin before 1.11 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2023-0073 | 1 Client Logo Carousel Project | 1 Client Logo Carousel | 2025-02-27 | N/A | 5.4 MEDIUM |
|
The Client Logo Carousel WordPress plugin through 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2022-4661 | 1 Themelocation | 1 Widgets For Woocommerce Products On Elementor | 2025-02-27 | N/A | 5.4 MEDIUM |
|
The Widgets for WooCommerce Products on Elementor WordPress plugin before 1.0.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2022-4466 | 1 Connekthq | 1 Ajax Load More | 2025-02-27 | N/A | 5.4 MEDIUM |
|
The WordPress Infinite Scroll WordPress plugin before 5.6.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2023-25593 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-02-27 | N/A | 7.1 HIGH |
|
Vulnerabilities within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
|
|||||
| CVE-2023-25592 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-02-27 | N/A | 7.1 HIGH |
|
Vulnerabilities within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
|
|||||
| CVE-2024-30430 | 1 Wpmanageninja | 1 Fluentcrm | 2025-02-27 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Email Newsletter Team - FluentCRM Fluent CRM allows Stored XSS.This issue affects Fluent CRM: from n/a through 2.8.44.
|
|||||
| CVE-2024-1571 | 1 Bootstrapped | 1 Wp Recipe Maker | 2025-02-27 | N/A | 4.4 MEDIUM |
|
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the recipe dashboard (which is administrator-only by default but can be assigned to arbitrary capabilities), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||