Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-12519 | 2025-01-11 | N/A | 6.4 MEDIUM | ||
|
The TCBD Auto Refresher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcbd_auto_refresh' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-12412 | 2025-01-11 | N/A | 6.1 MEDIUM | ||
|
The Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘active_tab’ parameter in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-12407 | 2025-01-11 | N/A | 6.1 MEDIUM | ||
|
The Push Notification for Post and BuddyPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'pushnotificationid' parameter in all versions up to, and including, 2.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-11892 | 2025-01-11 | N/A | 6.4 MEDIUM | ||
|
The Accordion Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'accordion_slider' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-11874 | 2025-01-11 | N/A | 6.4 MEDIUM | ||
|
The Grid Accordion Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'grid_accordion' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-11758 | 2025-01-11 | N/A | 6.4 MEDIUM | ||
|
The WP SPID Italia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-11386 | 2025-01-11 | N/A | 6.4 MEDIUM | ||
|
The GatorMail SmartForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gatormailsmartform' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-12505 | 2025-01-11 | N/A | 6.4 MEDIUM | ||
|
The Trackserver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tsmap' shortcode in all versions up to, and including, 5.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-13141 | 1 Osuuu | 1 Lightpicture | 2025-01-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in osuuu LightPicture up to 1.2.2. This vulnerability affects unknown code of the file /api/upload of the component SVG File Upload Handler. The manipulation of the argument file leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-3889 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-01-10 | N/A | 6.4 MEDIUM |
|
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Accordion widget in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes like 'accordion_title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected ...
Show More |
|||||
| CVE-2024-2799 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-01-10 | N/A | 6.4 MEDIUM |
|
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid & Advanced Text widget HTML tags in all versions up to, and including, 1.3.96 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-2798 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-01-10 | N/A | 6.5 MEDIUM |
|
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget containers in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-12846 | 1 Emlog | 1 Emlog | 2025-01-10 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in Emlog Pro up to 2.4.1. Affected by this issue is some unknown functionality of the file /admin/link.php. The manipulation of the argument siteurl/icon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-13140 | 1 Emlog | 1 Emlog | 2025-01-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic has been found in Emlog Pro up to 2.4.3. Affected is an unknown function of the file /admin/article.php?action=upload_cover of the component Cover Upload Handler. The manipulation of the argument image leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-3645 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2025-01-10 | N/A | 6.4 MEDIUM |
|
The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Counter widget in all versions up to, and including, 5.8.11 due to insufficient input sanitization and output escaping on user supplied attributes such as 'title_html_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-12783 | 1 Angeljudesuarez | 1 Vehicle Management System | 2025-01-10 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in itsourcecode Vehicle Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /billaction.php. The manipulation of the argument extra-cost leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-12883 | 1 Anisha | 1 Job Recruitment | 2025-01-10 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in code-projects Job Recruitment 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /_email.php. The manipulation of the argument email leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-13137 | 1 Wangl1989 | 1 Mysiteforme | 2025-01-10 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in wangl1989 mysiteforme 1.0. It has been classified as problematic. This affects the function RestResponse of the file src/main/java/com/mysiteforme/admin/controller/system/SiteController. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-0228 | 1 Code-projects | 1 Local Storage Todo App | 2025-01-10 | 3.3 LOW | 2.4 LOW |
|
A vulnerability has been found in code-projects Local Storage Todo App 1.0 and classified as problematic. This vulnerability affects unknown code of the file /js-todo-app/index.html. The manipulation of the argument Add leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-41752 | 1 Ibm | 1 Cognos Analytics | 2025-01-10 | N/A | 5.4 MEDIUM |
|
IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
|
|||||
| CVE-2024-25042 | 1 Ibm | 1 Cognos Analytics | 2025-01-10 | N/A | 5.4 MEDIUM |
|
IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3
is potentially vulnerable to Cross Site Scripting (XSS). A remote attacker could execute malicious commands due to improper validation of column headings in Cognos Explorations.
|
|||||
| CVE-2023-3026 | 1 Diagrams | 1 Drawio | 2025-01-10 | N/A | 6.1 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.
|
|||||
| CVE-2022-45938 | 1 Xfinity | 1 Comcast Defined Technologies Microeisbss | 2025-01-10 | N/A | 9.0 CRITICAL |
|
An issue was discovered in Comcast Defined Technologies microeisbss through 2021. An attacker can inject a stored XSS payload in the Device ID field under Inventory Management to achieve Remote Code Execution and privilege escalation..
|
|||||
| CVE-2024-50339 | 1 Glpi-project | 1 Glpi | 2025-01-10 | N/A | 5.3 MEDIUM |
|
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.
|
|||||
| CVE-2023-2470 | 1 Add To Feedly Project | 1 Add To Feedly | 2025-01-10 | N/A | 4.8 MEDIUM |
|
The Add to Feedly WordPress plugin through 1.2.11 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2023-2296 | 1 Loginizer | 1 Loginizer | 2025-01-10 | N/A | 6.1 MEDIUM |
|
The Loginizer WordPress plugin before 1.7.9 does not escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2023-2256 | 1 Themeisle | 1 Product Addons \& Fields For Woocommerce | 2025-01-10 | N/A | 6.1 MEDIUM |
|
The Product Addons & Fields for WooCommerce WordPress plugin before 32.0.7 does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting.
|
|||||
| CVE-2023-2223 | 1 12net | 1 Login Rebuilder | 2025-01-10 | N/A | 4.8 MEDIUM |
|
The Login rebuilder WordPress plugin before 2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-12024 | 1 Metagauss | 1 Eventprime | 2025-01-10 | N/A | 7.2 HIGH |
|
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the em_ticket_category_data and em_ticket_individual_data parameters in all versions up to, and including, 4.0.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.
Note: this vulnerability req ...
Show More |
|||||
| CVE-2024-13142 | 1 Zerowdd | 1 Studentmanager | 2025-01-10 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in ZeroWdd studentmanager 1.0. It has been declared as problematic. This vulnerability affects the function submitAddRole of the file src/main/java/com/zero/system/controller/RoleController. java. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely.
|
|||||
| CVE-2023-31548 | 1 Churchcrm | 1 Churchcrm | 2025-01-10 | N/A | 5.4 MEDIUM |
|
A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||
| CVE-2023-33287 | 1 Actonic | 1 Inline Table Editing | 2025-01-10 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the Inline Table Editing application before 3.8.0 for Confluence allows attackers to store and execute arbitrary JavaScript via a crafted payload injected into the tables.
|
|||||
| CVE-2023-33736 | 1 Dcatadmin | 1 Dcat Admin | 2025-01-10 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in Dcat-Admin v2.1.3-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter.
|
|||||
| CVE-2023-33732 | 1 Escanav | 1 Escan Management Console | 2025-01-10 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) in the New Policy form in Microworld Technologies eScan management console 14.0.1400.2281 allows a remote attacker to inject arbitrary code via the vulnerable parameters type, txtPolicyType, and Deletefileval.
|
|||||
| CVE-2024-34697 | 1 Freescout | 1 Freescout | 2025-01-10 | N/A | 7.6 HIGH |
|
FreeScout is a free, self-hosted help desk and shared mailbox. A stored HTML Injection vulnerability has been identified in the Email Receival Module of the Freescout Application. The vulnerability allows attackers to inject malicious HTML content into emails sent to the application's mailbox. This vulnerability arises from improper handling of HTML content within incoming emails, allowing attackers to embed malicious HTML code in the context of the application's domain. Unauthenticated attacker ...
Show More |
|||||
| CVE-2024-29184 | 1 Freescout | 1 Freescout | 2025-01-10 | N/A | 8.0 HIGH |
|
FreeScout is a self-hosted help desk and shared mailbox. A Stored Cross-Site Scripting (XSS) vulnerability has been identified within the Signature Input Field of the FreeScout Application prior to version 1.8.128. Stored XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, the Support Agent User can inject malicious scripts into their signa ...
Show More |
|||||
| CVE-2024-10086 | 1 Hashicorp | 1 Consul | 2025-01-10 | N/A | 6.1 MEDIUM |
|
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.
|
|||||
| CVE-2023-28120 | 2025-01-09 | N/A | 5.3 MEDIUM | ||
|
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
|
|||||
| CVE-2023-23754 | 1 Joomla | 1 Joomla\! | 2025-01-09 | N/A | 6.1 MEDIUM |
|
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.
|
|||||
| CVE-2023-28651 | 1 Contec | 1 Conprosys Hmi System | 2025-01-09 | N/A | 4.8 MEDIUM |
|
Cross-site scripting vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. If a user who can access the affected product with an administrative privilege configures specially crafted settings, an arbitrary script may be executed on the web browser of the other user who is accessing the affected product with an administrative privilege.
|
|||||