Total: 34046 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-29099 | 1 Evergreencontentposter | 1 Evergreen Content Poster | 2025-02-27 | 7.1 High | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Evergreen Content Poster allows Reflected XSS. This issue affects Evergreen Content Poster: from n/a through 1.4.1.
CVE-2024-29127 | 1 Vasyltech | 1 Advanced Access Manager | 2025-02-27 | 7.1 High | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager allows Reflected XSS. This issue affects Advanced Access Manager: from n/a through 6.9.20.
CVE-2024-2247 | 1 Jfrog | 1 Artifactory | 2025-02-27 | 8.8 High | JFrog Artifactory versions below 7.77.7, 7.82.1, are vulnerable to DOM-based cross-site scripting due to improper handling of the import override mechanism.
CVE-2025-23366 | 1 Redhat | 3 Jboss Data Grid, Jboss Enterprise Application Platform, Jbosseapxp | 2025-02-27 | 6.5 Medium | A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.
CVE-2024-12463 | 1 Arena.im | 1 Arena.im | 2025-02-27 | 6.4 Medium | The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arena_embed_amp' shortcode in all versions up to, and including, 0.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-34192 | 1 Zimbra | 1 Collaboration | 2025-02-27 | 9.0 Critical | Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
CVE-2023-5354 | 1 Getawesomesupport | 1 Awesome Support | 2025-02-26 | 6.1 Medium | The Awesome Support WordPress plugin before 6.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2023-5228 | 1 Wpeverest | 1 User Registration | 2025-02-26 | 4.8 Medium | The User Registration WordPress plugin before 3.0.4.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2023-5181 | 1 Sarveshmrao | 1 Wp Discord Invite | 2025-02-26 | 4.8 Medium | The WP Discord Invite WordPress plugin before 2.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2023-4858 | 1 Topcode | 1 Simple Table Manager | 2025-02-26 | 4.8 Medium | The Simple Table Manager WordPress plugin through 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2023-4810 | 1 Wpdarko | 1 Responsive Pricing Table | 2025-02-26 | 4.8 Medium | The Responsive Pricing Table WordPress plugin before 5.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2023-1395 | 1 Yoga Class Registration System Project | 1 Yoga Class Registration System | 2025-02-26 | 3.5 Low | A vulnerability was found in SourceCodester Yoga Class Registration System 1.0. It has been declared as problematic. This vulnerability affects the function query of the file admin/user/list.php. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222982 is the identifier assigned to this vulnerability.
CVE-2022-43874 | 1 Ibm | 1 App Connect Enterprise Certified Container | 2025-02-26 | 6.1 Medium | IBM App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2, 6.0, 6.1, 6.2, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 239963.
CVE-2023-1429 | 1 Pimcore | 1 Pimcore | 2025-02-26 | 5.4 Medium | Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19.
CVE-2023-29623 | 1 Purchase Order Management Project | 1 Purchase Order Management | 2025-02-26 | 6.1 Medium | Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the password parameter at /purchase_order/classes/login.php.
CVE-2023-28607 | 1 Misp-project | 1 Malware Information Sharing Platform | 2025-02-26 | 6.1 Medium | js/event-graph.js in MISP before 2.4.169 allows XSS via the event-graph relationship tooltip.
CVE-2023-1025 | 1 Simplefilelist | 1 Simple File List | 2025-02-26 | 4.8 Medium | The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-35225 | 2 Jupyter, Jupyterhub | 2 Jupyter Server Proxy, Jupyter Server Proxy | 2025-02-26 | 9.7 Critical | Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them. Versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 have a reflected cross-site scripting (XSS) issue. The `/proxy` endpoint accepts a `host` path segment in the format `/proxy/<host>`. When this endpoint is called with an invalid `host` value, `jupyter-server-proxy` replies with a response that includes the value of `host`, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalid `host` value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of `GET /proxy/<host>`, which runs the custom JavaScript contained in `host` set by the actor. As any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user's JupyterLab instance for an actor. Patches are included in versions 4.2.0 and 3.2.4. As a workaround, server operators who are unable to upgrade can disable the `jupyter-server-proxy` extension.
CVE-2024-34791 | 1 Wpbean | 1 Wpb Elementor Addons | 2025-02-26 | 6.5 Medium | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpbean WPB Elementor Addons allows Stored XSS. This issue affects WPB Elementor Addons: from n/a through 1.0.9.
CVE-2023-27059 | 1 Churchcrm | 1 Churchcrm | 2025-02-26 | 7.8 High | A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Group Name text field.
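The CVE-2024-35225 entry above describes the classic reflected-XSS shape: an endpoint rejects an invalid path segment and echoes the rejected value into an HTML error page. The following is an added example, not code from jupyter-server-proxy or the Jupyter project, that models a `/proxy/<host>` handler both ways: `vulnerable_error_page` interpolates the raw segment, `hardened_error_page` HTML-escapes it, and `host_is_valid` applies an allowlist (plain hostname or IPv4 literal with an optional port) so that markup never reaches the proxy path at all. The host policy, helper names and the test payload are assumptions for illustration.

```python
"""Reflected XSS through an echoed path segment, modelled on the CVE-2024-35225
description: a /proxy/<host> handler rejects an invalid host and echoes the
rejected value in its error page. Added example, not jupyter-server-proxy's
own code; the host policy and helper names are assumptions."""
import html
import re
from urllib.parse import quote, unquote

# Assumed allowlist: RFC 1123 hostname labels (digits cover IPv4 literals),
# with an optional :port. Anything containing '<', '"', spaces etc. fails.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*"
    r"(?::(?P<port>\d{1,5}))?$",
    re.IGNORECASE,
)


def host_is_valid(host: str) -> bool:
    """Accept only hostname[:port]; a 260-char cap covers 253 + ':65535'."""
    m = _HOST_RE.match(host)
    if m is None or len(host) > 260:
        return False
    port = m.group("port")
    return port is None or 1 <= int(port) <= 65535


def vulnerable_error_page(host: str) -> tuple:
    """The bug pattern: the rejected segment is interpolated into HTML unescaped."""
    return 400, f"<html><body><h1>Invalid host: {host}</h1></body></html>"


def hardened_error_page(host: str) -> tuple:
    """Fix: HTML-escape (and truncate) the reflected value before it hits the page."""
    shown = html.escape(host[:64], quote=True)
    return 400, f"<html><body><h1>Invalid host: {shown}</h1></body></html>"


def handle_proxy(path: str, hardened: bool) -> tuple:
    """Dispatch GET /proxy/<host>[/rest] the way a minimal handler would.

    Returns (status, body). Only the first segment after /proxy/ is the host.
    It is split off before percent-decoding, so an encoded slash ends up inside
    the host value (where the allowlist rejects it) instead of being
    reinterpreted as a path separator.
    """
    prefix = "/proxy/"
    if not path.startswith(prefix):
        return 404, "not found"
    segment = unquote(path[len(prefix):].split("/", 1)[0])
    if host_is_valid(segment):
        return 200, f"would proxy to {segment}"
    render = hardened_error_page if hardened else vulnerable_error_page
    return render(segment)


def attack_url(payload: str) -> str:
    """Build the phishing link an attacker would send: the payload is the host segment."""
    return "/proxy/" + quote(payload, safe="")


def payload_reflected(body: str, payload: str) -> bool:
    """True if the payload survives verbatim in the response, i.e. would execute."""
    return payload in body


# Constructed test payload; nothing here touches the network.
PAYLOAD = "<img src=x onerror=alert(document.domain)>"

if __name__ == "__main__":
    for hardened in (False, True):
        status, body = handle_proxy(attack_url(PAYLOAD), hardened=hardened)
        print(f"hardened={hardened} status={status} "
              f"reflected={payload_reflected(body, PAYLOAD)}")
```

Run stand-alone, the script shows the payload reflected verbatim by the vulnerable branch and neutralised (`&lt;img ...&gt;`) by the hardened one. The two fixes are complementary: the allowlist keeps attacker-controlled markup out of the proxy path, and escaping at the output sink protects the error page even if the allowlist is later loosened. Serving such errors with a `text/plain` content type, or not echoing the rejected value at all, closes the remaining gap; the upgrade-or-disable guidance in the entry itself still applies.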