Total
34410 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-40510 | 1 Openpetra | 1 Openpetra | 2025-03-14 | 8.2 High |
| Cross Site Scripting vulnerability in openPetra v.2023.02 allows a remote attacker to obtain sensitive information via the serverMCommon.asmx function. | ||||
| CVE-2024-40605 | 1 Mediawiki | 1 Mediawiki | 2025-03-14 | 4.8 Medium |
| An issue was discovered in the Foreground skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. | ||||
| CVE-2022-4784 | 1 Presscustomizr | 1 Hueman Addons | 2025-03-14 | 5.4 Medium |
| The Hueman Addons WordPress plugin through 2.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2025-2166 | 2025-03-14 | 6.1 Medium | ||
| The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-1559 | 2025-03-14 | 6.4 Medium | ||
| The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-26626 | 2025-03-14 | 6.5 Medium | ||
| The GLPI Inventory Plugin handles various types of tasks for GLPI agents for the GLPI asset and IT management software package. Versions prior to 1.5.0 are vulnerable to reflective cross-site scripting, which may lead to executing javascript code. Version 1.5.0 fixes the issue. | ||||
| CVE-2024-26278 | 1 Joomla | 1 Joomla\! | 2025-03-14 | 4.6 Medium |
| The Custom Fields component not correctly filter inputs, leading to a XSS vector. | ||||
| CVE-2024-21731 | 1 Joomla | 1 Joomla\! | 2025-03-14 | 6.1 Medium |
| Improper handling of input could lead to an XSS vector in the StringHelper::truncate method. | ||||
| CVE-2024-25973 | 1 Frentix | 1 Openolat | 2025-03-14 | 5.4 Medium |
| The Frentix GmbH OpenOlat LMS is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities. An attacker with rights to create or edit groups can create a course with a name that contains an XSS payload. Furthermore, attackers with the permissions to create or rename a catalog (sub-category) can enter unfiltered input in the name field. In addition, attackers who are allowed to create curriculums can also enter unfiltered input in the name field. This allows an attacker to execute stored JavaScript code with the permissions of the victim in the context of the user's browser. | ||||
| CVE-2024-2301 | 2025-03-14 | 7.6 High | ||
| Certain HP LaserJet Pro devices are potentially vulnerable to a Cross-Site Scripting (XSS) attack via the web management interface of the device. | ||||
| CVE-2024-4005 | 1 Labschool | 1 Social Pixel | 2025-03-13 | 5.4 Medium |
| The Social Pixel WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-22718 | 2025-03-13 | 9.6 Critical | ||
| Cross Site Scripting (XSS) vulnerability in Form Tools 3.1.1 allows attackers to run arbitrary code via the client_id parameter in the application URL. | ||||
| CVE-2024-8035 | 2 Google, Microsoft | 2 Chrome, Windows | 2025-03-13 | 4.3 Medium |
| Inappropriate implementation in Extensions in Google Chrome on Windows prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2024-45621 | 1 Rocket.chat | 1 Rocket.chat | 2025-03-13 | 5.4 Medium |
| The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents. | ||||
| CVE-2024-33533 | 1 Zimbra | 1 Collaboration | 2025-03-13 | 5.4 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file and crafting a URL containing its location in the packages parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed. | ||||
| CVE-2024-35768 | 1 Livecomposerplugin | 1 Live-composer-page-builder | 2025-03-13 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.42. | ||||
| CVE-2024-41358 | 1 Phpipam | 1 Phpipam | 2025-03-13 | 6.1 Medium |
| phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\import-export\import-load-data.php. | ||||
| CVE-2024-3800 | 1 Conceptintermedia | 1 S\@m Cms | 2025-03-13 | 6.1 Medium |
| Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to Reflected XSS via including scripts in requested file names. Only a part of observed services is vulnerable, but since vendor has not investigated the root problem, it is hard to determine when the issue appears. | ||||
| CVE-2024-21188 | 1 Oracle | 1 Financial Services Revenue Management And Billing | 2025-03-13 | 6.1 Medium |
| Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: Chatbot). Supported versions that are affected are 6.0.0.0.0 and 6.1.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Revenue Management and Billing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Revenue Management and Billing accessible data as well as unauthorized read access to a subset of Oracle Financial Services Revenue Management and Billing accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | ||||
| CVE-2023-0540 | 1 Gsplugins | 1 Gs Filterable Portfolio | 2025-03-13 | 5.4 Medium |
| The GS Filterable Portfolio WordPress plugin before 1.6.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||