Total
34410 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-25172 | 1 Discourse | 1 Discourse | 2025-02-25 | 4.4 Medium |
| Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse. | ||||
| CVE-2023-27592 | 1 Miniflux Project | 1 Miniflux | 2025-02-25 | 4.8 Medium |
| Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is returned unescaped without the expected Content Security Policy header added to valid responses. By creating an RSS feed item with the inline description containing an `<img>` tag with a `srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. This results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. by a message in the alt text) to open the broken image. An attacker can execute arbitrary JavaScript in the context of a victim Miniflux user when they open a broken image in a crafted RSS feed. This can be used to perform actions on the Miniflux instance as that user and gain administrative access to the Miniflux instance if it is reachable and the victim is an administrator. A patch is available in version 2.0.43. As a workaround sisable image proxy; default value is `http-only`. | ||||
| CVE-2023-28429 | 1 Pimcore | 1 Pimcore | 2025-02-25 | 6.1 Medium |
| Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in DataObject class definition. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 10.5.19 or, as a workaround, apply the patch manually. | ||||
| CVE-2025-27145 | 2025-02-25 | 3.6 Low | ||
| copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes). Note that, as a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in `<script>` tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened. Version 1.16.15 contains a fix. | ||||
| CVE-2024-13749 | 1 Era404 | 1 Stafflist | 2025-02-25 | 6.1 Medium |
| The StaffList plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing or incorrect nonce validation on the 'stafflist' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-13701 | 1 Stklcode | 1 Liveticker | 2025-02-25 | 6.4 Medium |
| The Liveticker (by stklcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'liveticker' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-13735 | 1 Hurrytimer | 1 Hurrytimer | 2025-02-25 | 6.4 Medium |
| The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.11.2 due to insufficient input sanitization and output escaping of a campaign name. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-1406 | 1 Imamura | 1 Newpost Catch | 2025-02-25 | 6.4 Medium |
| The Newpost Catch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's npc shortcode in all versions up to, and including, 1.3.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-1407 | 1 Amothemo | 1 Amo Team Showcase | 2025-02-25 | 6.4 Medium |
| The AMO Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's amoteam_skills shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-1410 | 1 Jonathanjernigan | 1 Pie Calendar | 2025-02-25 | 6.4 Medium |
| The Events Calendar Made Simple – Pie Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's piecal shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-12452 | 1 Oliverfriedmann | 1 Ziggeo | 2025-02-25 | 6.4 Medium |
| The Ziggeo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ziggeo_event' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-13461 | 1 Patternsinthecloud | 1 Autoship Cloud | 2025-02-25 | 6.4 Medium |
| The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'autoship-create-scheduled-order-action' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-13648 | 1 Icopydoc | 1 Maps For Wp | 2025-02-25 | 6.4 Medium |
| The Maps for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'MapOnePoint' shortcode in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-13455 | 1 Igumbi | 1 Igumbi | 2025-02-25 | 6.4 Medium |
| The igumbi Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'igumbi_calendar' shortcode in all versions up to, and including, 1.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-37580 | 1 Zimbra | 1 Zimbra | 2025-02-25 | 6.1 Medium |
| Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client. | ||||
| CVE-2025-26530 | 2025-02-24 | 8.3 High | ||
| The question bank filter required additional sanitizing to prevent a reflected XSS risk. | ||||
| CVE-2025-26529 | 2025-02-24 | 8.3 High | ||
| Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk. | ||||
| CVE-2025-26528 | 2025-02-24 | 3.4 Low | ||
| The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk. | ||||
| CVE-2024-10222 | 1 Benbodhi | 1 Svg Support | 2025-02-24 | 6.4 Medium |
| The SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. By default, this can only be exploited by administrators, but the ability to upload SVG files can be extended to authors. | ||||
| CVE-2024-6485 | 2 Getbootstrap, Redhat | 2 Bootstrap, Discovery | 2025-02-24 | 6.4 Medium |
| A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered. | ||||