Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13116 | 1 Crelly Slider Project | 1 Crelly Slider | 2025-05-13 | N/A | N/A |
| The Crelly Slider WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-23379 | 1 Dell | 1 Storage Manager | 2025-05-13 | N/A | 5.2 MEDIUM |
| Dell Storage Center - Dell Storage Manager, version(s) 21.0.20, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. | |||||
| CVE-2022-2428 | 1 Gitlab | 1 Gitlab | 2025-05-13 | N/A | 7.3 HIGH |
| A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests | |||||
| CVE-2022-43968 | 1 Concretecms | 1 Concrete Cms | 2025-05-13 | N/A | 6.1 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
| CVE-2022-43967 | 1 Concretecms | 1 Concrete Cms | 2025-05-13 | N/A | 6.1 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
| CVE-2022-2527 | 1 Gitlab | 1 Gitlab | 2025-05-13 | N/A | 8.0 HIGH |
| An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2.which allowed an authenticated attacker to inject arbitrary content. A victim interacting with this content could lead to arbitrary requests. | |||||
| CVE-2022-43695 | 1 Concretecms | 1 Concrete Cms | 2025-05-13 | N/A | 4.8 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
| CVE-2024-13124 | 1 10web | 1 Photo Gallery | 2025-05-13 | N/A | N/A |
| The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-51446 | 2025-05-13 | N/A | 6.5 MEDIUM | ||
| A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The file upload feature of the affected application improperly sanitizes xml files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted xml files that are later downloaded and viewed by other users of the application. | |||||
| CVE-2024-13328 | 1 Tanng | 1 Giga Messenger | 2025-05-13 | N/A | N/A |
| The Giga Messenger WordPress plugin through 2.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-13330 | 1 Canaveralstudio | 1 Justrows Free | 2025-05-13 | N/A | N/A |
| The JustRows free WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-13331 | 1 Neoloki | 1 Wp Dream Carousel | 2025-05-13 | N/A | N/A |
| The WP Dream Carousel WordPress plugin through 1.0.1b does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2025-24966 | 1 Yogeshojha | 1 Rengine | 2025-05-13 | N/A | 5.4 MEDIUM |
| reNgine is an automated reconnaissance framework for web applications. HTML Injection occurs when an application improperly validates or sanitizes user inputs, allowing attackers to inject arbitrary HTML code. In this scenario, the vulnerability exists in the "Add Target" functionality of the application, where the Target Organization and Target Description fields accept HTML payloads. The injected HTML is rendered and executed in the target area, potentially leading to malicious actions. Exploitation of HTML Injection can compromise the application's integrity and user trust. Attackers can execute unauthorized actions, steal sensitive information, or trick users into performing harmful actions. The organization's reputation, customer trust, and regulatory compliance could be negatively affected. This issue affects all versions up to and including 2.2.0. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds. | |||||
| CVE-2025-24967 | 1 Yogeshojha | 1 Rengine | 2025-05-13 | N/A | 5.4 MEDIUM |
| reNgine is an automated reconnaissance framework for web applications. A stored cross-site scripting (XSS) vulnerability exists in the admin panel's user management functionality. An attacker can exploit this issue by injecting malicious payloads into the username field during user creation. This vulnerability allows unauthorized script execution whenever the admin views or interacts with the affected user entry, posing a significant risk to sensitive admin functionalities. This issue affects all versions up to and including 2.20. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds. | |||||
| CVE-2024-13226 | 1 Tepelstreel | 1 A5 Custom Login Page | 2025-05-13 | N/A | N/A |
| The A5 Custom Login Page WordPress plugin through 2.8.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2022-42111 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | N/A | 5.4 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload. | |||||
| CVE-2021-29049 | 1 Liferay | 2 Digital Experience Platform, Dxp | 2025-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter. | |||||
| CVE-2021-33328 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter. | |||||
| CVE-2021-29051 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter. | |||||
| CVE-2021-33339 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter. | |||||