Total: 34649 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-46343 | 1 N8n | 1 N8n | 2025-05-09 | N/A | 5.4 MEDIUM | n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restriction on the MIME type of uploaded files, and the MIME type could be controlled via a GET parameter. This allows the server to respond with any MIME type, potentially enabling malicious content to be interpreted and executed by the browser. An authenticated attacker with member-level permissions could exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user visits the binary data endpoint with the MIME type set to text/html, the script executes in the context of the user's session. This script could send a request to change the user's email address in their account settings, effectively enabling account takeover. This issue has been patched in version 1.90.0.
CVE-2023-52059 | 1 Gestsup | 1 Gestsup | 2025-05-09 | N/A | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in Gestsup v3.2.46 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field.
CVE-2022-34870 | 1 Apache | 1 Geode | 2025-05-09 | N/A | 5.4 MEDIUM | Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using the Pulse web application to view Region entries.
CVE-2022-3391 | 1 Retain | 1 Retain Live Chat | 2025-05-09 | N/A | 4.8 MEDIUM | The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-24160 | 1 Mrcms | 1 Mrcms | 2025-05-09 | N/A | 5.4 MEDIUM | MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do.
CVE-2024-13859 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-09 | N/A | 5.4 MEDIUM | The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bp_nouveau_ajax_media_save' function in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.
CVE-2024-13860 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-09 | N/A | 5.4 MEDIUM | The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bbp_topic_title' parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.
CVE-2022-31468 | 1 Open-xchange | 1 Ox App Suite | 2025-05-09 | N/A | 6.1 MEDIUM | OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter.
CVE-2022-23179 | 1 Themehunk | 1 Contact Form & Lead Form Elementor Builder | 2025-05-09 | N/A | 4.8 MEDIUM | The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2024-0239 | 1 Ari-soft | 1 Contact Form 7 Connector | 2025-05-09 | N/A | 6.1 MEDIUM | The Contact Form 7 Connector WordPress plugin before 1.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators.
CVE-2024-3628 | 1 Dwalliance | 1 Easyevent | 2025-05-09 | N/A | N/A | The EasyEvent WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
CVE-2022-43016 | 1 Opencats | 1 Opencats | 2025-05-09 | N/A | 6.1 MEDIUM | OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the callback component.
CVE-2022-43015 | 1 Opencats | 1 Opencats | 2025-05-09 | N/A | 6.1 MEDIUM | OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the entriesPerPage parameter.
CVE-2022-38901 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-09 | N/A | 5.4 MEDIUM | A Cross-site scripting (XSS) vulnerability in the Document and Media module (file upload functionality) in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of an uploaded SVG file.
CVE-2022-43018 | 1 Opencats | 1 Opencats | 2025-05-09 | N/A | 6.1 MEDIUM | OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function.
CVE-2022-43017 | 1 Opencats | 1 Opencats | 2025-05-09 | N/A | 6.1 MEDIUM | OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component.
CVE-2024-2695 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 5.4 MEDIUM | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.13 due to insufficient input sanitization and output escaping on user supplied attributes such as 'borderradius' and 'timestamp'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-0966 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 5.4 MEDIUM | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes like 'info_text'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks the information icon.
CVE-2024-1450 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 5.4 MEDIUM | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'align'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-6500 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 5.4 MEDIUM | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'secondarycolor' and 'maincolor'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.