Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41435 | 1 Openwrt | 1 Luci | 2025-05-05 | N/A | 5.4 MEDIUM |
| OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments. | |||||
| CVE-2022-42746 | 1 Auieo | 1 Candidats | 2025-05-05 | N/A | 6.1 MEDIUM |
| CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. | |||||
| CVE-2022-30615 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-05 | N/A | 5.4 MEDIUM |
| "IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592. | |||||
| CVE-2022-42753 | 1 Salonerp Project | 1 Salonerp | 2025-05-05 | N/A | 6.1 MEDIUM |
| SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks. | |||||
| CVE-2022-42750 | 1 Auieo | 1 Candidats | 2025-05-05 | N/A | 8.8 HIGH |
| CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user. | |||||
| CVE-2022-43372 | 1 Emlog | 1 Emlog | 2025-05-05 | N/A | 4.8 MEDIUM |
| Emlog Pro v1.7.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability at /admin/store.php. | |||||
| CVE-2025-4257 | 2025-05-05 | N/A | 3.5 LOW | ||
| A vulnerability, which was classified as problematic, has been found in SeaCMS 13.2. This issue affects some unknown processing of the file /admin_pay.php. The manipulation of the argument cstatus leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3815 | 2025-05-03 | N/A | 6.4 MEDIUM | ||
| The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.12.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-4170 | 2025-05-03 | N/A | 6.4 MEDIUM | ||
| The Xavin's Review Ratings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xrr' shortcode in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-4172 | 2025-05-03 | N/A | 6.4 MEDIUM | ||
| The VerticalResponse Newsletter Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'verticalresponse' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-3779 | 2025-05-03 | N/A | 6.4 MEDIUM | ||
| The Personizely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘widgetId’ parameter in all versions up to, and including, 0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2022-43982 | 1 Apache | 1 Airflow | 2025-05-02 | N/A | 6.1 MEDIUM |
| In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | |||||
| CVE-2022-35642 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-02 | N/A | 5.4 MEDIUM |
| "IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592." | |||||
| CVE-2022-40840 | 1 Ndk-design | 1 Ndkadvancedcustomizationfields | 2025-05-02 | N/A | 6.1 MEDIUM |
| ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Cross Site Scripting (XSS) via createPdf.php. | |||||
| CVE-2021-46846 | 2 Hp, Hpe | 45 3par Service Processor, Apollo R2000 Chassis, Integrated Lights-out 5 Firmware and 42 more | 2025-05-02 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Hewlett Packard Enterprise Integrated Lights-Out 5. | |||||
| CVE-2022-44724 | 1 Stiltsoft | 1 Handy Macros For Confluence | 2025-05-02 | N/A | 5.4 MEDIUM |
| The Handy Tip macro in Stiltsoft Handy Macros for Confluence Server/Data Center 3.x before 3.5.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2022-2904 | 1 Gitlab | 1 Gitlab | 2025-05-02 | N/A | 5.4 MEDIUM |
| A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 It was possible to exploit a vulnerability in the external status checks feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. | |||||
| CVE-2022-3721 | 1 Froxlor | 1 Froxlor | 2025-05-02 | N/A | 4.6 MEDIUM |
| Code Injection in GitHub repository froxlor/froxlor prior to 0.10.39. | |||||
| CVE-2021-39473 | 1 Hotelmanager Project | 1 Hotelmanager | 2025-05-02 | N/A | 5.4 MEDIUM |
| Saibamen HotelManager v1.2 is vulnerable to Cross Site Scripting (XSS) due to improper sanitization of comment and contact fields. | |||||
| CVE-2025-4100 | 2025-05-02 | N/A | 6.4 MEDIUM | ||
| The Nautic Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'np_marinetraffic_map' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||