Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-25831 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
| There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. | |||||
| CVE-2023-25830 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
| There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and before which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. | |||||
| CVE-2022-45122 | 1 Sixapart | 1 Movable Type | 2025-04-23 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier allows a remote unauthenticated attacker to inject an arbitrary script. | |||||
| CVE-2022-45217 | 1 Book Store Management System Project | 1 Book Store Management System | 2025-04-23 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Book Store Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Level parameter under the Add New System User module. | |||||
| CVE-2024-55093 | 1 Phpipam | 1 Phpipam | 2025-04-23 | N/A | 4.7 MEDIUM |
| phpIPAM through 1.7.3 has a reflected Cross-Site Scripting (XSS) vulnerability in the install scripts. | |||||
| CVE-2022-45916 | 1 Ilias | 1 Ilias | 2025-04-23 | N/A | 5.4 MEDIUM |
| ILIAS before 7.16 allows XSS. | |||||
| CVE-2025-3788 | 1 Jsite | 1 Jsite | 2025-04-23 | N/A | 5.4 MEDIUM |
| A vulnerability was found in baseweb JSite 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /a/sys/user/save. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-45799 | 1 Rathena | 1 Fluxcp | 2025-04-23 | N/A | 6.1 MEDIUM |
| FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a result all logged in to fluxcp users can have their session info stolen. This issue has been addressed in release version 1.3. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-4765 | 1 Pwrplugins | 1 Portfolio For Elementor | 2025-04-23 | N/A | 5.4 MEDIUM |
| The Portfolio for Elementor WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | |||||
| CVE-2024-28199 | 1 Phlex | 1 Phlex | 2025-04-23 | N/A | 6.1 MEDIUM |
| phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`. | |||||
| CVE-2024-1720 | 1 Wpeverest | 1 User Registration \& Membership | 2025-04-23 | N/A | 6.1 MEDIUM |
| The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution. | |||||
| CVE-2022-43369 | 1 Phpgurukul | 1 Auto\/taxi Stand Management System | 2025-04-23 | N/A | 6.1 MEDIUM |
| AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php. | |||||
| CVE-2023-4390 | 1 Ays-pro | 1 Popup Box | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-4823 | 1 Prasadkirpekar | 1 Wp Meta And Date Remover | 2025-04-23 | N/A | 5.4 MEDIUM |
| The WP Meta and Date Remover WordPress plugin before 2.2.0 provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site Scripting. | |||||
| CVE-2023-5243 | 1 Login Screen Manager Project | 1 Login Screen Manager | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Login Screen Manager WordPress plugin through 3.5.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-5229 | 1 E2pdf | 1 E2pdf | 2025-04-23 | N/A | 4.8 MEDIUM |
| The E2Pdf WordPress plugin before 1.20.20 does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2023-3245 | 1 Premio | 1 Chaty | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-37519 | 1 Hcltech | 1 Bigfix Platform | 2025-04-23 | N/A | 6.1 MEDIUM |
| Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. This XSS vulnerability is in the Download Status Report, which is served by the BigFix Server. | |||||
| CVE-2020-36656 | 1 Brainstormforce | 1 Spectra | 2025-04-23 | N/A | 5.4 MEDIUM |
| The Spectra WordPress plugin before 1.15.0 does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks. | |||||
| CVE-2022-37406 | 1 Ricoh | 2 Aficio Sp 4210n, Aficio Sp 4210n Firmware | 2025-04-23 | N/A | 4.8 MEDIUM |
| Cross-site scripting vulnerability in Aficio SP 4210N firmware versions prior to Web Support 1.05 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script. | |||||