Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45008 | 1 Online Leave Management System Project | 1 Online Leave Management System | 2025-04-23 | N/A | 4.8 MEDIUM |
| Online Leave Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /leave_system/admin/?page=maintenance/department. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted payload injected into the Name field under the Create New module. | |||||
| CVE-2025-1054 | 2025-04-23 | N/A | 6.4 MEDIUM | ||
| The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-2345 | 1 Ninjateam | 1 Filebird | 2025-04-23 | N/A | 5.4 MEDIUM |
| The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the folder name parameter in all versions up to, and including, 5.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-8488 | 1 Ays-pro | 1 Survey Maker | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Survey fields in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2022-34297 | 1 Yiiframework | 1 Gii | 2025-04-22 | N/A | 5.4 MEDIUM |
| Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field. | |||||
| CVE-2022-44213 | 1 Zkteco | 1 Automatic Data Master Server | 2025-04-22 | N/A | 4.8 MEDIUM |
| ZKTeco Xiamen Information Technology ZKBio ECO ADMS <=3.1-164 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2021-41943 | 1 Logrhythm | 1 Logrhythm | 2025-04-22 | N/A | 6.1 MEDIUM |
| Logrhythm Web Console 7.4.9 allows for HTML tag injection through Contextualize Action -> Create a new Contextualize Action -> Inject your HTML tag in the name field. | |||||
| CVE-2022-44031 | 1 Redmine | 1 Redmine | 2025-04-22 | N/A | 6.1 MEDIUM |
| Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization of the blockquote syntax in Textile-formatted fields. | |||||
| CVE-2023-5211 | 1 Fattura24 | 1 Fattura24 | 2025-04-22 | N/A | 6.1 MEDIUM |
| The Fattura24 WordPress plugin before 6.2.8 does not sanitize or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting vulnerability. | |||||
| CVE-2023-5238 | 1 Metagauss | 1 Eventprime | 2025-04-22 | N/A | 6.1 MEDIUM |
| The EventPrime WordPress plugin before 3.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to an HTML Injection on the plugin in the search area of the website. | |||||
| CVE-2022-45756 | 1 Sens Project | 1 Sens | 2025-04-22 | N/A | 6.1 MEDIUM |
| SENS v1.0 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2023-5307 | 1 Contest-gallery | 1 Contest Gallery | 2025-04-22 | N/A | 6.1 MEDIUM |
| The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers. | |||||
| CVE-2022-46906 | 1 Websoft | 1 Websoft Hcm | 2025-04-22 | N/A | 5.4 MEDIUM |
| Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS. | |||||
| CVE-2023-5237 | 1 Strangerstudios | 1 Memberlite Shortcodes | 2025-04-22 | N/A | 5.4 MEDIUM |
| The Memberlite Shortcodes WordPress plugin before 1.3.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. | |||||
| CVE-2022-45970 | 1 Alist Project | 1 Alist | 2025-04-22 | N/A | 5.4 MEDIUM |
| Alist v3.5.1 is vulnerable to Cross Site Scripting (XSS) via the bulletin board. | |||||
| CVE-2022-46904 | 1 Websoft | 1 Websoft Hcm | 2025-04-22 | N/A | 5.4 MEDIUM |
| Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Self-XSS. | |||||
| CVE-2022-46903 | 1 Websoft | 1 Websoft Hcm | 2025-04-22 | N/A | 5.4 MEDIUM |
| Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Stored XSS. | |||||
| CVE-2025-32961 | 2025-04-22 | N/A | N/A | ||
| The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 1.1.1. A workaround is provided on the Jmix documentation website. | |||||
| CVE-2025-32960 | 2025-04-22 | N/A | N/A | ||
| The CUBA REST API add-on performs operations on data and entities. Prior to version 7.2.7, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 7.2.7. A workaround is provided on the Jmix documentation website. | |||||
| CVE-2022-46905 | 1 Websoft | 1 Websoft Hcm | 2025-04-22 | N/A | 6.1 MEDIUM |
| Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an unauthenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS. | |||||