Total: 34649 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-25898 | 1 Churchcrm | 1 Churchcrm | 2025-03-28 | N/A | 6.1 MEDIUM | An XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, edit your event, where malicious JS or HTML code can be inserted in the Event Sermon field in EventEditor.php.
CVE-2022-48012 | 1 Opencats | 1 Opencats | 2025-03-28 | N/A | 6.1 MEDIUM | Opencats v0.9.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /opencats/index.php?m=settings&a=ajax_tags_upd.
CVE-2024-12983 | 1 Fabianros | 1 Hospital Management System | 2025-03-28 | N/A | 5.2 MEDIUM | A vulnerability classified as problematic has been found in code-projects Hospital Management System 1.0. This affects an unknown part of the file /hospital/hms/admin/manage-doctors.php of the component Edit Doctor Details Page. The manipulation of the argument Doctor Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
CVE-2024-1588 | 1 Pressified | 1 Sendpress | 2025-03-28 | N/A | N/A | The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2022-45179 | 1 Liveboxcloud | 1 Vdesk | 2025-03-28 | N/A | 5.4 MEDIUM | An issue was discovered in LIVEBOX Collaboration vDesk through v031. A basic XSS vulnerability exists under the /api/v1/vdeskintegration/todo/createorupdate endpoint via the title parameter and /dashboard/reminders. A remote user (authenticated to the product) can store arbitrary HTML code in the reminder section title in order to corrupt the web page (for example, by creating phishing sections to exfiltrate victims' credentials).
CVE-2022-46968 | 1 Revenue Collection System Project | 1 Revenue Collection System | 2025-03-28 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in /index.php?page=help of Revenue Collection System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into sent messages.
CVE-2022-46087 | 1 Cloudschool Project | 1 Cloudschool | 2025-03-28 | N/A | 5.4 MEDIUM | CloudSchool v3.0.1 is vulnerable to Cross Site Scripting (XSS). A normal user can steal session cookies of the admin users through a notification received by the admin user.
CVE-2023-24065 | 1 Nosh Chartingsystem Project | 1 Nosh Chartingsystem | 2025-03-28 | N/A | 5.4 MEDIUM | NOSH 4a5cfdb allows stored XSS via the create user page. For example, a first name (of a physician, assistant, or billing user) can have a JavaScript payload that is executed upon visiting the /users/2/1 page. This may allow attackers to steal Protected Health Information because the product is for health charting.
CVE-2022-48118 | 1 Jorani | 1 Jorani | 2025-03-28 | N/A | 6.1 MEDIUM | Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Acronym parameter.
CVE-2023-22333 | 1 Mubag | 1 Easymail | 2025-03-28 | N/A | 6.1 MEDIUM | Cross-site scripting vulnerability in EasyMail 2.00.130 and earlier allows a remote unauthenticated attacker to inject an arbitrary script.
CVE-2025-2164 | 1 Pixelstats | 1 Pixelstats | 2025-03-28 | N/A | 6.1 MEDIUM | The pixelstats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' and 'sortby' parameters in all versions up to, and including, 0.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-13497 | 1 Tripetto | 1 Tripetto | 2025-03-28 | N/A | 6.1 MEDIUM | The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file.
CVE-2025-1773 | 1 Shinecommerce | 1 Traveler | 2025-03-28 | N/A | 6.1 MEDIUM | The Traveler theme for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2025-0281 | 1 Lunary | 1 Lunary | 2025-03-28 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can inject malicious JavaScript into the SAML IdP XML metadata, which is used to generate the SAML login redirect URL. This URL is then set as the value of `window.location.href` without proper validation or sanitization. This vulnerability allows the attacker to execute arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions. The issue is fixed in version 1.7.10.
CVE-2025-20205 | 1 Cisco | 1 Identity Services Engine | 2025-03-28 | N/A | 4.8 MEDIUM | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.
CVE-2025-20204 | 1 Cisco | 1 Identity Services Engine | 2025-03-28 | N/A | 4.8 MEDIUM | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.
CVE-2025-26874 | | | 2025-03-27 | N/A | N/A | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MemberSpace allows Reflected XSS. This issue affects MemberSpace: from n/a through 2.1.13.
CVE-2024-21724 | 1 Joomla | 1 Joomla! | 2025-03-27 | N/A | 6.1 MEDIUM | Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.
CVE-2024-29419 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-03-27 | N/A | 5.4 MEDIUM | There is a Cross-site scripting (XSS) vulnerability in the Wireless settings under the Easy Setup Page of TOTOLINK X2000R before v1.0.0-B20231213.1013.
CVE-2022-4793 | 1 Solwininfotech | 1 Blog Designer | 2025-03-27 | N/A | 5.4 MEDIUM | The Blog Designer WordPress plugin before 2.4.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.