Total
34649 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-0548 | 1 Kibokolabs | 1 Namaste! Lms | 2025-03-10 | N/A | 4.8 MEDIUM |
The Namaste! LMS WordPress plugin before 2.5.9.4 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
CVE-2024-54001 | 1 Kanboard | 1 Kanboard | 2025-03-10 | N/A | 5.5 MEDIUM |
Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields application_language, application_date_format, application_timezone and application_time_format allow arbitrary user input which is reflected. The vulnerability can become XSS if the user input is JavaScript code that bypasses CSP. This vulnerability is fixed in 1.2.41. | |||||
CVE-2024-49281 | 1 Ninjateam | 1 Click To Chat | 2025-03-10 | N/A | 5.4 MEDIUM |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in NinjaTeam Click to Chat – WP Support All-in-One Floating Widget allows Stored XSS. This issue affects Click to Chat – WP Support All-in-One Floating Widget: from n/a through 2.3.3. | |||||
CVE-2024-43291 | 1 Voidcoders | 1 Void Contact Form 7 Widget For Elementor Page Builder | 2025-03-10 | N/A | 4.8 MEDIUM |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in voidCoders Void Contact Form 7 Widget For Elementor Page Builder allows Stored XSS. This issue affects Void Contact Form 7 Widget For Elementor Page Builder: from n/a through 2.4.1. | |||||
CVE-2023-38536 | 1 Opentext | 1 Exceed Turbox | 2025-03-10 | N/A | 6.1 MEDIUM |
HTML injection in OpenText™ Exceed Turbo X affecting version 12.5.1. The vulnerability could result in Cross site scripting. | |||||
CVE-2024-10716 | 1 Pega | 1 Infinity | 2025-03-10 | N/A | 4.8 MEDIUM |
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search. | |||||
CVE-2025-2124 | | | 2025-03-09 | N/A | 3.5 LOW |
A vulnerability, which was classified as problematic, was found in Control iD RH iD 25.2.25.0. This affects an unknown part of the file /v2/customerdb/person.svc/change_password of the component API Handler. The manipulation of the argument message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2024-12460 | | | 2025-03-08 | N/A | 6.4 MEDIUM |
The Years Since – Timeless Texts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'years-since' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2023-22438 | 1 Ec-cube | 1 Ec-cube | 2025-03-07 | N/A | 5.4 MEDIUM |
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script. | |||||
CVE-2025-0555 | 1 Gitlab | 1 Gitlab | 2025-03-07 | N/A | 6.1 MEDIUM |
A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a user's browser under specific conditions. | |||||
CVE-2022-4901 | 1 Sophos | 1 Connect | 2025-03-07 | N/A | 6.1 MEDIUM |
Multiple stored XSS vulnerabilities in Sophos Connect versions older than 2.2.90 allow JavaScript code to run in the local UI via a malicious VPN configuration that must be manually loaded by the victim. | |||||
CVE-2023-22778 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2025-03-07 | N/A | 4.8 MEDIUM |
A vulnerability in the ArubaOS web management interface could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. | |||||
CVE-2024-0976 | 1 Wp-eventmanager | 1 Wp Event Manager | 2025-03-07 | N/A | N/A |
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the plugin parameter in all versions up to, and including, 3.1.41 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
CVE-2025-26989 | 1 Softdiscover | 1 Zigaform | 2025-03-07 | N/A | 6.1 MEDIUM |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in softdiscover Zigaform – Form Builder Lite allows Stored XSS. This issue affects Zigaform – Form Builder Lite: from n/a through 7.4.2. | |||||
CVE-2025-26994 | 1 Softdiscover | 1 Zigaform | 2025-03-07 | N/A | 6.1 MEDIUM |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in softdiscover Zigaform – Price Calculator & Cost Estimation Form Builder Lite allows Stored XSS. This issue affects Zigaform – Price Calculator & Cost Estimation Form Builder Lite: from n/a through 7.4.2. | |||||
CVE-2025-26984 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2025-03-07 | N/A | 6.1 MEDIUM |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows Reflected XSS. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8. | |||||
CVE-2024-38318 | 1 Ibm | 1 Aspera Shares | 2025-03-07 | N/A | 6.1 MEDIUM |
IBM Aspera Shares 1.9.0 through 1.10.0 PL6 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | |||||
CVE-2021-36398 | 1 Moodle | 1 Moodle | 2025-03-07 | N/A | 5.4 MEDIUM |
In Moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk. | |||||
CVE-2021-36399 | 1 Moodle | 1 Moodle | 2025-03-07 | N/A | 5.4 MEDIUM |
In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk. | |||||
CVE-2023-38333 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-03-07 | N/A | 6.1 MEDIUM |
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. |