Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-7035 | 1 Davidlingren | 1 Media Library Assistant | 2025-07-23 | N/A | 5.4 MEDIUM |
| The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mla_tag_cloud and mla_term_list shortcodes in all versions up to, and including, 3.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-7840 | 1 Campcodes | 1 Online Movie Theater Seat Reservation System | 2025-07-23 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Campcodes Online Movie Theater Seat Reservation System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=reserve of the component Reserve Your Seat Page. The manipulation of the argument Firstname/Lastname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-22855 | 1 Fortinet | 1 Forticlientems | 2025-07-23 | N/A | 4.8 MEDIUM |
| An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Fortinet FortiClient before 7.4.1 may allow the EMS administrator to send messages containing javascript code. | |||||
| CVE-2019-16151 | 1 Fortinet | 1 Fortios | 2025-07-23 | N/A | 6.1 MEDIUM |
| An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS 6.4.1 and below, 6.2.9 and below may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context. This happens when the FortiGate has web filtering and category override enabled/configured. | |||||
| CVE-2025-20123 | 1 Cisco | 1 Crosswork Network Controller | 2025-07-23 | N/A | 4.8 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users of the interface of an affected system. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by inserting malicious data into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. | |||||
| CVE-2021-1130 | 1 Cisco | 1 Catalyst Center | 2025-07-23 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco DNA Center software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need to have administrative credentials on the affected device. | |||||
| CVE-2020-3466 | 1 Cisco | 1 Catalyst Center | 2025-07-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco DNA Center software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerabilities exist because the web-based management interface on an affected device does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-15253 | 1 Cisco | 1 Catalyst Center | 2025-07-23 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs administrator credentials. This vulnerability affects Cisco DNA Center Software releases earlier than 1.3.0.6 and 1.3.1.4. | |||||
| CVE-2019-1707 | 1 Cisco | 1 Catalyst Center | 2025-07-23 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco DNA Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco DNA Center versions prior to 1.2.5 are affected. | |||||
| CVE-2025-6261 | 2025-07-23 | N/A | 6.4 MEDIUM | ||
| The Fleetwire Fleet Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fleetwire_list shortcode in all versions up to, and including, 1.0.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5753 | 2025-07-23 | N/A | 6.4 MEDIUM | ||
| The Valuation Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-41425 | 2025-07-22 | N/A | N/A | ||
| DuraComm SPM-500 DP-10iN-100-MU is vulnerable to a cross-site scripting attack. This could allow an attacker to prevent legitimate users from accessing the web interface. | |||||
| CVE-2025-46959 | 1 Adobe | 1 Experience Manager | 2025-07-22 | N/A | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. A low privileged attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page. | |||||
| CVE-2025-47053 | 1 Adobe | 1 Experience Manager | 2025-07-22 | N/A | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. A low privileged attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page. | |||||
| CVE-2023-37933 | 1 Fortinet | 1 Fortiadc | 2025-07-22 | N/A | 6.1 MEDIUM |
| An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC GUI version 7.4.0, 7.2.0 through 7.2.1 and before 7.1.3 allows an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPs requests. | |||||
| CVE-2024-27781 | 1 Fortinet | 1 Fortisandbox | 2025-07-22 | N/A | 9.0 CRITICAL |
| An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox at least versions 4.4.0 through 4.4.4 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
| CVE-2025-20273 | 1 Cisco | 1 Unified Intelligent Contact Management Enterprise | 2025-07-22 | N/A | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Intelligent Contact Management Enterprise could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2025-8015 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded image's 'Title' and 'Slide link' fields in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-2699 | 1 Getme | 1 Contenttools | 2025-07-22 | N/A | 5.4 MEDIUM |
| A vulnerability was found in GetmeUK ContentTools up to 1.6.16. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Image Handler. The manipulation of the argument onload leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-4294 | 2025-07-22 | N/A | 4.8 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HotelRunner B2B allows Cross-Site Scripting (XSS).This issue affects B2B: before 04.06.2025. | |||||