Search Results (47251 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2014-4635 1 Emc 1 Documentum Wdk 2025-04-12 N/A
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum Web Development Kit (WDK) before 6.8 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-1475 1 Mylittleforum 1 My Little Forum 2025-04-12 N/A
Multiple cross-site scripting (XSS) vulnerabilities in my little forum 2.3.3, 2.2, and 1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) page or (2) category parameter to forum.php or the (3) page or (4) order parameter to (a) board_entry.php or (b) forum_entry.php.
CVE-2016-0927 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-0926 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.32 and 1.7.x before 1.7.8 allows remote attackers to inject arbitrary web script or HTML via unspecified input that improperly interacts with the AngularJS framework.
CVE-2014-4645 1 Dlink 1 Dsl-2760u-e1 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in dhcpinfo.html in D-link DSL-2760U-E1 allows remote attackers to inject arbitrary web script or HTML via a hostname.
CVE-2015-1512 1 Fancyfon 1 Famoc 2025-04-12 N/A
Multiple cross-site scripting (XSS) vulnerabilities in FancyFon FAMOC before 3.17.4 allow remote attackers to inject arbitrary web script or HTML via the (1) LoginForm[username] to ui/system/login or the (2) order or (3) myorgs to index.php.
CVE-2015-6920 1 Sourceafrica Project 1 Sourceafrica 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in js/window.php in the sourceAFRICA plugin 0.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.
CVE-2015-4210 1 Cisco 1 Webex Meeting Center 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in Cisco WebEx Meeting Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCur03806.
CVE-2014-4664 1 Wordfence Security Project 1 Wordfence Security 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the whoisval parameter on the WordfenceWhois page to wp-admin/admin.php.
CVE-2015-6466 1 Moxa 4 Eds-405a, Eds-405a Firmware, Eds-408a and 1 more 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in the Diagnosis Ping feature in the administrative web interface on Moxa EDS-405A and EDS-408A switches with firmware before 3.6 allows remote attackers to inject arbitrary web script or HTML via an unspecified field.
CVE-2014-9182 1 Anchorcms 1 Anchor Cms 2025-04-12 N/A
models/comment.php in Anchor CMS 0.9.2 and earlier allows remote attackers to inject arbitrary headers into mail messages via a crafted Host: header.
CVE-2015-2349 1 Superwebmailer 1 Superwebmailer 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in defaultnewsletter.php in SuperWebMailer 5.60.0.01190 and earlier allows remote attackers to inject arbitrary web script or HTML via the HTMLForm parameter.
CVE-2013-7064 1 Freelance-it-consultant 1 Eu Cookie Compliance 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in the EU Cookie Compliance module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated administrators with the "Administer EU Cookie Compliance popup" permission to inject arbitrary web script or HTML via unspecified configuration values.
CVE-2015-2827 1 Broadcom 1 Spectrum 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in CA Spectrum 9.2.x and 9.3.x before 9.3 H02 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2023-21524 1 Microsoft 12 Windows 10 1607, Windows 10 1809, Windows 10 20h2 and 9 more 2025-04-12 7.8 High
Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
CVE-2025-27417 1 Wegia 1 Wegia 2025-04-11 6.1 Medium
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionar_status_atendido.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the status parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.16.
CVE-2025-25187 1 Joplin Project 1 Joplin 2025-04-11 7.8 High
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin's main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses <kbd>ctrl</kbd>-<kbd>p</kbd> to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-37898 1 Joplin Project 1 Joplin 2025-04-11 8.2 High
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with <pre> and </pre>, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening <pre> tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2022-47968 1 Linuxserver 1 Heimdall Application Dashboard 2025-04-11 5.4 Medium
Heimdall Application Dashboard through 2.5.4 allows reflected and stored XSS via "Application name" to the "Add application" page. The stored XSS will be triggered in the "Application list" page.
CVE-2022-23544 1 Metersphere 1 Metersphere 2025-04-11 7.2 High
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side request forgery in `IssueProxyResourceService::getMdImageByUrl` allows an attacker to access internal resources, as well as executing JavaScript code in the context of Metersphere's origin by a victim of a reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds.