Search Results (47121 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-3548 1 Getshortcodes 1 Shortcodes Ultimate 2025-03-27 6.1 Medium
The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVE-2024-37680 2 Finesoft Project, Hangzhou Meisoft Information Technology 2 Finesoft, Finesoft 2025-03-27 6.3 Medium
Hangzhou Meisoft Information Technology Co., Ltd. FineSoft <=8.0 is affected by Cross Site Scripting (XSS) which allows remote attackers to execute arbitrary code. Enter any account and password, click Login, the page will report an error, and a controllable parameter will appear at the URL:weburl.
CVE-2024-27278 1 Openpne 1 Optimelineplugin 2025-03-27 5.4 Medium
OpenPNE Plugin "opTimelinePlugin" 1.2.11 and earlier contains a cross-site scripting vulnerability. On the site which uses the affected product, when a user configures the profile with some malicious contents, an arbitrary script may be executed on the web browsers of other users.
CVE-2024-25292 1 Martinbarker 1 Rendertune 2025-03-27 9.6 Critical
Cross-site scripting (XSS) vulnerability in RenderTune v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Upload Title parameter.
CVE-2024-22855 1 Itssglobal 1 Imlog 2025-03-27 5.4 Medium
A cross-site scripting (XSS) vulnerability in the User Maintenance section of ITSS iMLog v1.307 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Last Name parameter.
CVE-2023-7115 1 Pagelayer 1 Pagelayer 2025-03-27 4.8 Medium
The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2023-23132 1 Selfwealth 1 Selfwealth 2025-03-27 7.5 High
Selfwealth iOS mobile App 3.3.1 is vulnerable to Sensitive key disclosure. The application reveals hardcoded API keys.
CVE-2023-23078 1 Zohocorp 1 Manageengine Servicedesk Plus 2025-03-27 6.1 Medium
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.
CVE-2023-23077 1 Zohocorp 1 Manageengine Servicedesk Plus 2025-03-27 6.1 Medium
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.
CVE-2023-23075 1 Zohocorp 1 Manageengine Assetexplorer 2025-03-27 6.1 Medium
Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.
CVE-2023-23074 1 Zohocorp 1 Manageengine Servicedesk Plus 2025-03-27 6.1 Medium
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.
CVE-2023-23073 1 Zohocorp 1 Manageengine Servicedesk Plus 2025-03-27 6.1 Medium
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.
CVE-2022-4898 1 Octopus 1 Octopus Server 2025-03-27 5.4 Medium
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS
CVE-2022-47701 1 Comfast Project 2 Cf-wr623n, Cf-wr623n Firmware 2025-03-27 6.1 Medium
COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS).
CVE-2022-44897 1 Apollotheme 1 Ap Pagebuilder 2025-03-27 6.1 Medium
A cross-site scripting (XSS) vulnerability in ApolloTheme AP PageBuilder component through 2.4.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the show_number parameter.
CVE-2024-26299 1 Arubanetworks 1 Clearpass Policy Manager 2025-03-27 6.6 Medium
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
CVE-2024-26300 1 Arubanetworks 1 Clearpass Policy Manager 2025-03-27 6.6 Medium
A vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
CVE-2024-26281 1 Mozilla 1 Firefox 2025-03-27 4.7 Medium
Upon scanning a JavaScript URI with the QR code scanner, an attacker could have executed unauthorized scripts on the current top origin sites in the URL bar. This vulnerability affects Firefox for iOS < 123.
CVE-2023-39612 1 Filebrowser 1 Filebrowser 2025-03-27 9.0 Critical
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.
CVE-2025-30345 1 Openslides 1 Openslides 2025-03-27 3.5 Low
An issue was discovered in OpenSlides before 4.2.5. When creating new chats via the chat_group.create action, the user is able to specify the name of the chat. Some HTML elements such as SCRIPT are filtered, whereas others are not. In most cases, HTML entities are encoded properly, but not when deleting chats or deleting messages in these chats. This potentially allows attackers to interfere with the layout of the rendered website, but it is unlikely that victims would click on deleted chats or deleted messages.