Search Results (47116 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-0599 1 Rapid7 1 Metasploit 2025-03-25 6.1 Medium
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization.  Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.
CVE-2024-26318 1 Serenity 1 Serenity 2025-03-25 6.1 Medium
Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.
CVE-2023-22849 1 Apache 1 Sling Cms 2025-03-25 6.1 Medium
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling App CMS >= 1.1.6
CVE-2017-20176 1 Share On Diaspora Project 1 Share On Diaspora 2025-03-25 3.5 Low
A vulnerability classified as problematic was found in ciubotaru share-on-diaspora 0.7.9. This vulnerability affects unknown code of the file new_window.php. The manipulation of the argument title/url leads to cross site scripting. The attack can be initiated remotely. The name of the patch is fb6fae2f8a9b146471450b5b0281046a17d1ac8d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-220204.
CVE-2024-3992 1 Joshua Vandercar 1 Amen 2025-03-25 4.8 Medium
The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-46433 1 Tenda 2 W18e, W18e Firmware 2025-03-25 8.8 High
A default credentials vulnerability in Tenda W18E V16.01.0.8(1625) allows unauthenticated remote attackers to access the web management portal using the default rzadmin account with administrative privileges.
CVE-2024-4860 1 Rebelcode 1 Rss Aggregator 2025-03-25 5.4 Medium
The 'WordPress RSS Aggregator' WordPress Plugin, versions < 4.23.9 are affected by a Cross-Site Scripting (XSS) vulnerability due to the lack of sanitization of the  'notice_id'  GET parameter.
CVE-2024-46436 1 Tenda 2 W18e, W18e Firmware 2025-03-25 8.3 High
Hardcoded credentials in Tenda W18E V16.01.0.8(1625) allows unauthenticated remote attackers to gain root access to the device over the telnet service.
CVE-2022-21948 1 Opensuse 1 Paste 2025-03-25 4.3 Medium
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in paste allows remote attackers to place Javascript into SVG files. This issue affects: openSUSE paste paste version b57b9f87e303a3db9465776e657378e96845493b and prior versions.
CVE-2024-7790 1 Stitionai 1 Devika 2025-03-25 6.5 Medium
A stored cross site scripting vulnerabilities exists in DevikaAI from commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2 onwards via improperly decoded user input.
CVE-2024-7524 2 Mozilla, Redhat 8 Firefox, Firefox Esr, Enterprise Linux and 5 more 2025-03-25 6.1 Medium
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
CVE-2024-48706 1 O-dyn 1 Collabtive 2025-03-25 5.4 Medium
Collabtive 3.1 is vulnerable to Cross-site scripting (XSS) via the title parameter with action=add or action=editform within the (a) managemessage.php file and (b) managetask.php file respectively.
CVE-2024-47048 1 Rocket.chat 1 Rocket.chat 2025-03-25 5.4 Medium
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps.
CVE-2024-46934 1 Rocket.chat 1 Rocket.chat 2025-03-25 6.1 Medium
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload.
CVE-2024-46372 1 Dedecms 1 Dedecms 2025-03-25 6.1 Medium
DedeCMS 5.7.115 is vulnerable to Cross Site Scripting (XSS) via the advertisement code box in the advertisement management module.
CVE-2024-45836 1 Planex 10 Cs-qr10, Cs-qr10 Firmware, Cs-qr20 and 7 more 2025-03-25 6.1 Medium
Cross-site scripting vulnerability exists in the web management page of PLANEX COMMUNICATIONS network cameras. If a logged-in user accesses a specific file, an arbitrary script may be executed on the web browser of the user.
CVE-2024-43025 1 Rws 1 Multitrans 2025-03-25 6.1 Medium
An HTML injection vulnerability in RWS MultiTrans v7.0.23324.2 and earlier allows attackers to alter the HTML-layout and possibly execute a phishing attack via a crafted payload injected into a sent e-mail.
CVE-2024-43024 1 Rws 1 Multitrans 2025-03-25 6.1 Medium
Multiple stored cross-site scripting (XSS) vulnerabilities in RWS MultiTrans v7.0.23324.2 and earlier allow attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-41482 1 Typora 1 Typora 2025-03-25 6.1 Medium
Typora before 1.9.3 Markdown editor has a cross-site scripting (XSS) vulnerability via the MathJax component.
CVE-2024-39838 1 Zexelon 2 Zwx-2000csw2-hn, Zwx-2000csw2-hn Firmware 2025-03-25 8.8 High
ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15 uses hard-coded credentials, which may allow a network-adjacent attacker with an administrative privilege to alter the configuration of the device.