Export limit exceeded: 362577 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47032 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-32852 1 Count 1 Countly Server 2025-03-10 5.4 Medium
Countly, a product analytics solution, is vulnerable to cross-site scripting prior to version 21.11 of the community edition. The victim must follow a malicious link or be redirected there from malicious web site. The attacker must have an account or be able to create one. This issue is patched in version 21.11.
CVE-2021-32853 1 Erxes 1 Erxes 2025-03-10 6.1 Medium
Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no known patches.
CVE-2021-32854 1 Textangular 1 Textangular 2025-03-10 6.1 Medium
textAngular is a text editor for Angular.js. Version 1.5.16 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. There are no known patches.
CVE-2021-32855 1 B3log 1 Vditor 2025-03-10 6.1 Medium
Vditor is a browser-side Markdown editor. Versions prior to 3.8.7 are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. Version 3.8.7 contains a patch for this issue.
CVE-2021-32856 1 Microweber 1 Microweber 2025-03-10 6.1 Medium
Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A fix was attempted in versions 1.2.9 and 1.2.12, but it is incomplete.
CVE-2021-32857 1 Agentejo 1 Cockpit 2025-03-10 6.1 Medium
Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in `htmleditor.js` may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.
CVE-2021-32858 1 Esdoc 1 Esdoc-publish-html-plugin 2025-03-10 6.1 Medium
esdoc-publish-html-plugin is a plugin for the document maintenance software ESDoc. TheHTML sanitizer in esdoc-publish-html-plugin 1.1.2 and prior can be bypassed which may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.
CVE-2021-32859 1 Baremetrics 1 Date Range Picker 2025-03-10 6.1 Medium
The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calender view. Versions 1.0.14 and prior are prone to cross-site scripting (XSS) when handling untrusted `placeholder` entries. An attacker who is able to influence the field `placeholder` when creating a `Calendar` instance is able to supply arbitrary `html` or `javascript` that will be rendered in the context of a user leading to XSS. There are no known patches for this issue.
CVE-2021-32860 1 Izimodal Project 1 Izimodal 2025-03-10 6.1 Medium
iziModal is a modal plugin with jQuery. Versions prior to 1.6.1 are vulnerable to cross-site scripting (XSS) when handling untrusted modal titles. An attacker who is able to influence the field `title` when creating a `iziModal` instance is able to supply arbitrary `html` or `javascript` code that will be rendered in the context of a user, potentially leading to `XSS`. Version 1.6.1 contains a patch for this issue
CVE-2023-25810 1 Uptime-kuma Project 1 Uptime-kuma 2025-03-10 6.3 Medium
Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-25811 1 Uptime-kuma Project 1 Uptime-kuma 2025-03-10 6.3 Medium
Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-25154 1 Misskey 1 Misskey 2025-03-10 7.1 High
Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execute JavaScript code in the context of the recipient. This issue has been fixed in version 13.5.0. Users are advised to upgrade. Users unable to upgrade should not "view on remote" for untrusted instances.
CVE-2023-24811 1 Misskey 1 Misskey 2025-03-10 7.1 High
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions.
CVE-2023-24810 1 Misskey 1 Misskey 2025-03-10 7.1 High
Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps.
CVE-2023-25823 1 Gradio Project 1 Gradio 2025-03-10 5.4 Medium
Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested.
CVE-2023-25825 1 Zoneminder 1 Zoneminder 2025-03-10 7.7 High
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious referrer field. This is unescaped when viewing the logs in the web ui. This issue is patched in version 1.36.33.
CVE-2023-1067 1 Pimcore 1 Pimcore 2025-03-10 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
CVE-2023-0043 1 Add User Project 1 Add User 2025-03-10 6.1 Medium
The Custom Add User WordPress plugin through 2.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVE-2024-27774 1 Unitronics 1 Unilogic 2025-03-10 7.5 High
Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-259: Use of Hard-coded Password may allow disclosing Sensitive Information Embedded inside Device's Firmware
CVE-2023-0548 1 Kibokolabs 1 Namaste\! Lms 2025-03-10 4.8 Medium
The Namaste! LMS WordPress plugin before 2.5.9.4 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).