Export limit exceeded: 46001 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46001 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-32343 | 1 Boidcms | 1 Boidcms | 2025-05-05 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in the Create Page of Boid CMS v2.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content parameter. | ||||
| CVE-2022-24227 | 1 Boltwire | 1 Boltwire | 2025-05-05 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in BoltWire v7.10 and v 8.00 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the name and lastname parameters. | ||||
| CVE-2022-23808 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-05-05 | 6.1 Medium |
| An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection. | ||||
| CVE-2022-23599 | 1 Plone | 1 Plone | 2025-05-05 | 4.3 Medium |
| Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on the user's cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the image_view_fullscreen page is not stored in the cache. More information about the vulnerability and cvmitigation measures is available in the GitHub Security Advisory. | ||||
| CVE-2022-21719 | 1 Glpi-project | 1 Glpi | 2025-05-05 | 6.1 Medium |
| GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds. | ||||
| CVE-2022-1094 | 1 Anmari | 1 Amr Users | 2025-05-05 | 4.8 Medium |
| The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-43523 | 2 Uclibc, Uclibc-ng Project | 2 Uclibc, Uclibc-ng | 2025-05-05 | 9.6 Critical |
| In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur. | ||||
| CVE-2021-38320 | 1 Simplesamlphp Authentication Project | 1 Simplesamlphp Authentication | 2025-05-05 | 6.1 Medium |
| The simpleSAMLphp Authentication WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/simplesamlphp-authentication.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.0. | ||||
| CVE-2021-38321 | 1 Custom-sub-menus Project | 1 Custom-sub-menus | 2025-05-05 | 6.1 Medium |
| The Custom Menu Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the selected_menu parameter found in the ~/custom-menus.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.3. | ||||
| CVE-2021-38317 | 1 Kibokolabs | 1 Konnichiwa | 2025-05-05 | 6.1 Medium |
| The Konnichiwa! Membership WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the plan_id parameter in the ~/views/subscriptions.html.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.8.3. | ||||
| CVE-2021-38319 | 1 Windyroad | 1 More From Google | 2025-05-05 | 6.1 Medium |
| The More From Google WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/morefromgoogle.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2. | ||||
| CVE-2023-3954 | 1 Multiparcels | 1 Multiparcels Shipping For Woocommerce | 2025-05-05 | 6.1 Medium |
| The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-3721 | 1 Lesterchan | 1 Wp-email | 2025-05-05 | 4.8 Medium |
| The WP-EMail WordPress plugin before 2.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2022-43084 | 1 Vehicle Booking System Project | 1 Vehicle Booking System | 2025-05-05 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability in admin-add-vehicle.php of Vehicle Booking System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the v_name parameter. | ||||
| CVE-2022-43079 | 1 Train Scheduler App Project | 1 Train Scheduler App | 2025-05-05 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Train Scheduler App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter. | ||||
| CVE-2022-43078 | 1 Web-based Student Clearance System Project | 1 Web-based Student Clearance System | 2025-05-05 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Web-Based Student Clearance System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter. | ||||
| CVE-2022-43076 | 1 Web-based Student Clearance System Project | 1 Web-based Student Clearance System | 2025-05-05 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability in /admin/edit-admin.php of Web-Based Student Clearance System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtemail parameter. | ||||
| CVE-2022-3469 | 1 Marcomilesi | 1 Wp Attachments | 2025-05-05 | 4.8 Medium |
| The WP Attachments WordPress plugin before 5.0.5 does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). | ||||
| CVE-2022-43361 | 1 Slims | 1 Senayan Library Management System | 2025-05-05 | 4.8 Medium |
| Senayan Library Management System v9.4.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the component pop_chart.php. | ||||
| CVE-2022-43082 | 1 Fast Food Ordering System Project | 1 Fast Food Ordering System | 2025-05-05 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in /fastfood/purchase.php of Fast Food Ordering System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the customer parameter. | ||||