Export limit exceeded: 46013 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46013 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-34560 | 1 Phpfox | 1 Phpfox | 2025-04-22 | 7.1 High |
| A cross-site scripting (XSS) vulnerability in PHPFox v4.8.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the History parameter. | ||||
| CVE-2022-34561 | 1 Phpfox | 1 Phpfox | 2025-04-22 | 4.3 Medium |
| A cross-site scripting (XSS) vulnerability in PHPFox v4.8.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the video description parameter. | ||||
| CVE-2022-34562 | 1 Phpfox | 1 Phpfox | 2025-04-22 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in PHPFox v4.8.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the status box. | ||||
| CVE-2024-7068 | 1 Munyweki | 1 Insurance Management System | 2025-04-22 | 3.5 Low |
| A vulnerability classified as problematic has been found in SourceCodester Insurance Management System 1.0. This affects an unknown part of the file /Script/admin/core/update_sub_category. The manipulation of the argument name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272349 was assigned to this vulnerability. | ||||
| CVE-2022-46147 | 1 Openedx | 1 Xblock-drag-and-drop-v2 | 2025-04-22 | 8.4 High |
| Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds. | ||||
| CVE-2022-46162 | 1 Discourse | 1 Discourse Bbcode | 2025-04-22 | 8.8 High |
| discourse-bbcode is the official BBCode plugin for Discourse. Prior to commit 91478f5, CSS injection can occur when rendering content generated with the discourse-bccode plugin. This vulnerability only affects sites which have the discourse-bbcode plugin installed and enabled. This issue is patched in commit 91478f5. As a workaround, ensure that the Content Security Policy is enabled and monitor any posts that contain bbcode. | ||||
| CVE-2022-23475 | 1 Daloradius | 1 Daloradius | 2025-04-22 | 8.8 High |
| daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy. | ||||
| CVE-2024-7916 | 2 Nafisulbari, Sourcecodester | 2 Life Insurance Management System, Insurance Management System | 2025-04-22 | 3.5 Low |
| A vulnerability classified as problematic was found in nafisulbari/itsourcecode Insurance Management System 1.0. Affected by this vulnerability is an unknown functionality of the file addNominee.php of the component Add Nominee Page. The manipulation of the argument Nominee-Client ID leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-8209 | 2 Itsourcecode, Nafisulbari | 3 Insurance Management System, Insurance Management System, Life Insurance Management System | 2025-04-22 | 3.5 Low |
| A vulnerability was found in nafisulbari/itsourcecode Insurance Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file addClient.php. The manipulation of the argument CLIENT ID leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-8208 | 2 Itsourcecode, Nafisulbari | 3 Insurance Management System, Insurance Management System, Life Insurance Management System | 2025-04-22 | 3.5 Low |
| A vulnerability has been found in nafisulbari/itsourcecode Insurance Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file editClient.php. The manipulation of the argument AGENT ID leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-54775 | 1 Dcatadmin | 1 Dcat Admin | 2025-04-22 | 4.8 Medium |
| Dcat-Admin v2.2.0-beta and v2.2.2-beta contains a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions. | ||||
| CVE-2023-46951 | 1 Contribsys | 1 Sidekiq | 2025-04-22 | 6.1 Medium |
| Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted payload to the uniquejobs function. | ||||
| CVE-2024-27558 | 2 Codelyfe, Stupid Simple | 2 Stupid Simple Cms, Cms | 2025-04-22 | 6.1 Medium |
| Stupid Simple CMS 1.2.4 is vulnerable to Cross Site Scripting (XSS) within the blog title of the settings. | ||||
| CVE-2024-56314 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. | ||||
| CVE-2024-56313 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. | ||||
| CVE-2024-56312 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. | ||||
| CVE-2022-46381 | 1 Niceforyou | 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware | 2025-04-22 | 6.1 Medium |
| Certain Linear eMerge E3-Series devices are vulnerable to XSS via the type parameter (e.g., to the badging/badge_template_v0.php component). This affects 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e. | ||||
| CVE-2022-46058 | 1 Aerocms Project | 1 Aerocms | 2025-04-22 | 4.8 Medium |
| AeroCMS v0.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field. | ||||
| CVE-2022-44303 | 1 Resque-scheduler Project | 1 Resque-scheduler | 2025-04-22 | 6.1 Medium |
| Resque Scheduler version 1.27.4 is vulnerable to Cross-site scripting (XSS). A remote attacker could inject javascript code to the "{schedule_job}" or "args" parameter in /resque/delayed/jobs/{schedule_job}?args={args_id} to execute javascript at client side. | ||||
| CVE-2022-43996 | 1 Csaf Provider Project | 1 Csaf Provider | 2025-04-22 | 5.4 Medium |
| The csaf_provider package before 0.8.2 allows XSS via a crafted CSAF document uploaded as text/html. The endpoint upload allows valid CSAF advisories (JSON format) to be uploaded with Content-Type text/html and filenames ending in .html. When subsequently accessed via web browser, these advisories are served and interpreted as HTML pages. Such uploaded advisories can contain JavaScript code that will execute within the browser context of users inspecting the advisory. | ||||