Export limit exceeded: 46017 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46017 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-40000 | 1 Feehi | 1 Feehicms | 2025-04-21 | 5.4 Medium |
| Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the username field of the admin log in page. | ||||
| CVE-2022-45033 | 1 Oretnom23 | 1 Expense Tracker | 2025-04-21 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in Expense Tracker 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Chat text field. | ||||
| CVE-2022-44235 | 1 Zed-3 | 1 Voip Simplicity Asg | 2025-04-21 | 6.1 Medium |
| Beijing Zed-3 Technologies Co.,Ltd VoIP simpliclty ASG 8.5.0.17807 (20181130-16:12) is vulnerable to Cross Site Scripting (XSS). | ||||
| CVE-2022-40373 | 1 Feehi | 1 Feehicms | 2025-04-21 | 5.4 Medium |
| Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 allows remote attackers to run arbitrary code via upload of crafted XML file. | ||||
| CVE-2024-43005 | 1 Zzcms | 1 Zzcms | 2025-04-21 | 4.7 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the component dl_liuyan_save.php of ZZCMS v2023 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||||
| CVE-2024-43006 | 1 Zzcms | 2 Zzcms, Zzmcms | 2025-04-21 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in ZZCMS2023 in the ask/show.php file at line 21. An attacker can exploit this vulnerability by sending a specially crafted POST request to /user/ask_edit.php?action=add, which includes malicious JavaScript code in the 'content' parameter. When a user visits the ask/show_{newsid}.html page, the injected script is executed in the context of the user's browser, leading to potential theft of cookies, session tokens, or other sensitive information. | ||||
| CVE-2024-43009 | 1 Zzcms | 1 Zzcms | 2025-04-21 | 4.7 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in user/login.php at line 24 in ZZCMS 2023 and earlier. The application directly inserts the value of the HTTP_REFERER header into the HTML response without proper sanitization. An attacker can exploit this vulnerability by tricking a user into visiting a specially crafted URL, which includes a malicious Referer header. This can lead to the execution of arbitrary JavaScript code in the context of the victim's browser, potentially resulting in session hijacking, defacement, or other malicious activities. | ||||
| CVE-2024-40111 | 1 Automad | 1 Automad | 2025-04-21 | 4.8 Medium |
| A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the forum. | ||||
| CVE-2022-4837 | 1 Machothemes | 1 Cpo Companion | 2025-04-21 | 5.4 Medium |
| The CPO Companion WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | ||||
| CVE-2023-0097 | 1 Shapedplugin | 1 Smart Post Show | 2025-04-21 | 5.4 Medium |
| The Post Grid, Post Carousel, & List Category Posts WordPress plugin before 2.4.19 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2022-4699 | 1 Mediaelementjs | 1 Mediaelement.js | 2025-04-21 | 5.4 Medium |
| The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins. | ||||
| CVE-2022-4749 | 1 Infornweb | 1 Posts List Designer | 2025-04-21 | 5.4 Medium |
| The Posts List Designer by Category WordPress plugin before 3.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | ||||
| CVE-2022-4667 | 1 Themeisle | 1 Rss Aggregator By Feedzy | 2025-04-21 | 5.4 Medium |
| The RSS Aggregator by Feedzy WordPress plugin before 4.1.1 does not validate and escape some of its block options before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | ||||
| CVE-2025-2583 | 1 Simplemachines | 1 Simple Machines Forum | 2025-04-21 | 3.5 Low |
| A vulnerability was found in SimpleMachines SMF 2.1.4. It has been classified as problematic. This affects an unknown part of the file ManageNews.php. The manipulation of the argument subject/message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor does not declare this issue a security vulnerability due to authentication requirements before being able to access any feature in the software that allows file modification. | ||||
| CVE-2025-2582 | 1 Simplemachines | 1 Simple Machines Forum | 2025-04-21 | 3.5 Low |
| A vulnerability was found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this issue is some unknown functionality of the file ManageAttachments.php. The manipulation of the argument Notice leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor does not declare this issue a security vulnerability due to authentication requirements before being able to access any feature in the software that allows file modification. | ||||
| CVE-2016-8920 | 1 Ibm | 1 Kenexa Lms On Cloud | 2025-04-20 | N/A |
| IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2013-7451 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. | ||||
| CVE-2012-5636 | 1 Apache | 1 Wicket | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response. | ||||
| CVE-2014-2045 | 1 Viprinet | 2 Multichannel Vpn Router 300, Multichannel Vpn Router 300 Firmware | 2025-04-20 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the old and new interfaces in Viprinet Multichannel VPN Router 300 allow remote attackers to inject arbitrary web script or HTML via the username when (1) logging in or (2) creating an account in the old interface, (3) username when creating an account in the new interface, (4) hostname in the old interface, (5) inspect parameter in the config module, (6) commands parameter in the atcommands tool, or (7) host parameter in the ping tool. | ||||
| CVE-2009-1198 | 1 Apache | 1 Juddi | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp. | ||||