Export limit exceeded: 45578 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45578 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-39516 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2026-02-25 | 6.1 Medium |
| Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `data_sources.php` displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app. CENSUS found that an adversary that is able to configure a malicious data-source path, can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the 'General Administration>Sites/Devices/Data' permissions can configure the data source path in Cacti. This configuration occurs through `http://<HOST>/cacti/data_sources.php`. The same page can be used for previewing the data source path. This issue has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should manually escape HTML output. | ||||
| CVE-2023-40460 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2026-02-25 | 7.1 High |
| The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted. | ||||
| CVE-2023-40461 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2026-02-25 | 8.1 High |
| The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored Cross-Site Scripting condition. | ||||
| CVE-2023-40464 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2026-02-25 | 8.1 High |
| Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server. | ||||
| CVE-2023-27990 | 1 Zyxel | 38 Atp100, Atp100 Firmware, Atp100w and 35 more | 2026-02-25 | 4.8 Medium |
| The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device. | ||||
| CVE-2023-6333 | 1 Controlbyweb | 6 X-301-24i, X-301-24i Firmware, X-301-i and 3 more | 2026-02-25 | 7.5 High |
| The affected ControlByWeb Relay products are vulnerable to a stored cross-site scripting vulnerability, which could allow an attacker to inject arbitrary scripts into the endpoint of a web interface that could run malicious javascript code during a user's session. | ||||
| CVE-2025-46320 | 1 Claris | 1 Filemaker Server | 2026-02-25 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. | ||||
| CVE-2023-49088 | 1 Cacti | 1 Cacti | 2026-02-25 | 6.1 Medium |
| Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized cacti user with the following permissions: `General Administration>Sites/Devices/Data`. The victim of this attack could be any account with permissions to view `http://<HOST>/cacti/data_debug.php`. As of time of publication, no complete fix has been included in Cacti. | ||||
| CVE-2022-4554 | 1 Idyazilim | 1 B2b Dealer Order System | 2026-02-25 | 5.4 Medium |
| B2B Customer Ordering System developed by ID Software Project and Consultancy Services before version 1.0.0.347 has an authenticated Reflected XSS vulnerability. This has been fixed in the version 1.0.0.347. | ||||
| CVE-2022-3214 | 1 Deltaww | 1 Diaenergie | 2026-02-25 | 9.8 Critical |
| Delta Industrial Automation's DIAEnergy, an industrial energy management system, is vulnerable to CWE-798, Use of Hard-coded Credentials. Versions prior to 1.9.03.009 have this vulnerability. Executable files could be uploaded to certain directories using hard-coded bearer authorization, allowing remote code execution. | ||||
| CVE-2022-38106 | 1 Solarwinds | 1 Serv-u | 2026-02-25 | 5.4 Medium |
| This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function. | ||||
| CVE-2022-35226 | 1 Sap | 1 Data Services | 2026-02-25 | 6.1 Medium |
| SAP Data Services Management allows an attacker to copy the data from a request and echoed into the application's immediate response, it will lead to a Cross-Site Scripting vulnerability. The attacker would have to log in to the management console to perform such as an attack, only few of the pages are vulnerable in the DS management console. | ||||
| CVE-2023-30754 | 1 Wpfoxly | 1 Adfoxly | 2026-02-25 | 7.1 High |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in AdFoxly AdFoxly – Ad Manager, AdSense Ads & Ads.Txt plugin <= 1.8.5 versions. | ||||
| CVE-2015-9354 | 1 Tri | 1 Gigpress | 2026-02-25 | 4.8 Medium |
| The gigpress plugin before 2.3.11 for WordPress has XSS. | ||||
| CVE-2024-22128 | 2 Sap, Sap Se | 2 Netweaver Business Client For Html, Sap Netweaver Business Client For Html | 2026-02-25 | 4.7 Medium |
| SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation. | ||||
| CVE-2021-23125 | 1 Joomla | 1 Joomla\! | 2026-02-25 | 6.1 Medium |
| An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors. | ||||
| CVE-2022-27910 | 1 Joomlatools | 1 Docman | 2026-02-25 | 6.1 Medium |
| In Joomla component 'Joomlatools - DOCman 3.5.13 (and likely most versions below)' are affected to an reflected Cross-Site Scripting (XSS) in an image upload function | ||||
| CVE-2022-23800 | 1 Joomla | 1 Joomla\! | 2026-02-25 | 6.1 Medium |
| An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components. | ||||
| CVE-2021-26035 | 1 Joomla | 1 Joomla\! | 2026-02-25 | 6.1 Medium |
| An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to a XSS vulnerability. | ||||
| CVE-2021-23129 | 1 Joomla | 1 Joomla\! | 2026-02-25 | 6.1 Medium |
| An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages showed to users that could lead to xss issues. | ||||