Export limit exceeded: 45979 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45979 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48875 | 1 Freescout | 1 Freescout | 2025-06-04 | 5.4 Medium |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of last_name and first_name during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.181. | ||||
| CVE-2024-12348 | 1 Jpress | 1 Jpress | 2025-06-04 | 3.5 Low |
| A vulnerability was found in Guizhou Xiaoma Technology jpress 5.1.2. It has been classified as problematic. Affected is the function AttachmentUtils.isUnSafe of the file /commons/attachment/upload of the component Attachment Upload Handler. The manipulation of the argument files[] leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-33526 | 1 Ilias | 1 Ilias | 2025-06-04 | 7.1 High |
| A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload. | ||||
| CVE-2024-33527 | 1 Ilias | 1 Ilias | 2025-06-04 | 5.4 Medium |
| A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload. | ||||
| CVE-2024-33528 | 1 Ilias | 1 Ilias | 2025-06-04 | 4.7 Medium |
| A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with tutor privileges to inject arbitrary web script or HTML via XML file upload. | ||||
| CVE-2024-48906 | 1 Sematell | 1 Replyone | 2025-06-04 | 6.1 Medium |
| Sematell ReplyOne 7.4.3.0 allows XSS via a ReplyDesk e-mail attachment name. | ||||
| CVE-2024-32674 | 2 Bestwebsoft, Heateor | 2 Social Login, Social Login | 2025-06-04 | 5.4 Medium |
| Heateor Social Login WordPress prior to 1.1.32 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. | ||||
| CVE-2024-27728 | 1 Friendica | 1 Friendica | 2025-06-04 | 6.1 Medium |
| Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the text parameter of the babel debug feature. | ||||
| CVE-2024-46278 | 1 Sismics | 1 Teedy | 2025-06-04 | 8.4 High |
| Teedy 1.11 is vulnerable to Cross Site Scripting (XSS) via the management console. | ||||
| CVE-2024-8521 | 1 Wavelog | 1 Wavelog | 2025-06-04 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in Wavelog up to 1.8.0. Affected is the function index of the file /qso of the component Live QSO. The manipulation of the argument manual leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.8.1 is able to address this issue. The patch is identified as b31002cec6b71ab5f738881806bb546430ec692e. It is recommended to upgrade the affected component. | ||||
| CVE-2024-10076 | 1 Automattic | 2 Jetpack, Jetpack Boost | 2025-06-04 | 5.9 Medium |
| The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and above users to perform Stored XSS attacks | ||||
| CVE-2024-13238 | 1 Typogrify Project | 1 Typogrify | 2025-06-04 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Typogrify allows Cross-Site Scripting (XSS).This issue affects Typogrify: from 0.0.0 before 1.3.0. | ||||
| CVE-2024-13237 | 1 File Entity Project | 1 File Entity | 2025-06-04 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS).This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38. | ||||
| CVE-2024-8854 | 1 Codepeople | 1 Polls Cp | 2025-06-04 | 5.4 Medium |
| The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup). | ||||
| CVE-2024-8851 | 1 Codepeople | 1 Polls Cp | 2025-06-04 | 5.4 Medium |
| The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup). | ||||
| CVE-2023-5932 | 1 Travelpayouts | 1 Travelpayouts | 2025-06-04 | 4.8 Medium |
| The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-5529 | 1 Pagevisitcounter | 1 Advanced Page Visit Counter | 2025-06-04 | 4.8 Medium |
| The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2025-3742 | 1 Dfactory | 1 Responsive Lightbox | 2025-06-04 | 6.8 Medium |
| The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-2870 | 1 Swiftideas | 1 Swift Framework | 2025-06-04 | 6.1 Medium |
| The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-2696 | 1 Swiftideas | 1 Swift Framework | 2025-06-04 | 4.8 Medium |
| The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||