Export limit exceeded: 12199 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 46000 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46000 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-22130 | 1 Sap | 1 Crm - Webclient Ui | 2025-05-09 | 7.6 High |
| Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. An attacker with low privileges can cause limited impact to confidentiality and integrity of the appliaction data after successful exploitation. | ||||
| CVE-2024-21396 | 1 Microsoft | 1 Dynamics 365 | 2025-05-09 | 7.6 High |
| Dynamics 365 Sales Spoofing Vulnerability | ||||
| CVE-2024-21327 | 1 Microsoft | 1 Dynamics 365 | 2025-05-09 | 7.6 High |
| Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | ||||
| CVE-2024-24160 | 1 Mrcms | 1 Mrcms | 2025-05-09 | 6.1 Medium |
| MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do. | ||||
| CVE-2022-31468 | 1 Open-xchange | 1 Ox App Suite | 2025-05-09 | 6.1 Medium |
| OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter. | ||||
| CVE-2024-0557 | 1 Dedebiz | 1 Dedebiz | 2025-05-09 | 2.4 Low |
| A vulnerability, which was classified as problematic, was found in DedeBIZ 6.3.0. This affects an unknown part of the component Website Copyright Setting. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250725 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-22242 | 1 Juniper | 1 Junos | 2025-05-09 | 6.1 Medium |
| A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web. This issue affects Juniper Networks Junos OS all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2. | ||||
| CVE-2024-3628 | 2 Dwalliance, Faktorystudios | 2 Easyevent, Easyevent | 2025-05-09 | 3.8 Low |
| The EasyEvent WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | ||||
| CVE-2024-0599 | 1 Ujcms | 1 Jspxcms | 2025-05-09 | 3.5 Low |
| A vulnerability was found in Jspxcms 10.2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file src\main\java\com\jspxcms\core\web\back\InfoController.java of the component Document Management Page. The manipulation of the argument title leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250837 was assigned to this vulnerability. | ||||
| CVE-2022-38901 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-09 | 5.4 Medium |
| A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file. | ||||
| CVE-2023-6067 | 1 Wpeventsmanager | 1 User Profile Avatar | 2025-05-09 | 5.4 Medium |
| The WP User Profile Avatar WordPress plugin through 1.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2025-24017 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | 7.6 High |
| YesWiki is a wiki system written in PHP. Versions up to and including 4.4.5 are vulnerable to any end-user crafting a DOM based XSS on all of YesWiki's pages which is triggered when a user clicks on a malicious link. The vulnerability makes use of the search by tag feature. When a tag doesn't exist, the tag is reflected on the page and isn't properly sanitized on the server side which allows a malicious user to generate a link that will trigger an XSS on the client's side when clicked. This vulnerability allows any user to generate a malicious link that will trigger an account takeover when clicked, therefore allowing a user to steal other accounts, modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue. | ||||
| CVE-2025-24018 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | 7.6 High |
| YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. The vulnerability makes use of the content edition feature and more specifically of the `{{attach}}` component allowing users to attach files/medias to a page. When a file is attached using the `{{attach}}` component, if the resource contained in the `file` attribute doesn't exist, then the server will generate a file upload button containing the filename. This vulnerability allows any malicious authenticated user that has the right to create a comment or edit a page to be able to steal accounts and therefore modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue. | ||||
| CVE-2025-46550 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | 4.3 Medium |
| YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the `/?BazaR` endpoint and `idformulaire` parameter are vulnerable to cross-site scripting. An attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4. | ||||
| CVE-2025-46549 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | 4.3 Medium |
| YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4. | ||||
| CVE-2025-46350 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | 3.5 Low |
| YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4. | ||||
| CVE-2025-46349 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | 7.6 High |
| YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the file upload form. This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on by the victim to perform arbitrary actions. This issue has been patched in version 4.5.4. | ||||
| CVE-2025-46346 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | 5.4 Medium |
| YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment. The XSS occurs because the application fails to properly sanitize or encode user input submitted to the comments. Notably, the application sanitizes or does not allow execution of `<script>` tags, but does not account for payloads obfuscated using JavaScript block comments like `/* JavaScriptPayload */`. This issue has been patched in version 4.5.4. | ||||
| CVE-2025-45007 | 1 Phpgurukul | 1 Time Table Generator System | 2025-05-09 | 4.8 Medium |
| A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the profile.php file of PHPGurukul Timetable Generator System v1.0. This vulnerability allows remote attackers to execute arbitrary JavaScript code via the adminname POST request parameter. | ||||
| CVE-2025-45015 | 1 Phpgurukul | 1 Park Ticketing Management System | 2025-05-09 | 6.1 Medium |
| A Cross-Site Scripting (XSS) vulnerability was discovered in the foreigner-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. The vulnerability allows remote attackers to inject arbitrary JavaScript code via the fromdate and todate parameters. | ||||