Export limit exceeded: 44036 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44036 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67341 | 1 Jishenghua | 1 Jsherp | 2025-12-19 | 4.6 Medium |
| jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users. | ||||
| CVE-2025-14046 | 1 Github | 1 Enterprise Server | 2025-12-19 | 6.1 Medium |
| An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21. | ||||
| CVE-2025-66574 | 2 Compassplus, Compassplustechnologies | 2 Tranzaxis, Tranzaxis | 2025-12-19 | 5.4 Medium |
| TranzAxis 3.2.41.10.26 allows authenticated users to inject cross-site scripting via the `Open Object in Tree` endpoint, allowing attackers to steal session cookies and potentially escalate privileges. | ||||
| CVE-2025-67495 | 1 Zitadel | 1 Zitadel | 2025-12-19 | 8 High |
| ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, unauthenticated remote attacker can execute malicious JS code on Zitadel users’ browsers. To carry out an attack, multiple user sessions need to be active in the same browser, however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1. | ||||
| CVE-2024-27091 | 1 Geosolutionsgroup | 1 Geonode | 2025-12-19 | 6.1 Medium |
| GeoNode is a geospatial content management system, a platform for the management and publication of geospatial data. An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. The applications cookies are set securely, but it is possible to retrieve a victims CSRF token and issue a request to change another user's email address to perform a full account takeover. Due to the script element not impacting the CORS policy, requests will succeed. This vulnerability is fixed in 4.2.3. | ||||
| CVE-2024-5739 | 1 Linecorp | 1 Line | 2025-12-19 | 6.1 Medium |
| The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability. This vulnerability allows for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site within the in-app browser. The in-app browser is usually opened by tapping on URLs contained in chat messages, and for the attack to be successful, the victim must trigger a click event on a malicious iframe. If an iframe embedded in any website can be controlled by an attacker, this vulnerability could be exploited to capture or alter content displayed in the top frame, as well as user session information. This vulnerability affects LINE client for iOS versions below 14.9.0 and does not affect other LINE clients such as LINE client for Android. Please update LINE client for iOS to version 14.9.0 or higher. | ||||
| CVE-2025-41696 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 4.6 Medium |
| An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device. | ||||
| CVE-2025-41695 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in dyn_conn.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2021-42193 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | 6.1 Medium |
| nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires. | ||||
| CVE-2025-41749 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41747 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41746 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41748 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41750 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41751 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-41752 | 1 Phoenixcontact | 140 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 137 more | 2025-12-19 | 7.1 High |
| An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | ||||
| CVE-2025-65589 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | 6.1 Medium |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality. | ||||
| CVE-2025-65590 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | 5.4 Medium |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area. | ||||
| CVE-2025-65591 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | 5.4 Medium |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality. | ||||
| CVE-2025-65592 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | 6.1 Medium |
| nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages. | ||||