Export limit exceeded: 45606 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45606 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-32584 | 1 Standalonetech | 1 Terawallet | 2025-02-05 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StandaloneTech TeraWallet – For WooCommerce allows Stored XSS.This issue affects TeraWallet – For WooCommerce: from n/a through 1.5.0. | ||||
| CVE-2023-2191 | 1 Azuracast | 1 Azuracast | 2025-02-05 | 4.8 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18. | ||||
| CVE-2023-22309 | 1 Tribe29 | 1 Checkmk Appliance Firmware | 2025-02-04 | 6.1 Medium |
| Reflective Cross-Site-Scripting in Webconf in Tribe29 Checkmk Appliance before 1.6.4. | ||||
| CVE-2023-29528 | 1 Xwiki | 1 Commons | 2025-02-04 | 9.1 Critical |
| XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don't start with `>`. There are no known workarounds apart from upgrading to a version including the fix. | ||||
| CVE-2023-0542 | 1 Blackbirdi | 1 Custom Post Type List Shortcode | 2025-02-04 | 5.4 Medium |
| The Custom Post Type List Shortcode WordPress plugin through 1.4.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2023-0514 | 1 Membership Database Project | 1 Membership Database | 2025-02-04 | 6.1 Medium |
| The Membership Database WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-0280 | 1 Topdigitaltrends | 1 Ultimate Carousel For Elementor | 2025-02-04 | 5.4 Medium |
| The Ultimate Carousel For Elementor WordPress plugin through 2.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2022-47509 | 1 Solarwinds | 1 Orion Platform | 2025-02-04 | 6.1 Medium |
| The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML. | ||||
| CVE-2024-29113 | 1 Metagauss | 1 Registrationmagic | 2025-02-04 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS.This issue affects RegistrationMagic: from n/a through 5.2.5.9. | ||||
| CVE-2023-2139 | 1 3ds | 1 Delmia Apriso | 2025-02-04 | 5.4 Medium |
| A reflected Cross-site Scripting (XSS) Vulnerability in DELMIA Apriso Release 2017 through Release 2022 allows an attacker to execute arbitrary script code. | ||||
| CVE-2023-0948 | 1 Artisanworkshop | 1 Japanized For Woocommerce | 2025-02-04 | 6.1 Medium |
| The Japanized For WooCommerce WordPress plugin before 2.5.8 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting | ||||
| CVE-2023-1875 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-02-04 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. | ||||
| CVE-2023-30788 | 1 Monicahq | 1 Monica | 2025-02-04 | 5.4 Medium |
| MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people/add` endpoint and nickName, description, lastName, middleName and firstName parameter. | ||||
| CVE-2022-45291 | 1 Pwsdashboard | 1 Personal Weather Station Dashboard | 2025-02-04 | 7.2 High |
| PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022. | ||||
| CVE-2023-51544 | 1 Metagauss | 1 Registrationmagic | 2025-02-04 | 5.3 Medium |
| Improper Control of Interaction Frequency vulnerability in Metagauss RegistrationMagic allows Functionality Misuse.This issue affects RegistrationMagic: from n/a through 5.2.5.0. | ||||
| CVE-2025-0844 | 1 Needyamin | 1 Library Card System | 2025-02-04 | 4.3 Medium |
| A vulnerability was found in needyamin Library Card System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file signup.php of the component Registration Page. The manipulation of the argument firstname/lastname/email/borrow/user_address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | ||||
| CVE-2023-29848 | 1 Hockeycomputindo | 1 Bang Resto | 2025-02-04 | 4.8 Medium |
| Bang Resto 1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the itemName parameter in the admin/menu.php Add New Menu function. | ||||
| CVE-2023-26061 | 1 Nokia | 1 Netact | 2025-02-04 | 6.8 Medium |
| An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | ||||
| CVE-2023-26059 | 1 Nokia | 1 Netact | 2025-02-04 | 6.8 Medium |
| An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user. | ||||
| CVE-2023-25347 | 1 Churchcrm | 1 Churchcrm | 2025-02-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" Input Field in EventEditor.php. | ||||