Total: 37697 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-45206 | 1 Zimbra | 1 Collaboration | 2025-05-07 | N/A | 6.1 MEDIUM | An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. Through the help document endpoint in webmail, an attacker can inject JavaScript or HTML code that leads to cross-site scripting (XSS). (Adding an adequate message to avoid malicious code will mitigate this issue.)
CVE-2023-5005 | 1 Codesmade | 1 Autocomplete Location Field Contact Form 7 | 2025-05-07 | N/A | 4.8 MEDIUM | The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0 and the autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 do not sanitise and escape some of their settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2023-49489 | 1 Kodcloud | 1 Kodexplorer | 2025-05-07 | N/A | 6.1 MEDIUM | Reflected Cross Site Scripting (XSS) vulnerability in KodExplorer version 4.51 allows attackers to obtain sensitive information and escalate privileges via the APP_HOST parameter at config/i18n/en/main.php.
CVE-2023-46344 | 1 Solar-log | 2 2000 Pm+, 2000 Pm+ Firmware | 2025-05-07 | N/A | 5.4 MEDIUM | A vulnerability in Solar-Log Base 15 Firmware 6.0.1 Build 161, and possibly other Solar-Log Base products, allows an attacker to escalate their privileges by exploiting a stored cross-site scripting (XSS) vulnerability in the switch group function under /#ilang=DE&b=c_smartenergy_swgroups in the web portal. The vulnerability can be exploited to gain the rights of an installer or PM, which can then be used to gain administrative access to the web portal and execute further attacks. NOTE: The vendor states that this vulnerability has been fixed with 3.0.0-60 11.10.2013 for SL 200, 500, 1000 / not existing for SL 250, 300, 1200, 2000, SL 50 Gateway, SL Base.
CVE-2022-38162 | 1 Withsecure | 1 F-secure Policy Manager | 2025-05-07 | N/A | 6.1 MEDIUM | Reflected cross-site scripting (XSS) vulnerabilities in WithSecure (through 2022-08-10) exist within the F-Secure Policy Manager due to an unvalidated parameter in the endpoint, which allows remote attackers to provide malicious input.
CVE-2022-35739 | 1 Paessler | 1 Prtg Network Monitor | 2025-05-07 | N/A | 5.3 MEDIUM | PRTG Network Monitor through 22.2.77.2204 does not prevent custom input for a device's icon, which can be modified to insert arbitrary content into the style tag for that device. When the device page loads, the arbitrary Cascading Style Sheets (CSS) data is inserted into the style tag, loading malicious content. Because PRTG Network Monitor blocks “<” characters, and modern browsers disable JavaScript support in style tags, this vulnerability could not be escalated into a Cross-Site Scripting vulnerability.
CVE-2024-53255 | 1 Boidcms | 1 Boidcms | 2025-05-07 | N/A | 5.4 MEDIUM | BoidCMS is a free and open-source flat file CMS for building simple websites and blogs, developed using PHP and using JSON as a database. In affected versions a reflected Cross-site Scripting (XSS) vulnerability exists in the /admin?page=media endpoint in the file parameter, allowing an attacker to inject arbitrary JavaScript code. This code could be used to steal the user's session cookie, perform phishing attacks, or deface the website. This issue has been addressed in version 2.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2022-36783 | 1 Algosec | 1 Fireflow | 2025-05-07 | N/A | 6.5 MEDIUM | AlgoSec – FireFlow Reflected Cross-Site Scripting (RXSS). A malicious user injects JavaScript code into a parameter called IntersectudRule on the search/result.html page, changes the request from POST to GET, and sends the URL to another user (victim). The JavaScript code is executed in the browser of the other user.
CVE-2024-13381 | 1 Codepeople | 1 Calculated Fields Form | 2025-05-07 | N/A | 4.8 MEDIUM | The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2025-0709 | 1 Dcatadmin | 1 Dcat Admin | 2025-05-07 | 3.3 LOW | 2.4 LOW | A vulnerability was found in Dcat-Admin 2.2.1-beta. It has been rated as problematic. This issue affects some unknown processing of the file /admin/auth/roles of the component Roles Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-1749 | 1 Opencart | 1 Opencart | 2025-05-07 | N/A | 4.7 MEDIUM | HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/voucher.
CVE-2025-1748 | 1 Opencart | 1 Opencart | 2025-05-07 | N/A | 4.7 MEDIUM | HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/register.
CVE-2025-1747 | 1 Opencart | 1 Opencart | 2025-05-07 | N/A | 4.7 MEDIUM | HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/login.
CVE-2025-1746 | 1 Opencart | 1 Opencart | 2025-05-07 | N/A | 6.1 MEDIUM | Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
CVE-2024-13569 | 1 Etoilewebdesign | 1 Front End Users | 2025-05-07 | N/A | 7.1 HIGH | The Front End Users WordPress plugin through 3.2.32 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2025-46225 | 1 Migaweb | 1 Post In Page For Elementor | 2025-05-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor allows DOM-Based XSS. This issue affects Post in page for Elementor: from n/a through 1.0.1.
CVE-2025-46226 | 1 Mpl-publisher | 1 Mpl-publisher | 2025-05-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ferranfg MPL-Publisher allows Stored XSS. This issue affects MPL-Publisher: from n/a through 2.18.0.
CVE-2025-46227 | 1 Brechtvds | 1 Custom Related Posts | 2025-05-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brecht Custom Related Posts allows Stored XSS. This issue affects Custom Related Posts: from n/a through 1.7.4.
CVE-2024-13326 | 1 Ibuildapp | 1 Ibuildapp | 2025-05-07 | N/A | 6.1 MEDIUM | The iBuildApp WordPress plugin through 0.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2025-45751 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-05-07 | N/A | 6.1 MEDIUM | SourceCodester Web Based Pharmacy Product Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in add-admin.php via the Fullname text field.