Total
39271 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52624 | 1 Hcltech | 1 Aion | 2025-10-24 | N/A | 5.4 MEDIUM |
| A vulnerability Bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks.This issue affects AION: 2.0. | |||||
| CVE-2025-25245 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | N/A | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious url in the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability. | |||||
| CVE-2025-62597 | 1 Wegia | 1 Wegia | 2025-10-24 | N/A | 6.1 MEDIUM |
| WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to version 3.5.1, a reflected cross-site scripting (XSS) vulnerability was identified in the editar_info_pessoal.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the sql parameter. The vulnerable endpoint is GET /WeGIA/html/pessoa/editar_info_pessoal.php?sql=1. This issue has been patched in version 3.5.1. | |||||
| CVE-2025-42920 | 1 Sap | 1 Supplier Relationship Management | 2025-10-24 | N/A | 6.1 MEDIUM |
| Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected. | |||||
| CVE-2025-52367 | 1 Pivotx | 1 Pivotx | 2025-10-24 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in PivotX CMS v.3.0.0 RC 3 allows a remote attacker to execute arbitrary code via the subtitle field. | |||||
| CVE-2019-18426 | 1 Whatsapp | 1 Whatsapp | 2025-10-24 | 5.8 MEDIUM | 8.2 HIGH |
| A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message. | |||||
| CVE-2025-34281 | 1 Thingsboard | 1 Thingsboard | 2025-10-24 | N/A | 5.4 MEDIUM |
| ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files. | |||||
| CVE-2025-62421 | 1 Dataease | 1 Dataease | 2025-10-24 | N/A | 5.4 MEDIUM |
| DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/{fileId} that uses a URL path parameter where both the filename and extension of uploaded files are controllable by users. During permission validation, the TokenFilter invokes the WhitelistUtils#match method to determine if the URL path is in the allowlist. If the requestURI ends with .js or similar extensions, it is directly deemed safe and bypasses permission checks. This allows an attacker to access "upload/1.js" while specifying arbitrary file extensions, enabling the upload of HTML files containing malicious JavaScript. The vulnerability is fixed in version 2.10.14. No known workarounds exist. | |||||
| CVE-2025-55321 | 1 Microsoft | 1 Azure Monitor | 2025-10-23 | N/A | 9.3 CRITICAL |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Monitor allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2024-34687 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 6.5 MEDIUM |
| SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker can control code that is executed within a user’s browser, which could result in modification, deletion of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. Hence, this could have impact on Confidentiality, Integrity and Availability of the system. | |||||
| CVE-2025-0339 | 1 Fabian | 1 Online Bike Rental System | 2025-10-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic has been found in code-projects Online Bike Rental 1.0. Affected is an unknown function of the file /vehical-details.php of the component HTTP GET Request Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. | |||||
| CVE-2024-12790 | 1 Fabian | 1 Hostel Management System | 2025-10-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in code-projects Hostel Management Site 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file room-details.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-11124 | 1 Fabian | 1 Project Monitoring System | 2025-10-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in code-projects Project Monitoring System 1.0. Affected is an unknown function of the file /onlineJobSearchEngine/postjob.php. Such manipulation of the argument txtapplyto leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
| CVE-2025-2061 | 1 Fabian | 1 Online Ticket Reservation System | 2025-10-23 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in code-projects Online Ticket Reservation System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /passenger.php. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-12983 | 1 Fabian | 1 Hospital Management System | 2025-10-23 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic has been found in code-projects Hospital Management System 1.0. This affects an unknown part of the file /hospital/hms/admin/manage-doctors.php of the component Edit Doctor Details Page. The manipulation of the argument Doctor Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
| CVE-2025-8501 | 1 Fabian | 1 Human Resource Integrated System | 2025-10-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic has been found in code-projects Human Resource Integrated System 1.0. Affected is an unknown function of the file /insert-and-view/action.php. The manipulation of the argument content leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-7108 | 1 Fabian | 1 E-commerce Website | 2025-10-23 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in code-projects E-Commerce Website 1.0. This affects an unknown part of the file user_signup.php. The manipulation of the argument firstname with the input <video/src=x onerror=alert(document.domain)> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249003. | |||||
| CVE-2025-0538 | 1 Fabian | 1 Tourism Management System | 2025-10-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, was found in code-projects Tourism Management System 1.0. Affected is an unknown function of the file /admin/manage-pages.php. The manipulation of the argument pgedetails leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-1171 | 1 Fabian | 1 Real Estate Property Management System | 2025-10-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic was found in code-projects Real Estate Property Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /Admin/CustomerReport.php. The manipulation of the argument Address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-7124 | 1 Fabian | 1 E-commerce Site | 2025-10-23 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in code-projects E-Commerce Site 1.0. Affected is an unknown function of the file search.php. The manipulation of the argument keyword with the input <video/src=x onerror=alert(document.cookie)> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249096. | |||||