Total
450 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-52967 | 1 Fortinet | 1 Fortiportal | 2025-02-03 | 3.3 Low |
| An improper neutralization of script-related html tags in a web page (basic xss) in Fortinet FortiPortal 6.0.0 through 6.0.14 allows attacker to execute unauthorized code or commands via html injection. | ||||
| CVE-2024-23522 | 1 Strategy11 | 1 Formidable Forms | 2025-02-03 | 5.3 Medium |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Strategy11 Form Builder Team Formidable Forms allows Code Injection.This issue affects Formidable Forms: from n/a through 6.7. | ||||
| CVE-2023-1384 | 2 Amazon, Bestbuy | 3 Fire Os, Fire Tv Stick 3rd Gen, Insignia Tv | 2025-01-30 | 4.3 Medium |
| The setMediaSource function on the amzn.thin.pl service does not sanitize the "source" parameter allowing for arbitrary javascript code to be run This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS versions prior to 7.6.3.3. | ||||
| CVE-2024-35112 | 1 Ibm | 1 Control Center | 2025-01-27 | 5.4 Medium |
| IBM Control Center 6.2.1 and 6.3.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. | ||||
| CVE-2025-24673 | 2025-01-24 | 6.5 Medium | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AyeCode Ltd Ketchup Shortcodes allows Stored XSS. This issue affects Ketchup Shortcodes: from n/a through 0.1.2. | ||||
| CVE-2025-24678 | 2025-01-24 | 6.5 Medium | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Listamester Listamester allows Stored XSS. This issue affects Listamester: from n/a through 2.3.4. | ||||
| CVE-2023-0007 | 1 Paloaltonetworks | 4 Pan-os, Panorama M-200, Panorama M-500 and 1 more | 2025-01-24 | 6.5 Medium |
| A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software on Panorama appliances enables an authenticated read-write administrator to store a JavaScript payload in the web interface that will execute in the context of another administrator’s browser when viewed. | ||||
| CVE-2023-30615 | 1 Dfir-iris | 1 Iris | 2025-01-16 | 6.3 Medium |
| Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations . The vulnerability in allows an attacker to inject malicious scripts into the application, which are then executed when a user visits the affected locations. This can lead to unauthorized access, data theft, or other malicious activities. An attacker need to be authenticated on the application to exploit this vulnerability. The issue was patched in version 2.2.1 of iris-web. | ||||
| CVE-2023-33197 | 1 Craftcms | 1 Craft Cms | 2025-01-14 | 5.5 Medium |
| Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. | ||||
| CVE-2023-33196 | 1 Craftcms | 1 Craft Cms | 2025-01-14 | 5.5 Medium |
| Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7. | ||||
| CVE-2023-33194 | 2 Craftcms, Craftercms | 2 Craft Cms, Craftercms | 2025-01-14 | 3.7 Low |
| Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. | ||||
| CVE-2024-39363 | 2025-01-14 | 9.6 Critical | ||
| A cross-site scripting (xss) vulnerability exists in the login.cgi set_lang_CountryCode() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | ||||
| CVE-2024-41752 | 1 Ibm | 1 Cognos Analytics | 2025-01-10 | 5.4 Medium |
| IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | ||||
| CVE-2024-28108 | 2 Phpmyfaq, Thorsten | 2 Phpmyfaq, Phpmyfaq | 2025-01-09 | 4.7 Medium |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. _Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ._ This vulnerability is fixed in 3.2.6. | ||||
| CVE-2024-49377 | 1 Octoprint | 1 Octoprint | 2024-12-18 | 5.5 Medium |
| OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on a specially crafted login link, or a malicious app running on a victim's computer triggering the application key workflow with specially crafted parameters and then redirecting the victim to the related standalone confirmation dialog could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been patched in the bugfix release 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general. The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out. | ||||
| CVE-2024-12127 | 2024-12-17 | 6.1 Medium | ||
| The Learning Management System, eLearning, Course Builder, WordPress LMS Plugin – Sikshya LMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 0.0.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-54223 | 1 Reputeinfosystems | 1 Arforms Form Builder | 2024-12-09 | 5.3 Medium |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Contact Form - Repute InfoSystems ARForms Form Builder allows Code Injection.This issue affects ARForms Form Builder: from n/a through 1.7.1. | ||||
| CVE-2022-1002 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 2 Low |
| Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations. | ||||
| CVE-2024-54001 | 1 Kanboard | 1 Kanboard | 2024-12-05 | 5.5 Medium |
| Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields application_language, application_date_format,application_timezone and application_time_format allow arbirary user input which is reflected. The vulnerability can become xss if the user input is javascript code that bypass CSP. This vulnerability is fixed in 1.2.41. | ||||
| CVE-2024-2380 | 1 Checkmk | 1 Checkmk | 2024-12-04 | 4.6 Medium |
| Stored XSS in graph rendering in Checkmk <2.3.0b4. | ||||