Total
36489 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24433 | 1 Yukimichi | 1 Simple Sort\&search | 2025-06-02 | 5.4 Medium |
| The simple sort&search WordPress plugin through 0.0.3 does not make sure that the indexurl parameter of the shortcodes "category_sims", "order_sims", "orderby_sims", "period_sims", and "tag_sims" use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor | ||||
| CVE-2024-35753 | 1 Templatesnext | 1 Onepager | 2025-06-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TemplatesNext TemplatesNext OnePager allows Stored XSS.This issue affects TemplatesNext OnePager: from n/a through 1.3.3. | ||||
| CVE-2024-21725 | 1 Joomla | 1 Joomla\! | 2025-06-02 | 6.1 Medium |
| Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components. | ||||
| CVE-2024-23659 | 1 Spip | 1 Spip | 2025-06-02 | 6.1 Medium |
| SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js. | ||||
| CVE-2024-22877 | 1 Strangebee | 1 Thehive | 2025-06-02 | 5.4 Medium |
| StrangeBee TheHive 5.2.0 to 5.2.8 is vulnerable to Cross Site Scripting (XSS) in the case reporting functionality. This feature allows an attacker to insert malicious JavaScript code inside the template or its variables, that will be executed in the context of the TheHive application when the HTML report is opened. | ||||
| CVE-2024-20270 | 1 Cisco | 2 Broadworks Application Delivery Platform, Broadworks Xtended Services Platform | 2025-06-02 | 4.8 Medium |
| A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | ||||
| CVE-2024-0381 | 1 Bootstrapped | 1 Wp Recipe Maker | 2025-06-02 | 6.4 Medium |
| The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-0238 | 1 Myeventon | 1 Eventon | 2025-06-02 | 6.1 Medium |
| The EventON Premium WordPress plugin before 4.5.6, EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata. | ||||
| CVE-2023-7151 | 1 Piwebsolution | 1 Product Enquiry For Woocommerce | 2025-06-02 | 6.1 Medium |
| The Product Enquiry for WooCommerce WordPress plugin before 3.2 does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-6732 | 1 Supsystic | 1 Ultimate Maps | 2025-06-02 | 4.8 Medium |
| The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | ||||
| CVE-2023-52069 | 1 Kodcloud | 1 Kodbox | 2025-06-02 | 5.4 Medium |
| kodbox v1.49.04 was discovered to contain a cross-site scripting (XSS) vulnerability via the URL parameter. | ||||
| CVE-2023-49943 | 1 Zohocorp | 1 Manageengine Servicedesk Plus Msp | 2025-06-02 | 5.4 Medium |
| Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet. | ||||
| CVE-2023-48858 | 1 Abocms | 1 Abo.cms | 2025-06-02 | 6.1 Medium |
| A Cross-site scripting (XSS) vulnerability in login page php code in Armex ABO.CMS 5.9 allows remote attackers to inject arbitrary web script or HTML via the login.php? URL part. | ||||
| CVE-2023-46952 | 1 Abocms | 1 Abo.cms | 2025-06-02 | 6.1 Medium |
| Cross Site Scripting vulnerability in ABO.CMS v.5.9.3 allows an attacker to execute arbitrary code via a crafted payload to the Referer header. | ||||
| CVE-2023-0769 | 1 Hiweb | 1 Migration Simple | 2025-06-02 | 6.1 Medium |
| The hiWeb Migration Simple WordPress plugin through 2.0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. | ||||
| CVE-2023-0376 | 1 Themeum | 1 Qubely | 2025-06-02 | 5.4 Medium |
| The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-0554 | 1 Xantech | 2 Wic1200, Wic1200 Firmware | 2025-06-02 | 5.5 Medium |
| A Cross-site scripting (XSS) vulnerability has been found on WIC1200, affecting version 1.1. An authenticated user could store a malicious javascript payload in the device model parameter via '/setup/diags_ir_learn.asp', allowing the attacker to retrieve the session details of another user. | ||||
| CVE-2024-22411 | 1 Avohq | 1 Avo | 2025-06-02 | 6.5 Medium |
| Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade. | ||||
| CVE-2023-51720 | 1 Skyworthdigital | 2 Cm5100, Cm5100 Firmware | 2025-06-02 | 6.9 Medium |
| This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Time Server 1 parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system. | ||||
| CVE-2023-51725 | 1 Skyworthdigital | 2 Cm5100, Cm5100 Firmware | 2025-06-02 | 6.9 Medium |
| This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Contact Email Address parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system. Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system. | ||||