Total
39130 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11450 | 1 Servicenow | 1 Servicenow | 2025-10-10 | N/A |
| ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link. ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so. | ||||
| CVE-2024-2135 | 1 Bdtask | 1 Hospital Automanager | 2025-10-10 | 2.4 Low |
| A vulnerability was found in Bdtask Hospita AutoManager up to 20240223 and classified as problematic. This issue affects some unknown processing of the file /hospital_activities/birth/form of the component Hospital Activities Page. The manipulation of the argument Description with the input <img src=a onerror=alert(1)> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255497 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-55321 | 1 Microsoft | 1 Azure Monitor | 2025-10-10 | 8.7 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Monitor allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-62240 | 1 Liferay | 2 Dxp, Portal | 2025-10-10 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name or (3) Last Name text field. | ||||
| CVE-2023-6710 | 2 Modcluster, Redhat | 3 Mod Proxy Cluster, Enterprise Linux, Jboss Core Services | 2025-10-10 | 5.4 Medium |
| A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page. | ||||
| CVE-2025-40640 | 2025-10-10 | N/A | ||
| Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_invoice_submit.php”, using the “customerName_0” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | ||||
| CVE-2025-41088 | 2025-10-10 | N/A | ||
| Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add a text element in the 'Global Elements' section, and finally modify the 'Text' field in the section with the malicious payload. | ||||
| CVE-2025-41089 | 2025-10-10 | N/A | ||
| Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add an element that has the 'Configuration Name' field, such as the 'Clock' widget. Next, modify the 'Configuration Name' field in the left-hand section. | ||||
| CVE-2025-62239 | 2025-10-10 | N/A | ||
| Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via the crafted input in a workflow definition. | ||||
| CVE-2025-62238 | 2025-10-10 | N/A | ||
| Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into a Account's “Name“ text field. | ||||
| CVE-2025-62237 | 2025-10-10 | N/A | ||
| Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field. | ||||
| CVE-2025-40626 | 1 Abantecart | 1 Abantecart | 2025-10-10 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/about_us?[XSS_PAYLOAD]". | ||||
| CVE-2025-40627 | 1 Abantecart | 1 Abantecart | 2025-10-10 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/eyes? [XSS_PAYLOAD]". | ||||
| CVE-2025-7781 | 2025-10-10 | 6.4 Medium | ||
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Stored Cross-Site Scripting via the ‘cs_job_title’ parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-61183 | 2 Vaahcms, Webreinvent | 2 Vaahcms, Vaahcms | 2025-10-10 | 6.1 Medium |
| Cross Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar() method of UserBase.php | ||||
| CVE-2025-60304 | 1 Code-projects | 1 Simple Scheduling System | 2025-10-10 | 6.1 Medium |
| code-projects Simple Scheduling System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Subject Description field. | ||||
| CVE-2025-9371 | 2 Muffingroup, Wordpress | 2 Betheme, Wordpress | 2025-10-10 | 6.4 Medium |
| The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_title’ parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-61532 | 1 Meeco | 1 Svx Portal | 2025-10-10 | 6.1 Medium |
| Cross Site Scripting vulnerability in SVX Portal v.2.7A to execute arbitrary code via the TG parameter on last_heard_page.php component | ||||
| CVE-2025-60302 | 1 Code-projects | 1 Client Details System | 2025-10-10 | 6.1 Medium |
| code-projects Client Details System 1.0 is vulnerable to Cross Site Scripting (XSS). When adding customer information, the client details system fills in malicious JavaScript code in the username field. | ||||
| CVE-2025-59994 | 1 Juniper | 2 Junos, Junos Space | 2025-10-10 | 6.1 Medium |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Quick Template page that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R4. | ||||