Filtered by CWE-79
Total 45281 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-27680 1 Flusity 1 Flusity 2025-03-26 6.1 Medium
Flusity-CMS v2.33 is vulnerable to Cross Site Scripting (XSS) in the "Contact form."
CVE-2024-26279 1 Joomla 1 Joomla\! 2025-03-26 6.1 Medium
The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
CVE-2024-21729 1 Joomla 1 Joomla\! 2025-03-26 6.1 Medium
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
CVE-2023-0174 1 Rextheme 1 Wp Vr 2025-03-25 5.4 Medium
The WP VR WordPress plugin before 8.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2022-4838 1 Codection 1 Clean Login 2025-03-25 5.4 Medium
The Clean Login WordPress plugin before 1.13.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVE-2023-23849 1 Synopsys 1 Coverity 2025-03-25 8.1 High
Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability. Any web service hosted on the same sub domain can set a cookie for the whole subdomain which can be used to bypass other mitigations in place for malicious purposes. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C
CVE-2025-29782 1 Wegia 1 Wegia 2025-03-25 5.4 Medium
WeGIA is Web manager for charitable institutions A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_tipo_docs_atendido.php` endpoint in versions of the WeGIA application prior to 3.2.17. This vulnerability allows attackers to inject malicious scripts into the `tipo` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. Version 3.2.17 contains a patch for the issue.
CVE-2023-0599 1 Rapid7 1 Metasploit 2025-03-25 6.1 Medium
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization.  Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.
CVE-2024-26318 1 Serenity 1 Serenity 2025-03-25 6.1 Medium
Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.
CVE-2023-22849 1 Apache 1 Sling Cms 2025-03-25 6.1 Medium
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling App CMS >= 1.1.6
CVE-2017-20176 1 Share On Diaspora Project 1 Share On Diaspora 2025-03-25 3.5 Low
A vulnerability classified as problematic was found in ciubotaru share-on-diaspora 0.7.9. This vulnerability affects unknown code of the file new_window.php. The manipulation of the argument title/url leads to cross site scripting. The attack can be initiated remotely. The name of the patch is fb6fae2f8a9b146471450b5b0281046a17d1ac8d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-220204.
CVE-2024-3992 1 Joshua Vandercar 1 Amen 2025-03-25 4.8 Medium
The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-4860 1 Rebelcode 1 Rss Aggregator 2025-03-25 5.4 Medium
The 'WordPress RSS Aggregator' WordPress Plugin, versions < 4.23.9 are affected by a Cross-Site Scripting (XSS) vulnerability due to the lack of sanitization of the  'notice_id'  GET parameter.
CVE-2022-21948 1 Opensuse 1 Paste 2025-03-25 4.3 Medium
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in paste allows remote attackers to place Javascript into SVG files. This issue affects: openSUSE paste paste version b57b9f87e303a3db9465776e657378e96845493b and prior versions.
CVE-2024-7790 1 Stitionai 1 Devika 2025-03-25 6.5 Medium
A stored cross site scripting vulnerabilities exists in DevikaAI from commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2 onwards via improperly decoded user input.
CVE-2024-7524 2 Mozilla, Redhat 8 Firefox, Firefox Esr, Enterprise Linux and 5 more 2025-03-25 6.1 Medium
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
CVE-2024-48706 1 O-dyn 1 Collabtive 2025-03-25 5.4 Medium
Collabtive 3.1 is vulnerable to Cross-site scripting (XSS) via the title parameter with action=add or action=editform within the (a) managemessage.php file and (b) managetask.php file respectively.
CVE-2024-47048 1 Rocket.chat 1 Rocket.chat 2025-03-25 5.4 Medium
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps.
CVE-2024-46934 1 Rocket.chat 1 Rocket.chat 2025-03-25 6.1 Medium
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload.
CVE-2024-46372 1 Dedecms 1 Dedecms 2025-03-25 6.1 Medium
DedeCMS 5.7.115 is vulnerable to Cross Site Scripting (XSS) via the advertisement code box in the advertisement management module.