Total: 45240 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2022-42225 | 1 Fit2cloud | 1 Lina | 2025-01-17 | 5.4 Medium | Jumpserver 2.10.0 <= version <= 2.26.0 contains multiple stored XSS vulnerabilities because of improper filtering of user input, which can execute arbitrary JavaScript under the admin's permissions. |
| CVE-2024-3428 | 1 Argie | 1 Online Courseware | 2025-01-17 | 3.5 Low | A vulnerability has been found in SourceCodester Online Courseware 1.0 and classified as problematic. This vulnerability affects unknown code of the file edit.php. The manipulation of the argument id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259600. |
| CVE-2022-46733 | 1 Sewio | 1 Real-time Location System Studio | 2025-01-16 | 6.3 Medium | Sewio's Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site scripting in its backup services. An attacker could take advantage of this vulnerability to execute arbitrary commands. |
| CVE-2023-23553 | 1 Controlbyweb | 2 X-400, X-400 Firmware | 2025-01-16 | 4.5 Medium | Control By Web X-400 devices are vulnerable to a cross-site scripting attack, which could result in private and session information being transferred to the attacker. |
| CVE-2023-28648 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2025-01-16 | 7.5 High | Osprey Pump Controller version 1.01 inputs passed to a GET parameter are not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in the context of an affected site. |
| CVE-2023-2587 | 1 Teltonika | 1 Remote Management System | 2025-01-16 | 7.5 High | Teltonika's Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an HTML object to trigger the vulnerability. This could allow the attacker to execute scripts in the account context and obtain remote code execution on managed devices. |
| CVE-2023-4523 | 1 Rtautomation | 6 460 Series Firmware, 460etcmm, 460mcbms and 3 more | 2025-01-16 | 9.4 Critical | Real Time Automation 460 Series products with versions prior to v8.9.8 are vulnerable to cross-site scripting, which could allow an attacker to run any JavaScript reference from the URL string. If this were to occur, the gateway's HTTP interface would redirect to the main page, which is index.htm. |
| CVE-2024-56377 | 1 Vanderbilt | 1 Redcap | 2025-01-16 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts. |
| CVE-2024-56376 | 1 Vanderbilt | 1 Redcap | 2025-01-16 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user clicks on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. |
| CVE-2024-28190 | 1 Contao | 1 Contao | 2025-01-16 | 5.4 Medium | Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from front end forms and disable uploads for untrusted back end users. |
| CVE-2023-30615 | 1 Dfir-iris | 1 Iris | 2025-01-16 | 6.3 Medium | Iris is a web collaborative platform aiming to help incident responders share technical details during investigations. A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations. The vulnerability allows an attacker to inject malicious scripts into the application, which are then executed when a user visits the affected locations. This can lead to unauthorized access, data theft, or other malicious activities. An attacker needs to be authenticated on the application to exploit this vulnerability. The issue was patched in version 2.2.1 of iris-web. |
| CVE-2024-22936 | 2 Genesisedu, Manuelaldape | 2 Parent Student Portal, Parents & Student Portal | 2025-01-16 | 6.1 Medium | Cross-site scripting (XSS) vulnerability in Parents & Student Portal in Genesis School Management Systems in Genesis AIMS Student Information Systems v.3053 allows remote attackers to inject arbitrary web script or HTML via the message parameter. |
| CVE-2024-25831 | 1 F-logic | 1 Datacube3 | 2025-01-16 | 5.4 Medium | F-logic DataCube3 Version 1.0 is affected by a reflected cross-site scripting (XSS) vulnerability due to improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. |
| CVE-2024-1977 | 1 Josephlopreste | 1 Restaurant Solutions - Checklist | 2025-01-16 | 4.4 Medium | The Restaurant Solutions – Checklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Checklist points in version 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. |
| CVE-2024-34081 | 1 Mantisbt | 1 Mantisbt | 2025-01-16 | 6.6 Medium | MantisBT (Mantis Bug Tracker) is an open source issue tracker. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when resolving or closing issues (`bug_change_status_page.php`) belonging to a project linking said custom field, viewing issues (`view_all_bug_page.php`) when the custom field is displayed as a column, or printing issues (`print_all_bug_page.php`) when the custom field is displayed as a column. Version 2.26.2 contains a patch for the issue. As a workaround, ensure Custom Field Names do not contain HTML tags. |
| CVE-2023-33829 | 1 Cloudogu | 1 Scm Manager | 2025-01-16 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability in Cloudogu GmbH SCM Manager v1.2 to v1.60 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field. |
| CVE-2023-25439 | 1 Squarepiginteractive | 1 Fusioninvoice | 2025-01-16 | 6.1 Medium | Stored Cross Site Scripting (XSS) vulnerability in Square Pig FusionInvoice 2023-1.0 allows attackers to execute arbitrary code via the description or content fields of the expenses, tasks, and customer details. |
| CVE-2022-2040 | 1 Brizy | 1 Brizy | 2025-01-16 | 5.4 Medium | The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URLs, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| CVE-2022-2041 | 1 Brizy | 1 Brizy | 2025-01-16 | 5.4 Medium | The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| CVE-2024-3650 | 1 Wpmet | 1 Elements Kit Elementor Addons | 2025-01-16 | 6.4 Medium | The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Accordion widget in all versions 3.0.7 through 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |