Total
39705 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34080 | 1 Contec | 1 Conprosys Hmi System | 2025-11-04 | N/A | 6.1 MEDIUM |
| The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7. | |||||
| CVE-2014-5411 | 2 Aveva, Schneider-electric | 2 Clearscada, Scada Expert Clearscada | 2025-11-04 | 4.9 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2025-53658 | 1 Jenkins | 1 Applitools Eyes | 2025-11-04 | N/A | 5.4 MEDIUM |
| Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2025-24854 | 1 Apache | 1 Jspwiki | 2025-11-04 | N/A | 6.1 MEDIUM |
| A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.3 or later. | |||||
| CVE-2025-24853 | 1 Apache | 1 Jspwiki | 2025-11-04 | N/A | 7.5 HIGH |
| A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later. | |||||
| CVE-2024-44088 | 1 Apache | 1 Geode | 2025-11-04 | N/A | 6.1 MEDIUM |
| Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which could lead to theft of the user's session information and even account takeover. This issue affects Apache Geode: all versions prior to 1.15.2 Users are recommended to upgrade to version 1.15.2, which fixes the issue. | |||||
| CVE-2024-41177 | 1 Apache | 1 Zeppelin | 2025-11-04 | N/A | 6.1 MEDIUM |
| Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin. This issue affects Apache Zeppelin: before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue. | |||||
| CVE-2025-1585 | 1 Tale Project | 1 Tale | 2025-11-04 | 3.3 LOW | 2.4 LOW |
| A vulnerability, which was classified as problematic, has been found in otale tale up to 2.0.5. This issue affects the function OptionsService of the file src/main/resources/templates/themes/default/partial/header.html. The manipulation of the argument logo_url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-36248 | 1 Ibm | 1 Copy Services Manager | 2025-11-04 | N/A | 6.1 MEDIUM |
| IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2023-34354 | 1 Peplink | 2 Surf Soho, Surf Soho Firmware | 2025-11-04 | N/A | 3.4 LOW |
| A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user's browser. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2022-47197 | 1 Ghost | 1 Ghost | 2025-11-04 | N/A | 5.4 MEDIUM |
| An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post. | |||||
| CVE-2022-47196 | 1 Ghost | 1 Ghost | 2025-11-04 | N/A | 5.4 MEDIUM |
| An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_head` for a post. | |||||
| CVE-2022-47195 | 1 Ghost | 1 Ghost | 2025-11-04 | N/A | 5.4 MEDIUM |
| An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `facebook` field for a user. | |||||
| CVE-2022-47194 | 1 Ghost | 1 Ghost | 2025-11-04 | N/A | 5.4 MEDIUM |
| An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `twitter` field for a user. | |||||
| CVE-2022-41313 | 1 Moxa | 4 Sds-3008, Sds-3008-t, Sds-3008-t Firmware and 1 more | 2025-11-04 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can send an HTTP request to trigger this vulnerability.Form field id="switch_contact" | |||||
| CVE-2022-41312 | 1 Moxa | 4 Sds-3008, Sds-3008-t, Sds-3008-t Firmware and 1 more | 2025-11-04 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can send an HTTP request to trigger this vulnerability.Form field id="Switch Description", name "switch_description" | |||||
| CVE-2022-41311 | 1 Moxa | 4 Sds-3008, Sds-3008-t, Sds-3008-t Firmware and 1 more | 2025-11-04 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can send an HTTP request to trigger this vulnerability.Form field id="webLocationMessage_text" name="webLocationMessage_text" | |||||
| CVE-2025-1105 | 1 Siberiancms | 1 Siberiancms | 2025-11-04 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in SiberianCMS 4.20.6. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /app/sae/design/desktop/flat of the component HTTP GET Request Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2491 | 1 Ujcms | 1 Ujcms | 2025-11-04 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic has been found in Dromara ujcms 9.7.5. This affects the function update of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileTemplateController.java of the component Edit Template File Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2975 | 1 Gfi | 1 Kerio Connect | 2025-11-04 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in GFI KerioConnect 10.0.6 and classified as problematic. This issue affects some unknown processing of the file Settings/Email/Signature/EditHtmlSource of the component Signature Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||