Total
37583 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-26659 | 2025-03-11 | N/A | 6.1 MEDIUM | ||
| SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the malicious JavaScript payload executes in the scope of victim�s browser potentially compromising their data and/or manipulating browser content. This leads to a limited impact on confidentiality and integrity. There is no impact on availability | |||||
| CVE-2025-25245 | 2025-03-11 | N/A | 5.4 MEDIUM | ||
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious url in the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability. | |||||
| CVE-2025-25242 | 2025-03-11 | N/A | 6.1 MEDIUM | ||
| SAP NetWeaver Application Server ABAP allows malicious scripts to be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity. | |||||
| CVE-2025-0062 | 2025-03-11 | N/A | 4.7 MEDIUM | ||
| SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. This code is then executed in the victim's browser each time the vulnerable page is visited by the victim. On successful exploitation, an attacker could cause limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability. This vulnerability occurs only when script/html execution is enabled by the administrator in Central Management Console. | |||||
| CVE-2025-27924 | 2025-03-10 | N/A | 5.4 MEDIUM | ||
| Nintex Automation 5.6 and 5.7 before 5.8 has a stored XSS issue associated with the "Navigate to a URL" action. | |||||
| CVE-2025-1015 | 1 Mozilla | 1 Thunderbird | 2025-03-10 | N/A | 5.4 MEDIUM |
| The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135. | |||||
| CVE-2023-0535 | 1 Donation Block For Paypal Project | 1 Donation Block For Paypal | 2025-03-10 | N/A | 5.4 MEDIUM |
| The Donation Block For PayPal WordPress plugin before 2.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-0043 | 1 Add User Project | 1 Add User | 2025-03-10 | N/A | 6.1 MEDIUM |
| The Custom Add User WordPress plugin through 2.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2022-4829 | 1 Show-hide \/ Collapse-expand Project | 1 Show-hide \/ Collapse-expand | 2025-03-10 | N/A | 5.4 MEDIUM |
| The Show-Hide / Collapse-Expand WordPress plugin before 1.3.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | |||||
| CVE-2022-4757 | 1 List Pages Shortcode Project | 1 List Pages Shortcode | 2025-03-10 | N/A | 5.4 MEDIUM |
| The List Pages Shortcode WordPress plugin before 1.7.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | |||||
| CVE-2024-52812 | 2025-03-10 | N/A | 5.4 MEDIUM | ||
| LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. Prior to version 2.0.8, auser with rights to modify the service (e.g. kuiperUser role) can inject a cross-site scripting payload into the rule `id` parameter. Then, after any user with access to this service (e.g. admin) tries make any modifications with the rule (update, run, stop, delete), a payload acts in the victim's browser. Version 2.0.8 fixes the issue. | |||||
| CVE-2023-0548 | 1 Kibokolabs | 1 Namaste\! Lms | 2025-03-10 | N/A | 4.8 MEDIUM |
| The Namaste! LMS WordPress plugin before 2.5.9.4 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-0334 | 1 Shortpixel | 1 Shortpixel Adaptive Images | 2025-03-10 | N/A | 6.1 MEDIUM |
| The ShortPixel Adaptive Images WordPress plugin before 3.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against any high privilege users such as admin | |||||
| CVE-2023-0230 | 1 Vektor-inc | 1 Vk All In One Expansion Unit | 2025-03-10 | N/A | 5.4 MEDIUM |
| The VK All in One Expansion Unit WordPress plugin before 9.86.0.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2022-4795 | 1 Galleries By Angie Makes Project | 1 Galleries By Angie Makes | 2025-03-10 | N/A | 5.4 MEDIUM |
| The Galleries by Angie Makes WordPress plugin through 1.67 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2024-29925 | 1 Wpwax | 1 Post Grid\, Slider \& Carousel Ultimate | 2025-03-10 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate allows Stored XSS.This issue affects Post Grid, Slider & Carousel Ultimate: from n/a through 1.6.6. | |||||
| CVE-2024-29921 | 1 Supsystic | 1 Photo Gallery | 2025-03-10 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Supsystic Photo Gallery by Supsystic allows Stored XSS.This issue affects Photo Gallery by Supsystic: from n/a through 1.15.16. | |||||
| CVE-2024-29759 | 1 Codepeople | 1 Calculated Fields Form | 2025-03-10 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Calculated Fields Form allows Reflected XSS.This issue affects Calculated Fields Form: from n/a through 1.2.54. | |||||
| CVE-2025-2124 | 2025-03-09 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability, which was classified as problematic, was found in Control iD RH iD 25.2.25.0. This affects an unknown part of the file /v2/customerdb/person.svc/change_password of the component API Handler. The manipulation of the argument message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-12460 | 2025-03-08 | N/A | 6.4 MEDIUM | ||
| The Years Since – Timeless Texts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'years-since' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||