Vulnerabilities (CVE)

Filtered by CWE-79
Total 36846 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-2103 1 Easyappointments 1 Easyappointments 2025-02-06 N/A 5.4 MEDIUM
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVE-2023-2102 1 Easyappointments 1 Easyappointments 2025-02-06 N/A 4.8 MEDIUM
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVE-2023-29774 1 Iteachyou 1 Dreamer Cms 2025-02-06 N/A 5.4 MEDIUM
Dreamer CMS 3.0.1 is vulnerable to stored Cross Site Scripting (XSS).
CVE-2023-27092 1 Jbootfly Project 1 Jbootfly 2025-02-06 N/A 6.1 MEDIUM
Cross Site Scripting vulnerability found in Jbootfly allows attackers to obtain sensitive information via the username parameter.
CVE-2023-1473 1 Metaslider 1 Slider\, Gallery\, And Carousel 2025-02-06 N/A 6.1 MEDIUM
The Slider, Gallery, and Carousel by MetaSlider WordPress plugin 3.29.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVE-2023-1282 1 Codedropz 1 Drag And Drop Multiple File Upload - Contact Form 7 2025-02-06 N/A 6.1 MEDIUM
The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
CVE-2022-48178 1 X2crm 1 X2crm 2025-02-06 N/A 5.4 MEDIUM
X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI.
CVE-2022-48177 1 X2crm 1 X2crm 2025-02-06 N/A 5.4 MEDIUM
X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the adin/importModels Import Records Model field (model parameter). This vulnerability allows attackers to create malicious JavaScript that will be executed by the victim user's browser.
CVE-2022-43696 1 Open-xchange 1 Ox App Suite 2025-02-06 N/A 6.1 MEDIUM
OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.
CVE-2023-47869 1 Gvectors 1 Wpforo Forum 2025-02-06 N/A 4.3 MEDIUM
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Code Injection.This issue affects wpForo Forum: from n/a through 2.2.5.
CVE-2024-12581 1 Kadencewp 1 Gutenberg Blocks With Ai 2025-02-06 N/A 4.4 MEDIUM
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2024-13722 2025-02-06 N/A 5.4 MEDIUM
The "NagVis" component within Checkmk is vulnerable to reflected cross-site scripting. An attacker can craft a malicious link that will execute arbitrary JavaScript in the context of the browser once clicked. The attack can be performed on both authenticated and unauthenticated users.
CVE-2025-1076 2025-02-06 N/A 4.8 MEDIUM
A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable ‘name’ and ‘icon’ parameters of the Activities functionality.
CVE-2024-10646 1 Fluentforms 1 Contact Form 2025-02-06 N/A 7.2 HIGH
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form's subject parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-46153 1 Monsterinsights 1 Userfeedback 2025-02-06 N/A 7.1 HIGH
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in UserFeedback Team User Feedback plugin <= 1.0.9 versions.
CVE-2024-1559 1 Ylefebvre 1 Link Library 2025-02-05 N/A 6.5 MEDIUM
The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'll_reciprocal' parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-26140 1 Yetanalytics 2 Lrs, Sql Lrs 2025-02-05 N/A 4.6 MEDIUM
com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.
CVE-2024-26148 1 Pinterest 1 Querybook 2025-02-05 N/A 6.1 MEDIUM
Querybook is a user interface for querying big data. Prior to version 3.31.1, there is a vulnerability in Querybook's rich text editor that enables users to input arbitrary URLs without undergoing necessary validation. This particular security flaw allows the use of `javascript:` protocol which can potentially trigger arbitrary client-side execution. The most extreme exploit of this flaw could occur when an admin user unknowingly clicks on a cross-site scripting URL, thereby unintentionally compromising admin role access to the attacker. A patch to rectify this issue has been introduced in Querybook version `3.31.1`. The fix is backward compatible and automatically fixes existing DataDocs. There are no known workarounds for this issue, except for manually checking each URL prior to clicking on them.
CVE-2024-26151 1 Felixschwarz 1 Mjml-python 2025-02-05 N/A 8.2 HIGH
The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input like `&lt;script&gt;` would be rendered as `<script>` in the final HTML output. The attacker must be able to control some data which is later injected in an mjml template which is then send out as email to other users. The attacker could control contents of email messages sent through the platform. The problem has been fixed in version 0.11.0 of this library. Versions before 0.10.0 are not affected by this security issue. As a workaround, ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML.
CVE-2024-1810 1 Ericteubert 1 Archivist 2025-02-05 N/A 6.1 MEDIUM
The Archivist – Custom Archive Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode_attributes' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.