Total: 36846 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-2103 | 1 Easyappointments | 1 Easyappointments | 2025-02-06 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVE-2023-2102 | 1 Easyappointments | 1 Easyappointments | 2025-02-06 | N/A | 4.8 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVE-2023-29774 | 1 Iteachyou | 1 Dreamer Cms | 2025-02-06 | N/A | 5.4 MEDIUM | Dreamer CMS 3.0.1 is vulnerable to stored Cross Site Scripting (XSS).
CVE-2023-27092 | 1 Jbootfly Project | 1 Jbootfly | 2025-02-06 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability found in Jbootfly allows attackers to obtain sensitive information via the username parameter.
CVE-2023-1473 | 1 Metaslider | 1 Slider, Gallery, And Carousel | 2025-02-06 | N/A | 6.1 MEDIUM | The Slider, Gallery, and Carousel by MetaSlider WordPress plugin 3.29.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
CVE-2023-1282 | 1 Codedropz | 1 Drag And Drop Multiple File Upload - Contact Form 7 | 2025-02-06 | N/A | 6.1 MEDIUM | The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
CVE-2022-48178 | 1 X2crm | 1 X2crm | 2025-02-06 | N/A | 5.4 MEDIUM | X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI.
CVE-2022-48177 | 1 X2crm | 1 X2crm | 2025-02-06 | N/A | 5.4 MEDIUM | X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the adin/importModels Import Records Model field (model parameter). This vulnerability allows attackers to create malicious JavaScript that will be executed by the victim user's browser.
CVE-2022-43696 | 1 Open-xchange | 1 Ox App Suite | 2025-02-06 | N/A | 6.1 MEDIUM | OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.
CVE-2023-47869 | 1 Gvectors | 1 Wpforo Forum | 2025-02-06 | N/A | 4.3 MEDIUM | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Code Injection. This issue affects wpForo Forum: from n/a through 2.2.5.
CVE-2024-12581 | 1 Kadencewp | 1 Gutenberg Blocks With Ai | 2025-02-06 | N/A | 4.4 MEDIUM | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2024-13722 | | | 2025-02-06 | N/A | 5.4 MEDIUM | The "NagVis" component within Checkmk is vulnerable to reflected cross-site scripting. An attacker can craft a malicious link that will execute arbitrary JavaScript in the context of the browser once clicked. The attack can be performed on both authenticated and unauthenticated users.
CVE-2025-1076 | | | 2025-02-06 | N/A | 4.8 MEDIUM | A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable 'name' and 'icon' parameters of the Activities functionality.
CVE-2024-10646 | 1 Fluentforms | 1 Contact Form | 2025-02-06 | N/A | 7.2 HIGH | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form's subject parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-46153 | 1 Monsterinsights | 1 Userfeedback | 2025-02-06 | N/A | 7.1 HIGH | Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in UserFeedback Team User Feedback plugin versions <= 1.0.9.
CVE-2024-1559 | 1 Ylefebvre | 1 Link Library | 2025-02-05 | N/A | 6.5 MEDIUM | The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'll_reciprocal' parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-26140 | 1 Yetanalytics | 2 Lrs, Sql Lrs | 2025-02-05 | N/A | 4.6 MEDIUM | com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.
CVE-2024-26148 | 1 Pinterest | 1 Querybook | 2025-02-05 | N/A | 6.1 MEDIUM | Querybook is a user interface for querying big data. Prior to version 3.31.1, there is a vulnerability in Querybook's rich text editor that enables users to input arbitrary URLs without undergoing necessary validation. This particular security flaw allows the use of the `javascript:` protocol, which can potentially trigger arbitrary client-side execution. The most extreme exploit of this flaw could occur when an admin user unknowingly clicks on a cross-site scripting URL, thereby unintentionally compromising admin role access to the attacker. A patch to rectify this issue has been introduced in Querybook version `3.31.1`. The fix is backward compatible and automatically fixes existing DataDocs. There are no known workarounds for this issue, except for manually checking each URL prior to clicking on it.
CVE-2024-26151 | 1 Felixschwarz | 1 Mjml-python | 2025-02-05 | N/A | 8.2 HIGH | The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates are affected unless that data is checked in a very strict manner. User input like `<script>` would be rendered as `<script>` in the final HTML output. The attacker must be able to control some data which is later injected in an mjml template which is then sent out as email to other users. The attacker could control contents of email messages sent through the platform. The problem has been fixed in version 0.11.0 of this library. Versions before 0.10.0 are not affected by this security issue. As a workaround, ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML.
CVE-2024-1810 | 1 Ericteubert | 1 Archivist | 2025-02-05 | N/A | 6.1 MEDIUM | The Archivist – Custom Archive Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_attributes' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.