Total: 36867 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-26123 | Raylib | Raylib | 2025-02-06 | N/A | 6.1 MEDIUM | Versions of the package raysan5/raylib before 4.5.0 are vulnerable to Cross-site Scripting (XSS): the SetClipboardText API does not properly escape the ' character, allowing attacker-controlled input to break out of the string and execute arbitrary JavaScript via the emscripten_run_script function. **Note:** This vulnerability is present only when compiling raylib for PLATFORM_WEB; all other Desktop/Mobile/Embedded platforms are not affected.
CVE-2022-43697 | Open-xchange | Ox App Suite | 2025-02-06 | N/A | 6.1 MEDIUM | OX App Suite before 7.10.6-rev30 allows XSS via an activity tracking adapter defined by jslob.
CVE-2022-40490 | | | 2025-02-06 | N/A | 4.8 MEDIUM | Tiny File Manager v2.4.7 and below contains a Cross Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
CVE-2018-17536 | Gitlab | Gitlab | 2025-02-06 | N/A | 5.4 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the merge request page via project import.
CVE-2018-17454 | Gitlab | Gitlab | 2025-02-06 | N/A | 5.4 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the issue details screen.
CVE-2023-47626 | Combodo | Itop | 2025-02-06 | N/A | 8.8 HIGH | iTop is an IT service management platform. When displaying/editing the user's personal tokens, XSS attacks are possible. This vulnerability is fixed in 3.1.1.
CVE-2023-47622 | Combodo | Itop | 2025-02-06 | N/A | 8.8 HIGH | iTop is an IT service management platform. When dashlets are refreshed, XSS attacks are possible. This vulnerability is fixed in 3.0.4 and 3.1.1.
CVE-2023-47123 | Combodo | Itop | 2025-02-06 | N/A | 8.7 HIGH | iTop is an IT service management platform. By filling malicious code into an object friendlyname / complementary name, an XSS attack can be performed when this object is displayed as an n:n relation item in another object. This vulnerability is fixed in 3.1.1 and 3.2.0.
CVE-2023-44396 | Combodo | Itop | 2025-02-06 | N/A | 6.8 MEDIUM | iTop is an IT service management platform. Dashlet edit ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.
CVE-2023-43790 | Combodo | Itop | 2025-02-06 | N/A | 5.7 MEDIUM | iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content into the fields used for the object friendlyname value. This vulnerability is fixed in 3.1.1 and 3.2.0.
CVE-2024-52892 | | | 2025-02-06 | N/A | 6.1 MEDIUM | IBM Jazz for Service Management 1.1.3 through 1.1.3.23 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVE-2022-28353 | External Redirect Warning Project | External Redirect Warning | 2025-02-06 | N/A | 6.1 MEDIUM | In the External Redirect Warning Plugin 1.3 for MyBB, the redirect URL (aka external.php?url=) is vulnerable to XSS.
CVE-2024-39272 | | | 2025-02-06 | N/A | 9.0 CRITICAL | A cross-site scripting (XSS) vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to injection of arbitrary HTML. An attacker can send a series of HTTP requests to trigger this vulnerability.
CVE-2023-6486 | Brainstormforce | Spectra | 2025-02-06 | N/A | 6.4 MEDIUM | The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS metabox in all versions up to and including 2.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-0598 | Kadencewp | Gutenberg Blocks With Ai | 2025-02-06 | N/A | 4.4 MEDIUM | The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form message settings in all versions up to and including 3.2.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2023-6961 | Joomunited | Wp Meta Seo | 2025-02-06 | N/A | 7.2 HIGH | The WP Meta SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Referer’ header in all versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2772 | Fluentforms | Contact Form | 2025-02-06 | N/A | 6.4 MEDIUM | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 5.1.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Fluent Forms settings, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This can be chained with CVE-2024-2771 for a low-privileged user to inject malicious web scripts.
CVE-2024-4709 | Fluentforms | Contact Form | 2025-02-06 | N/A | 7.2 HIGH | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ parameter in versions up to, and including, 5.1.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, and access granted by an administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9528 | Fluentforms | Contact Form | 2025-02-06 | N/A | 4.9 MEDIUM | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to edit forms (administrator by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-24981 | | | 2025-02-06 | N/A | 9.3 CRITICAL | MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions, unsafe parsing of the URL from markdown can lead to arbitrary JavaScript execution due to a bypass of the existing guards around the `javascript:` protocol scheme in the URL. The parsing logic implemented in `props.ts` maintains a deny-list approach to filtering potentially malicious payloads: it matches protocol schemes like `javascript:` and others. These guards can be bypassed by an adversary who provides JavaScript URLs with HTML entities encoded as hex strings. Users who consume this library and parse markdown from unvalidated sources may render anchor links vulnerable to XSS. This vulnerability has been addressed in version 0.13.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
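
The breakout described for CVE-2023-26123, as an added example that is not raylib's own code. On PLATFORM_WEB the pattern is a JavaScript snippet assembled by string formatting and handed to a script-evaluating sink (emscripten_run_script in raylib); the example models that pattern in JavaScript so it can be run under Node. The `fakeNavigator` clipboard stub, the `runScript` stand-in, the helper names and the payload are all constructed for the demonstration; only the escaping rule is general.

```javascript
// Added example, not raylib's code. It models the pattern CVE-2023-26123
// describes for PLATFORM_WEB: untrusted text is formatted into a JavaScript
// snippet which is then evaluated (emscripten_run_script in raylib). The
// clipboard stub, the runScript stand-in and the payload are constructed here.

// Constructed stand-in for the browser clipboard: records what was "written".
const clipboardLog = { lastWrite: null };
const fakeNavigator = {
  clipboard: { writeText: (s) => { clipboardLog.lastWrite = s; } },
};

// Stand-in for emscripten_run_script: evaluates snippet text as JavaScript.
// `navigator` is bound as a parameter so the snippets run under Node as well.
function runScript(snippet) {
  return new Function("navigator", snippet)(fakeNavigator);
}

// VULNERABLE: the equivalent of formatting the text into
// "navigator.clipboard.writeText('%s')". A ' in `text` closes the literal and
// everything after it is parsed as code.
function setClipboardTextUnsafe(text) {
  runScript(`navigator.clipboard.writeText('${text}')`);
}

// Escape `text` so that it is always exactly one single-quoted JS literal,
// whatever characters it contains.
function toJsStringLiteral(text) {
  const escaped = String(text).replace(/[\\'"\n\r\u2028\u2029<]/g, (c) => {
    switch (c) {
      case "\\": return "\\\\";
      case "'": return "\\'";
      case '"': return '\\"';
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "\u2028": return "\\u2028"; // line terminators in JS source
      case "\u2029": return "\\u2029";
      default: return "\\x3c";        // '<' so "</script>" cannot appear verbatim
    }
  });
  return `'${escaped}'`;
}

// FIXED: the argument is a single literal; no text can leave the string.
function setClipboardTextSafe(text) {
  runScript(`navigator.clipboard.writeText(${toJsStringLiteral(text)})`);
}

// Constructed attacker-controlled clipboard text: closes the literal, runs a
// statement, then comments out the trailing ') so the snippet still parses.
const PAYLOAD = "'); globalThis.pwned = true; //";

// Run both variants against PAYLOAD and report what each one did.
function demo() {
  const run = (fn) => {
    globalThis.pwned = false;
    clipboardLog.lastWrite = null;
    fn(PAYLOAD);
    return { pwned: globalThis.pwned, wrote: clipboardLog.lastWrite };
  };
  return { unsafe: run(setClipboardTextUnsafe), safe: run(setClipboardTextSafe) };
}
```

With the unsafe variant the snippet becomes `navigator.clipboard.writeText(''); globalThis.pwned = true; //')`: the clipboard receives an empty string and the injected statement runs. With the escaped literal the clipboard receives the payload text byte-for-byte and nothing else executes. The more robust fix for a native-to-JS boundary is to pass the text to the JavaScript side as an argument instead of splicing it into source text at all; escaping as above is the minimum when source text must be built.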
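
An added example, not MDC's code, of the deny-list bypass described for CVE-2025-24981 and of an allow-list check that survives it. MDC's actual `props.ts` logic is not reproduced; `denyListAllows` is a generic stand-in for a scheme deny-list, and the payloads, the helper names and the `example.invalid` base URL are constructed for the demonstration. The example also shows, for contrast, why running the URL parser without first decoding character references is not sufficient either.

```javascript
// Added example, not MDC's code. Demonstrates the class of bypass CVE-2025-24981
// describes (a scheme deny-list applied to raw markdown URL text, defeated by
// HTML character references) and an allow-list check that survives it. The
// guard below is a generic stand-in for the deny-list, not MDC's props.ts
// logic; payloads and the example.invalid base URL are constructed here.

// Deny-list guard: compare the dangerous scheme as literal text.
// Returns true when the href is accepted.
const DENIED_SCHEMES = ["javascript:", "vbscript:", "data:"];
function denyListAllows(href) {
  const lowered = href.trim().toLowerCase();
  return !DENIED_SCHEMES.some((scheme) => lowered.startsWith(scheme));
}

// Minimal HTML character-reference decoder: numeric (&#106; / &#x6A;) plus the
// named references that matter for URLs. An HTML parser applies this to
// attribute values, so an href of "&#x6A;avascript:" reaches the browser as
// "javascript:" even though the deny-list above never saw that string.
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", colon: ":", Tab: "\t", NewLine: "\n" };
function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, _g, hex, dec, name) => {
    if (hex || dec) {
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
    }
    return Object.hasOwn(NAMED_REFS, name) ? NAMED_REFS[name] : m;
  });
}

// Allow-list guard: decode as the browser will, drop the tab/newline
// characters the URL parser ignores, then let the URL parser name the scheme
// and accept only known-safe ones. Returns the decoded href or null.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
function safeHref(rawHref, base = "https://example.invalid/") {
  const decoded = decodeEntities(rawHref).replace(/[\t\n\r]/g, "").trim();
  let url;
  try {
    url = new URL(decoded, base); // relative hrefs resolve against base
  } catch {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? decoded : null;
}

// Caveat shown for contrast: parsing WITHOUT decoding is not enough either.
// "&#x6A;avascript:..." has no valid scheme characters before the first ':'
// ('&' and '#' are not allowed in a scheme), so the parser treats it as a
// relative path under `base` and reports https: as the protocol.
function parserOnlyAllows(rawHref, base = "https://example.invalid/") {
  try {
    return ALLOWED_PROTOCOLS.has(new URL(rawHref, base).protocol);
  } catch {
    return false;
  }
}
```

`denyListAllows("&#x6A;avascript:alert(1)")` returns true because the text never begins with the literal `javascript:`; once the rendered `href` attribute is parsed by the browser it does. `safeHref` rejects it, along with `java&Tab;script:` and mixed-case variants, because it decodes first and then asks the URL parser for the scheme instead of pattern-matching the raw text.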