Search Results (46111 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5930 | 1 Simple Student Information System Project | 1 Simple Student Information System | 2025-02-27 | 3.5 Low |
| A vulnerability was found in Campcodes Simple Student Information System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/students/manage_academic.php. The manipulation of the argument student_id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-244330 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-6075 | 1 Phpgurukul | 1 Restaurant Table Booking System | 2025-02-27 | 3.5 Low |
| A vulnerability classified as problematic has been found in PHPGurukul Restaurant Table Booking System 1.0. Affected is an unknown function of the file index.php of the component Reservation Request Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-244944. | ||||
| CVE-2025-27108 | 1 Ryansolid | 1 Dom Expressions | 2025-02-27 | 7.3 High |
| dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the attributes of `Meta` tag from solid-meta are user-defined, attackers can utilise the special replacement patterns, either `$'` or `` $` `` to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which injects the used assets in the html header. "dom-expressions" uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the open graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could execute arbitrary javascript in the victim's web browser. Moreover, it could be stored and cause more problems. This issue has been addressed in version 0.39.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-27070 | 1 Totaljs | 1 Openplatform | 2025-02-27 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatform commit b80b09d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field. | ||||
| CVE-2023-26912 | 1 S-mall-ssm Project | 1 S-mall-ssm | 2025-02-27 | 4.8 Medium |
| Cross site scripting (XSS) vulnerability in xenv S-mall-ssm thru commit 3d9e77f7d80289a30f67aaba1ae73e375d33ef71 on Feb 17, 2020, allows local attackers to execute arbitrary code via the evaluate button. | ||||
| CVE-2022-48111 | 1 Siri-informatica | 1 Wi400 | 2025-02-27 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in the check_login function of SIPE s.r.l WI400 between version 8 and 11 included allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the f parameter. | ||||
| CVE-2023-1359 | 1 Gadget Works Online Ordering System Project | 1 Gadget Works Online Ordering System | 2025-02-27 | 2.4 Low |
| A vulnerability has been found in SourceCodester Gadget Works Online Ordering System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /philosophy/admin/user/controller.php?action=add of the component Add New User. The manipulation of the argument U_NAME leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222862 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-23326 | 1 Avantfax | 1 Avantfax | 2025-02-27 | 5.4 Medium |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in AvantFAX 3.3.7. An authenticated low privilege user can inject arbitrary Javascript into their e-mail address which is executed when an administrator logs into AvantFAX to view the admin dashboard. This may result in stealing an administrator's session cookie and hijacking their session. | ||||
| CVE-2023-0746 | 1 Gigamon | 1 Gigavue-os | 2025-02-27 | 6.3 Medium |
| The help page in GigaVUE-FM, when using GigaVUE-OS software version 5.0 202, does not require an authenticated user. An attacker could enforce a user into inserting malicious JavaScript code into the URI, that could lead to a Reflected Cross site Scripting. | ||||
| CVE-2023-1320 | 1 Enhancesoft | 1 Osticket | 2025-02-27 | 6.1 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6. | ||||
| CVE-2023-0021 | 1 Sap | 1 Netweaver | 2025-02-27 | 6.1 Medium |
| Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site scripting. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application. | ||||
| CVE-2023-1536 | 1 Answer | 1 Answer | 2025-02-27 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7. | ||||
| CVE-2023-1527 | 1 Corebos | 1 Corebos | 2025-02-27 | 5.4 Medium |
| Cross-site Scripting (XSS) - Generic in GitHub repository tsolucio/corebos prior to 8.0. | ||||
| CVE-2024-4293 | 1 Phpgurukul | 1 Doctor Appointment Management System | 2025-02-27 | 3.5 Low |
| A vulnerability classified as problematic was found in PHPGurukul Doctor Appointment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file appointment-bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262225 was assigned to this vulnerability. | ||||
| CVE-2023-0844 | 1 Kibokolabs | 1 Namaste! Lms | 2025-02-27 | 4.8 Medium |
| The Namaste! LMS WordPress plugin before 2.6 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-0538 | 1 Campaign Url Builder Project | 1 Campaign Url Builder | 2025-02-27 | 5.4 Medium |
| The Campaign URL Builder WordPress plugin before 1.8.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2023-0172 | 1 Saas.group | 1 Juicer | 2025-02-27 | 5.4 Medium |
| The Juicer WordPress plugin before 1.11 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2023-0073 | 1 Client Logo Carousel Project | 1 Client Logo Carousel | 2025-02-27 | 5.4 Medium |
| The Client Logo Carousel WordPress plugin through 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2022-4661 | 1 Themelocation | 1 Widgets For Woocommerce Products On Elementor | 2025-02-27 | 5.4 Medium |
| The Widgets for WooCommerce Products on Elementor WordPress plugin before 1.0.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2022-4466 | 1 Connekthq | 1 Ajax Load More | 2025-02-27 | 5.4 Medium |
| The WordPress Infinite Scroll WordPress plugin before 5.6.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||