Total
42029 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-43439 | 1 Moodle | 1 Moodle | 2025-04-23 | N/A | 5.4 MEDIUM |
| A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk. | |||||
| CVE-2024-5520 | 1 Alkacon | 1 Opencms | 2025-04-23 | N/A | 6.4 MEDIUM |
| Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the “title” field. | |||||
| CVE-2023-25836 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 5.4 MEDIUM |
| There is a Cross-site Scripting vulnerability in Esri Portal for ArcGIS Sites in versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victims browser. The privileges required to execute this attack are low. | |||||
| CVE-2023-25831 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
| There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. | |||||
| CVE-2023-25830 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
| There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and before which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. | |||||
| CVE-2022-45217 | 1 Book Store Management System Project | 1 Book Store Management System | 2025-04-23 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Book Store Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Level parameter under the Add New System User module. | |||||
| CVE-2022-45122 | 1 Sixapart | 1 Movable Type | 2025-04-23 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier allows a remote unauthenticated attacker to inject an arbitrary script. | |||||
| CVE-2024-41356 | 1 Phpipam | 1 Phpipam | 2025-04-23 | N/A | 4.7 MEDIUM |
| phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\firewall-zones\zones-edit-network.php. | |||||
| CVE-2024-41357 | 1 Phpipam | 1 Phpipam | 2025-04-23 | N/A | 7.1 HIGH |
| phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php. | |||||
| CVE-2024-41353 | 1 Phpipam | 1 Phpipam | 2025-04-23 | N/A | 7.1 HIGH |
| phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\groups\edit-group.php | |||||
| CVE-2024-41354 | 1 Phpipam | 1 Phpipam | 2025-04-23 | N/A | 7.1 HIGH |
| phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/widgets/edit.php | |||||
| CVE-2024-55093 | 1 Phpipam | 1 Phpipam | 2025-04-23 | N/A | 5.4 MEDIUM |
| phpIPAM through 1.7.3 has a reflected Cross-Site Scripting (XSS) vulnerability in the install scripts. | |||||
| CVE-2022-45916 | 1 Ilias | 1 Ilias | 2025-04-23 | N/A | 5.4 MEDIUM |
| ILIAS before 7.16 allows XSS. | |||||
| CVE-2025-3788 | 1 Jsite | 1 Jsite | 2025-04-23 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in baseweb JSite 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /a/sys/user/save. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-41447 | 1 Alkacon | 1 Opencms | 2025-04-23 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function. | |||||
| CVE-2024-45799 | 1 Rathena | 1 Fluxcp | 2025-04-23 | N/A | 7.3 HIGH |
| FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a result all logged in to fluxcp users can have their session info stolen. This issue has been addressed in release version 1.3. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-28199 | 1 Phlex | 1 Phlex | 2025-04-23 | N/A | 7.1 HIGH |
| phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`. | |||||
| CVE-2022-4765 | 1 Pwrplugins | 1 Portfolio For Elementor | 2025-04-23 | N/A | 5.4 MEDIUM |
| The Portfolio for Elementor WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | |||||
| CVE-2025-29512 | 1 Nodebb | 1 Nodebb | 2025-04-23 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database. | |||||
| CVE-2024-1720 | 1 Wpeverest | 1 User Registration \& Membership | 2025-04-23 | N/A | 4.7 MEDIUM |
| The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution. | |||||