Total
41619 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41745 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 7.1 HIGH |
| An XSS vulnerability in pxc_portCntr2.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. | |||||
| CVE-2025-67342 | 1 Ruoyi | 1 Ruoyi | 2025-12-19 | N/A | 4.6 MEDIUM |
| RuoYi versions 4.8.1 and earlier is affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed. Additionally, because the menu is shared across all users, any user with menu modification permissions can impact all users by exploiting this stored XSS vulnerability. | |||||
| CVE-2025-14580 | 1 Qualitor | 1 Qualitor | 2025-12-19 | 4.0 MEDIUM | 3.5 LOW |
| A security vulnerability has been detected in Qualitor up to 8.24.73. The impacted element is an unknown function of the file /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php. Such manipulation of the argument cdscript leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. It is suggested to upgrade the affected component. The vendor confirms the existence of the issue: "We became aware of the issue through an earlier direct notification from the original reporter, and our engineering team promptly investigated and implemented the necessary corrective measures. (...) Updated versions containing the fix have already been provided to our customer base". | |||||
| CVE-2025-36125 | 1 Ibm | 1 Hardware Management Console | 2025-12-19 | N/A | 6.4 MEDIUM |
| IBM Hardware Management Console - Power 10.3.1050.0 and 11.1.1110.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2023-53884 | 1 Webedition | 1 Webedition Cms | 2025-12-18 | N/A | 5.4 MEDIUM |
| Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users. | |||||
| CVE-2025-57202 | 1 Avtech | 2 Dgm1104, Dgm1104 Firmware | 2025-12-18 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the username field. | |||||
| CVE-2025-63401 | 1 Hcltech | 1 Dragon | 2025-12-18 | N/A | 5.5 MEDIUM |
| Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives | |||||
| CVE-2025-63499 | 1 Alinto | 1 Sogo | 2025-12-18 | N/A | 6.1 MEDIUM |
| Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter. | |||||
| CVE-2025-56429 | 1 Fearlessgeekmedia | 1 Fearlesscms | 2025-12-18 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to obtain sensitive information via the login.php component. | |||||
| CVE-2025-67496 | 1 Wegia | 1 Wegia | 2025-12-18 | N/A | 4.3 MEDIUM |
| WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application does not sanitize user-controlled data before rendering it inside the employee selection dropdown. The application retrieves employee names from the database and injects them directly into HTML <option> elements without proper escaping. This issue is fixed in version 3.5.5. | |||||
| CVE-2025-68147 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2025-12-18 | N/A | 8.1 HIGH |
| Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy" configuration field. The application does not properly sanitize user input before saving it to the database or displaying it on receipts. An attacker with access to the "Store Configuration" (such as a rogue administrator or an account compromised via the separate CSRF vulnerability) can inject malicious JavaScript payloads into this field. These payloads are executed in the browser of any user (including other administrators and sales staff) whenever they view a receipt or complete a transaction. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim. The vulnerability has been patched in version 3.4.2 by ensuring the output is escaped using the `esc()` function in the receipt template. As a temporary mitigation, administrators should ensure the "Return Policy" field contains only plain text and strictly avoid entering any HTML tags. There is no code-based workaround other than applying the patch. | |||||
| CVE-2025-66924 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2025-12-18 | N/A | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter. | |||||
| CVE-2025-66923 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2025-12-18 | N/A | 7.2 HIGH |
| A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter. | |||||
| CVE-2025-66921 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2025-12-18 | N/A | 7.2 HIGH |
| A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter. | |||||
| CVE-2025-68163 | 1 Jetbrains | 1 Teamcity | 2025-12-18 | N/A | 3.5 LOW |
| In JetBrains TeamCity before 2025.11 stored XSS was possible on agentpushInstall page | |||||
| CVE-2025-68165 | 1 Jetbrains | 1 Teamcity | 2025-12-18 | N/A | 5.4 MEDIUM |
| In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup | |||||
| CVE-2025-68166 | 1 Jetbrains | 1 Teamcity | 2025-12-18 | N/A | 5.4 MEDIUM |
| In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab | |||||
| CVE-2025-67170 | 1 Ritecms | 1 Ritecms | 2025-12-18 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. | |||||
| CVE-2025-68268 | 1 Jetbrains | 1 Teamcity | 2025-12-18 | N/A | 5.4 MEDIUM |
| In JetBrains TeamCity before 2025.11.1 reflected XSS was possible on the storage settings page | |||||
| CVE-2025-67875 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | N/A | 5.4 MEDIUM |
| ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent Cross-Site Scripting (XSS) payload into an administrator's profile. The payload executes when the administrator views their own profile page, allowing the attacker to hijack the administrator's session, perform administrative actions, and achieve a full account takeover. This vulnerability is a combination of two separate flaws: an Insecure Direct Object Reference (IDOR) that allows any user to view any other user's profile, and a Broken Access Control vulnerability that allows a user with general edit permissions to modify any other user's record properties. Version 6.5.3 fixes the issue. | |||||