Total: 35899 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-21327 | 1 Microsoft | 1 Dynamics 365 | 2025-05-09 | 7.6 High |
Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | ||||
CVE-2024-24160 | 1 Mrcms | 1 Mrcms | 2025-05-09 | 6.1 Medium |
MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do. | ||||
CVE-2024-13860 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-09 | 6.4 Medium |
The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bbp_topic_title’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41. | ||||
CVE-2024-13859 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-09 | 6.4 Medium |
The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bp_nouveau_ajax_media_save’ function in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41. | ||||
CVE-2024-13858 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-09 | 6.4 Medium |
The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘invitee_name’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41. | ||||
CVE-2022-31468 | 1 Open-xchange | 1 Ox App Suite | 2025-05-09 | 6.1 Medium |
OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter. | ||||
CVE-2024-0239 | 1 Ari-soft | 1 Contact Form 7 Connector | 2025-05-09 | 6.1 Medium |
The Contact Form 7 Connector WordPress plugin before 1.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators. | ||||
CVE-2022-23179 | 1 Themehunk | 1 Contact Form & Lead Form Elementor Builder | 2025-05-09 | 4.8 Medium |
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
CVE-2024-0557 | 1 Dedebiz | 1 Dedebiz | 2025-05-09 | 2.4 Low |
A vulnerability, which was classified as problematic, was found in DedeBIZ 6.3.0. This affects an unknown part of the component Website Copyright Setting. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250725 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2022-22242 | 1 Juniper | 1 Junos | 2025-05-09 | 6.1 Medium |
A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web. This issue affects Juniper Networks Junos OS all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2. | ||||
CVE-2024-3628 | 2 Dwalliance, Faktorystudios | 2 Easyevent, Easyevent | 2025-05-09 | 3.8 Low |
The EasyEvent WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | ||||
CVE-2024-0599 | 1 Ujcms | 1 Jspxcms | 2025-05-09 | 3.5 Low |
A vulnerability was found in Jspxcms 10.2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file src\main\java\com\jspxcms\core\web\back\InfoController.java of the component Document Management Page. The manipulation of the argument title leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250837 was assigned to this vulnerability. | ||||
CVE-2022-43018 | 1 Opencats | 1 Opencats | 2025-05-09 | 6.1 Medium |
OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function. | ||||
CVE-2022-43017 | 1 Opencats | 1 Opencats | 2025-05-09 | 6.1 Medium |
OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component. | ||||
CVE-2022-43016 | 1 Opencats | 1 Opencats | 2025-05-09 | 6.1 Medium |
OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the callback component. | ||||
CVE-2022-43015 | 1 Opencats | 1 Opencats | 2025-05-09 | 6.1 Medium |
OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the entriesPerPage parameter. | ||||
CVE-2022-38901 | 1 Liferay | 2 Dxp, Liferay Portal | 2025-05-09 | 5.4 Medium |
A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file. | ||||
CVE-2024-2695 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | 6.4 Medium |
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.13 due to insufficient input sanitization and output escaping on user supplied attributes such as 'borderradius' and 'timestamp'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
CVE-2024-1450 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | 6.4 Medium |
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'align'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
CVE-2024-0966 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | 6.4 Medium |
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes like 'info_text'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks the information icon. |