Total: 36728 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-3392 | 1 Hailey888 | 1 Oa System | 2025-05-07 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in hailey888 oa_system up to 2025.01.01 and classified as problematic. Affected by this issue is the function Save of the file cn/gson/oasys/controller/mail/MailController.java of the component Backend. The manipulation of the argument MailNumberId leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
CVE-2025-3583 | 1 Thenewsletterplugin | 1 Newsletter | 2025-05-07 | N/A | 4.8 MEDIUM | The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-39363 | 1 Alphaefficiencyteam | 1 Custom Login And Registration | 2025-05-07 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AlphaEfficiencyTeam Custom Login and Registration allows Stored XSS. This issue affects Custom Login and Registration: from n/a through 1.0.0.
CVE-2025-3504 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | N/A | 4.8 MEDIUM | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-3503 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | N/A | 4.8 MEDIUM | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2025-3502 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | N/A | 4.8 MEDIUM | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-54998 | 1 Monicahq | 1 Monica | 2025-05-07 | N/A | 5.4 MEDIUM | MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter at /people/h:[id]/debts/create.
CVE-2024-54996 | 1 Monicahq | 1 Monica | 2025-05-07 | N/A | 8.8 HIGH | MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and description parameters at /people/ID/reminders/create.
CVE-2024-20367 | 1 Cisco | 1 Enterprise Chat And Email | 2025-05-07 | N/A | 5.4 MEDIUM | A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials.
CVE-2024-54994 | 1 Monicahq | 1 Monica | 2025-05-07 | N/A | 6.5 MEDIUM | MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_name parameters in the Add a new relationship feature.
CVE-2022-2826 | 1 Gitlab | 1 Gitlab | 2025-05-07 | N/A | 2.7 LOW | An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. TODO
CVE-2020-10196 | 1 Sygnoos | 1 Popup Builder | 2025-05-07 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of the popup's fields by sending a request to wp-admin/admin-ajax.php with the POST action parameter of sgpb_autosave and including additional data in an allPopupData parameter, including the popup's ID (which is visible in the source of the page in which the popup is inserted) and arbitrary JavaScript which will then be executed in the browsers of visitors to that page. Because the plugin functionality automatically adds script tags to data entered into these fields, this injection will typically bypass most WAF applications.
CVE-2025-31121 | 1 Open-emr | 1 Openemr | 2025-05-07 | N/A | 5.4 MEDIUM | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 7.0.3.1, the Patient Image feature in OpenEMR is vulnerable to cross-site scripting attacks via the EXIF title in an image. This vulnerability is fixed in 7.0.3.1.
CVE-2024-51328 | 1 Projectworlds | 1 Travel Management System | 2025-05-07 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in addcategory.php in projectworld's Travel Management System v1.0 allows a remote attacker to inject arbitrary code via the t2 parameter.
CVE-2022-43170 | 1 Rukovoditel | 1 Rukovoditel | 2025-05-07 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block".
CVE-2022-40690 | 1 Bookstackapp | 1 Bookstack | 2025-05-07 | N/A | 5.4 MEDIUM | Cross-site scripting vulnerability in BookStack versions prior to v22.09 allows a remote authenticated attacker to inject an arbitrary script.
CVE-2022-36368 | 1 Ipfire | 1 Ipfire | 2025-05-07 | N/A | 4.8 MEDIUM | Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allow a remote authenticated attacker with administrative privilege to inject an arbitrary script.
CVE-2024-28160 | 1 Jenkins | 1 Icescrum | 2025-05-07 | N/A | 8.8 HIGH | Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
CVE-2025-0667 | | | 2025-05-07 | N/A | N/A | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: through 1.4.7.
CVE-2025-0666 | | | 2025-05-07 | N/A | N/A | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: through 1.4.7.