Total
38254 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-6058 | 1 Microsoft | 1 Edge | 2025-04-12 | 4.3 MEDIUM | N/A |
| Microsoft Edge mishandles HTML attributes in HTTP responses, which allows remote attackers to bypass a cross-site scripting (XSS) protection mechanism via unspecified vectors, aka "Microsoft Edge XSS Filter Bypass." | |||||
| CVE-2016-9857 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | |||||
| CVE-2014-4116 | 1 Microsoft | 1 Sharepoint Foundation | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2010 SP2 allows remote authenticated users to inject arbitrary web script or HTML via a modified list, aka "SharePoint Elevation of Privilege Vulnerability." | |||||
| CVE-2015-2677 | 1 Ocportal | 1 Ocportal | 2025-04-12 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ocPortal before 9.0.17 allow remote authenticated users to inject arbitrary web script or HTML via the (1) title or (2) text field in the cms_calendar page to cms/index.php; unspecified fields in (3) the cms_polls page to cms/index.php or (4) a new topic in the topics page to forum/index.php; or (5) a new PT (private topic/private message) in the topics page to forum/index.php. | |||||
| CVE-2015-6337 | 1 Cisco | 1 Application Policy Infrastructure Controller Enterprise Module | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) 1.0.10 allows remote attackers to inject arbitrary web script or HTML via a crafted hostname in an SNMP response, aka Bug ID CSCuw47238. | |||||
| CVE-2016-2955 | 1 Ibm | 1 Connections | 2025-04-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Connections 5.0 before CR4 and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-6126 | 1 Ibm | 1 Websphere Portal | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 before CF03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-8028 | 1 Cisco | 1 Secure Access Control System | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco Secure Access Control System (ACS) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq79019. | |||||
| CVE-2015-2289 | 1 S9y | 1 Serendipity | 2025-04-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in templates/2k11/admin/entries.tpl in Serendipity before 2.0.1 allows remote authenticated editors to inject arbitrary web script or HTML via the serendipity[cat][name] parameter to serendipity_admin.php, when creating a new category. | |||||
| CVE-2014-9103 | 1 Kunena | 1 Kunena | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Kunena component before 3.0.6 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) index value of an array parameter or the filename parameter in the Content-Disposition header to the (2) file or (3) profile image upload functionality. | |||||
| CVE-2014-9230 | 1 Symantec | 1 Data Loss Prevention | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the administration console in the Enforce Server in Symantec Data Loss Prevention (DLP) before 12.5.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2024-29918 | 1 Ays-pro | 1 Survey Maker | 2025-04-11 | N/A | 7.1 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Survey Maker team Survey Maker allows Reflected XSS.This issue affects Survey Maker: from n/a through 4.0.6. | |||||
| CVE-2025-27417 | 1 Wegia | 1 Wegia | 2025-04-11 | N/A | 6.1 MEDIUM |
| WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionar_status_atendido.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the status parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.16. | |||||
| CVE-2025-25187 | 1 Joplin Project | 1 Joplin | 2025-04-11 | N/A | 7.8 HIGH |
| Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin's main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses <kbd>ctrl</kbd>-<kbd>p</kbd> to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-37898 | 1 Joplin Project | 1 Joplin | 2025-04-11 | N/A | 8.2 HIGH |
| Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with <pre> and </pre>, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening <pre> tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-47968 | 1 Linuxserver | 1 Heimdall Application Dashboard | 2025-04-11 | N/A | 5.4 MEDIUM |
| Heimdall Application Dashboard through 2.5.4 allows reflected and stored XSS via "Application name" to the "Add application" page. The stored XSS will be triggered in the "Application list" page. | |||||
| CVE-2025-32809 | 2025-04-11 | N/A | 6.4 MEDIUM | ||
| W. W. Norton InQuizitive through 2025-04-08 allows students to conduct stored XSS attacks against educators via a bonus description, feedback.choice_fb[], or question_id. | |||||
| CVE-2024-35345 | 1 Dino Physics School Assistant Project | 1 Dino Physics School Assistant | 2025-04-11 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in Diño Physics School Assistant version 2.3. The vulnerability impacts unidentified code within the file /classes/Users.php. Manipulating the argument id results in cross-site scripting. | |||||
| CVE-2024-35351 | 1 Dino Physics School Assistant Project | 1 Dino Physics School Assistant | 2025-04-11 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in Diño Physics School Assistant version 2.3. This vulnerability impacts unidentified code within the file /classes/SystemSettings.php?f=update_settings. Manipulating the parameter name results in cross-site scripting. | |||||
| CVE-2025-26619 | 2 Vega-functions Project, Vega Project | 2 Vega-functions, Vega | 2025-04-11 | N/A | 6.1 MEDIUM |
| Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability. | |||||