Total
38585 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-8284 | 1 W3eden | 1 Download Manager | 2025-06-12 | 4.8 Medium |
| The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | ||||
| CVE-2024-11266 | 1 Pixeljar | 1 Geocache Stat Bar Widget | 2025-06-12 | 4.8 Medium |
| The Geocache Stat Bar Widget WordPress plugin through 0.911 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-24062 | 1 Aitangbao | 1 Springboot-manager | 2025-06-12 | 5.4 Medium |
| springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/role. | ||||
| CVE-2024-24060 | 1 Aitangbao | 1 Springboot-manager | 2025-06-12 | 5.4 Medium |
| springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/user. | ||||
| CVE-2023-5758 | 1 Mozilla | 1 Firefox | 2025-06-12 | 6.1 Medium |
| When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack. This vulnerability affects Firefox for iOS < 119. | ||||
| CVE-2024-11221 | 1 Mohsinrasool | 1 Full Screen \(page\) Background Image Slideshow | 2025-06-12 | 4.8 Medium |
| The Full Screen (Page) Background Image Slideshow WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-42627 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-06-12 | 9.6 Critical |
| Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code. | ||||
| CVE-2023-3042 | 1 Dotcms | 1 Dotcms | 2025-06-12 | 5.3 Medium |
| In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+ | ||||
| CVE-2023-5699 | 1 Martmbithi | 1 Internet Banking System | 2025-06-12 | 3.5 Low |
| A vulnerability, which was classified as problematic, has been found in CodeAstro Internet Banking System 1.0. This issue affects some unknown processing of the file pages_view_client.php. The manipulation of the argument acc_name with the input Johnnie Reyes'"()&%<zzz><ScRiPt >alert(5646)</ScRiPt> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-243137 was assigned to this vulnerability. | ||||
| CVE-2023-3010 | 1 Grafana | 2 Grafana, Worldmap Panel | 2025-06-12 | 7.3 High |
| Grafana is an open-source platform for monitoring and observability. The WorldMap panel plugin, versions before 1.0.4 contains a DOM XSS vulnerability. | ||||
| CVE-2023-5793 | 1 Fluisity | 1 Fluisity | 2025-06-12 | 3.5 Low |
| A vulnerability was found in flusity CMS and classified as problematic. This issue affects the function loadCustomBlocCreateForm of the file /core/tools/customblock.php of the component Dashboard. The manipulation of the argument customblock_place leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 81252bc764e1de2422e79e36194bba1289e7a0a5. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-243599. | ||||
| CVE-2024-11190 | 1 Jidaikobo | 1 Jwp-a11y | 2025-06-12 | 4.8 Medium |
| The jwp-a11y WordPress plugin through 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-11141 | 1 Jontasc | 1 Sailthru Triggermail | 2025-06-12 | 6.1 Medium |
| The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings and is missing CSRF protection which could allow subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-10818 | 1 Wvega | 1 Jsfiddle Shortcode | 2025-06-12 | 5.4 Medium |
| The JSFiddle Shortcode WordPress plugin before 1.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-10639 | 1 Klarned | 1 Auto Prune Posts | 2025-06-12 | 4.8 Medium |
| The Auto Prune Posts WordPress plugin before 3.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-10143 | 1 Deluxeblogtips | 1 Mb Custom Post Types \& Custom Taxonomies | 2025-06-12 | 4.8 Medium |
| The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-7086 | 1 Ablyperu | 1 Svg Uploads Support | 2025-06-12 | 5.4 Medium |
| The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | ||||
| CVE-2023-7088 | 1 Inventivo | 1 Inventivo | 2025-06-12 | 5.4 Medium |
| The Add SVG Support for Media Uploader | inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | ||||
| CVE-2025-44110 | 1 Fluxbb | 1 Fluxbb | 2025-06-12 | 5.4 Medium |
| FluxBB 1.5.11 is vulnerable to Cross Site Scripting (XSS) in via the Forum Description Field in admin_forums.php. | ||||
| CVE-2025-47885 | 1 Jenkins | 1 Health Advisor By Cloudbees | 2025-06-12 | 8.8 High |
| Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses. | ||||