Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-20192

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-16 Oct, 2024 | 06:43
Updated At-08 Apr, 2026 | 17:06
Rejected At-
Credits

Formidable Form Builder < 2.05.03 - Unauthenticated Stored Cross-Site Scripting

The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:16 Oct, 2024 | 06:43
Updated At:08 Apr, 2026 | 17:06
Rejected At:
▼CVE Numbering Authority (CNA)
Formidable Form Builder < 2.05.03 - Unauthenticated Stored Cross-Site Scripting

The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.

Affected Products
Vendor
Strategy11strategy11team
Product
Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Default Status
unaffected
Versions
Affected
  • From 0 before 2.05.03 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Jouko Pynnöne
Timeline
EventDate
Disclosed2017-11-13 00:00:00
Event: Disclosed
Date: 2017-11-13 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/900fcaab-2424-4ae8-af18-95659db0dbe3?source=cve
N/A
https://klikki.fi/adv/formidable.html
N/A
https://wordpress.org/plugins/formidable/#developers
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/900fcaab-2424-4ae8-af18-95659db0dbe3?source=cve
Resource: N/A
Hyperlink: https://klikki.fi/adv/formidable.html
Resource: N/A
Hyperlink: https://wordpress.org/plugins/formidable/#developers
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
Strategy11strategy11
Product
formidable_forms
CPEs
  • cpe:2.3:a:strategy11:formidable_forms:*:*:*:*:*:wordpress:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 2.05.03 (semver)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:16 Oct, 2024 | 07:15
Updated At:23 Dec, 2025 | 15:47

The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches

Strategy11
strategy11
>>formidable_form_builder>>Versions before 2.05.03(exclusive)
cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity@wordfence.com
CWE ID: CWE-79
Type: Secondary
Source: security@wordfence.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://klikki.fi/adv/formidable.htmlsecurity@wordfence.com
Exploit
Third Party Advisory
https://wordpress.org/plugins/formidable/#developerssecurity@wordfence.com
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/900fcaab-2424-4ae8-af18-95659db0dbe3?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://klikki.fi/adv/formidable.html
Source: security@wordfence.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://wordpress.org/plugins/formidable/#developers
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/900fcaab-2424-4ae8-af18-95659db0dbe3?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

10543Records found

CVE-2014-125096
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.55% / 41.79%
||
7 Day CHG~0.00%
Published-10 Apr, 2023 | 03:00
Updated-06 Aug, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fancy Gallery Plugin Options Page class.options.php cross site scripting

A vulnerability was found in Fancy Gallery Plugin 1.5.12 on WordPress. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file class.options.php of the component Options Page. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.5.13 is able to address this issue. The identifier of the patch is fdf1f9e5a1ec738900f962e69c6fa4ec6055ed8d. It is recommended to upgrade the affected component. The identifier VDB-225349 was assigned to this vulnerability.

Action-Not Available
Vendor-fancy_gallery_projectn/a
Product-fancy_galleryFancy Gallery Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26235
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 31.49%
||
7 Day CHG~0.00%
Published-20 Feb, 2023 | 00:00
Updated-17 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JD-GUI 1.6.6 allows XSS via util/net/InterProcessCommunicationUtil.java.

Action-Not Available
Vendor-jd-gui_projectn/a
Product-jd-guin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8106
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
ShareView Details
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
CVSS Score-5.9||MEDIUM
EPSS-0.16% / 5.93%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 21:18
Updated-11 May, 2026 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected HTML injection vulnerability in GitHub Enterprise Server Management Console login page allowed credential theft

A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.

Action-Not Available
Vendor-GitHub, Inc.
Product-enterprise_serverEnterprise Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27432
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.38% / 30.20%
||
7 Day CHG~0.00%
Published-21 Jun, 2023 | 13:02
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Manage Upload Limit Plugin <= 1.0.4 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WpSimpleTools Manage Upload Limit plugin <= 1.0.4 versions.

Action-Not Available
Vendor-manage_upload_limit_projectWpSimpleTools
Product-manage_upload_limitManage Upload Limit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-125092
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.53% / 40.98%
||
7 Day CHG~0.00%
Published-05 Mar, 2023 | 20:31
Updated-05 Mar, 2025 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MaxButtons Plugin maxbuttons-button.php maxbuttons_strip_px cross site scripting

A vulnerability was found in MaxButtons Plugin up to 1.26.0 on WordPress and classified as problematic. This issue affects the function maxbuttons_strip_px of the file includes/maxbuttons-button.php. The manipulation of the argument button_id leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 1.26.1 is able to address this issue. The patch is named e74564c9e3b7429808e317f4916bd1c26ef0b806. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222323.

Action-Not Available
Vendor-maxfoundryn/a
Product-maxbuttonsMaxButtons Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2804
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 14.57%
||
7 Day CHG+0.02%
Published-28 Mar, 2025 | 05:23
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
tagDiv Composer <= 5.3 - Reflected Cross-Site Scripting via 'account_id' and 'account_username'

The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the 'account_id' and 'account_username' parameters in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-tagDiv
Product-tagDiv Composer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27245
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 34.49%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 00:00
Updated-19 Feb, 2025 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in File Management Project 1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field under the Edit User module.

Action-Not Available
Vendor-file_management_system_projectn/a
Product-file_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26140
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 37.67%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 05:00
Updated-02 Oct, 2024 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization.

Action-Not Available
Vendor-excalidrawn/a
Product-excalidraw@excalidraw/excalidraw
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24701
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-6.79% / 93.21%
||
7 Day CHG~0.00%
Published-12 Jan, 2021 | 07:58
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).

Action-Not Available
Vendor-n/aOpen-Xchange AG
Product-open-xchange_appsuiten/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2214
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.82% / 52.67%
||
7 Day CHG~0.00%
Published-22 Nov, 2019 | 18:39
Updated-06 Aug, 2024 | 10:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in POSH (aka Posh portal or Portaneo) 3.0 through 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) error parameter to /includes/plugins/mobile/scripts/login.php or (2) id parameter to portal/openrssarticle.php

Action-Not Available
Vendor-posh_projectn/a
Product-poshn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26291
Matching Score-4
Assigner-Forcepoint
ShareView Details
Matching Score-4
Assigner-Forcepoint
CVSS Score-6.1||MEDIUM
EPSS-0.35% / 27.36%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 16:29
Updated-12 Feb, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_form.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_form.mhtml modules) allows Reflected XSS.This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023.

Action-Not Available
Vendor-forcepointForcepoint
Product-web_securitycloud_security_gatewayCloud Security Gateway (CSG)Web Security
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23452
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 27.54%
||
7 Day CHG~0.00%
Published-05 Jul, 2023 | 00:00
Updated-26 Nov, 2024 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Selenium Grid v3.141.59 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hub parameter under the /grid/console page.

Action-Not Available
Vendor-seleniumn/a
Product-selenium_gridn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-22789
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.24% / 65.66%
||
7 Day CHG~0.00%
Published-28 Apr, 2021 | 20:43
Updated-04 Aug, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page. The XSS is executed when an administrator accesses the logs.

Action-Not Available
Vendor-safen/a
Product-fme_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2503
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.46% / 36.58%
||
7 Day CHG~0.00%
Published-05 Jun, 2023 | 13:38
Updated-08 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
10WebSocial < 1.2.9 - Reflected XSS

The 10Web Social Post Feed WordPress plugin before 1.2.9 does not sanitise and escape some parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-10web_social_post_feed10Web Social Post Feed
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23835
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.4||MEDIUM
EPSS-2.29% / 81.11%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 16:40
Updated-04 Aug, 2024 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Reflected Cross-Site Scripting (XSS) vulnerability in the index.php login-portal webpage of SourceCodester Tailor Management System v1.0 allows remote attackers to harvest keys pressed by an unauthenticated victim who clicks on a malicious URL and begins typing.

Action-Not Available
Vendor-tailor_management_system_projectn/a
Product-tailor_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-125035
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.58% / 43.43%
||
7 Day CHG~0.00%
Published-02 Jan, 2023 | 16:00
Updated-06 Aug, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jobs-Plugin cross site scripting

A vulnerability classified as problematic was found in Jobs-Plugin. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. The identifier of the patch is b8a56718b1d42834c6ec51d9c489c5dc20471d7b. It is recommended to apply a patch to fix this issue. The identifier VDB-217189 was assigned to this vulnerability.

Action-Not Available
Vendor-jobs-plugin_projectn/a
Product-jobs-pluginJobs-Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24442
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-6.1||MEDIUM
EPSS-1.48% / 70.78%
||
7 Day CHG~0.00%
Published-12 Nov, 2020 | 14:19
Updated-17 Sep, 2024 | 00:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected Cross-Site Scripting (XSS) in Adobe Connect

Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Action-Not Available
Vendor-Adobe Inc.
Product-connectConnect
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23371
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.94% / 56.51%
||
7 Day CHG~0.00%
Published-10 May, 2021 | 22:13
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter.

Action-Not Available
Vendor-5nonen/a
Product-nonecmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25553
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 31.14%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 20:38
Updated-05 Feb, 2025 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

Action-Not Available
Vendor-Schneider Electric SE
Product-struxureware_data_center_expertStruxureWare Data Center Expert
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25439
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.25% / 80.75%
||
7 Day CHG~0.00%
Published-25 May, 2023 | 00:00
Updated-16 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored Cross Site Scripting (XSS) vulnerability in Square Pig FusionInvoice 2023-1.0, allows attackers to execute arbitrary code via the description or content fields to the expenses, tasks, and customer details.

Action-Not Available
Vendor-squarepiginteractiven/a
Product-fusioninvoicen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25614
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 30.83%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 03:20
Updated-20 Mar, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapNetWeaver AS ABAP (BSP Framework)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23041
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.72% / 49.28%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 19:20
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` exception-handling. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted GET request.

Action-Not Available
Vendor-dropoutsn/a
Product-air_sharen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25593
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.1||HIGH
EPSS-0.47% / 37.52%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 14:52
Updated-27 Feb, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected Cross Site Scripting Vulnerabilities (XSS) in ClearPass Policy Manager Web-Based Management Interface

Vulnerabilities within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Action-Not Available
Vendor-Aruba NetworksHewlett Packard Enterprise (HPE)
Product-clearpass_policy_managerAruba ClearPass Policy Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26046
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.54% / 41.28%
||
7 Day CHG~0.00%
Published-02 Mar, 2023 | 00:14
Updated-05 Mar, 2025 | 21:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
teler-waf subject to bypass of common web attack threat rule with HTML entities payload

teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version 0.1.1 is vulnerable to bypassing common web attack rules when a specific HTML entities payload is used. This vulnerability allows an attacker to execute arbitrary JavaScript code on the victim's browser and compromise the security of the web application. The vulnerability exists due to teler-waf failure to properly sanitize and filter HTML entities in user input. An attacker can exploit this vulnerability to bypass common web attack threat rules in teler-waf and launch cross-site scripting (XSS) attacks. The attacker can execute arbitrary JavaScript code on the victim's browser and steal sensitive information, such as login credentials and session tokens, or take control of the victim's browser and perform malicious actions. This issue has been fixed in version 0.1.1.

Action-Not Available
Vendor-kitabisakitabisa
Product-teler-wafteler-waf
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23849
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.69% / 48.36%
||
7 Day CHG~0.00%
Published-11 Jan, 2021 | 13:36
Updated-04 Aug, 2024 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executing JavaScript.

Action-Not Available
Vendor-jsoneditoronlinen/a
Product-jsoneditorn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24604
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.17% / 63.57%
||
7 Day CHG~0.00%
Published-02 Sep, 2020 | 14:40
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request "searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in server-properties.jsp and security-audit-viewer.jsp

Action-Not Available
Vendor-igniterealtimen/a
Product-openfiren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-24966
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 31.84%
||
7 Day CHG~0.00%
Published-27 Apr, 2023 | 13:08
Updated-30 Jan, 2025 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server cross-site scripting

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 246904.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24609
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-9.81% / 94.97%
||
7 Day CHG~0.00%
Published-25 Aug, 2020 | 14:35
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TechKshetra Info Solutions Pvt. Ltd Savsoft Quiz 5.5 and earlier has XSS which can result in an attacker injecting the XSS payload in the User Registration section and each time the admin visits the manage user section from the admin panel, the XSS triggers and the attacker can steal the cookie via crafted payload.

Action-Not Available
Vendor-techkshetrainfon/a
Product-savsoft_quizn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24857
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 32.59%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 00:00
Updated-26 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting vulnerabilty found in IXPManager v.5.6.0 allows attackers to excute arbitrary code via the looking glass component.

Action-Not Available
Vendor-inexn/a
Product-ixp_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35226
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.50% / 38.90%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-25 Feb, 2026 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Data Services Management allows an attacker to copy the data from a request and echoed into the application's immediate response, it will lead to a Cross-Site Scripting vulnerability. The attacker would have to log in to the management console to perform such as an attack, only few of the pages are vulnerable in the DS management console.

Action-Not Available
Vendor-SAP SE
Product-data_servicesSAP Data Services Management Console
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26047
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.52% / 40.15%
||
7 Day CHG~0.00%
Published-03 Mar, 2023 | 22:44
Updated-25 Feb, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
teler-waf contains detection rule bypass via entities payload

teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and horizontal tab is used. This vulnerability allows an attacker to execute arbitrary JavaScript code on the victim's browser and compromise the security of the web application. An attacker can exploit this vulnerability to bypass common web attack threat rules in teler-waf and launch cross-site scripting (XSS) attacks. The attacker can execute arbitrary JavaScript code on the victim's browser and steal sensitive information, such as login credentials and session tokens, or take control of the victim's browser and perform malicious actions. This issue has been patched in version 0.2.0.

Action-Not Available
Vendor-kitabisakitabisa
Product-teler-wafteler-waf
CWE ID-CWE-692
Incomplete Denylist to Cross-Site Scripting
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2014-125095
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.55% / 41.79%
||
7 Day CHG~0.00%
Published-09 Apr, 2023 | 05:31
Updated-06 Aug, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BestWebSoft Contact Form Plugin bws_menu.php bws_add_menu_render cross site scripting

A vulnerability was found in BestWebSoft Contact Form Plugin 1.3.4 on WordPress and classified as problematic. Affected by this issue is the function bws_add_menu_render of the file bws_menu/bws_menu.php. The manipulation of the argument bwsmn_form_email leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.3.7 is able to address this issue. The name of the patch is 4d531f74b4a801c805dc80360d4ea1312e9a278f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225320.

Action-Not Available
Vendor-BestWebSoft
Product-contact_formContact Form Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2521
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.34% / 26.29%
||
7 Day CHG~0.00%
Published-04 May, 2023 | 17:00
Updated-29 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NEXTU NEXT-7004N POST Request formFilter cross site scripting

A vulnerability was found in NEXTU NEXT-7004N 3.0.1. It has been classified as problematic. Affected is an unknown function of the file /boafrm/formFilter of the component POST Request Handler. The manipulation of the argument url with the input <svg onload=alert(1337)> leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-228012. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-ez-netNEXTU
Product-next-7004nnext-7004n_firmwareNEXT-7004N
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25551
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 31.70%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 20:37
Updated-12 Feb, 2025 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

Action-Not Available
Vendor-Schneider Electric SE
Product-struxureware_data_center_expertStruxureWare Data Center Expert
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-22723
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 51.85%
||
7 Day CHG~0.00%
Published-18 Nov, 2020 | 21:20
Updated-04 Aug, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhicheng Technology Co., Ltd ljcmsshop version 1.14 allows remote attackers to inject arbitrary web script or HTML via user.php by registering an account directly in the user center, and then adding the payload to the delivery address.

Action-Not Available
Vendor-ljcmsshop_projectn/a
Product-ljcmsshopn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25598
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 32.89%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 00:00
Updated-17 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2 and 20.x, 21.x, and 22.x through 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the home.php page. A successful exploit could allow an attacker to execute arbitrary scripts.

Action-Not Available
Vendor-n/aMitel Networks Corp.
Product-mivoice_connectn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2518
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.09% / 61.38%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 07:49
Updated-10 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Forms for Mailchimp < 6.8.9 - Reflected XSS

The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-yikesincUnknown
Product-easy_forms_for_mailchimpEasy Forms for Mailchimp
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25830
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
ShareView Details
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.50% / 39.37%
||
7 Day CHG~0.00%
Published-09 May, 2023 | 16:31
Updated-10 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BUG-000154662 Reflected XSS vulnerability in Portal for ArcGIS

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and before which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

Action-Not Available
Vendor-Environmental Systems Research Institute, Inc. ("Esri")
Product-portal_for_arcgisPortal for ArcGIS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25154
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.43% / 34.49%
||
7 Day CHG~0.00%
Published-22 Feb, 2023 | 19:00
Updated-10 Mar, 2025 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross site scripting (XSS) of ActivityPub URI in misskey

Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execute JavaScript code in the context of the recipient. This issue has been fixed in version 13.5.0. Users are advised to upgrade. Users unable to upgrade should not "view on remote" for untrusted instances.

Action-Not Available
Vendor-misskeymisskey-dev
Product-misskeymisskey
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24408
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-6.1||MEDIUM
EPSS-1.72% / 74.70%
||
7 Day CHG~0.00%
Published-16 Oct, 2020 | 14:03
Updated-17 Sep, 2024 | 03:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in customer address upload feature

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoMagento Commerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-0183
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.66% / 47.14%
||
7 Day CHG~0.00%
Published-02 Jan, 2020 | 19:20
Updated-06 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to a XSS via HTML in the systems name when registering.

Action-Not Available
Vendor-KatelloRed Hat, Inc.
Product-subscription_asset_managerKatello
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23226
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.43% / 82.29%
||
7 Day CHG~0.00%
Published-27 Aug, 2021 | 00:00
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php.

Action-Not Available
Vendor-n/aDebian GNU/LinuxThe Cacti Group, Inc.
Product-cactidebian_linuxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25466
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.8||MEDIUM
EPSS-0.40% / 32.37%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 15:23
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Who Hit The Page – Hit Counter Plugin <= 1.4.14.3 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Mahlamusa Who Hit The Page – Hit Counter plugin <= 1.4.14.3 versions.

Action-Not Available
Vendor-mahlamusaMahlamusa
Product-who_hit_the_page_-_hit_counterWho Hit The Page – Hit Counter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-125027
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.52% / 40.50%
||
7 Day CHG~0.00%
Published-31 Dec, 2022 | 15:12
Updated-11 Apr, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Yuna Scatari TBDev usersearch.php get_user_icons cross site scripting

A vulnerability has been found in Yuna Scatari TBDev up to 2.1.17 and classified as problematic. Affected by this vulnerability is the function get_user_icons of the file usersearch.php. The manipulation of the argument n/r/r2/em/ip/co/ma/d/d2/ul/ul2/ls/ls2/dl/dl2 leads to cross site scripting. The attack can be launched remotely. Upgrading to version 2.1.18 is able to address this issue. The patch is named 0ba3fd4be29dd48fa4455c236a9403b3149a4fd4. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217147.

Action-Not Available
Vendor-tbdev_projectYuna Scatari
Product-tbdevTBDev
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24145
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.00% / 58.45%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 13:37
Updated-04 Aug, 2024 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted deletescreenshot action.

Action-Not Available
Vendor-cmindsn/a
Product-cm_download_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15339
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.71% / 49.20%
||
7 Day CHG~0.00%
Published-26 Jun, 2020 | 14:58
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name= XSS.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-cloudcnm_secumanagern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2565
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.55% / 41.94%
||
7 Day CHG~0.00%
Published-07 May, 2023 | 15:00
Updated-02 Aug, 2024 | 06:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Multi Language Hotel Management Software POST Parameter ajax.php cross site scripting

A vulnerability has been found in SourceCodester Multi Language Hotel Management Software 1.0 and classified as problematic. This vulnerability affects unknown code of the file ajax.php of the component POST Parameter Handler. The manipulation of the argument complaint_type with the input <script>alert(document.cookie)</script> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-228172.

Action-Not Available
Vendor-multi_language_hotel_management_software_projectSourceCodester
Product-multi_language_hotel_management_softwareMulti Language Hotel Management Software
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23517
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-7.05% / 93.42%
||
7 Day CHG~0.00%
Published-26 Mar, 2021 | 01:08
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm.

Action-Not Available
Vendor-aryanicn/a
Product-high_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23048
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.70% / 48.73%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 19:20
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SeedDMS Content Management System v6.0.7 contains a persistent cross-site scripting (XSS) vulnerability in the component AddEvent.php via the name and comment parameters.

Action-Not Available
Vendor-seeddmsn/a
Product-seeddmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24390
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.99% / 58.25%
||
7 Day CHG~0.00%
Published-27 Aug, 2020 | 15:24
Updated-04 Aug, 2024 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

eonweb in EyesOfNetwork before 5.3-7 does not properly escape the username on the /module/admin_logs page, which might allow pre-authentication stored XSS during login/logout logs recording.

Action-Not Available
Vendor-eyesofnetworkn/a
Product-eyesofnetworkn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 210
  • 211
  • Next
Details not found