Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-20192

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-16 Oct, 2024 | 06:43
Updated At-08 Apr, 2026 | 17:06
Rejected At-
Credits

Formidable Form Builder < 2.05.03 - Unauthenticated Stored Cross-Site Scripting

The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:16 Oct, 2024 | 06:43
Updated At:08 Apr, 2026 | 17:06
Rejected At:
▼CVE Numbering Authority (CNA)
Formidable Form Builder < 2.05.03 - Unauthenticated Stored Cross-Site Scripting

The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.

Affected Products
Vendor
Strategy11strategy11team
Product
Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Default Status
unaffected
Versions
Affected
  • From 0 before 2.05.03 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Jouko Pynnöne
Timeline
EventDate
Disclosed2017-11-13 00:00:00
Event: Disclosed
Date: 2017-11-13 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/900fcaab-2424-4ae8-af18-95659db0dbe3?source=cve
N/A
https://klikki.fi/adv/formidable.html
N/A
https://wordpress.org/plugins/formidable/#developers
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/900fcaab-2424-4ae8-af18-95659db0dbe3?source=cve
Resource: N/A
Hyperlink: https://klikki.fi/adv/formidable.html
Resource: N/A
Hyperlink: https://wordpress.org/plugins/formidable/#developers
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
Strategy11strategy11
Product
formidable_forms
CPEs
  • cpe:2.3:a:strategy11:formidable_forms:*:*:*:*:*:wordpress:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 2.05.03 (semver)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:16 Oct, 2024 | 07:15
Updated At:23 Dec, 2025 | 15:47

The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches

Strategy11
strategy11
>>formidable_form_builder>>Versions before 2.05.03(exclusive)
cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity@wordfence.com
CWE ID: CWE-79
Type: Secondary
Source: security@wordfence.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://klikki.fi/adv/formidable.htmlsecurity@wordfence.com
Exploit
Third Party Advisory
https://wordpress.org/plugins/formidable/#developerssecurity@wordfence.com
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/900fcaab-2424-4ae8-af18-95659db0dbe3?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://klikki.fi/adv/formidable.html
Source: security@wordfence.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://wordpress.org/plugins/formidable/#developers
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/900fcaab-2424-4ae8-af18-95659db0dbe3?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

10543Records found

CVE-2023-1884
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.7||MEDIUM
EPSS-0.45% / 35.86%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 00:00
Updated-10 Feb, 2025 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Generic in thorsten/phpmyfaq

Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaqthorsten/phpmyfaq
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1372
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.74% / 50.22%
||
7 Day CHG~0.00%
Published-13 Mar, 2023 | 12:20
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WH Testimonials <= 3.0.0 - Unauthenticated Stored Cross-Site Scripting

The WH Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters such as wh_homepage, wh_text_short, wh_text_full and in versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-webhostingswebhostings
Product-wh_testimonialsWH Testimonials
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1413
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.46% / 36.58%
||
7 Day CHG~0.00%
Published-17 Apr, 2023 | 12:17
Updated-23 Apr, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP VR < 8.2.9 - Reflected XSS

The WP VR WordPress plugin before 8.2.9 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Action-Not Available
Vendor-rexthemeUnknown
Product-wp_vrWP VR
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1500
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.52% / 40.28%
||
7 Day CHG~0.00%
Published-19 Mar, 2023 | 20:00
Updated-26 Feb, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Simple Art Gallery adminHome.php cross site scripting

A vulnerability, which was classified as problematic, has been found in code-projects Simple Art Gallery 1.0. Affected by this issue is some unknown functionality of the file adminHome.php. The manipulation of the argument about_info leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223400.

Action-Not Available
Vendor-Source Code & Projects
Product-simple_art_gallerySimple Art Gallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41640
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.58% / 43.32%
||
7 Day CHG~0.00%
Published-29 Jul, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in AML Surety Eco up to 3.5 allows an attacker to run arbitrary code via crafted GET request using the id parameter.

Action-Not Available
Vendor-n/aamlpartners
Product-n/asurety_eco
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1395
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.60% / 44.58%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 14:33
Updated-26 Feb, 2025 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Yoga Class Registration System list.php query cross site scripting

A vulnerability was found in SourceCodester Yoga Class Registration System 1.0. It has been declared as problematic. This vulnerability affects the function query of the file admin/user/list.php. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222982 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-yoga_class_registration_system_projectSourceCodester
Product-yoga_class_registration_systemYoga Class Registration System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1593
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.39% / 30.77%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 10:00
Updated-02 Aug, 2024 | 05:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Automatic Question Paper Generator System cross site scripting

A vulnerability, which was classified as problematic, has been found in SourceCodester Automatic Question Paper Generator System 1.0. This issue affects some unknown processing of the file classes/Master.php?f=save_class. The manipulation of the argument description leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-223661 was assigned to this vulnerability.

Action-Not Available
Vendor-automatic_question_paper_generator_system_projectSourceCodester
Product-automatic_question_paper_generator_systemAutomatic Question Paper Generator System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11720
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.34% / 26.52%
||
7 Day CHG~0.00%
Published-14 Dec, 2024 | 08:26
Updated-08 Apr, 2026 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Stored Cross-Site Scripting

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submission forms in all versions up to, and including, 3.24.5 due to insufficient input sanitization and output escaping on the new Taxonomy form. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when lower-level users have been granted access to submit specific forms, which is disabled by default.

Action-Not Available
Vendor-dynamiappsshabti
Product-frontend_adminFrontend Admin by DynamiApps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20019
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.59% / 43.83%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 01:38
Updated-02 Aug, 2024 | 08:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform, Cisco BroadWorks Application Server, and Cisco BroadWorks Xtended Services Platform could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-broadworks_application_delivery_platformbroadworks_application_serverbroadworks_xtended_services_platformCisco BroadWorks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1248
Matching Score-4
Assigner-OTRS AG
ShareView Details
Matching Score-4
Assigner-OTRS AG
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 34.65%
||
7 Day CHG~0.00%
Published-20 Mar, 2023 | 08:19
Updated-26 Feb, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possible XSS in Ticket Actions

Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

Action-Not Available
Vendor-OTRS AG
Product-otrsOTRS((OTRS)) Community Edition
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41242
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.45% / 36.15%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-08 Aug, 2024 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Reflected Cross Site Scripting (XSS) vulnerability was found in /smsa/student_login.php in Kashipara Responsive School Management System v3.2.0, which allows remote attackers to execute arbitrary code via "error" parameter.

Action-Not Available
Vendor-lopalopan/aKashipara Group
Product-responsive_school_management_systemn/aresponsive_school_management_system
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41810
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.11% / 61.92%
||
7 Day CHG~0.00%
Published-29 Jul, 2024 | 15:41
Updated-03 Nov, 2025 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML injection in HTTP redirect body

Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.

Action-Not Available
Vendor-twistedtwistedtwistedmatrix
Product-twistedtwistedtwisted
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2023-1567
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.59% / 43.82%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 13:31
Updated-14 Feb, 2025 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Student Study Center Desk Management System assign.php cross site scripting

A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/assign/assign.php. The manipulation of the argument sid leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223559.

Action-Not Available
Vendor-SourceCodesteroretnom23
Product-student_study_center_desk_management_systemStudent Study Center Desk Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1282
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.54% / 41.55%
||
7 Day CHG~0.00%
Published-17 Apr, 2023 | 12:17
Updated-06 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drag and Drop Multiple File Upload PRO - Reflected Cross-Site Scripting

The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

Action-Not Available
Vendor-codedropzUnknown
Product-drag_and_drop_multiple_file_upload_-_contact_form_7Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage IntegrationsDrag and Drop Multiple File Upload PRO - Contact Form 7 Standard
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41350
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.33% / 24.77%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 00:00
Updated-04 Sep, 2024 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

bjyadmin commit a560fd5 is vulnerable to Cross Site Scripting (XSS) via Public/statics/umeditor1_2_3/php/imageUp.php

Action-Not Available
Vendor-baijunyaon/abaijunyao
Product-bjyadminn/athinkphp-bjyadmin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1080
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-1.26% / 66.06%
||
7 Day CHG~0.00%
Published-28 Feb, 2023 | 12:52
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GN Publisher <= 1.5.5 - Reflected Cross-Site Scripting

The GN Publisher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-gnpublishergnpublisher
Product-gn_publisherGN Publisher: Google News Compatible RSS Feeds
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20058
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.49% / 38.75%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 01:38
Updated-25 Oct, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-unified_contact_center_expressunified_contact_center_enterpriseunified_intelligence_centerpackaged_contact_center_enterpriseCisco Unified Intelligence CenterCisco Unified Contact Center EnterpriseCisco Packaged Contact Center EnterpriseCisco Unified Contact Center Express
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8473
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-6.3||MEDIUM
EPSS-0.26% / 17.56%
||
7 Day CHG~0.00%
Published-05 Sep, 2024 | 13:08
Updated-06 Sep, 2024 | 11:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL injection vulnerability in Job Portal

Cross-Site Scripting (XSS) vulnerability, whereby user-controlled input is not sufficiently encrypted. Exploitation of this vulnerability could allow an attacker to retrieve the session details of an authenticated user through user_email parameter in /jobportal/admin/login.php.

Action-Not Available
Vendor-PHPGurukul LLP
Product-job_portalJob Portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20074
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.39% / 31.08%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 16:53
Updated-26 Nov, 2024 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_firewall_management_centerCisco Firepower Management Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4149
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 34.28%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 06:00
Updated-26 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Floating Chat Widget < 3.2.3 - Admin+ Stored XSS

The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-premioUnknownpremio
Product-floating_chat_widgetFloating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button chaty
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20053
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.52% / 40.29%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 15:27
Updated-21 Nov, 2024 | 21:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-nexus_dashboardCisco Nexus Dashboard
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-40742
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.45% / 36.12%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 00:00
Updated-02 Aug, 2024 | 04:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the circuit ID parameter at /circuits/circuits/add.

Action-Not Available
Vendor-netboxn/anetbox
Product-netboxn/anetbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-26113
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.64% / 46.29%
||
7 Day CHG~0.00%
Published-25 Sep, 2020 | 05:40
Updated-04 Aug, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1356
Matching Score-4
Assigner-The Missing Link Australia (TML)
ShareView Details
Matching Score-4
Assigner-The Missing Link Australia (TML)
CVSS Score-7.5||HIGH
EPSS-0.44% / 35.63%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 10:28
Updated-17 Sep, 2024 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected Cross-site Scripting In IDAttend’s IDWeb Application

Reflected cross-site scripting in the StudentSearch component in IDAttend’s IDWeb application 3.1.052 and earlier allows hijacking of a user’s browsing session by attackers who have convinced the said user to click on a malicious link.

Action-Not Available
Vendor-idattendIDAttend Pty Ltd
Product-idwebIDWeb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20041
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.39% / 31.08%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 16:52
Updated-26 Nov, 2024 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. In some cases, it is also possible to cause a temporary availability impact to portions of the FMC Dashboard.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_firewall_management_centerCisco Firepower Management Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0588
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.46% / 36.58%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 13:17
Updated-27 Nov, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Catalyst Connect Zoho CRM Client Portal < 2.1.0 - Reflected XSS

The Catalyst Connect Zoho CRM Client Portal WordPress plugin before 2.1.0 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

Action-Not Available
Vendor-catalystconnectUnknown
Product-zoho_crm_client_portalCatalyst Connect Zoho CRM Client Portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41505
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 13.97%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 00:00
Updated-05 Jul, 2026 | 01:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the "Pessoas" (persons) section via the field "Profisso" (professor).

Action-Not Available
Vendor-jetimobn/a
Product-imobiliarian/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0527
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-6.17% / 92.62%
||
7 Day CHG~0.00%
Published-27 Jan, 2023 | 10:32
Updated-02 Aug, 2024 | 05:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Security Guards Hiring System search-request.php cross site scripting

A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. The manipulation of the argument searchdata with the input "><script>alert(document.domain)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-219596.

Action-Not Available
Vendor-online_security_guards_hiring_system_projectPHPGurukul LLP
Product-online_security_guards_hiring_systemOnline Security Guards Hiring System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0602
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.85% / 53.76%
||
7 Day CHG~0.00%
Published-31 Jul, 2023 | 09:37
Updated-02 Aug, 2024 | 05:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Twittee Text Tweet <= 1.0.8 - Reflected XSS

The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative page, which allows reflected XSS attacks targeting administrators to happen.

Action-Not Available
Vendor-johnniejodelljrUnknown
Product-twittee_text_tweetTwittee Text Tweet
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0099
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-1.73% / 74.78%
||
7 Day CHG~0.00%
Published-13 Feb, 2023 | 14:32
Updated-13 Feb, 2025 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple URLs < 115 - Multiple Reflected XSS

The Simple URLs WordPress plugin before 115 does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-getlassoUnknown
Product-simple_urlsSimple URLs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41380
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 20.78%
||
7 Day CHG~0.00%
Published-05 Aug, 2024 | 00:00
Updated-10 Jul, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagged.php.

Action-Not Available
Vendor-n/aMicroweber (‘Microweber Academy’ Foundation)
Product-microwebern/amicroweber
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0942
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-1.21% / 64.84%
||
7 Day CHG~0.00%
Published-21 Feb, 2023 | 19:29
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Japanized For WooCommerce <= 2.5.4 - Reflected Cross-Site Scripting

The Japanized For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-artisanworkshopshoheitanaka
Product-japanized_for_woocommerceJapanized for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0869
Matching Score-4
Assigner-The OpenNMS Group
ShareView Details
Matching Score-4
Assigner-The OpenNMS Group
CVSS Score-5.8||MEDIUM
EPSS-0.41% / 32.75%
||
7 Day CHG~0.00%
Published-23 Feb, 2023 | 14:43
Updated-02 Aug, 2024 | 05:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site scripting in outage/list.htm

Cross-site scripting in outage/list.htm in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Action-Not Available
Vendor-opennmsThe OpenNMS Group
Product-meridianhorizonHorizonMeridian
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-20
Improper Input Validation
CVE-2023-1030
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.65% / 46.82%
||
7 Day CHG~0.00%
Published-24 Feb, 2023 | 19:36
Updated-03 Apr, 2025 | 09:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester/code-projects Online Boat Reservation System POST Parameter login.php cross site scripting

A vulnerability has been found in SourceCodester/code-projects Online Boat Reservation System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /boat/login.php of the component POST Parameter Handler. The manipulation of the argument un leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-online_boat_reservation_system_projectSourceCodesterSource Code & Projects
Product-online_boat_reservation_systemOnline Boat Reservation System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-8717
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 33.89%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 08:32
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – DearFlip <= 2.3.32 - Reflected Cross-Site Scripting

The PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – DearFlip plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'pdf_source' parameter in all versions up to, and including, 2.3.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-dearhive
Product-Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0769
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.48% / 37.74%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 15:56
Updated-02 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
hiWeb Migration Simple <= 2.0.0.1 Reflected Cross-Site Scripting

The hiWeb Migration Simple WordPress plugin through 2.0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

Action-Not Available
Vendor-hiwebUnknown
Product-migration_simplehiWeb Migration Simple
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-40730
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 32.00%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 00:00
Updated-02 Aug, 2024 | 04:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/interfaces/{id}/edit/.

Action-Not Available
Vendor-netboxn/anetbox
Product-netboxn/anetbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0038
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.76% / 50.61%
||
7 Day CHG~0.00%
Published-03 Jan, 2023 | 13:58
Updated-08 Apr, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Survey Maker – Best WordPress Survey Plugin <= 3.1.3 - Unauthenticated Stored Cross-Site Scripting

The "Survey Maker – Best WordPress Survey Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via survey answers in versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts when submitting quizzes that will execute whenever a user accesses the submissions page.

Action-Not Available
Vendor-AYS Pro Extensions
Product-survey_makerSurvey Maker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41347
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.28% / 19.64%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 00:00
Updated-26 Jan, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/settings.php

Action-Not Available
Vendor-jpatokaln/ajpatokal
Product-openflightsn/aopenflights
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1051
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 27.70%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 06:12
Updated-01 Jun, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in As Koc Web Report System

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in As Koc Energy Web Report System allows Reflected XSS. This issue affects Web Report System: before 23.03.10.

Action-Not Available
Vendor-askocAs Koc Energy
Product-web_report_systemWeb Report System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0867
Matching Score-4
Assigner-The OpenNMS Group
ShareView Details
Matching Score-4
Assigner-The OpenNMS Group
CVSS Score-6.7||MEDIUM
EPSS-0.42% / 34.15%
||
7 Day CHG~0.00%
Published-23 Feb, 2023 | 14:49
Updated-02 Aug, 2024 | 05:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple stored and reflected Cross-site Scripting in webapp

Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Action-Not Available
Vendor-opennmsThe OpenNMS Group
Product-meridianhorizonHorizonMeridian
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-20
Improper Input Validation
CVE-2023-0325
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-6.1||MEDIUM
EPSS-0.69% / 48.18%
||
7 Day CHG~0.00%
Published-04 Apr, 2023 | 00:00
Updated-13 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Uvdesk version 1.1.1 allows an unauthenticated remote attacker to exploit a stored XSS in the application. This is possible because the application does not correctly validate the message sent by the clients in the ticket.

Action-Not Available
Vendor-uvdeskn/a
Product-community-skeletonUvdesk
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0733
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.51% / 39.77%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 07:49
Updated-10 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsletter Popup <= 1.2 - Unauthenticated Stored XSS

The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-newsletter_popup_projectUnknown
Product-newsletter_popupNewsletter Popup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0428
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.63% / 45.88%
||
7 Day CHG~0.00%
Published-21 Feb, 2023 | 08:50
Updated-12 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Watu Quiz < 3.3.8.2 - Reflected XSS

The Watu Quiz WordPress plugin before 3.3.8.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-kibokolabsUnknown
Product-watu_quizWatu Quiz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0312
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.6||HIGH
EPSS-0.56% / 42.61%
||
7 Day CHG~0.00%
Published-15 Jan, 2023 | 00:00
Updated-07 Apr, 2025 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaqthorsten/phpmyfaq
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0746
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-6.3||MEDIUM
EPSS-0.35% / 27.35%
||
7 Day CHG~0.00%
Published-10 Mar, 2023 | 00:00
Updated-27 Feb, 2025 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS Vulnerability in GigaVue-FM

The help page in GigaVUE-FM, when using GigaVUE-OS software version 5.0 202, does not require an authenticated user. An attacker could enforce a user into inserting malicious JavaScript code into the URI, that could lead to a Reflected Cross site Scripting.

Action-Not Available
Vendor-gigamonGigamon
Product-gigavue-osGigaVUE-FM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0677
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.4||MEDIUM
EPSS-0.45% / 35.89%
||
7 Day CHG~0.00%
Published-04 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Reflected in phpipam/phpipam

Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to v1.5.1.

Action-Not Available
Vendor-phpipamphpipam
Product-phpipamphpipam/phpipam
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-40727
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 27.34%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 00:00
Updated-02 Aug, 2024 | 04:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-server-ports/add/.

Action-Not Available
Vendor-netboxn/anetbox
Product-netboxn/anetbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-12097
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-6.1||MEDIUM
EPSS-1.01% / 58.97%
||
7 Day CHG-0.02%
Published-19 Jan, 2018 | 20:00
Updated-16 Sep, 2024 | 23:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable cross site scripting (XSS) vulnerability exists in the filter functionality of the delayed_job_web rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability.

Action-Not Available
Vendor-delayed_job_web_projectTalos (Cisco Systems, Inc.)
Product-delayed_job_webdelayed_job_web rails gem
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41345
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 17.70%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 00:00
Updated-26 Jan, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

openflights commit 5234b5b is vulnerable to Cross-Site Scripting (XSS) via php/trip.php

Action-Not Available
Vendor-jpatokaln/ajpatokal
Product-openflightsn/aopenflights
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • ...
  • 210
  • 211
  • Next
Details not found