Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-15159

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-28 Aug, 2020 | 21:55
Updated At-04 Aug, 2024 | 13:08
Rejected At-
Credits

Cross Site Scripting leading to RCE in baserCMS

baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file.The affected components are ThemeFilesController.php and UploaderFilesController.php. This is fixed in version 4.3.7.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:28 Aug, 2020 | 21:55
Updated At:04 Aug, 2024 | 13:08
Rejected At:
▼CVE Numbering Authority (CNA)
Cross Site Scripting leading to RCE in baserCMS

baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file.The affected components are ThemeFilesController.php and UploaderFilesController.php. This is fixed in version 4.3.7.

Affected Products
Vendor
baserproject
Product
basercms
Versions
Affected
  • From unspecified before < 4.3.7 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79{"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Type: CWE
CWE ID: CWE-79
Description: {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Metrics
VersionBase scoreBase severityVector
3.17.6HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://basercms.net/security/20200827
x_refsource_MISC
https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw
x_refsource_CONFIRM
https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d
x_refsource_MISC
Hyperlink: https://basercms.net/security/20200827
Resource:
x_refsource_MISC
Hyperlink: https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://basercms.net/security/20200827
x_refsource_MISC
x_transferred
https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw
x_refsource_CONFIRM
x_transferred
https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d
x_refsource_MISC
x_transferred
Hyperlink: https://basercms.net/security/20200827
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:28 Aug, 2020 | 22:15
Updated At:03 Sep, 2020 | 14:20

baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file.The affected components are ThemeFilesController.php and UploaderFilesController.php. This is fixed in version 4.3.7.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.6HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Secondary3.17.6HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Primary2.04.6MEDIUM
AV:N/AC:H/Au:S/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 4.6
Base severity: MEDIUM
Vector:
AV:N/AC:H/Au:S/C:P/I:P/A:P
CPE Matches
basercms
basercms
>>basercms>>Versions up to 4.3.6(inclusive)
cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity-advisories@github.com
CWE ID: CWE-79
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://basercms.net/security/20200827security-advisories@github.com
Vendor Advisory
https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66dsecurity-advisories@github.com
Patch
Third Party Advisory
https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpwsecurity-advisories@github.com
Patch
Third Party Advisory
Hyperlink: https://basercms.net/security/20200827
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d
Source: security-advisories@github.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw
Source: security-advisories@github.com
Resource:
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

39Records found
CVE-2021-39136
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.66% / 70.16%
||
7 Day CHG~0.00%
Published-25 Aug, 2021 | 18:05
Updated-04 Aug, 2024 | 01:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site scripting vulnerability in file upload

baserCMS is an open source content management system with a focus on Japanese language support. In affected versions there is a cross-site scripting vulnerability in the file upload function of the management system of baserCMS. Users are advised to update as soon as possible. No workaround are available to mitigate this issue.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4877
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.32%
||
7 Day CHG~0.00%
Published-12 May, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-mailbasercmsbaserCMS plugin Mail
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-26128
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-1.75% / 81.81%
||
7 Day CHG~0.00%
Published-22 Feb, 2024 | 18:32
Updated-20 Dec, 2024 | 19:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
baserCMS Cross-site Scripting vulnerability in Content Management

baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18943
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.33% / 55.22%
||
7 Day CHG~0.00%
Published-05 Nov, 2018 | 08:00
Updated-05 Aug, 2024 | 11:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in baserCMS before 4.1.4. In the Register New Category feature of the Upload menu, the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader_categories/edit URI.

Action-Not Available
Vendor-basercmsn/a
Product-basercmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-0574
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 49.13%
||
7 Day CHG~0.00%
Published-26 Jun, 2018 | 14:00
Updated-05 Aug, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-0570
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 41.61%
||
7 Day CHG~0.00%
Published-26 Jun, 2018 | 14:00
Updated-05 Aug, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-20681
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 43.35%
||
7 Day CHG~0.00%
Published-26 Mar, 2021 | 08:50
Updated-03 Aug, 2024 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of JavaScript input in the page editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-39325
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.60% / 68.62%
||
7 Day CHG+0.12%
Published-25 Nov, 2022 | 00:00
Updated-23 Apr, 2025 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site scripting vulnerability in BaserCMS

BaserCMS is a content management system with a japanese language focus. In affected versions there is a cross-site scripting vulnerability on the management system of baserCMS. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. Users of baserCMS are advised to upgrade as soon as possible. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-46994
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 42.11%
||
7 Day CHG+0.03%
Published-24 Oct, 2024 | 18:22
Updated-28 Oct, 2024 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
baserCMS has Cross-site Scripting Vulnerability in Blog posts and Contents list Feature

baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in Blog posts and Contents list Feature. Version 5.1.2 fixes this issue.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-46998
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.21% / 44.01%
||
7 Day CHG+0.03%
Published-24 Oct, 2024 | 18:52
Updated-28 Oct, 2024 | 15:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
baserCMS has a Cross-site Scripting (XSS) Vulnerability in Edit Email Form Settings Feature

baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Edit Email Form Settings Feature. Version 5.1.2 fixes the issue.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29009
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.55% / 66.94%
||
7 Day CHG~0.00%
Published-27 Oct, 2023 | 19:30
Updated-09 Sep, 2024 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
basercms XSS Vulnerability via Favorites Feature

baserCMS is a website development framework with WebAPI that runs on PHP8 and CakePHP4. There is a XSS Vulnerability in Favorites Feature to baserCMS. This issue has been patched in version 4.8.0.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44379
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.62% / 69.17%
||
7 Day CHG~0.00%
Published-22 Feb, 2024 | 14:47
Updated-22 Apr, 2025 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
baserCMS Cross-site Scripting vulnerability in Site search Feature

baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the site search feature. Version 5.0.9 contains a fix for this vulnerability.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-43647
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.57% / 67.66%
||
7 Day CHG~0.00%
Published-30 Oct, 2023 | 18:18
Updated-06 Sep, 2024 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
baserCMS Cross-site Scripting vulnerability in File upload Feature

baserCMS is a website development framework. Prior to version 4.8.0, there is a cross-site scripting vulnerability in the file upload feature of baserCMS. Version 4.8.0 contains a patch for this issue.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15273
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.41% / 60.73%
||
7 Day CHG~0.00%
Published-30 Oct, 2020 | 19:10
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting in baserCMS

baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can access the file upload function category list, subsite setting list, widget area edit, and feed list on the management screen. The issue was introduced in version 4.0.0. It is fixed in version 4.4.1.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-2673
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 48.61%
||
7 Day CHG~0.00%
Published-02 Oct, 2011 | 01:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in BaserCMS before 1.6.13.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-basercmsn/a
Product-basercmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4883
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.32%
||
7 Day CHG~0.00%
Published-12 May, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4880
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.32%
||
7 Day CHG~0.00%
Published-12 May, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS plugin Blog
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42486
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-4.8||MEDIUM
EPSS-0.87% / 74.26%
||
7 Day CHG~0.00%
Published-07 Dec, 2022 | 00:00
Updated-23 Apr, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting vulnerability in User group management of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-41994
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-4.8||MEDIUM
EPSS-0.66% / 69.99%
||
7 Day CHG~0.00%
Published-07 Dec, 2022 | 00:00
Updated-23 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross-site scripting vulnerability in Permission Settings of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-46996
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.24% / 46.86%
||
7 Day CHG+0.04%
Published-24 Oct, 2024 | 18:35
Updated-28 Oct, 2024 | 15:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
baserCMS has a Cross-site Scripting (XSS) Vulnerability in Blog posts Feature

baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Blog posts feature. Version 5.1.2 fixes this issue.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-20683
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 43.35%
||
7 Day CHG~0.00%
Published-26 Mar, 2021 | 08:50
Updated-03 Aug, 2024 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of JavaScript input in the blog article editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-46995
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 41.82%
||
7 Day CHG+0.03%
Published-24 Oct, 2024 | 18:31
Updated-28 Oct, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
baserCMS has Cross-site Scripting Vulnerability in HTTP 400 Bad Request

baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in HTTP 400 Bad Request. Version 5.1.2 fixes this issue.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15276
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.59% / 68.25%
||
7 Day CHG~0.00%
Published-30 Oct, 2020 | 18:55
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross Site Scripting in baserCMS

baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15155
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.87% / 74.24%
||
7 Day CHG~0.00%
Published-28 Aug, 2020 | 21:40
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting in baserCMS

baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components is toolbar.php. The issue is fixed in version 4.3.7.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15154
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.78% / 72.80%
||
7 Day CHG~0.00%
Published-28 Aug, 2020 | 21:10
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross Site Scripting in baserCMS

baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7.

Action-Not Available
Vendor-basercmsbaserproject
Product-basercmsbasercms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-21637
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.08% / 25.09%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 05:49
Updated-17 Jun, 2025 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode

Authentik is an open-source Identity Provider. Authentik is a vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6.

Action-Not Available
Vendor-goauthentikgoauthentik
Product-authentikauthentik
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6365
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-7.6||HIGH
EPSS-0.02% / 2.20%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 16:05
Updated-02 Aug, 2024 | 08:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WhatsUp Gold Stored Cross-Site Scripting (XSS) via Device Groups

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a device group.   If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-whatsup_goldWhatsUp Gold
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6366
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-7.6||HIGH
EPSS-0.02% / 2.20%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 16:05
Updated-21 May, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WhatsUp Gold Stored Cross-Site Scripting (XSS) via Alert Center

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Alert Center.   If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-whatsup_goldWhatsUp Gold
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6367
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-7.6||HIGH
EPSS-0.03% / 6.17%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 16:05
Updated-02 Aug, 2024 | 08:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WhatsUp Gold Stored Cross-Site Scripting (XSS) via Roles

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Roles.   If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-whatsup_goldWhatsUp Gold
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6364
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-7.6||HIGH
EPSS-0.01% / 1.64%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 16:04
Updated-02 Aug, 2024 | 08:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WhatsUp Gold Stored Cross-Site Scripting (XSS) via Dashboard

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified.  It is possible for an attacker to craft a XSS payload and store that value within a dashboard component.   If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-whatsup_goldWhatsUp Gold
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41789
Matching Score-4
Assigner-Pandora FMS
ShareView Details
Matching Score-4
Assigner-Pandora FMS
CVSS Score-7.6||HIGH
EPSS-0.08% / 25.48%
||
7 Day CHG~0.00%
Published-23 Nov, 2023 | 14:36
Updated-02 Aug, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Admin Account Takeover Via XSS

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773.

Action-Not Available
Vendor-Pandora FMS S.L.U.
Product-pandora_fmsPandora FMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-27404
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.03% / 7.42%
||
7 Day CHG-0.03%
Published-26 Mar, 2025 | 14:21
Updated-01 Aug, 2025 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Icinga Web 2 DOM-based XSS vulnerability

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

Action-Not Available
Vendor-icingaIcinga
Product-icinga_web_2icingaweb2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-27405
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.03% / 7.42%
||
7 Day CHG-0.03%
Published-26 Mar, 2025 | 15:10
Updated-01 Aug, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Icinga Web 2 has XSS in embedded content

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

Action-Not Available
Vendor-icingaIcinga
Product-icinga_web_2icingaweb2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-27406
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.04% / 10.65%
||
7 Day CHG-0.04%
Published-26 Mar, 2025 | 15:49
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Icinga Reporting Stored XSS leads to SSRF

Icinga Reporting is the central component for reporting related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows to set up a template that allows to embed arbitrary Javascript. This enables the attacker to act on behalf of the user, if the template is being previewed; and act on behalf of the headless browser, if a report using the template is printed to PDF. This issue has been resolved in version 1.0.3 of Icinga Reporting. As a workaround, review all templates and remove suspicious settings.

Action-Not Available
Vendor-Icinga
Product-icingaweb2-module-reporting
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-7017
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-6.7||MEDIUM
EPSS-0.92% / 75.01%
||
7 Day CHG~0.00%
Published-27 Jul, 2020 | 18:00
Updated-04 Aug, 2024 | 09:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.

Action-Not Available
Vendor-Oracle CorporationElasticsearch BV
Product-communications_cloud_native_core_network_function_cloud_native_environmentkibanapeoplesoft_enterprise_peopletoolscommunications_billing_and_revenue_managementKibana
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11859
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.6||HIGH
EPSS-0.10% / 28.56%
||
7 Day CHG+0.01%
Published-06 Nov, 2024 | 14:10
Updated-08 Nov, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential Cross Site Scripting vulnerability in OpenText iManager

Improper Input Validation vulnerability in OpenText iManager allows Cross-Site Scripting (XSS). This issue affects iManager before 3.2.3

Action-Not Available
Vendor-Micro Focus International LimitedOpen Text Corporation
Product-imanageriManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1432
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.44% / 62.16%
||
7 Day CHG+0.03%
Published-18 May, 2022 | 10:10
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Generic in octoprint/octoprint

Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.

Action-Not Available
Vendor-octoprintoctoprint
Product-octoprintoctoprint/octoprint
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27914
Matching Score-4
Assigner-Mautic
ShareView Details
Matching Score-4
Assigner-Mautic
CVSS Score-7.6||HIGH
EPSS-0.39% / 58.87%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 15:20
Updated-03 Aug, 2024 | 21:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the installer component of Mautic before 4.3.0 allows admins to inject executable javascript

Action-Not Available
Vendor-acquiaMautic
Product-mauticMautic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15179
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8||HIGH
EPSS-0.43% / 61.84%
||
7 Day CHG~0.00%
Published-15 Sep, 2020 | 18:10
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML Injection in ScratchSig

The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely.

Action-Not Available
Vendor-scratch-wikiInternationalScratchWiki
Product-scratchsigwiki-scratchsig
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Details not found