Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-4049

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-12 Jun, 2020 | 16:00
Updated At-04 Aug, 2024 | 07:52
Rejected At-
Credits

Authenticated self-XSS via theme uploads in WordPress

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:12 Jun, 2020 | 16:00
Updated At:04 Aug, 2024 | 07:52
Rejected At:
▼CVE Numbering Authority (CNA)
Authenticated self-XSS via theme uploads in WordPress

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Affected Products
Vendor
WordPress.orgWordPress
Product
wordpress-develop
Versions
Affected
  • >= 5.4.0, < 5.4.2
  • >= 5.3.0, < 5.3.4
  • >= 5.2.0, < 5.2.7
  • >= 5.1.0, < 5.1.6
  • >= 5.0.0, < 5.0.10
  • >= 4.9.0, < 4.9.15
  • >= 4.8.0, < 4.8.14
  • >= 4.7.0, < 4.7.18
  • >= 4.6.0, < 4.6.19
  • >= 4.5.0, < 4.5.22
  • >= 4.4.0, < 4.4.23
  • >= 4.3.0, < 4.3.24
  • >= 4.2.0, < 4.2.28
  • >= 4.1.0, < 4.1.31
  • >= 4.0.0, < 4.0.31
  • >= 3.9.0, < 3.9.32
  • >= 3.8.0, < 3.8.34
  • >= 3.7.0, < 3.7.34
Problem Types
TypeCWE IDDescription
CWECWE-80CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Type: CWE
CWE ID: CWE-80
Description: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Metrics
VersionBase scoreBase severityVector
3.12.4LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 2.4
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
x_refsource_MISC
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
x_refsource_CONFIRM
https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
vendor-advisory
x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
vendor-advisory
x_refsource_FEDORA
https://www.debian.org/security/2020/dsa-4709
vendor-advisory
x_refsource_DEBIAN
https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
mailing-list
x_refsource_MLIST
https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html
mailing-list
x_refsource_MLIST
Hyperlink: https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
Resource:
x_refsource_MISC
Hyperlink: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148
Resource:
x_refsource_MISC
Hyperlink: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
Resource:
vendor-advisory
x_refsource_FEDORA
Hyperlink: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
Resource:
vendor-advisory
x_refsource_FEDORA
Hyperlink: https://www.debian.org/security/2020/dsa-4709
Resource:
vendor-advisory
x_refsource_DEBIAN
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html
Resource:
mailing-list
x_refsource_MLIST
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
x_refsource_MISC
x_transferred
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
x_refsource_CONFIRM
x_transferred
https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148
x_refsource_MISC
x_transferred
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
vendor-advisory
x_refsource_FEDORA
x_transferred
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
vendor-advisory
x_refsource_FEDORA
x_transferred
https://www.debian.org/security/2020/dsa-4709
vendor-advisory
x_refsource_DEBIAN
x_transferred
https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
mailing-list
x_refsource_MLIST
x_transferred
https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
Resource:
vendor-advisory
x_refsource_FEDORA
x_transferred
Hyperlink: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
Resource:
vendor-advisory
x_refsource_FEDORA
x_transferred
Hyperlink: https://www.debian.org/security/2020/dsa-4709
Resource:
vendor-advisory
x_refsource_DEBIAN
x_transferred
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:12 Jun, 2020 | 16:15
Updated At:07 Nov, 2023 | 03:23

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.12.4LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Secondary3.12.4LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 2.4
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 2.4
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
WordPress.org
wordpress
>>wordpress>>Versions from 3.7(inclusive) to 3.7.34(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 3.8(inclusive) to 3.8.34(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 3.9(inclusive) to 3.9.32(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.0(inclusive) to 4.0.31(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.1(inclusive) to 4.1.31(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.2(inclusive) to 4.2.28(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.3(inclusive) to 4.3.24(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.4(inclusive) to 4.4.23(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.5(inclusive) to 4.5.22(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.6(inclusive) to 4.6.19(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.7(inclusive) to 4.7.18(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.8(inclusive) to 4.8.14(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 4.9(inclusive) to 4.9.15(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 5.0(inclusive) to 5.0.10(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 5.1(inclusive) to 5.1.6(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 5.2(inclusive) to 5.2.7(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 5.3.0(inclusive) to 5.3.4(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
WordPress.org
wordpress
>>wordpress>>Versions from 5.4(inclusive) to 5.4.2(exclusive)
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Fedora Project
fedoraproject
>>fedora>>31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Fedora Project
fedoraproject
>>fedora>>32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Debian GNU/Linux
debian
>>debian_linux>>8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Debian GNU/Linux
debian
>>debian_linux>>9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Debian GNU/Linux
debian
>>debian_linux>>10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-80Primarysecurity-advisories@github.com
CWE-79Secondarynvd@nist.gov
CWE ID: CWE-80
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-79
Type: Secondary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148security-advisories@github.com
Patch
Third Party Advisory
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6psecurity-advisories@github.com
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00000.htmlsecurity-advisories@github.com
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00011.htmlsecurity-advisories@github.com
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/security-advisories@github.com
N/A
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/security-advisories@github.com
N/A
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/security-advisories@github.com
Vendor Advisory
https://www.debian.org/security/2020/dsa-4709security-advisories@github.com
Third Party Advisory
Hyperlink: https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148
Source: security-advisories@github.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
Source: security-advisories@github.com
Resource:
Third Party Advisory
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
Source: security-advisories@github.com
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html
Source: security-advisories@github.com
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://www.debian.org/security/2020/dsa-4709
Source: security-advisories@github.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

7153Records found
CVE-2017-5490
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.95% / 75.48%
||
7 Day CHG~0.00%
Published-15 Jan, 2017 | 02:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.

Action-Not Available
Vendor-n/aWordPress.org
Product-wordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-5938
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.63% / 69.40%
||
7 Day CHG~0.00%
Published-15 Mar, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.

Action-Not Available
Vendor-viewvcn/aopenSUSEDebian GNU/Linux
Product-debian_linuxviewvcleapn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-5240
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-2.1||LOW
EPSS-0.33% / 55.43%
||
7 Day CHG~0.00%
Published-18 Aug, 2014 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWordPress.org
Product-debian_linuxwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4534
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 39.23%
||
7 Day CHG~0.00%
Published-02 Jul, 2014 | 20:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in videoplayer/autoplay.php in the HTML5 Video Player with Playlist plugin 2.4.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) theme or (2) playlistmod parameter.

Action-Not Available
Vendor-html5_video_player_with_playlist_plugin_projectn/aWordPress.org
Product-html5_video_player_with_playlist_pluginwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-3841
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 41.75%
||
7 Day CHG~0.00%
Published-22 May, 2014 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Contact Bank plugin before 2.0.20 for WordPress allows remote attackers to inject arbitrary web script or HTML via the Label field, related to form layout configuration. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-tech-bankern/aWordPress.org
Product-contact_bankwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-32862
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.60% / 68.54%
||
7 Day CHG~0.00%
Published-18 Aug, 2022 | 00:00
Updated-02 Sep, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).

Action-Not Available
Vendor-jupyterjupyterDebian GNU/Linux
Product-nbconvertdebian_linuxnbconvert
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15562
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.86% / 74.16%
||
7 Day CHG~0.00%
Published-06 Jul, 2020 | 11:26
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.

Action-Not Available
Vendor-n/aRoundcube Webmail ProjectDebian GNU/Linux
Product-webmaildebian_linuxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-5612
Matching Score-6
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-6
Assigner-Debian GNU/Linux
CVSS Score-6.1||MEDIUM
EPSS-0.91% / 74.87%
||
7 Day CHG~0.00%
Published-30 Jan, 2017 | 04:24
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2315
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 41.92%
||
7 Day CHG~0.00%
Published-07 Mar, 2014 | 20:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Thank You Counter Button plugin 1.8.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) thanks_caption, (2) thanks_caption_style, or (3) thanks_style parameter to wp-admin/options.php.

Action-Not Available
Vendor-shinephpn/aWordPress.org
Product-thank_you_counter_buttonwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4600
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 39.23%
||
7 Day CHG~0.00%
Published-02 Jul, 2014 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in contact/edit.php in the WP Ultimate Email Marketer plugin 1.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) listname or (2) contact parameter.

Action-Not Available
Vendor-wp_ultimate_email_marketer_projectn/aWordPress.org
Product-wp_ultimate_email_marketerwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4603
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 39.23%
||
7 Day CHG~0.00%
Published-02 Jul, 2014 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in yupdates_application.php in the Yahoo! Updates for WordPress plugin 1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) secret, (2) key, or (3) appid parameter.

Action-Not Available
Vendor-yahoo\!_updates_for_wordpress_plugin_projectn/aWordPress.org
Product-wordpressyahoo\!_updates_for_wordpress_pluginn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-16145
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.70% / 71.17%
||
7 Day CHG~0.00%
Published-12 Aug, 2020 | 12:29
Updated-04 Aug, 2024 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.

Action-Not Available
Vendor-n/aRoundcube Webmail ProjectFedora Project
Product-webmailfedoran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1530
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.76% / 72.29%
||
7 Day CHG~0.00%
Published-30 Apr, 2014 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The docshell implementation in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to trigger the loading of a URL with a spoofed baseURI property, and conduct cross-site scripting (XSS) attacks, via a crafted web site that performs history navigation.

Action-Not Available
Vendor-n/aMozilla CorporationopenSUSESUSERed Hat, Inc.Fedora ProjectDebian GNU/LinuxCanonical Ltd.
Product-enterprise_linux_serverenterprise_linux_eusfirefoxenterprise_linux_server_eusthunderbirddebian_linuxenterprise_linux_server_ausfedoraseamonkeyfirefox_esrubuntu_linuxenterprise_linux_desktopopensusesuse_linux_enterprise_serverenterprise_linux_server_tusenterprise_linux_workstationn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1232
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 51.74%
||
7 Day CHG~0.00%
Published-08 Jan, 2014 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Foliopress WYSIWYG plugin before 2.6.8.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-foliovisionn/aWordPress.org
Product-foliopress_wysiwygwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-5124
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-6.1||MEDIUM
EPSS-34.13% / 96.83%
||
7 Day CHG~0.00%
Published-07 Feb, 2018 | 23:00
Updated-05 Aug, 2024 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page.

Action-Not Available
Vendor-n/aGoogle LLCDebian GNU/Linux
Product-chromedebian_linuxGoogle Chrome prior to 62.0.3202.62
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4529
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 39.23%
||
7 Day CHG~0.00%
Published-02 Jul, 2014 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in fpg_preview.php in the Flash Photo Gallery plugin 0.7 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the path parameter.

Action-Not Available
Vendor-flash_photo_gallery_projectn/aWordPress.org
Product-wordpressflash_photo_galleryn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2006-2016
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-2.6||LOW
EPSS-19.52% / 95.18%
||
7 Day CHG~0.00%
Published-25 Apr, 2006 | 10:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in phpLDAPadmin 0.9.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dn parameter in (a) compare_form.php, (b) copy_form.php, (c) rename_form.php, (d) template_engine.php, and (e) delete_form.php; (2) scope parameter in (f) search.php; and (3) Container DN, (4) Machine Name, and (5) UID Number fields in (g) template_engine.php.

Action-Not Available
Vendor-phpldapadmin_projectn/aDebian GNU/Linux
Product-debian_linuxphpldapadminn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1573
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.73% / 71.80%
||
7 Day CHG~0.00%
Published-13 Oct, 2014 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name.

Action-Not Available
Vendor-n/aMozilla CorporationFedora Project
Product-fedorabugzillan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-30151
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-19.11% / 95.11%
||
7 Day CHG~0.00%
Published-06 Apr, 2021 | 00:00
Updated-03 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.

Action-Not Available
Vendor-contribsysn/aDebian GNU/Linux
Product-sidekiqdebian_linuxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15169
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-1.15% / 77.63%
||
7 Day CHG~0.00%
Published-11 Sep, 2020 | 15:50
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Action View

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.

Action-Not Available
Vendor-action_view_projectDebian GNU/LinuxFedora ProjectRuby on Rails
Product-debian_linuxaction_viewfedoraactionview
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1888
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.49% / 64.61%
||
7 Day CHG~0.00%
Published-28 Feb, 2014 | 17:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging CVE-2014-1889.

Action-Not Available
Vendor-buddypressn/aWordPress.org
Product-buddypresswordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2326
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.27% / 78.64%
||
7 Day CHG~0.00%
Published-27 Mar, 2014 | 16:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aopenSUSEFedora ProjectDebian GNU/LinuxThe Cacti Group, Inc.
Product-cactifedoraopensusedebian_linuxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-4967
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-6.1||MEDIUM
EPSS-0.60% / 68.44%
||
7 Day CHG~0.00%
Published-13 Jun, 2017 | 06:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.

Action-Not Available
Vendor-n/aBroadcom Inc.Debian GNU/LinuxVMware (Broadcom Inc.)
Product-rabbitmq_serverdebian_linuxrabbitmqPivotal RabbitMQ
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13964
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.87% / 74.31%
||
7 Day CHG~0.00%
Published-09 Jun, 2020 | 02:45
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.

Action-Not Available
Vendor-n/aRoundcube Webmail ProjectDebian GNU/LinuxFedora Project
Product-webmaildebian_linuxfedoran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-7371
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.58% / 67.90%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 14:04
Updated-06 Aug, 2024 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

node-connects before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370)

Action-Not Available
Vendor-senchanode-connectDebian GNU/Linux
Product-connectdebian_linuxnode-connect
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6991
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 63.73%
||
7 Day CHG~0.00%
Published-02 Jan, 2014 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the WP-Cron Dashboard plugin 1.1.5 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the procname parameter to wp-admin/tools.php.

Action-Not Available
Vendor-wokamoton/aWordPress.org
Product-wp-cron_dashboardwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-7279
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 62.01%
||
7 Day CHG~0.00%
Published-08 Jan, 2014 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in views/video-management/preview_video.php in the S3 Video plugin before 0.983 for WordPress allows remote attackers to inject arbitrary web script or HTML via the base parameter.

Action-Not Available
Vendor-anthony_millsn/aWordPress.org
Product-wordpresss3_videon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6993
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 50.13%
||
7 Day CHG~0.00%
Published-02 Jan, 2014 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Ad-minister plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the key parameter in a delete action to wp-admin/tools.php.

Action-Not Available
Vendor-ad-minister_projectn/aWordPress.org
Product-wordpressad-ministern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-7370
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.08% / 76.97%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 13:55
Updated-06 Aug, 2024 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware

Action-Not Available
Vendor-senchan/aDebian GNU/LinuxRed Hat, Inc.openSUSE
Product-opensuseopenshiftdebian_linuxconnectn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12625
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-4.16% / 88.23%
||
7 Day CHG~0.00%
Published-04 May, 2020 | 01:57
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

Action-Not Available
Vendor-n/aRoundcube Webmail ProjectDebian GNU/LinuxopenSUSE
Product-webmaildebian_linuxbackports_sleleapn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-7276
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 56.15%
||
7 Day CHG~0.00%
Published-08 Jan, 2014 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in inc/raf_form.php in the Recommend to a friend plugin 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the current_url parameter.

Action-Not Available
Vendor-recommend_to_a_friend_projectn/aWordPress.org
Product-recommend_to_a_friendwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-5045
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-6.1||MEDIUM
EPSS-0.85% / 74.03%
||
7 Day CHG~0.00%
Published-24 Apr, 2017 | 23:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XSS Auditor in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed detection of a blocked iframe load, which allowed a remote attacker to brute force JavaScript variables via a crafted HTML page.

Action-Not Available
Vendor-n/aDebian GNU/LinuxLinux Kernel Organization, IncRed Hat, Inc.Apple Inc.Microsoft CorporationGoogle LLC
Product-chromeenterprise_linux_desktopenterprise_linux_workstationlinux_kernelwindowsenterprise_linux_serverdebian_linuxmacosandroidGoogle Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5918
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 39.23%
||
7 Day CHG~0.00%
Published-23 Sep, 2013 | 10:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in the Platinum SEO plugin before 1.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.

Action-Not Available
Vendor-platinum_seo_projectn/aWordPress.org
Product-platinum_seo_pluginwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12137
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.49% / 64.71%
||
7 Day CHG~0.00%
Published-24 Apr, 2020 | 12:37
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.

Action-Not Available
Vendor-n/aGNUFedora ProjectopenSUSECanonical Ltd.Debian GNU/Linux
Product-ubuntu_linuxdebian_linuxfedoramailmanbackports_sleleapn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6010
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 41.92%
||
7 Day CHG~0.00%
Published-03 Oct, 2013 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Comment Attachment plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Attachment field title."

Action-Not Available
Vendor-wearegumballn/aWordPress.org
Product-comment-attachmentwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5714
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 60.77%
||
7 Day CHG~0.00%
Published-09 Sep, 2013 | 17:00
Updated-20 Aug, 2025 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-videowhispern/aWordPress.org
Product-live_streaming_integration_pluginwordpressvideowhisper_live_streaming_integrationn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5612
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.74% / 71.97%
||
7 Day CHG~0.00%
Published-11 Dec, 2013 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header.

Action-Not Available
Vendor-n/aMozilla CorporationopenSUSESUSERed Hat, Inc.Fedora ProjectOracle CorporationCanonical Ltd.
Product-enterprise_linux_serversolarisenterprise_linux_eusfirefoxenterprise_linux_server_euslinux_enterprise_desktoplinux_enterprise_software_development_kitenterprise_linux_server_ausfedoraseamonkeyopensuseubuntu_linuxenterprise_linux_desktopenterprise_linux_server_tusenterprise_linux_workstationlinux_enterprise_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11082
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.45% / 62.82%
||
7 Day CHG~0.00%
Published-28 May, 2020 | 21:10
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting in Kaminari

In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.

Action-Not Available
Vendor-kaminari_projectkaminariDebian GNU/Linux
Product-kaminaridebian_linuxKaminari
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6364
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.29% / 84.09%
||
7 Day CHG~0.00%
Published-05 Nov, 2019 | 13:43
Updated-06 Aug, 2024 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book

Action-Not Available
Vendor-n/aHorde LLCDebian GNU/Linux
Product-debian_linuxgroupwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-11023
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-21.55% / 95.50%
||
7 Day CHG~0.00%
Published-29 Apr, 2020 | 00:00
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-02-13||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Potential XSS vulnerability in jQuery

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Action-Not Available
Vendor-NetApp, Inc.The Drupal AssociationjQuery (OpenJS Foundation)Debian GNU/LinuxTenable, Inc.Fedora ProjectOracle Corporation
Product-blockchain_platformcommunications_element_managerh410sh500ecommunications_eagle_application_processorh410c_firmwaredebian_linuxstoragetek_acslssnap_creator_frameworkh300s_firmwareh300efedorabanking_enterprise_collectionscommunications_analyticsrest_data_serviceshyperion_financial_reportingh700eweblogic_serverhci_baseboard_management_controlleroncommand_insightfinancial_services_revenue_management_and_billing_analyticsbusiness_intelligenceh700scloud_backuplog_correlation_engineapplication_expresscommunications_session_report_managerh700e_firmwaresiebel_mobilecloud_insights_storage_workload_security_agenthealthcare_translational_researchactive_iq_unified_managerjqueryjd_edwards_enterpriseone_orchestratorpeoplesoft_enterprise_human_capital_management_resourcessnapcenter_serverjd_edwards_enterpriseone_toolsh410s_firmwareprimavera_gatewaycommunications_session_route_managercommunications_operations_monitorh700s_firmwarefinancial_services_regulatory_reporting_for_de_nederlandsche_bankwebcenter_sitesh500s_firmwarestoragetek_tape_analytics_sw_toolcommunications_services_gatekeepeross_support_toolshealth_sciences_informmax_datacommunications_interactive_session_recorderdrupalh300sh410ch500sh500e_firmwareoncommand_system_managerbanking_platformapplication_testing_suiteh300e_firmwarejQueryJQuery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4954
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-2.6||LOW
EPSS-4.92% / 89.21%
||
7 Day CHG~0.00%
Published-29 Jul, 2013 | 23:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Genetech Solutions Pie-Register plugin before 1.31 for WordPress, when "Allow New Registrations to set their own Password" is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) pass1 or (2) pass2 parameter in a register action. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-genetechsolutionsn/aWordPress.org
Product-pie-registerwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-4965
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-6.1||MEDIUM
EPSS-0.83% / 73.53%
||
7 Day CHG~0.00%
Published-13 Jun, 2017 | 06:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.

Action-Not Available
Vendor-n/aBroadcom Inc.Debian GNU/LinuxVMware (Broadcom Inc.)
Product-rabbitmq_serverdebian_linuxrabbitmqPivotal RabbitMQ
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5098
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 51.74%
||
7 Day CHG~0.00%
Published-09 Aug, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the sort parameter, a different vulnerability than CVE-2013-3262.

Action-Not Available
Vendor-mikejolleyn/aWordPress.org
Product-download_monitorwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4626
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.50% / 64.84%
||
7 Day CHG~0.00%
Published-26 Sep, 2013 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php.

Action-Not Available
Vendor-marketpressn/aWordPress.org
Product-backwpup_pluginwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4944
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-2.6||LOW
EPSS-0.26% / 49.65%
||
7 Day CHG~0.00%
Published-29 Jul, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the BuddyPress Extended Friendship Request plugin before 1.0.2 for WordPress, when the "Friend Connections" component is enabled, allows remote attackers to inject arbitrary web script or HTML via the friendship_request_message parameter to wp-admin/admin-ajax.php. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-fusedpressn/aWordPress.org
Product-wordpressbuddypress-extended-frienship-requestn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11022
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-2.57% / 84.96%
||
7 Day CHG~0.00%
Published-29 Apr, 2020 | 00:00
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential XSS vulnerability in jQuery

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Action-Not Available
Vendor-jQuery (OpenJS Foundation)Tenable, Inc.The Drupal AssociationopenSUSEOracle CorporationNetApp, Inc.Fedora ProjectDebian GNU/Linux
Product-peoplesoft_enterprise_peopletoolsfinancial_services_data_foundationretail_back_officeinsurance_allocation_manager_for_enterprise_profitabilityfinancial_services_hedge_management_and_ifrs_valuationsh410c_firmwareh300s_firmwarehospitality_simphonystoragetek_acslsfinancial_services_loan_loss_forecasting_and_provisioningsnapcenterpolicy_automation_for_mobile_devicescommunications_application_session_controllerjqueryfedorafinancial_services_profitability_managementoncommand_system_managerh500s_firmwareleapfinancial_services_liquidity_risk_measurement_and_managementh300ebanking_digital_experiencefinancial_services_asset_liability_managementinsurance_accounting_analyzerretail_returns_managementfinancial_services_regulatory_reporting_for_us_federal_reservepolicy_automation_connector_for_siebeldebian_linuxweblogic_serverfinancial_services_liquidity_risk_managementinsurance_data_foundationsnap_creator_frameworkfinancial_services_market_risk_measurement_and_managementh410ccommunications_diameter_signaling_router_idih\h410spolicy_automationh300sfinancial_services_price_creation_and_discoveryh300e_firmwareblockchain_platformhealthcare_foundationmax_datafinancial_services_analytical_applications_infrastructurefinancial_services_balance_sheet_planningh500eh500e_firmwaredrupalh700eenterprise_manager_ops_centerapplication_testing_suitecommunications_services_gatekeeperfinancial_services_basel_regulatory_capital_internal_ratings_based_approachfinancial_services_data_governance_for_us_regulatory_reportinginsurance_insbridge_rating_and_underwritingretail_customer_management_and_segmentation_foundationoncommand_insightagile_product_lifecycle_management_for_processfinancial_services_basel_regulatory_capital_basiccommunications_billing_and_revenue_managementh500ssiebel_ui_frameworkfinancial_services_regulatory_reporting_for_european_banking_authorityhospitality_materials_controllog_correlation_enginefinancial_services_institutional_performance_analyticsenterprise_session_border_controllercommunications_webrtc_session_controllerfinancial_services_data_integration_hubh410s_firmwarecommunications_eagle_application_processorh700s_firmwarejdeveloperagile_product_supplier_collaboration_for_processfinancial_services_analytical_applications_reconciliation_frameworkh700e_firmwareh700sfinancial_services_funds_transfer_pricingjQuery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4625
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-8.89% / 92.23%
||
7 Day CHG~0.00%
Published-09 Aug, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.

Action-Not Available
Vendor-cory_lamlen/aWordPress.org
Product-duplicatorwordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4752
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.93% / 75.14%
||
7 Day CHG~0.00%
Published-02 Jan, 2020 | 16:07
Updated-06 Aug, 2024 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.

Action-Not Available
Vendor-sensiolabsn/aFedora Project
Product-fedorasymfonyn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-3254
Matching Score-6
Assigner-Flexera Software LLC
ShareView Details
Matching Score-6
Assigner-Flexera Software LLC
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 50.29%
||
7 Day CHG~0.00%
Published-10 May, 2013 | 10:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the commentid parameter in a wppa_manage_comments edit action.

Action-Not Available
Vendor-wppa.opajaapn/aWordPress.org
Product-wp-photo-album-pluswordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-3526
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-8.19% / 91.86%
||
7 Day CHG~0.00%
Published-10 May, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.

Action-Not Available
Vendor-wptrafficanalyzern/aWordPress.org
Product-wordpresstrafficanalyzern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • ...
  • 5
  • 6
  • 7
  • ...
  • 143
  • 144
  • Next
Details not found