Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-43787

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-29 Nov, 2021 | 19:30
Updated At-04 Aug, 2024 | 04:03
Rejected At-
Credits

XSS via prototype pollution

Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:29 Nov, 2021 | 19:30
Updated At:04 Aug, 2024 | 04:03
Rejected At:
▼CVE Numbering Authority (CNA)
XSS via prototype pollution

Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

Affected Products
Vendor
NodeBB
Product
NodeBB
Versions
Affected
  • >= 1.15.5, < 1.18.5
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWECWE-1321CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Type: CWE
CWE ID: CWE-79
Description: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-1321
Description: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Metrics
VersionBase scoreBase severityVector
3.19.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
x_refsource_CONFIRM
https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
x_refsource_MISC
https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
x_refsource_MISC
https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
x_refsource_MISC
Hyperlink: https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
Resource:
x_refsource_MISC
Hyperlink: https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
Resource:
x_refsource_MISC
Hyperlink: https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
x_refsource_CONFIRM
x_transferred
https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
x_refsource_MISC
x_transferred
https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
x_refsource_MISC
x_transferred
https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:29 Nov, 2021 | 20:15
Updated At:27 Oct, 2022 | 19:45

Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Secondary3.19.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
nodebb
nodebb
>>nodebb>>Versions from 1.15.5(inclusive) to 1.18.4(inclusive)
cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-1321Primarynvd@nist.gov
CWE-79Primarynvd@nist.gov
CWE-1321Secondarysecurity-advisories@github.com
CWE-79Secondarysecurity-advisories@github.com
CWE ID: CWE-1321
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-1321
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-79
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/security-advisories@github.com
Exploit
Third Party Advisory
https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4csecurity-advisories@github.com
Patch
Third Party Advisory
https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5security-advisories@github.com
Patch
Release Notes
Third Party Advisory
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fcsecurity-advisories@github.com
Patch
Third Party Advisory
Hyperlink: https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
Source: security-advisories@github.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
Source: security-advisories@github.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
Source: security-advisories@github.com
Resource:
Patch
Release Notes
Third Party Advisory
Hyperlink: https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
Source: security-advisories@github.com
Resource:
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

19233Records found
CVE-2015-3296
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.26% / 65.96%
||
7 Day CHG~0.00%
Published-21 Sep, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript: or (2) data: URLs.

Action-Not Available
Vendor-nodebbn/a
Product-nodebbn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9286
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.36% / 68.09%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 13:07
Updated-06 Aug, 2024 | 08:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.

Action-Not Available
Vendor-nodebbn/a
Product-nodebbn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15156
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.62% / 44.91%
||
7 Day CHG~0.00%
Published-26 Aug, 2020 | 19:10
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS due to lack of CSRF validation for replying/publishing

In nodebb-plugin-blog-comments before version 0.7.0, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.

Action-Not Available
Vendor-nodebbpsychobunny
Product-blog_commentsnodebb-plugin-blog-comments
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-57041
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-26.08% / 97.72%
||
7 Day CHG+0.97%
Published-24 Jan, 2025 | 00:00
Updated-27 Jun, 2025 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile.

Action-Not Available
Vendor-nodebbn/a
Product-nodebbn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-48115
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 32.77%
||
7 Day CHG~0.00%
Published-17 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The dropdown menu in jspreadsheet before v4.6.0 was discovered to be vulnerable to cross-site scripting (XSS).

Action-Not Available
Vendor-jspreadsheetn/a
Product-jspreadsheetn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15869
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.68% / 47.49%
||
7 Day CHG~0.00%
Published-31 Jul, 2020 | 19:49
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 1 of 2).

Action-Not Available
Vendor-n/aSonatype, Inc.
Product-nexus_repository_manager_3n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1080
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.11% / 61.63%
||
7 Day CHG~0.00%
Published-23 Mar, 2010 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in view.php in Pulse CMS 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter.

Action-Not Available
Vendor-pulsecmsn/a
Product-pulse_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1395
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-4.3||MEDIUM
EPSS-2.93% / 85.31%
||
7 Day CHG~0.00%
Published-11 Jun, 2010 | 17:28
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors involving DOM constructor objects, related to a "scope management issue."

Action-Not Available
Vendor-n/aMicrosoft CorporationApple Inc.
Product-webkitwindows_7mac_os_xwindows_vistawindows_xpsafarimac_os_x_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-0817
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.3||MEDIUM
EPSS-28.71% / 97.89%
||
7 Day CHG~0.00%
Published-29 Apr, 2010 | 21:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in _layouts/help.aspx in Microsoft SharePoint Server 2007 12.0.0.6421 and possibly earlier, and SharePoint Services 3.0 SP1 and SP2, versions, allows remote attackers to inject arbitrary web script or HTML via the cid0 parameter.

Action-Not Available
Vendor-n/aMicrosoft Corporation
Product-sharepoint_serversharepoint_servicesn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1275
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.06% / 60.23%
||
7 Day CHG~0.00%
Published-06 Apr, 2010 | 16:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in ShowPost.asp in BBSXP 2008 allows remote attackers to inject arbitrary web script or HTML via the ThreadID parameter.

Action-Not Available
Vendor-bbsxpn/a
Product-bbsxpn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-47928
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 33.06%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-23 Jun, 2026 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.

Action-Not Available
Vendor-misp-projectn/a
Product-mispn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2002-2343
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.47% / 70.30%
||
7 Day CHG~0.00%
Published-29 Oct, 2007 | 19:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in NOCC 0.9 through 0.9.5 allows remote attackers to inject arbitrary web script or HTML via email messages.

Action-Not Available
Vendor-noccn/a
Product-noccn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1742
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.72% / 74.52%
||
7 Day CHG~0.00%
Published-06 May, 2010 | 18:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in projects.php in Scratcher allows remote attackers to inject arbitrary web script or HTML via the show parameter.

Action-Not Available
Vendor-satyadeepn/a
Product-scratchern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1482
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.08% / 60.96%
||
7 Day CHG~0.00%
Published-12 May, 2010 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in admin/editprefs.php in the backend in CMS Made Simple (CMSMS) before 1.7.1 might allow remote attackers to inject arbitrary web script or HTML via the date_format_string parameter.

Action-Not Available
Vendor-n/aThe CMS Made Simple Foundation
Product-cms_made_simplen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1557
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.46% / 70.25%
||
7 Day CHG~0.00%
Published-14 May, 2010 | 20:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in HP Insight Control Server Migration before 6.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aHP Inc.
Product-insight_control_server_migration_for_windowsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1486
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.20% / 64.11%
||
7 Day CHG~0.00%
Published-22 Apr, 2010 | 14:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in _invoice.asp in CactuShop before 6.155 allow remote attackers to inject arbitrary web script or HTML via the (1) billing address or (2) shipping address.

Action-Not Available
Vendor-cactushopn/a
Product-cactushopn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-8075
Matching Score-4
Assigner-Hanwha Vision Co., Ltd.
ShareView Details
Matching Score-4
Assigner-Hanwha Vision Co., Ltd.
CVSS Score-5.8||MEDIUM
EPSS-0.18% / 7.76%
||
7 Day CHG~0.00%
Published-26 Dec, 2025 | 04:31
Updated-07 Jan, 2026 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation

Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to XSS on the user's browser. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

Action-Not Available
Vendor-hanwhavisionHanwha Vision Co., Ltd.
Product-xno-6120qnv-c8011r_firmwarexnd-8081rv_firmwarexnp-8250rxnv-6080rw_firmwarexnp-c9303rwxnd-8040r_firmwarepnm-9084rqz1_firmwaretnv-c8014rmxnd-9083rv_pnm-9000vq_firmwarexnf-8010rwpnm-9084qz_firmwarexnv-c9083rpnm-9084rqz_firmwareknp-2120hnqnv-c8083r_firmwareqne-c9013rlqnd-c8013r_firmwarexnd-8080rw_firmwarexnf-9010rspnm-7000vdxnp-6321_firmwarexnd-6081revpnm-9084qz1_firmwarexnf-9010rvknp-2550rhaqnp-6320h_firmwarexnv-c7083r_firmwarexno-6080rs_firmwarepnm-9081vqkno-2080rn_firmwareqnf-8010xnz-l6320axnv-6120pnm-9085rqzxnd-6085v_firmwareqnp-6250hxnf-8010rvmnbxnv-c9083r_firmwarexnp-6321h_firmwareqnp-6320r_firmwarexno-c8083rxnd-8080rxnv-6123r_firmwarexnd-9082rv_firmwareqnf-c9010qnp-6320_firmwarexnv-8080rsqnp-6230h_firmwarexno-6083rxnv-8080r_firmwarexnv-8081re_xnp-8300rw_firmwarexnf-9013rv_firmwarexnb-8002_firmwareqnv-c9083r_firmwarexnv-6083rzxnv-8080rsaxnd-l6080vxno-6123r_firmwarexnv-9082rxnv-6081_firmwarexnv-8083rzxnp-6120h_firmwarexnb-9003qnp-6320hxnz-6320apnm-7000vd_firmwarexnv-c6083rxnb-6000_firmwarexnd-8080rv_firmwarexnv-8020rxnb-9002_firmwarexnv-8083rx_xnp-c6403xnp-6371rhqnf-c9010_firmwarexnd-6081rev_firmwareknd-2020rnqnp-6250xnd-6085xnp-6250rhqnv-c6083rxnd-6083rvxnv-9083rzxnb-6005_firmwarexnv-8030r_firmwarexno-8040rxnd-8081revxnz-6320_firmwarexnv-6022rxnp-c6403rwqno-c9083rpnm-9084qz1xnd-l6080rvxnd-6081rfqne-c9013rl_firmwarexnd-l6080rxno-9082rzxnp-c9253r__firmwarexnv-6012xnv-8083rvx_firmwareknp-2320rh_firmwarexnv-6022rmknb-5000nxnp-6371rh_firmwarexnd-c9083rv_firmwarexnp-9300rw_firmwarexno-6120rs_firmwareqnp-6230xnv-c8083r_firmwarexnv-6120_firmwarexnp-c8303rwxnf-8010rpnm-9000vqxnv-6081r_firmwarexnf-9010rvmxnp-6341rh_firmwarexnd-9082rfxnp-9250_firmwarexnv-8083z_firmwarexnd-8081vzknp-2320rhxno-8020rknd-5020rnxno-c7083rkno-5020rn_firmwarexnd-8082rfxnp-6400rqnv-c8083rxnd-8080rvknp-2120hn_firmwarexnb-9002xnd-6081vz_firmwarepnm-9002vq_firmwareqno-c8013r_firmwarexnv-8081z_firmwarexnp-c8253_firmwarexnp-c6403r_pnm-9080vq_firmwarexnb-8003xnv-6083zxnv-8083rz_firmwarexnp-c6403_firmwarexnd-c6083rvxnd-6081vxnp-c9253_firmwarexnv-6012mxnd-6080rv_firmwarexnd-l6080va_firmwarexnv-8020rmnkno-5080rnxnf-9010rvm_firmwarexnv-c6083_firmwarexnv-l6080raxno-9082rz_firmwarexnp-c8253pnm-9085rqz_firmwarexnv-6123rxnp-c8253r__firmwarexnd-6011f_firmwarexnp-6341rhqnp-6230hxnd-6080xnp-c9303rw_firmwaretnv-c8011rw_firmwarexnd-8081rf_firmwarexnd-6081fzxnd-8081fz_firmwarekno-2120rn_firmwarexnd-6081rvxnv-6120rspnm-9320vqpxnv-6083z_firmwarexnd-6081rv_firmwarexnv-9083r_firmwarexnd-c9083rvtnv-c8011rwxnv-8081re__firmwarexnv-6012_firmwarexnv-6080_firmwarexnp-c9253r_xnv-6120rs_firmwarexnd-8030r_firmwarexnv-6011_firmwarexnd-6080v_firmwarexnp-6040h_firmwarexnv-c6083xnv-8040rxnv-8081r_firmwarexnv-6022rm_firmwarexnp-6250rh_firmwarekno-5080rn_firmwarexnd-9083rv__firmwarexnv-c7083rxnd-6085_firmwarexnd-c7083rvxnv-8083rvxpnm-9321vqp_firmwarexno-8020r_firmwarexnd-6010_firmwarexnp-c8303rw_firmwaretnv-c7013rcknd-2010_firmwarexnd-8020fxnd-8040rxnv-l6080a_firmwarexnd-6080rknb-2000_firmwarexnz-l6320_firmwarexnd-8081fzxnf-8010rvw_firmwareknp-2320rha_firmwarexnd-8083rv_knp-2550rha_firmwareqnp-6250h_firmwarexnd-8093rv_xno-8083rxnv-6081z_firmwarexnv-6081xnp-6400pnm-7002vd_firmwareqnp-6250_firmwarexnv-6120rqnv-c8011rxnd-8082rvxnd-l6020rxno-6083r_firmwarexno-6010r_firmwareknb-5000n_firmwareqnp-6230_firmwarexnb-6005xnv-8030rxnv-6085xnd-c6083rv_firmwarexno-8082rxnv-6085_firmwarexnv-6080rxnd-6085vknd-5020rn_firmwarexnd-6080r_firmwareknd-5080rn_firmwarexnv-c6083r_firmwarexnv-8082rxnd-8083rvx_firmwarexnv-9083rz_firmwarexnp-c8253r_qne-c8013rl_firmwarexnv-6120r_firmwareqnf-c9010vxnv-8080rsa_firmwarexnv-6010qnp-6250r_firmwarexnv-6020rxnv-9083rqnd-c8013rxnv-8083r_firmwarexnd-l6080r_firmwarexnv-6083rz_firmwarexno-6020rxnf-8010rvxnv-6081re_firmwarexnd-6020r_firmwarexnp-6040hxnp-9300rwxnv-c8083rxnd-8030rxnp-9250xnp-8250r_firmwarexnp-6320h_firmwarexnp-c7310r_xnd-8080rwxnv-6080rsa_firmwareknd-2010qnv-c6083r_firmwarexnv-6080rwxnv-l6080_firmwareqno-c8083r_firmwarexnp-c9253xnd-6081fz_firmwarexnv-6083rxnz-6320a_firmwarexnd-9082rvxno-8080rwxnb-6003_firmwarexnv-8093r_firmwarexno-8030rqnp-6320rtnv-c7013rc_firmwarexno-8030r_firmwarexnv-8020rmn_firmwarexnd-l6080v_firmwarexno-6123rqnv-c9011r_firmwarexnv-8083rx__firmwarexnd-6081rf_firmwarexnb-8003_firmwaretnb-6030xnd-8093rv__firmwarexnd-c8083rv_firmwareqnv-c8023rxno-8082r_firmwarexnp-6321hxnv-6081zxnd-8083rv__firmwarexnp-c9310r__firmwarexnp-c7310r__firmwarexnp-8250_firmwarexnd-l6080rva_firmwarexnd-l6020r_firmwarexnv-8080rxnd-l6080rvaxnp-6320hs_firmwarexnd-6080vxnf-8010rvmnb_firmwarexnb-6002xnd-k6080nxno-9083r_firmwarekno-2010rn_firmwarexnp-6400rwxnd-c8083rvxnd-8081rvxnp-c9310r_xnv-6081rexnv-l6080knd-5080rnxno-l6080rxnv-8020r_firmwarexnv-6080xnp-6320_firmwarexno-l6120rxno-c6083rxno-c8083r_firmwarexnv-8082r_firmwareqno-c6083rxnp-6120hxnv-6012m_firmwareqnd-c8023rqnv-c9083rxnd-6080rvxnd-6081fxno-8080r_firmwarexno-8040r_firmwarexnf-8010r_firmwarexnv-8081rqno-c8083rxno-8080rxno-6120rxnp-6321tnv-c8014rm_firmwarexnd-6011fqnv-c8013r_firmwarekno-5020rnqnv-c8012_firmwarexnv-6011xno-6080rxnv-6011w_firmwarexno-l6080ra_firmwarekno-2010rnxnp-6400_firmwarekno-2120rnpnm-9000vd_firmwarexnp-6550rh_firmwarexnd-8081vz_firmwarexnd-k6080n_firmwareqnv-c9011rxnp-6320hsxnd-6081vzqnd-c8023r_firmwarexnd-6010xnv-6083r_firmwareknp-2320rhaxnv-8081zxnp-6320htnb-6030_firmwarexno-6080rsxnb-8000_firmwarexno-6120_firmwarexnd-6081v_firmwareknd-2080rnxnd-6020rxnf-9010rs_firmwareqno-c8013rxno-9083rxnv-8020rmpxno-6120rsxnv-l6080ra_firmwaretnv-7010rcxnd-l6080vaxnv-6080rs_firmwaretnv-7010rc_firmwarexnb-6000qne-c8013rlqno-c8023rxnv-8080rwxno-c6083r_firmwarexnv-8080rw_firmwarexno-6080r_firmwarexnf-8010rvmxnp-c6403r__firmwarexnd-6080rwxnv-6080r_firmwarepnm-9084qzxnv-8040r_firmwarexnz-l6320a_firmwarepnm-9320vqp_firmwareknd-2020rn_firmwarexnv-6022r_firmwarexnp-6550rhqnv-c8023r_firmwarepnm-9081vq_firmwarexnv-8080rs_firmwarepnm-9084rqzxnv-8083zxno-6085rxnf-8010rvwxnp-6320rhxno-l6020r_firmwarexnd-8020rxno-c7083r_firmwarexnp-c6403rw_firmwarexnp-9250r_firmwarexno-6085r_firmwarexnz-l6320xnp-9250rxnv-6080rsaqnf-c9010v_firmwarexnd-c7083rv_firmwarepnm-9084rqz1xnp-6320rh_firmwarexnv-8020rmp_firmwarepnm-9085rqz1_firmwarekno-2080rnxnv-6011wxnv-9082r_firmwarexno-l6120r_firmwarexnd-8081rfxnz-6320knd-2080rn_firmwareqnp-6320xnb-6001xnd-6081f_firmwarexnv-6010_firmwarexnp-8250knb-2000xnd-8081rev_firmwarexnd-8082rf_firmwarexno-l6080r_firmwarexnv-l6080rxnd-8082rv_firmwarexnv-6013m_firmwarexno-c9083r_firmwareqnp-6250rxno-l6080raxno-c9083rxnb-6001_firmwarexnd-8020r_firmwarexnf-9013rvxnv-6020r_firmwarexnd-l6080rv_firmwareqno-c8023r_firmwarexnb-8002xnd-8020f_firmwarexnp-6320xnv-l6080r_firmwarexnv-8093rpnm-9002vqpnm-9322vqp_firmwarexnb-6002_firmwarexnb-9003_firmwaretnv-c8034rmxno-6020r_firmwareqnv-c8013rxnd-6083rv_firmwarepnm-9322vqpxnv-8083rxnd-6080_firmwarepnm-9321vqpxnp-6400rw_firmwarexno-l6020rxno-8083r_firmwarepnm-7002vdtnv-c8034rm_firmwarexnd-8080r_firmwarexnf-8010rv_firmwarexnf-8010rw_firmwarexno-6120r_firmwarepnm-9080vqxnv-6013mxnf-9010rv_firmwarexnd-6080rw_firmwarexnp-6400r_firmwarexnf-8010rvm_firmwarexnp-8300rwxnb-6003xnd-8083rvxxnv-6081rxnb-8000xnd-8020rw_firmwareqno-c6083r_firmwarexno-8080rw_firmwarexnd-8020rwxnv-l6080apnm-9085rqz1qno-c9083r_firmwarexnv-6080rsqnf-8010_firmwarepnm-9000vdxnd-9082rf_firmwareqnv-c8012xno-6010rQNV-C8012
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15676
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.57% / 72.28%
||
7 Day CHG~0.00%
Published-01 Oct, 2020 | 18:31
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.

Action-Not Available
Vendor-Debian GNU/LinuxopenSUSEMozilla Corporation
Product-thunderbirddebian_linuxfirefoxfirefox_esrleapFirefoxFirefox ESRThunderbird
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1164
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-2.23% / 80.52%
||
7 Day CHG~0.00%
Published-20 Apr, 2010 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.

Action-Not Available
Vendor-n/aAtlassian
Product-jiran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1048
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.45% / 69.96%
||
7 Day CHG~0.00%
Published-22 Mar, 2010 | 18:17
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in blog/index.php in Uiga Business Portal allows remote attackers to inject arbitrary web script or HTML via the textcomment parameter (aka the Comment Box) in a noentryid action. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-uigan/a
Product-business_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-47701
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.35% / 27.11%
||
7 Day CHG~0.00%
Published-31 Jan, 2023 | 00:00
Updated-27 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS).

Action-Not Available
Vendor-comfast_projectn/a
Product-cf-wr623n_firmwarecf-wr623nn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-6506
Matching Score-4
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-4
Assigner-Debian GNU/Linux
CVSS Score-4.3||MEDIUM
EPSS-2.08% / 79.03%
||
7 Day CHG~0.00%
Published-03 Sep, 2015 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key.

Action-Not Available
Vendor-n/aBest Practical Solutions, LLC
Product-request_trackern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1195
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.71% / 74.39%
||
7 Day CHG+0.01%
Published-31 Mar, 2010 | 17:35
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the htmlscrubber component in ikiwiki 2.x before 2.53.5 and 3.x before 3.20100312 allows remote attackers to inject arbitrary web script or HTML via a crafted data:image/svg+xml URI.

Action-Not Available
Vendor-ikiwikin/a
Product-ikiwikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1104
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.93% / 77.43%
||
7 Day CHG~0.00%
Published-25 Mar, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Action-Not Available
Vendor-zopen/a
Product-zopen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-48012
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.37% / 68.37%
||
7 Day CHG~0.00%
Published-27 Jan, 2023 | 00:00
Updated-28 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Opencats v0.9.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /opencats/index.php?m=settings&a=ajax_tags_upd.

Action-Not Available
Vendor-opencatsn/a
Product-opencatsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4771
Matching Score-4
Assigner-Hitachi Vantara
ShareView Details
Matching Score-4
Assigner-Hitachi Vantara
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 27.10%
||
7 Day CHG~0.00%
Published-03 Apr, 2023 | 18:58
Updated-11 Feb, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables. 

Action-Not Available
Vendor-Hitachi Vantara LLCHitachi, Ltd.
Product-vantara_pentaho_business_analytics_serverPentaho Business Analytics Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15870
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.68% / 47.49%
||
7 Day CHG~0.00%
Published-31 Jul, 2020 | 19:42
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (Issue 2 of 2).

Action-Not Available
Vendor-n/aSonatype, Inc.
Product-nexus_repository_manager_3n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1667
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.90% / 77.01%
||
7 Day CHG~0.00%
Published-06 Jul, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aMahara
Product-maharan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1332
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.02% / 59.00%
||
7 Day CHG~0.00%
Published-09 Apr, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in PrettyBook PrettyFormMail allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-prettybookn/a
Product-prettyformmailn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1274
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.06% / 60.38%
||
7 Day CHG~0.00%
Published-06 Apr, 2010 | 16:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Emweb Wt before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to "insertions of the URL" that occur during a redirection.

Action-Not Available
Vendor-webtoolkitn/a
Product-wtn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-22936
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.56% / 41.95%
||
7 Day CHG~0.00%
Published-01 Feb, 2024 | 00:00
Updated-16 Jan, 2025 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Parents & Student Portal in Genesis School Management Systems in Genesis AIMS Student Information Systems v.3053 allows remote attackers to inject arbitrary web script or HTML via the message parameter.

Action-Not Available
Vendor-manuelaldapen/agenesisedu
Product-parents_\&_student_portaln/aparent_student_portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4876
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.51% / 39.45%
||
7 Day CHG~0.00%
Published-04 Jan, 2023 | 22:02
Updated-28 May, 2025 | 13:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kaltura mwEmbed DefaultSettings.php cross site scripting

A vulnerability was found in Kaltura mwEmbed up to 2.96.rc1 and classified as problematic. This issue affects some unknown processing of the file includes/DefaultSettings.php. The manipulation of the argument HTTP_X_FORWARDED_HOST leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.96.rc2 is able to address this issue. The patch is named 13b8812ebc8c9fa034eed91ab35ba8423a528c0b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217427.

Action-Not Available
Vendor-kalturaKaltura
Product-mwembedmwEmbed
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1105
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.11% / 61.63%
||
7 Day CHG~0.00%
Published-25 Mar, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in cgi/index.php in AdvertisementManager 3.1.0 and 3.6 allows remote attackers to inject arbitrary web script or HTML via the usr parameter.

Action-Not Available
Vendor-advertisementmanagern/a
Product-advertisementmanagern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4822
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-2.4||LOW
EPSS-0.51% / 39.57%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 20:47
Updated-17 May, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FlatPress Setup main.lib.php cross site scripting

A vulnerability, which was classified as problematic, has been found in FlatPress. This issue affects some unknown processing of the file setup/lib/main.lib.php of the component Setup. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 5f23b4c2eac294cc0ba5e541f83a6f8a26f9fed1. It is recommended to apply a patch to fix this issue. The identifier VDB-217001 was assigned to this vulnerability.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressFlatPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1257
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.3||MEDIUM
EPSS-22.16% / 97.36%
||
7 Day CHG~0.00%
Published-08 Jun, 2010 | 20:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the toStaticHTML API, as used in Microsoft Office InfoPath 2003 SP3, 2007 SP1, and 2007 SP2; Office SharePoint Server 2007 SP1 and SP2; SharePoint Services 3.0 SP1 and SP2; and Internet Explorer 8 allows remote attackers to inject arbitrary web script or HTML via vectors related to sanitization.

Action-Not Available
Vendor-n/aMicrosoft Corporation
Product-internet_explorersharepoint_serviceswindows_7windows_server_2008windows_vistawindows_xpwindows_2003_serversharepoint_serveroffice_infopathn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1036
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-4.3||MEDIUM
EPSS-2.87% / 85.00%
||
7 Day CHG~0.00%
Published-28 Apr, 2010 | 22:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in HP System Insight Manager before 6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aHP Inc.
Product-systems_insight_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-1000143
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-3.56% / 87.84%
||
7 Day CHG~0.00%
Published-10 Oct, 2016 | 20:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected XSS in wordpress plugin photoxhibit v2.1.8

Action-Not Available
Vendor-photoxhibit_projectn/a
Product-photoxhibitn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1021
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.06% / 60.38%
||
7 Day CHG~0.00%
Published-19 Mar, 2010 | 18:35
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Typo3 Quixplorer (t3quixplorer) extension before 1.7.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-mads_brunnn/aTYPO3 Association
Product-t3quixplorertypo3n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15769
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.66% / 46.57%
||
7 Day CHG~0.00%
Published-18 Sep, 2020 | 13:10
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL.

Action-Not Available
Vendor-n/aGradle, Inc.
Product-enterprisen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-0963
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.06% / 60.37%
||
7 Day CHG~0.00%
Published-16 Mar, 2010 | 18:26
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in index.php in dl Download Ticket Service before 0.7 allows remote attackers to inject arbitrary web script or HTML via the t parameter, related to an invalid ticket ID. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-yuri_d\'elian/a
Product-dln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1186
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-4.73% / 90.68%
||
7 Day CHG~0.00%
Published-07 Apr, 2010 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in xml/media-rss.php in the NextGEN Gallery plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the mode parameter.

Action-Not Available
Vendor-alex_raben/aWordPress.org
Product-nextgen_gallerywordpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-48118
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 37.25%
||
7 Day CHG~0.00%
Published-27 Jan, 2023 | 00:00
Updated-28 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Acronym parameter.

Action-Not Available
Vendor-joranin/a
Product-joranin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1193
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.66% / 73.55%
||
7 Day CHG+0.01%
Published-01 Apr, 2010 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in WebAccess in VMware Server 2.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON error messages.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)
Product-servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-0927
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.01% / 58.77%
||
7 Day CHG~0.00%
Published-05 Mar, 2010 | 17:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in help/readme.nsf/Header in the Help component in IBM Lotus Domino 7.x before 7.0.4 and 8.x before 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the BaseTarget parameter in an OpenPage action. NOTE: this may overlap CVE-2010-0920.

Action-Not Available
Vendor-n/aIBM Corporation
Product-lotus_dominon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1629
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.03% / 59.36%
||
7 Day CHG~0.00%
Published-19 May, 2010 | 22:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Phorum before 5.2.15 allows remote attackers to inject arbitrary web script or HTML via an invalid email address.

Action-Not Available
Vendor-phorumn/a
Product-phorumn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1339
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.85% / 53.58%
||
7 Day CHG~0.00%
Published-09 Apr, 2010 | 18:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in ts_other.php in the Teamsite Hack plugin 3.0 and earlier for WoltLab Burning Board allows remote attackers to inject arbitrary web script or HTML via the userid parameter in a modboard action, which is not properly handled in a forced SQL error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Action-Not Available
Vendor-robertottowoltlabn/a
Product-teamsite_hack_pluginburning_boardn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1619
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.67% / 73.77%
||
7 Day CHG~0.00%
Published-29 Apr, 2010 | 21:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities.

Action-Not Available
Vendor-n/aMoodle Pty Ltd
Product-moodlen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-1707
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.90% / 55.07%
||
7 Day CHG~0.00%
Published-04 May, 2010 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.

Action-Not Available
Vendor-n/aPiwigo
Product-piwigon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2002-2255
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.44% / 69.70%
||
7 Day CHG~0.00%
Published-14 Oct, 2007 | 20:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in search.php in phpBB 2.0.3 and possibly earlier versions allows remote attackers to inject arbitrary web script or HTML via the search_username parameter in searchuser mode.

Action-Not Available
Vendor-phpbbn/a
Product-phpbbn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2002-2348
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.45% / 69.96%
||
7 Day CHG~0.00%
Published-29 Oct, 2007 | 19:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in athcgi.exe in Authoria HR allows remote attackers to inject arbitrary web script or HTML via the command parameter.

Action-Not Available
Vendor-authorian/a
Product-authorian/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 384
  • 385
  • Next
Details not found