Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-24588

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-15 Feb, 2022 | 15:36
Updated At-03 Aug, 2024 | 04:13
Rejected At-
Credits

Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:15 Feb, 2022 | 15:36
Updated At:03 Aug, 2024 | 04:13
Rejected At:
▼CVE Numbering Authority (CNA)

Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/Nguyen-Trung-Kien/CVE
x_refsource_MISC
https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24588/CVE-2022-24588.pdf
x_refsource_MISC
Hyperlink: https://github.com/Nguyen-Trung-Kien/CVE
Resource:
x_refsource_MISC
Hyperlink: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24588/CVE-2022-24588.pdf
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/Nguyen-Trung-Kien/CVE
x_refsource_MISC
x_transferred
https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24588/CVE-2022-24588.pdf
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/Nguyen-Trung-Kien/CVE
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24588/CVE-2022-24588.pdf
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:15 Feb, 2022 | 16:15
Updated At:04 Mar, 2023 | 01:40

Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches

flatpress
flatpress
>>flatpress>>1.2.1
cpe:2.3:a:flatpress:flatpress:1.2.1:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/Nguyen-Trung-Kien/CVEcve@mitre.org
Exploit
Third Party Advisory
https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24588/CVE-2022-24588.pdfcve@mitre.org
Exploit
Third Party Advisory
Hyperlink: https://github.com/Nguyen-Trung-Kien/CVE
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24588/CVE-2022-24588.pdf
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

14116Records found

CVE-2023-1147
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.48% / 37.90%
||
7 Day CHG~0.00%
Published-02 Mar, 2023 | 00:00
Updated-07 Mar, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

Action-Not Available
Vendor-flatpressflatpressblog
Product-flatpressflatpressblog/flatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1107
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.52% / 40.26%
||
7 Day CHG~0.00%
Published-02 Mar, 2023 | 00:00
Updated-07 Mar, 2025 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

Action-Not Available
Vendor-flatpressflatpressblog
Product-flatpressflatpressblog/flatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1146
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.48% / 37.89%
||
7 Day CHG~0.00%
Published-02 Mar, 2023 | 00:00
Updated-07 Mar, 2025 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Generic in flatpressblog/flatpress

Cross-site Scripting (XSS) - Generic in GitHub repository flatpressblog/flatpress prior to 1.3.

Action-Not Available
Vendor-flatpressflatpressblog
Product-flatpressflatpressblog/flatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1104
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.1||HIGH
EPSS-0.60% / 44.39%
||
7 Day CHG~0.00%
Published-01 Mar, 2023 | 00:00
Updated-11 Mar, 2025 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

Action-Not Available
Vendor-flatpressflatpressblog
Product-flatpressflatpressblog/flatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4605
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6||MEDIUM
EPSS-0.53% / 41.20%
||
7 Day CHG~0.00%
Published-18 Dec, 2022 | 00:00
Updated-14 Apr, 2025 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

Action-Not Available
Vendor-flatpressflatpressblog
Product-flatpressflatpressblog/flatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-33210
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.60% / 44.62%
||
7 Day CHG~0.00%
Published-02 Oct, 2024 | 00:00
Updated-03 Jul, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability has been identified in Flatpress 1.3. This vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users.

Action-Not Available
Vendor-flatpressn/aflatpress
Product-flatpressn/aflatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-40047
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.43% / 69.82%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-05 Jul, 2026 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter at /flatpress/admin.php.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-33209
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.77% / 51.24%
||
7 Day CHG~0.00%
Published-02 Oct, 2024 | 00:00
Updated-14 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FlatPress v1.3 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into the "Add New Entry" section, which allows them to execute arbitrary code in the context of a victim's web browser.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-35241
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-2.15% / 79.87%
||
7 Day CHG~0.00%
Published-30 Dec, 2020 | 14:26
Updated-29 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in Blog content via the admin panel. Each time any user will go to that blog page, the XSS triggers and the attacker can steal the cookie according to the crafted payload.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41432
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.68% / 74.04%
||
7 Day CHG~0.00%
Published-22 Jun, 2022 | 18:21
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1148
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.53% / 41.05%
||
7 Day CHG~0.00%
Published-02 Mar, 2023 | 00:00
Updated-07 Mar, 2025 | 21:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in flatpressblog/flatpress

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

Action-Not Available
Vendor-flatpressflatpressblog
Product-flatpressflatpressblog/flatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1106
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-0.58% / 43.36%
||
7 Day CHG~0.00%
Published-02 Mar, 2023 | 00:00
Updated-07 Mar, 2025 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Reflected in flatpressblog/flatpress

Cross-site Scripting (XSS) - Reflected in GitHub repository flatpressblog/flatpress prior to 1.3.

Action-Not Available
Vendor-flatpressflatpressblog
Product-flatpressflatpressblog/flatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4023
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.1||HIGH
EPSS-0.75% / 50.35%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:09
Updated-23 Jun, 2025 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in flatpressblog/flatpress

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, leading to the file being processed as an HTML file. This allows an attacker to execute arbitrary JavaScript code, which can be used to steal user cookies, perform HTTP requests, and access content of the same origin.

Action-Not Available
Vendor-flatpressflatpressblog
Product-flatpressflatpressblog/flatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4821
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-2.4||LOW
EPSS-0.51% / 39.87%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 20:45
Updated-17 May, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FlatPress XML File Handler/MD File admin.uploader.php onupload cross site scripting

A vulnerability classified as problematic was found in FlatPress. This vulnerability affects the function onupload of the file admin/panels/uploader/admin.uploader.php of the component XML File Handler/MD File Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 3cc223dec5260e533a84b5cf5780d3a4fbf21241. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217000.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressFlatPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4820
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.52% / 40.22%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 20:42
Updated-17 May, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FlatPress Admin Area admin.entry.list.php cross site scripting

A vulnerability classified as problematic has been found in FlatPress. This affects an unknown part of the file admin/panels/entry/admin.entry.list.php of the component Admin Area. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is 229752b51025e678370298284d42f8ebb231f67f. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216999.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressFlatPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4755
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.52% / 40.22%
||
7 Day CHG~0.00%
Published-27 Dec, 2022 | 09:39
Updated-17 May, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FlatPress Media Manager Plugin panel.mediamanager.file.php main cross site scripting

A vulnerability was found in FlatPress and classified as problematic. This issue affects the function main of the file fp-plugins/mediamanager/panels/panel.mediamanager.file.php of the component Media Manager Plugin. The manipulation of the argument mm-newgallery-name leads to cross site scripting. The attack may be initiated remotely. The name of the patch is d3f329496536dc99f9707f2f295d571d65a496f5. It is recommended to apply a patch to fix this issue. The identifier VDB-216869 was assigned to this vulnerability.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressFlatPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-31835
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.7||MEDIUM
EPSS-0.93% / 56.27%
||
7 Day CHG~0.00%
Published-01 Oct, 2024 | 00:00
Updated-07 Oct, 2024 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting vulnerability in flatpress CMS Flatpress v1.3 allows a remote attacker to execute arbitrary code via a crafted payload to the file name parameter.

Action-Not Available
Vendor-flatpressn/aflatpress
Product-flatpressn/aflatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25412
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.95% / 56.97%
||
7 Day CHG+0.05%
Published-27 Sep, 2024 | 00:00
Updated-13 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email field.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4461
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.47% / 70.55%
||
7 Day CHG~0.00%
Published-30 Dec, 2009 | 19:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in FlatPress 0.909 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) contact.php, (2) login.php, and (3) search.php.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25460
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.50% / 39.45%
||
7 Day CHG~0.00%
Published-24 Feb, 2025 | 00:00
Updated-12 Jun, 2025 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which are executed when other users view the posts. The issue arises due to improper input sanitization of the "TextArea" field in the blog entry submission form.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-25411
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 51.78%
||
7 Day CHG+0.04%
Published-27 Sep, 2024 | 00:00
Updated-10 Jul, 2025 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter in setup.php.

Action-Not Available
Vendor-flatpressn/aflatpress
Product-flatpressn/aflatpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-100036
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.89% / 77.09%
||
7 Day CHG~0.00%
Published-13 Jan, 2015 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in FlatPress 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the content parameter to the default URI.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4822
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-2.4||LOW
EPSS-0.51% / 39.87%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 20:47
Updated-17 May, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FlatPress Setup main.lib.php cross site scripting

A vulnerability, which was classified as problematic, has been found in FlatPress. This issue affects some unknown processing of the file setup/lib/main.lib.php of the component Setup. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 5f23b4c2eac294cc0ba5e541f83a6f8a26f9fed1. It is recommended to apply a patch to fix this issue. The identifier VDB-217001 was assigned to this vulnerability.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressFlatPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-44108
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 19.89%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 00:00
Updated-12 Jun, 2025 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then stored persistently.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-29602
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 15.18%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 00:00
Updated-16 Jun, 2025 | 19:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4120
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.76% / 75.24%
||
7 Day CHG~0.00%
Published-29 Sep, 2008 | 17:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in FlatPress 0.804 allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) pass parameter to login.php, or the (3) name parameter to contact.php.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4216
Matching Score-4
Assigner-PostgreSQL
ShareView Details
Matching Score-4
Assigner-PostgreSQL
CVSS Score-7.4||HIGH
EPSS-0.46% / 36.73%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 17:42
Updated-19 Sep, 2025 | 13:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS vulnerability in /settings/store API response json payload in pgAdmin 4

pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end.

Action-Not Available
Vendor-pgadminpgadmin.orgFedora ProjectThe PostgreSQL Global Development Group
Product-pgadmin_4fedorapgAdmin 4pgadmin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4268
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.49% / 38.77%
||
7 Day CHG~0.00%
Published-02 Jul, 2024 | 11:01
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Blocks – WordPress Blocks Plugin <= 3.1.9 - Authenticated(Contributor+) Stored Cross-Site Scripting via Multiple Blocks

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-37457 may be a duplicate of this issue.

Action-Not Available
Vendor-dotcampultimateblocks
Product-ultimate_blocksUltimate Blocks – 25+ Gutenberg Blocks for Block Editor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22252
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.48% / 37.99%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 00:00
Updated-05 Mar, 2025 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AEM Reflected XSS Arbitrary code execution

Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_manager_cloud_serviceexperience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-1679
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.91% / 55.69%
||
7 Day CHG~0.00%
Published-26 Mar, 2007 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages

Action-Not Available
Vendor-n/aHorde LLC
Product-groupwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17989
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.84% / 53.45%
||
7 Day CHG~0.00%
Published-01 Apr, 2019 | 20:48
Updated-05 Aug, 2024 | 11:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page. The injected payload would be executed in a user's browser when "/cgi-bin/New_GUI/Acl.asp" is requested.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dsl-3782_firmwaredsl-3782n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18872
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.73% / 49.78%
||
7 Day CHG~0.00%
Published-13 May, 2019 | 13:04
Updated-05 Aug, 2024 | 11:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stored XSS via the event_title parameter in a wp-admin/admin.php?page=calendar add action, or the category name during category creation at the wp-admin/admin.php?page=calendar-categories URI.

Action-Not Available
Vendor-kieranoshean/a
Product-calendarn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29231
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.62% / 45.32%
||
7 Day CHG~0.00%
Published-30 Dec, 2020 | 18:21
Updated-05 Jul, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin Full Name and each time admin visits the Profile page from the admin panel, the XSS triggers.

Action-Not Available
Vendor-n/aremyandrade
Product-user_registration_and_login_system_with_admin_paneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42834
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 37.09%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in the Create Customer API in Incognito Service Activation Center (SAC) UI v14.11 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the lastName parameter.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2143
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 23.89%
||
7 Day CHG+0.04%
Published-17 Jul, 2023 | 13:29
Updated-30 Oct, 2024 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enable SVG, WebP & ICO Upload <= 1.0.3 - Author+ Stored XSS

The Enable SVG, WebP & ICO Upload WordPress plugin through 1.0.3 does not sanitize SVG file contents, leading to a Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-ideastocodeUnknown
Product-enable_svg\,_webp_\&_ico_uploadEnable SVG, WebP & ICO Upload
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18741
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.53% / 41.15%
||
7 Day CHG~0.00%
Published-28 Oct, 2018 | 03:00
Updated-05 Aug, 2024 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Download.php?lgid=1 during editing.

Action-Not Available
Vendor-sem-cmsn/a
Product-semcmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-1250
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.66% / 47.10%
||
7 Day CHG~0.00%
Published-03 Jul, 2018 | 19:00
Updated-16 Sep, 2024 | 23:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle Management 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force 124630.

Action-Not Available
Vendor-IBM Corporation
Product-rational_collaborative_lifecycle_managementrational_quality_managerRational Quality ManagerRational Collaborative Lifecycle Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41844
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 21.36%
||
7 Day CHG~0.00%
Published-23 Aug, 2024 | 16:53
Updated-07 Oct, 2024 | 13:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41911
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 15.26%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 14:07
Updated-02 Oct, 2025 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The flaw does not properly neutralize input during a web page generation.

Action-Not Available
Vendor-HP Inc.
Product-poly_clariti_managerPoly Clariti Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-11441
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.51% / 39.82%
||
7 Day CHG~0.00%
Published-19 Jul, 2017 | 07:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before 58.0.52, 60.x before 60.0.45, 62.x before 62.0.27, 64.x before 64.0.33, and 66.x before 66.0.2 has XSS via a locale filename, aka SEC-297.

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-whmn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4265
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.56% / 42.27%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.5.9 - Contributor+ Stored Cross-Site Scripting

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 2.0.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-35688 is likely a duplicate of this issue.

Action-Not Available
Vendor-master-addonslitonice13
Product-master_addonsMaster Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22269
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.48% / 38.00%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 00:00
Updated-05 Mar, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AEM Reflected XSS Arbitrary code execution

Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_manager_cloud_serviceexperience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4187
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-2.1||LOW
EPSS-0.23% / 13.63%
||
7 Day CHG~0.00%
Published-31 Jul, 2024 | 20:28
Updated-15 Aug, 2024 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS vulnerability has been discovered in OpenText™ Filr. The vulnerability could cause users to not be warned when clicking links to external sites.

Stored XSS vulnerability has been discovered in OpenText™ Filr product, affecting versions 24.1.1 and 24.2. The vulnerability could cause users to not be warned when clicking links to external sites.

Action-Not Available
Vendor-Open Text Corporation
Product-filrFilr
CWE ID-CWE-356
Product UI does not Warn User of Unsafe Actions
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9526
Matching Score-4
Assigner-Google LLC
ShareView Details
Matching Score-4
Assigner-Google LLC
CVSS Score-7.1||HIGH
EPSS-0.21% / 10.81%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 13:30
Updated-23 Jul, 2025 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in Kubeflow Pipeline View

There exists a stored XSS Vulnerability in Kubeflow Pipeline View web UI. The Kubeflow Web UI allows to create new pipelines. When creating a new pipeline, it is possible to add a description. The description field allows html tags, which are not filtered properly. Leading to a stored XSS. We recommend upgrading past commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d

Action-Not Available
Vendor-kubeflowKubeflowkubeflow
Product-pipelinesKubeflow Pipeline Viewkubeflow_w_pipeline_view
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42763
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.41% / 33.41%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 00:00
Updated-06 May, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Reflected Cross Site Scripting (XSS) vulnerability was found in the "/schedule.php" page of the Kashipara Bus Ticket Reservation System v1.0, which allows remote attackers to execute arbitrary code via the "bookingdate" parameter.

Action-Not Available
Vendor-kjayvikn/aKashipara Group
Product-bus_ticket_reservation_systemn/abus_ticket_reservation_system
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41825
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-0.27% / 18.28%
||
7 Day CHG-0.01%
Published-22 Jul, 2024 | 14:50
Updated-07 Aug, 2024 | 20:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29496
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-4.8||MEDIUM
EPSS-0.79% / 51.95%
||
7 Day CHG~0.00%
Published-04 Jan, 2021 | 21:15
Updated-17 Sep, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.

Action-Not Available
Vendor-Dell Inc.
Product-wyse_management_suiteWyse Management Suite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9173
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.29% / 20.83%
||
7 Day CHG+0.01%
Published-26 Sep, 2024 | 09:29
Updated-08 Apr, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GF Custom Style <= 2.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The GF Custom Style plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-alefypimentelalefypf
Product-gf_custom_styleGF Custom Style
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2164
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.4||MEDIUM
EPSS-63.77% / 99.12%
||
7 Day CHG~0.00%
Published-01 Aug, 2023 | 23:36
Updated-20 Nov, 2025 | 04:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

An issue has been discovered in GitLab affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the WebIDE beta.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-27989
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-21.75% / 97.34%
||
7 Day CHG~0.00%
Published-16 Nov, 2020 | 16:56
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard).

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 282
  • 283
  • Next
Details not found