Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-24814

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-04 Apr, 2022 | 17:50
Updated At-23 Apr, 2025 | 18:41
Rejected At-
Credits

Cross-site Scripting in Directus

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:04 Apr, 2022 | 17:50
Updated At:23 Apr, 2025 | 18:41
Rejected At:
▼CVE Numbering Authority (CNA)
Cross-site Scripting in Directus

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.

Affected Products
Vendor
directus
Product
directus
Versions
Affected
  • < 9.7.0
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84
x_refsource_CONFIRM
https://github.com/directus/directus/pull/12020
x_refsource_MISC
https://github.com/directus/directus/releases/tag/v9.7.0
x_refsource_MISC
Hyperlink: https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/directus/directus/pull/12020
Resource:
x_refsource_MISC
Hyperlink: https://github.com/directus/directus/releases/tag/v9.7.0
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84
x_refsource_CONFIRM
x_transferred
https://github.com/directus/directus/pull/12020
x_refsource_MISC
x_transferred
https://github.com/directus/directus/releases/tag/v9.7.0
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/directus/directus/pull/12020
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/directus/directus/releases/tag/v9.7.0
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:04 Apr, 2022 | 18:15
Updated At:12 Apr, 2022 | 09:32

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
rangerstudio
rangerstudio
>>directus>>Versions before 9.7.0(exclusive)
cpe:2.3:a:rangerstudio:directus:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity-advisories@github.com
CWE ID: CWE-79
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/directus/directus/pull/12020security-advisories@github.com
Issue Tracking
Patch
Third Party Advisory
https://github.com/directus/directus/releases/tag/v9.7.0security-advisories@github.com
Release Notes
Third Party Advisory
https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84security-advisories@github.com
Mitigation
Third Party Advisory
Hyperlink: https://github.com/directus/directus/pull/12020
Source: security-advisories@github.com
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://github.com/directus/directus/releases/tag/v9.7.0
Source: security-advisories@github.com
Resource:
Release Notes
Third Party Advisory
Hyperlink: https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84
Source: security-advisories@github.com
Resource:
Mitigation
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

17579Records found
CVE-2021-22814
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-6.1||MEDIUM
EPSS-0.81% / 73.34%
||
7 Day CHG~0.00%
Published-28 Jan, 2022 | 19:09
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists which could cause arbritrary script execution when a malicious file is read and displayed. Affected Products: 1-Phase Uninterruptible Power Supply (UPS) using NMC2 including Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 2 (NMC2): AP9630/AP9630CH/AP9630J, AP9631/AP9631CH/AP9631J, AP9635/AP9635J (NMC2 AOS V6.9.8 and earlier), 3-Phase Uninterruptible Power Supply (UPS) using NMC2 including Symmetra PX 250/500 (SYPX) Network Management Card 2 (NMC2): AP9630/AP9630CH/AP9630J, AP9631/AP9631CH/AP9631J, AP9635/AP9635J (NMC2 AOS V6.9.6 and earlier), 3-Phase Uninterruptible Power Supply (UPS) using NMC2 including Symmetra PX 48/96/100/160 kW UPS (PX2), Symmetra PX 20/40 kW UPS (SY3P), Gutor (SXW, GVX), and Galaxy (GVMTS, GVMSA, GVXTS, GVXSA, G7K, GFC, G9KCHU): AP9630/AP9630CH/AP9630J, AP9631/AP9631CH/AP9631J, AP9635/AP9635CH (NMC2 AOS V6.9.6 and earlier), 1-Phase Uninterruptible Power Supply (UPS) using NMC3 including Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 3 (NMC3): AP9640/AP9640J, AP9641/AP9641J, AP9643/AP9643J (NMC3 AOS V1.4.2.1 and earlier), APC Rack Power Distribution Units (PDU) using NMC2 2G Metered/Switched Rack PDUs with embedded NMC2: AP84XX, AP86XX, AP88XX, AP89XX (NMC2 AOS V6.9.6 and earlier), APC Rack Power Distribution Units (PDU) using NMC3 2G Metered/Switched Rack PDUs with embedded NMC3: APDU99xx (NMC3 AOS V1.4.0 and earlier), APC 3-Phase Power Distribution Products using NMC2 Galaxy RPP: GRPPIP2X84 (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 (NMC2) for InfraStruxure 150 kVA PDU with 84 Poles (X84P): PDPB150G6F (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 for InfraStruxure 40/60kVA PDU (XPDU) PD40G6FK1-M, PD40F6FK1-M, PD40L6FK1-M, PDRPPNX10 M,PD60G6FK1, PD60F6FK1, PD60L6FK1, PDRPPNX10, PD40E5EK20-M, PD40H5EK20-M (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 for Modular 150/175kVA PDU (XRDP): PDPM150G6F, PDPM150L6F, PDPM175G6H (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 for 400 and 500 kVA (PMM): PMM400-ALA, PMM400-ALAX, PMM400-CUB, PMM500-ALA, PMM500-ALAX, PMM500-CUB (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 for Modular PDU (XRDP2G): PDPM72F-5U, PDPM138H-5U, PDPM144F, PDPM138H-R, PDPM277H, PDPM288G6H (NMC2 AOS V6.9.6 and earlier), Rack Automatic Transfer Switches (ATS) Embedded NMC2: Rack Automatic Transfer Switches - AP44XX (ATS4G) (NMC2 AOS V6.9.6 and earlier), Network Management Card 2 (NMC2) Cooling Products: InRow Cooling for series ACRP5xx, ACRP1xx, ACRD5xx, and ACRC5xx SKUs (ACRP2G), InRow Cooling for series ACRC10x SKUs (RC10X2G), InRow Cooling for series ACRD6xx and ACRC6xx SKUs (ACRD2G), InRow Cooling Display for series ACRD3xx (ACRC2G), InRow Cooling for series ACSC1xx SKUs (SC2G), InRow Cooling for series ACRD1xx and ACRD2xx (ACRPTK2G), Ecoflair IAEC25/50 Air Economizer Display (EB2G), Uniflair SP UCF0481I, UCF0341I (UNFLRSP), Uniflair LE DX Perimeter Cooling Display for SKUs: IDAV, IDEV, IDWV, IUAV, IUEV, IUWV, IXAV, IXEV, IXWV, LDAV, LDEV, and LDWV (LEDX2G), Refrigerant Distribution Unit: ACDA9xx (RDU) (NMC2 AOS V6.9.6 and earlier), Environmental Monitoring Unit with embedded NMC2 (NB250): NetBotz NBRK0250 (NMC2 AOS V6.9.6 and earlier), and Network Management Card 2 (NMC2): AP9922 Battery Management System (BM4) (NMC2 AOS V6.9.6 and earlier)

Action-Not Available
Vendor-n/a
Product-single-phase_symmetragalaxy_g9kchupdpm138h-5upd60f6fk1pdpm277hpd40e5ek20-mpd40l6fk1-msymmetra_px_20galaxy_gvmsapd60g6fk1gutor_gvxgalaxy_3500network_management_card_2_firmwarepdpm150g6fpdrppnx10pdpb150g6fpmm500-alaxgutor_sxwpdpm150l6fpdpm175g6hapc_rack_power_distribution_unitspd60l6fk1pdpm288g6hnetwork_management_card_3pdpm138h-rpdrppnx10mpd40f6fk1-mrack_automatic_transfer_switchessmart-upspd40h5ek20-mnetwork_management_card_2symmetra_px_160pmm400-alaxsymmetra_px_40symmetra_px_48netbotz_nbrk0250pmm400-alagalaxy_g7xnetwork_management_card_3_firmwarepdpm144fpmm400-cubgalaxy_gfcgalaxy_rpp_grppip2x84ap9922_battery_management_systemsymmetra_px_100symmetra_px_500galaxy_gcxsagalaxy_gvxtssymmetra_px_250symmetra_px_96pmm500-cubpd40g6fk1-mgalaxy_gvmtspmm500-alapdpm72f-5un/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20975
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.30% / 52.94%
||
7 Day CHG~0.00%
Published-20 Aug, 2019 | 12:14
Updated-05 Aug, 2024 | 12:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.

Action-Not Available
Vendor-fatfreecrmn/a
Product-fat_free_crmn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20966
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-8.21% / 91.88%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:19
Updated-05 Aug, 2024 | 12:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.

Action-Not Available
Vendor-boostern/a
Product-booster_for_woocommercen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-0583
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-1.63% / 81.16%
||
7 Day CHG~0.00%
Published-10 Feb, 2011 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 8.0 through 9.0.1 allows remote attackers to inject arbitrary web script or HTML via the cfform tag.

Action-Not Available
Vendor-n/aAdobe Inc.
Product-coldfusionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20903
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 57.38%
||
7 Day CHG~0.00%
Published-01 Aug, 2019 | 14:21
Updated-05 Aug, 2024 | 12:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-0653
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.3||MEDIUM
EPSS-47.88% / 97.64%
||
7 Day CHG~0.00%
Published-15 Sep, 2011 | 10:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint Server 2010 Gold and SP1, and SharePoint Foundation 2010, allows remote attackers to inject arbitrary web script or HTML via the URI, aka "XSS in SharePoint Calendar Vulnerability."

Action-Not Available
Vendor-n/aMicrosoft Corporation
Product-sharepoint_serversharepoint_foundationn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-0741
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.34%
||
7 Day CHG~0.00%
Published-02 Feb, 2011 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in ModX Evolution before 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) installer or (2) image editor.

Action-Not Available
Vendor-modxcmsn/a
Product-evolutionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19614
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 58.10%
||
7 Day CHG~0.00%
Published-23 May, 2019 | 19:16
Updated-05 Aug, 2024 | 11:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XSS exists in the /cmdexec/cmdexe?cmd= function in Westermo DR-250 Pre-5162 and DR-260 Pre-5162 routers.

Action-Not Available
Vendor-westermon/a
Product-mr-260dr-250_firmwaredr-250mr-260_firmwaredr-260dr-260_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12724
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.29%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-11 Jun, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP DeskLite <= 1.0.0 - Reflected XSS

The WP DeskLite WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-codeflockUnknown
Product-wp_deskliteWP DeskLite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-0707
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-2.46% / 84.62%
||
7 Day CHG~0.00%
Published-22 Feb, 2011 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message.

Action-Not Available
Vendor-n/aGNU
Product-mailmann/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20755
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.17%
||
7 Day CHG~0.00%
Published-06 Feb, 2019 | 17:00
Updated-05 Aug, 2024 | 12:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MODX Revolution through v2.7.0-pl allows XSS via the User Photo field.

Action-Not Available
Vendor-modxn/a
Product-modx_revolutionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-22706
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 51.62%
||
7 Day CHG~0.00%
Published-21 Jul, 2021 | 10:41
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server.

Action-Not Available
Vendor-n/a
Product-evlink_city_evc1s22p4evlink_parking_evf2evlink_parking_evf2_firmwareevlink_parking_ev.2_firmwareevlink_parking_evw2evlink_city_evc1s22p4_firmwareevlink_city_evc1s7p4_firmwareevlink_smart_wallbox_evb1a_firmwareevlink_smart_wallbox_evb1aevlink_parking_evw2_firmwareevlink_parking_ev.2evlink_city_evc1s7p4EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 )
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19785
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.17%
||
7 Day CHG~0.00%
Published-01 Dec, 2018 | 00:00
Updated-05 Aug, 2024 | 11:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHP-Proxy through 5.1.0 has Cross-Site Scripting (XSS) via the URL field in index.php.

Action-Not Available
Vendor-php-proxyn/a
Product-php-proxyn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1099
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.40% / 59.85%
||
7 Day CHG~0.00%
Published-13 Mar, 2012 | 10:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.

Action-Not Available
Vendor-n/aRuby on Rails
Product-ruby_on_railsrailsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19916
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 53.91%
||
7 Day CHG~0.00%
Published-20 Dec, 2019 | 15:07
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Midori Browser 0.5.11 (on Windows 10), Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. This could result in script running where CSP should have blocked it, allowing for cross-site scripting (XSS) and other attacks when the product renders the content as HTML. Remediating this would also need to consider the polyglot case, e.g., a file that is a valid GIF image and also valid JavaScript.

Action-Not Available
Vendor-midori-browsern/aMicrosoft Corporation
Product-midoriwindows_10n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-0004
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.70% / 71.19%
||
7 Day CHG~0.00%
Published-10 Jan, 2011 | 19:18
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Piwik before 1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-matomon/a
Product-matomon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12599
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.05% / 13.41%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 04:21
Updated-28 Mar, 2025 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HT Mega – Absolute Addons For Elementor <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-HasTech IT Limited (HasThemes)
Product-ht_megaHT Mega – Absolute Addons For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12586
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 10.97%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 06:00
Updated-23 May, 2025 | 17:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chalet Montagne Com Tools <= 2.7.8 - Reflected XSS

The Chalet-Montagne.com Tools WordPress plugin through 2.7.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-alpiumUnknown
Product-chalet-montagne.com_toolsChalet-Montagne.com Tools
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13224
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 8.76%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 06:00
Updated-12 May, 2025 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SlideDeck 1 Lite Content Slider <= 1.4.8 - Reflected XSS

The SlideDeck 1 Lite Content Slider WordPress plugin through 1.4.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-dtelepathyUnknown
Product-slidedeck_1_lite_content_sliderSlideDeck 1 Lite Content Slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-5275
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 53.56%
||
7 Day CHG~0.00%
Published-07 Oct, 2012 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in memcache_admin in the Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-memcache_projectn/aThe Drupal Association
Product-drupalmemcachen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-6079
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.45% / 62.80%
||
7 Day CHG~0.00%
Published-03 Oct, 2014 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Local Management Interface in IBM Security Access Manager for Web 7.x before 7.0.0-ISS-WGA-IF0009 and 8.x before 8.0.0-ISS-WGA-FP0005, and Security Access Manager for Mobile 8.x before 8.0.0-ISS-ISAM-FP0005, allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Action-Not Available
Vendor-n/aIBM Corporation
Product-security_access_manager_for_web_7.0_firmwaresecurity_access_manager_for_web_8.0_firmwaresecurity_access_manager_for_mobile_8.0_firmwaresecurity_access_manager_for_web_appliancesecurity_access_manager_for_mobile_appliancen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19799
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.96% / 85.97%
||
7 Day CHG~0.00%
Published-26 Dec, 2018 | 20:00
Updated-05 Aug, 2024 | 11:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS.

Action-Not Available
Vendor-n/aDolibarr ERP & CRM
Product-dolibarrn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13366
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.13% / 33.48%
||
7 Day CHG+0.01%
Published-17 Jan, 2025 | 07:01
Updated-12 Feb, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sandbox <= 0.4 - Reflected Cross-Site Scripting

The Sandbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'debug' parameter in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-barteled
Product-Sandbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19813
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 46.15%
||
7 Day CHG~0.00%
Published-17 Dec, 2018 | 15:00
Updated-05 Aug, 2024 | 11:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "/VPortal/mgtconsole/Subscribers.jsp" has reflected XSS via the ConnPoolName or GroupId parameter.

Action-Not Available
Vendor-infovistan/a
Product-vistaportaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-0486
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 61.57%
||
7 Day CHG~0.00%
Published-18 Jan, 2011 | 17:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in cognos.cgi in IBM Cognos 8 Business Intelligence (BI) 8.4.1 before FP1 allows remote attackers to inject arbitrary web script or HTML via the pathinfo parameter.

Action-Not Available
Vendor-n/aIBM Corporation
Product-cognos_8_business_intelligencen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12732
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 15.29%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-22 May, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AffiliateImporterEb <= 1.0.6 - Reflected XSS

The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-cr1000Unknown
Product-affiliateimporterebAffiliateImporterEb
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12736
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.01% / 1.14%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 06:00
Updated-12 Jun, 2025 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BU Section Editing <= 0.9.9 - Reflected XSS

The BU Section Editing WordPress plugin through 0.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-buUnknown
Product-bu_section_editingBU Section Editing
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19921
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.29% / 78.85%
||
7 Day CHG~0.00%
Published-06 Dec, 2018 | 22:00
Updated-16 Sep, 2024 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_opmanagern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-4504
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.24%
||
7 Day CHG~0.00%
Published-08 Dec, 2010 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in eSyndiCat Directory 2.3 allow remote attackers to inject arbitrary web script or HTML via the title parameter to (1) suggest-category.php and (2) suggest-listing.php.

Action-Not Available
Vendor-intelliantsn/a
Product-esyndicatn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19003
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 58.10%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 19:46
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ABB eSOMS: HTTPOnly flag not set

For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow Javascript to access the cookie contents, which in turn might enable Cross Site Scripting.

Action-Not Available
Vendor-Hitachi Energy Ltd.ABB
Product-esomseSOMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-16
Not Available
CVE-2018-19955
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 60.82%
||
7 Day CHG~0.00%
Published-02 Nov, 2020 | 15:57
Updated-16 Sep, 2024 | 20:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-photo_stationPhoto Station
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2021-22993
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-8.8||HIGH
EPSS-0.82% / 73.48%
||
7 Day CHG~0.00%
Published-31 Mar, 2021 | 17:45
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, DOM-based XSS on DoS Profile properties page. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Action-Not Available
Vendor-n/aF5, Inc.
Product-big-ip_advanced_web_application_firewallbig-ip_application_security_managerBIG-IP Advanced WAF and BIG-IP ASM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-4930
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-8.23% / 91.89%
||
7 Day CHG~0.00%
Published-09 Oct, 2011 | 10:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in index.php in @mail Webmail before 6.2.0 allows remote attackers to inject arbitrary web script or HTML via the MailType parameter in a mail/auth/processlogin action.

Action-Not Available
Vendor-atmailn/a
Product-webmailn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-5391
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 63.50%
||
7 Day CHG~0.00%
Published-11 Sep, 2014 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the JobScheduler Operations Center (JOC) in SOS JobScheduler before 1.6.4246 and 1.7.x before 1.7.4241 allows remote attackers to inject arbitrary web script or HTML via the hash property (location.hash).

Action-Not Available
Vendor-sosn/a
Product-jobschedulern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19819
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 46.15%
||
7 Day CHG~0.00%
Published-17 Dec, 2018 | 15:00
Updated-05 Aug, 2024 | 11:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "/VPortal/mgtconsole/Rights.jsp" has reflected XSS via the ConnPoolName parameter.

Action-Not Available
Vendor-infovistan/a
Product-vistaportaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19835
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.17%
||
7 Day CHG~0.00%
Published-03 Dec, 2018 | 19:00
Updated-05 Aug, 2024 | 11:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Metinfo 6.1.3 has reflected XSS via the admin/column/move.php lang_columnerr4 parameter.

Action-Not Available
Vendor-metinfon/a
Product-metinfon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-4555
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.68% / 70.56%
||
7 Day CHG~0.00%
Published-14 Jul, 2011 | 23:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin, and (3) errors associated with the Index Order (aka options_order) page.

Action-Not Available
Vendor-n/aSquirrelMail
Product-squirrelmailn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-4772
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.70%
||
7 Day CHG~0.00%
Published-23 Mar, 2011 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in blocks/lang.php in S-CMS 2.5 allows remote attackers to inject arbitrary web script or HTML via the id parameter to viewforum.php.

Action-Not Available
Vendor-matteoiammarronen/a
Product-s-cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19772
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 46.15%
||
7 Day CHG~0.00%
Published-17 Dec, 2018 | 15:00
Updated-05 Aug, 2024 | 11:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "EditCurrentPresentSpace.jsp" has reflected XSS via the ConnPoolName, GroupId, and ParentId parameters.

Action-Not Available
Vendor-infovistan/a
Product-vistaportaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-4949
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-3.05% / 86.17%
||
7 Day CHG~0.00%
Published-09 Oct, 2011 | 10:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the (1) FreiChat component before 2.1.2 for Joomla! and the (2) FreiChatPure component before 1.2.2 for Joomla! allows remote attackers to inject arbitrary web script or HTML by entering it in an unspecified window.

Action-Not Available
Vendor-evnixn/aJoomla!
Product-freichatjoomla\!freichatpuren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-5054
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 48.62%
||
7 Day CHG~0.00%
Published-23 Nov, 2011 | 01:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Special:Login in JAMWiki before 0.8.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter.

Action-Not Available
Vendor-jamwikin/a
Product-jamwikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-4880
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 48.62%
||
7 Day CHG~0.00%
Published-07 Oct, 2011 | 10:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in calendar.class.php in ApPHP Calendar (ApPHP CAL) allow remote attackers to inject arbitrary web script or HTML via the (1) category_name, (2) category_description, (3) event_name, or (4) event_description parameter.

Action-Not Available
Vendor-apphpn/a
Product-apphp_calendarn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-5046
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-11.26% / 93.25%
||
7 Day CHG~0.00%
Published-23 Nov, 2011 | 01:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in admin.php in ecoCMS allows remote attackers to inject arbitrary web script or HTML via the p parameter.

Action-Not Available
Vendor-ecocmsn/a
Product-ecocmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-5031
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 51.59%
||
7 Day CHG~0.00%
Published-02 Nov, 2011 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in index.php in fileNice 1.1 allows remote attackers to inject arbitrary web script or HTML via the sstring parameter (aka the Search Box). NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-filenicen/a
Product-filenicen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-5005
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 49.44%
||
7 Day CHG~0.00%
Published-02 Nov, 2011 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in members/profileCommentsResponse.php in Rayzz Photoz allows remote attackers to inject arbitrary web script or HTML via the profileCommentTextArea parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Action-Not Available
Vendor-rayzzn/a
Product-photozn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-5027
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-6.57% / 90.77%
||
7 Day CHG~0.00%
Published-02 Nov, 2011 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in winners.php in Science Fair In A Box (SFIAB) 2.0.6 and 2.2.0 allows remote attackers to inject arbitrary web script or HTML via the type parameter. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-sfiabn/a
Product-science_fair_in_a_boxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19816
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 46.15%
||
7 Day CHG~0.00%
Published-17 Dec, 2018 | 15:00
Updated-05 Aug, 2024 | 11:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "/VPortal/mgtconsole/categorytree/ChooseCategory.jsp" has reflected XSS via the ConnPoolName parameter.

Action-Not Available
Vendor-infovistan/a
Product-vistaportaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-5025
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-6.57% / 90.77%
||
7 Day CHG~0.00%
Published-02 Nov, 2011 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in manage/main.php in CuteSITE CMS 1.2.3 and 1.5.0 allows remote attackers to inject arbitrary web script or HTML via the fld_path parameter. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-cutesiten/a
Product-cutesite_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-5042
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.80% / 73.06%
||
7 Day CHG~0.00%
Published-02 Nov, 2011 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the DJ-ArtGallery (com_djartgallery) component 0.9.1 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the cid[] parameter in an editItem action to administrator/index.php. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-blueconstantmedian/aJoomla!
Product-joomla\!com_djartgalleryn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-5051
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.41%
||
7 Day CHG~0.00%
Published-23 Nov, 2011 | 01:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in admin/core/admin_func.php in razorCMS 1.0 stable allows remote attackers to inject arbitrary web script or HTML via the content parameter in an edit action to admin/index.php.

Action-Not Available
Vendor-razorcmsn/a
Product-razorcmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • ...
  • 351
  • 352
  • Next
Details not found