Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-2628

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-03 Oct, 2022 | 13:45
Updated At-03 Aug, 2024 | 00:46
Rejected At-
Credits

DSGVO All in one for WP < 4.2 - Admin+ Stored Cross-Site Scripting

The DSGVO All in one for WP WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:03 Oct, 2022 | 13:45
Updated At:03 Aug, 2024 | 00:46
Rejected At:
▼CVE Numbering Authority (CNA)
DSGVO All in one for WP < 4.2 - Admin+ Stored Cross-Site Scripting

The DSGVO All in one for WP WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affected Products
Vendor
Unknown
Product
DSGVO All in one for WP
Versions
Affected
  • From 4.2 before 4.2 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-Site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-Site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Asif Nawaz Minhas
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpscan.com/vulnerability/e712f83e-b437-4bc6-9511-2b0290ed315d
x_refsource_MISC
Hyperlink: https://wpscan.com/vulnerability/e712f83e-b437-4bc6-9511-2b0290ed315d
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpscan.com/vulnerability/e712f83e-b437-4bc6-9511-2b0290ed315d
x_refsource_MISC
x_transferred
Hyperlink: https://wpscan.com/vulnerability/e712f83e-b437-4bc6-9511-2b0290ed315d
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:03 Oct, 2022 | 14:15
Updated At:05 Oct, 2022 | 13:05

The DSGVO All in one for WP WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CPE Matches

dsgvo-for-wp
dsgvo-for-wp
>>dsgvo_all_in_one_for_wp>>Versions before 4.2(exclusive)
cpe:2.3:a:dsgvo-for-wp:dsgvo_all_in_one_for_wp:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarycontact@wpscan.com
CWE ID: CWE-79
Type: Primary
Source: contact@wpscan.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://wpscan.com/vulnerability/e712f83e-b437-4bc6-9511-2b0290ed315dcontact@wpscan.com
Exploit
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/e712f83e-b437-4bc6-9511-2b0290ed315d
Source: contact@wpscan.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

3192Records found

CVE-2025-6050
Matching Score-4
Assigner-Checkmarx
ShareView Details
Matching Score-4
Assigner-Checkmarx
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 12.01%
||
7 Day CHG+0.01%
Published-17 Jun, 2025 | 11:06
Updated-30 Jul, 2025 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-Site Scripting (XSS) in Mezzanine CMS Admin Interface

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayable_links_js" function, which fails to properly sanitize blog post titles before including them in JSON responses served via "/admin/displayable_links.js". An authenticated admin user can create a blog post with a malicious JavaScript payload in the title field, then trick another admin user into clicking a direct link to the "/admin/displayable_links.js" endpoint, causing the malicious script to execute in their browser.

Action-Not Available
Vendor-jupojupo
Product-mezzaninemezzanine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1327
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.27% / 50.09%
||
7 Day CHG~0.00%
Published-27 Jun, 2022 | 08:56
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Gallery - Grid Gallery < 1.1.6 - Admin+ Stored Cross-Site Scripting

The Image Gallery WordPress plugin before 1.1.6 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Action-Not Available
Vendor-rich-webUnknown
Product-image_galleryImage Gallery – Grid Gallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5723
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.06% / 19.33%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 05:00
Updated-10 Jun, 2025 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Student Result Management System Classes Page classes cross site scripting

A vulnerability was found in SourceCodester Student Result Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /script/academic/classes of the component Classes Page. The manipulation of the argument Class Name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-SourceCodestermunyweki
Product-student_result_management_systemStudent Result Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-43584
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.34% / 55.91%
||
7 Day CHG~0.00%
Published-24 Jan, 2024 | 00:00
Updated-16 Jun, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DOM-based Cross Site Scripting (XSS vulnerability in 'Tail Event Logs' functionality in Nagios Nagios Cross-Platform Agent (NCPA) before 2.4.0 allows attackers to run arbitrary code via the name element when filtering for a log.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_cross_platform_agentn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1153
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.92%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 15:51
Updated-17 Mar, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting

The LayerSlider WordPress plugin before 7.1.2 does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Action-Not Available
Vendor-kreaturamediaUnknown
Product-layersliderLayerSlider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1226
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-3.5||LOW
EPSS-0.09% / 25.82%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 10:57
Updated-19 Nov, 2024 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) in phpipam/phpipam

A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.

Action-Not Available
Vendor-phpipamphpipamphpipam
Product-phpipamphpipam/phpipamphpipam
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5725
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 11.52%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 05:31
Updated-10 Jun, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Student Result Management System Grading System Page grading-system cross site scripting

A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /script/academic/grading-system of the component Grading System Page. The manipulation of the argument Remark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-SourceCodestermunyweki
Product-student_result_management_systemStudent Result Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-43945
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 44.04%
||
7 Day CHG~0.00%
Published-28 Feb, 2022 | 00:20
Updated-04 Oct, 2024 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3.

Action-Not Available
Vendor-Atlassian
Product-data_centerjiraJira ServerJira Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-6131
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 15.42%
||
7 Day CHG+0.01%
Published-16 Jun, 2025 | 17:00
Updated-18 Jul, 2025 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodeAstro Food Ordering System POST Request Parameter edit cross site scripting

A vulnerability, which was classified as problematic, was found in CodeAstro Food Ordering System 1.0. Affected is an unknown function of the file /admin/store/edit/ of the component POST Request Parameter Handler. The manipulation of the argument Restaurant Name/Address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-CodeAstro
Product-food_ordering_systemFood Ordering System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-44076
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.42% / 61.08%
||
7 Day CHG~0.00%
Published-15 Sep, 2022 | 12:35
Updated-04 Aug, 2024 | 04:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page.

Action-Not Available
Vendor-crushftpn/a
Product-crushftpn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-55107
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
ShareView Details
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 8.85%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 19:29
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BUG-000177335 ArcGIS Enterprise Sites has a stored Cross-site Scripting vulnerability.

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Action-Not Available
Vendor-Environmental Systems Research Institute, Inc. ("Esri")
Product-Portal for ArcGIS Enterprise Sites
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43549
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 34.02%
||
7 Day CHG~0.00%
Published-18 Nov, 2021 | 14:18
Updated-16 Sep, 2024 | 23:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OSIsoft PI Web API

A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information.

Action-Not Available
Vendor-osisoftOSIsoft
Product-pi_web_apiPI Web API
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-55742
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8||HIGH
EPSS-0.03% / 7.05%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 15:36
Updated-22 Aug, 2025 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UnoPim Stored XSS via SVG MIME/Sanitizer Bypass

UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, UnoPim contains a stored cross-site scripting vulnerability via SVG MIME/sanitizer bypass in the /admin/settings/users/create endpoint. This vulnerability is fixed in 0.2.1.

Action-Not Available
Vendor-Webkul Software Pvt. Ltd.
Product-unopimunopim
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-53924
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.06% / 17.44%
||
7 Day CHG+0.01%
Published-16 Jul, 2025 | 13:55
Updated-18 Jul, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Emlog vulnerable to stored Cross-site Scripting in links functionality

Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote attackers to inject arbitrary web script or HTML via the siteurl parameter. It is possible to inject malicious code into siteurl parameter resulting in Stored XSS. When someone clicks on the link the malicious code is executed. As of time of publication, no known patched versions exist.

Action-Not Available
Vendor-emlogemlog
Product-emlogemlog
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0659
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.19% / 41.71%
||
7 Day CHG~0.00%
Published-14 Mar, 2022 | 14:41
Updated-02 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sync iCloud COS < 2.0.1 - Admin+ Stored Cross-Site Scripting

The Sync QCloud COS WordPress plugin before 2.0.1 does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-sync_qcloud_cos_projectUnknown
Product-sync_qcloud_cosSync QCloud COS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35585
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.23% / 45.71%
||
7 Day CHG+0.15%
Published-12 Aug, 2022 | 15:55
Updated-03 Aug, 2024 | 09:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "start_date" Parameter

Action-Not Available
Vendor-fork-cmsn/a
Product-fork_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-18414
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 15.31%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 00:00
Updated-04 Dec, 2024 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross site scripting (XSS) vulnerability in Chaoji CMS v2.18 that allows attackers to execute arbitrary code via /index.php?admin-master-webset.

Action-Not Available
Vendor-chaoji_cms_projectn/a
Product-chaoji_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42866
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 44.86%
||
7 Day CHG~0.00%
Published-31 Mar, 2022 | 17:52
Updated-04 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting vulnerabilty exists in Pixelimity 1.0 via the Site Description field in pixelimity/admin/setting.php

Action-Not Available
Vendor-pixelimityn/a
Product-pixelimityn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-55104
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
ShareView Details
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 6.41%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 19:28
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BUG-000173918 - ArcGIS Enterprise Sites has a security vulnerability.

A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user attacker supplied JavaScript may execute in the victim's browser.

Action-Not Available
Vendor-Environmental Systems Research Institute, Inc. ("Esri")
Product-Portal for ArcGIS Enterprise Sites
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42868
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 44.86%
||
7 Day CHG~0.00%
Published-31 Mar, 2022 | 17:53
Updated-04 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting (XSS) vulnerability exists in Chikista Patient Management Software 2.0.2 in the first_name parameter in (1) patient/insert, (2) patient_report, (3) appointment_report, (4) visit_report, and (5) bill_detail_report pages. .

Action-Not Available
Vendor-chikitsan/a
Product-patient_management_softwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-55105
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
ShareView Details
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 8.85%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 19:29
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BUG-000177336 - ArcGIS Enterprise Sites has a stored Cross-site Scripting vulnerability.

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Action-Not Available
Vendor-Environmental Systems Research Institute, Inc. ("Esri")
Product-Portal for ArcGIS Enterprise Experience Sites
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-18404
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 14.82%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 00:00
Updated-04 Dec, 2024 | 21:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in espcms version P8.18101601. There is a cross site scripting (XSS) vulnerability that allows arbitrary code to be executed via the title parameter.

Action-Not Available
Vendor-ecispn/a
Product-espcmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42365
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.8||MEDIUM
EPSS-0.42% / 61.29%
||
7 Day CHG~0.00%
Published-29 Nov, 2021 | 18:10
Updated-13 Feb, 2025 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Asgaros Forums <= 1.15.13 Authenticated Stored XSS

The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Action-Not Available
Vendor-asgarosAsgaros Forums
Product-asgaros_forumAsgaros Forums
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41952
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.18%
||
7 Day CHG~0.00%
Published-14 Mar, 2022 | 14:53
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zenario CMS 9.0.54156 is vulnerable to Cross Site Scripting (XSS) via upload file to *.SVG. An attacker can send malicious files to victims and steals victim's cookie leads to account takeover. The person viewing the image of a contact can be victim of XSS.

Action-Not Available
Vendor-tribalsystemsn/a
Product-zenarion/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41962
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.03%
||
7 Day CHG~0.00%
Published-16 Dec, 2021 | 17:43
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Owner fullname parameter in a Send Service Request in vehicle_service.

Action-Not Available
Vendor-vehicle_service_management_system_projectn/a
Product-vehicle_service_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-18785
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.2||MEDIUM
EPSS-0.03% / 8.18%
||
7 Day CHG~0.00%
Published-22 Apr, 2020 | 14:23
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by XSS. This affects D3600 before 1.0.0.67, D6000 before 1.0.0.67, D6100 before 1.0.0.56, D6200 before 1.1.00.24, D6220 before 1.0.0.32, D6400 before 1.0.0.66, D7000 before 1.0.1.52, D7000v2 before 1.0.0.44, D7800 before 1.0.1.30, D8500 before 1.0.3.35, DGN2200v4 before 1.0.0.96, DGN2200Bv4 before 1.0.0.96, EX2700 before 1.0.1.28, EX6100v2 before 1.0.1.54, EX6150v2 before 1.0.1.54, EX6200v2 before 1.0.1.52, EX6400 before 1.0.1.72, EX7300 before 1.0.1.72, EX8000 before 1.0.0.102, JNR1010v2 before 1.1.0.44, JWNR2010v5 before 1.1.0.44, PR2000 before 1.0.0.20, R6020 before 1.0.0.26, R6080 before 1.0.0.26, R6100 before 1.0.1.20, R6250 before 1.0.4.16, R6300v2 before 1.0.4.18, R6400 before 1.0.1.32, R6400v2 before 1.0.2.46, R6700 before 1.0.1.36, R6800 before 1.2.0.12, R6900v2 before 1.2.0.12, R6700v2 before 1.2.0.12, R6900 before 1.0.1.34, R6900P before 1.3.0.8, R7000 before 1.0.9.18, R7000P before 1.3.0.8, R7100LG before 1.0.0.34, R7300DST before 1.0.0.58, R7500 before 1.0.0.118, R7500v2 before 1.0.3.24, R7800 before 1.0.2.40, R7900 before 1.0.2.4, R7900P before 1.1.5.14, R8000 before 1.0.4.4, R8000P before 1.1.5.14, R8500 before 1.0.2.110, R8300 before 1.0.2.110, R9000 before 1.0.2.52, WN2000RPTv3 before 1.0.1.8, WN3000RPv3 before 1.0.2.50, WN3100RPv2 before 1.0.0.42, WNDR3400v3 before 1.0.1.16, WNDR3700v4 before 1.0.2.94, WNDR4300 before 1.0.2.96, WNDR4300v2 before 1.0.0.50, WNDR4500v3 before 1.0.0.50, WNR1000v4 before 1.1.0.44, WNR2000v5 before 1.0.0.62, WNR2020 before 1.1.0.44, WNR2050 before 1.1.0.44, and WNR3500Lv2 before 1.2.0.46.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-wn2000rpt_firmwarewnr2020_firmwarewndr3700pr2000r6080_firmwarer6400_firmwareex6200r7100lgwn3100rp_firmwarewndr4300_firmwarer6900p_firmwared6220r7500_firmwarer7100lg_firmwarer8500_firmwarer7300dst_firmwarer8300r7000_firmwarer6020wndr4500d3600r7300dstd6220_firmwarer6300_firmwared8500_firmwaredgn2200b_firmwarer7900pr6020_firmwareex7300wn3000rp_firmwared7000r9000_firmwared8500r6080dgn2200br6700wndr3700_firmwarer7000wnr2000_firmwarewnr3500l_firmwared6000ex6200_firmwareex6150d6400r7500r9000wn2000rptr6900_firmwarer7800r7900_firmwareex2700_firmwared6200r7800_firmwarer6700_firmwarer7900p_firmwarer6800_firmwarewnr2000ex6150_firmwarer8000_firmwarer6250ex6400jnr1010_firmwarewn3000rpd6000_firmwareex6400_firmwarewnr2020ex7300_firmwarer8000r6900pd7800jwnr2010r6100_firmwarer7900r8000pex8000wndr3400d3600_firmwarer6800wnr1000_firmwarewn3100rpdgn2200pr2000_firmwarer8000p_firmwared6100_firmwared6400_firmwarer6100r6250_firmwareex6100r7000p_firmwared7800_firmwarer8500ex8000_firmwarewndr3400_firmwared7000_firmwarer8300_firmwarewnr1000wndr4500_firmwareex2700r6900r7000pwnr3500ld6200_firmwaredgn2200_firmwarewnr2050ex6100_firmwared6100wnr2050_firmwarer6300jnr1010wndr4300r6400jwnr2010_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5543
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.09% / 26.23%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 22:31
Updated-06 Jun, 2025 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK X2000R Parent Controls Page cross site scripting

A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Parent Controls Page. The manipulation of the argument Device Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-TOTOLINK
Product-x2000rx2000r_firmwareX2000R
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2017-18825
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.2||MEDIUM
EPSS-0.28% / 51.27%
||
7 Day CHG~0.00%
Published-20 Apr, 2020 | 16:41
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-m4300-52g_firmwarem4300-52gm4300-12x12f_firmwarem4300-28gm4300-28g-poe\+m4300-48x_firmwarem4300-48xm4200m4300-52g-poe\+_firmwarem4300-8x8fm4300-24x_firmwarem4300-28g-poe\+_firmwarem4300-28g_firmwarem4300-52g-poe\+m4300-12x12fm4300-8x8f_firmwarem4200_firmwarem4300-24x24f_firmwarem4300-24x24fm4300-24xn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5490
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 6.66%
||
7 Day CHG~0.00%
Published-19 Jun, 2025 | 05:26
Updated-16 Jul, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-antoinehantoineh
Product-football_poolFootball Pool
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-18811
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.2||MEDIUM
EPSS-0.17% / 38.37%
||
7 Day CHG~0.00%
Published-21 Apr, 2020 | 14:45
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-readynas_osn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19912
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.25% / 48.38%
||
7 Day CHG~0.00%
Published-30 Mar, 2020 | 21:28
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Intland codeBeamer ALM 9.5 and earlier, a cross-site scripting (XSS) vulnerability in the Upload Flash File feature allows authenticated remote attackers to inject arbitrary scripts via an active script embedded in an SWF file.

Action-Not Available
Vendor-intlandn/a
Product-codebeamern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-54534
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 2.37%
||
7 Day CHG~0.00%
Published-28 Jul, 2025 | 16:20
Updated-29 Jul, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2025.07 reflected XSS was possible on the agentpushPreset page

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-24841
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.10% / 28.01%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 06:27
Updated-01 Aug, 2024 | 23:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Add Customer for WooCommerce Plugin <= 1.7 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan's Art Add Customer for WooCommerce allows Stored XSS.This issue affects Add Customer for WooCommerce: from n/a through 1.7.

Action-Not Available
Vendor-dev.dans-artDan's Art
Product-add_customer_for_woocommerceAdd Customer for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-3539
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.12% / 32.00%
||
7 Day CHG~0.00%
Published-14 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Testimonials (Free < 2.7, Pro < 1.0.8) - Admin+ Stored Cross-Site Scripting

The Testimonials WordPress plugin before 2.7, super-testimonial-pro WordPress plugin before 1.0.8 do not sanitize and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-themepointsUnknown
Product-testimonials_protestimonialsTestimonial ProTestimonials
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42361
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.8||MEDIUM
EPSS-0.30% / 53.14%
||
7 Day CHG~0.00%
Published-17 Nov, 2021 | 18:27
Updated-14 Feb, 2025 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form Email <= 1.3.24 Authenticated Stored Cross-Site Scripting

The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.3.24. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Action-Not Available
Vendor-CodePeople
Product-contact_form_emailContact Form Email
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-34648
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.8||MEDIUM
EPSS-0.19% / 41.34%
||
7 Day CHG+0.08%
Published-23 Aug, 2022 | 15:45
Updated-20 Feb, 2025 | 20:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Uploading SVG, WEBP and ICO files plugin <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress.

Action-Not Available
Vendor-uploading_svg\,_webp_and_ico_files_projectdmitrylitvinov
Product-uploading_svg\,_webp_and_ico_filesUploading SVG, WEBP and ICO files (WordPress plugin)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42750
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.74% / 72.07%
||
7 Day CHG~0.00%
Published-12 Aug, 2022 | 16:52
Updated-04 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the title of a rule node.

Action-Not Available
Vendor-thingsboardn/a
Product-thingsboardn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42869
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 44.86%
||
7 Day CHG~0.00%
Published-31 Mar, 2022 | 17:51
Updated-04 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting (XSS) vulnerability exists in Chikista Patient Management Software 2.0.2 via the last_name parameter in the (1) patient/insert, (2) patient_report, (3) /appointment_report, (4) visit_report, and (5) /bill_detail_report pages.

Action-Not Available
Vendor-chikitsan/a
Product-patient_management_softwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42751
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.74% / 72.07%
||
7 Day CHG~0.00%
Published-12 Aug, 2022 | 16:52
Updated-04 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the description of a rule node.

Action-Not Available
Vendor-thingsboardn/a
Product-thingsboardn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42042
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.65% / 69.77%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 20:28
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5383
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 8.88%
||
7 Day CHG~0.00%
Published-31 May, 2025 | 15:00
Updated-09 Jun, 2025 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Yifang CMS Article Management Module cross site scripting

A vulnerability was found in Yifang CMS up to 2.0.2 and classified as problematic. Affected by this issue is some unknown functionality of the component Article Management Module. The manipulation of the argument Default Value leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-wanglongcnYifang
Product-yifangCMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-52879
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 2.37%
||
7 Day CHG~0.00%
Published-23 Jun, 2025 | 14:13
Updated-24 Jun, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible

Action-Not Available
Vendor-JetBrains s.r.o.
Product-TeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-18229
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.33% / 55.00%
||
7 Day CHG~0.00%
Published-27 May, 2021 | 15:20
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component " /admin/web_config.php".

Action-Not Available
Vendor-phpmywindn/a
Product-phpmywindn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41169
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.32% / 54.70%
||
7 Day CHG~0.00%
Published-21 Oct, 2021 | 20:25
Updated-04 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization HTML tags in sulu/sulu

Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.

Action-Not Available
Vendor-sulusulu
Product-sulusulu
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-17828
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.24% / 46.30%
||
7 Day CHG~0.00%
Published-21 Dec, 2017 | 05:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bus Booking Script has XSS via the results.php datepicker parameter or the admin/new_master.php spemail parameter.

Action-Not Available
Vendor-doditsolutionsn/a
Product-busbooking-scriptn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-6180
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-4.8||MEDIUM
EPSS-0.32% / 54.70%
||
7 Day CHG~0.00%
Published-03 Sep, 2019 | 18:50
Updated-17 Sep, 2024 | 02:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to cause JavaScript code to be stored in LXCA which may then be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.

Action-Not Available
Vendor-Lenovo Group Limited
Product-xclarity_administratorXClarity Administrator (LXCA)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-52877
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 4.18%
||
7 Day CHG~0.00%
Published-23 Jun, 2025 | 14:13
Updated-23 Jun, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible

Action-Not Available
Vendor-JetBrains s.r.o.
Product-TeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-17551
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.33% / 54.93%
||
7 Day CHG~0.00%
Published-07 Oct, 2020 | 16:05
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which may result in arbitrary remote code execution.

Action-Not Available
Vendor-impresscmsn/a
Product-impresscmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41810
Matching Score-4
Assigner-M-Files Corporation
ShareView Details
Matching Score-4
Assigner-M-Files Corporation
CVSS Score-5.2||MEDIUM
EPSS-0.26% / 48.63%
||
7 Day CHG~0.00%
Published-02 May, 2022 | 19:06
Updated-16 Sep, 2024 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Script injection in M-Files Server products with versions before 22.2.11051.0, allows executing stored script in admin tool

Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable

Action-Not Available
Vendor-M-Files Oy
Product-serverM-Files Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-18413
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.05% / 15.31%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 00:00
Updated-05 Dec, 2024 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored cross site scripting (XSS) vulnerability in /index.php?admin-master-navmenu-add of Chaoji CMS v2.18 that allows attackers to execute arbitrary code.

Action-Not Available
Vendor-chaoji_cms_projectn/a
Product-chaoji_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 63
  • 64
  • Next
Details not found