Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-36967

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-02 Aug, 2022 | 21:58
Updated At-03 Aug, 2024 | 10:21
Rejected At-
Credits

In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would allow the attacker to execute code within the context of the victim's browser.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:02 Aug, 2022 | 21:58
Updated At:03 Aug, 2024 | 10:21
Rejected At:
▼CVE Numbering Authority (CNA)

In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would allow the attacker to execute code within the context of the victim's browser.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.progress.com/ws_ftp
x_refsource_MISC
https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022
x_refsource_MISC
Hyperlink: https://www.progress.com/ws_ftp
Resource:
x_refsource_MISC
Hyperlink: https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.progress.com/ws_ftp
x_refsource_MISC
x_transferred
https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022
x_refsource_MISC
x_transferred
Hyperlink: https://www.progress.com/ws_ftp
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:02 Aug, 2022 | 22:15
Updated At:10 Aug, 2022 | 15:04

In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would allow the attacker to execute code within the context of the victim's browser.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches
Progress Software Corporation
progress
>>ipswitch_ws_ftp_server>>Versions before 8.7.3(exclusive)
cpe:2.3:a:progress:ipswitch_ws_ftp_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022cve@mitre.org
Vendor Advisory
https://www.progress.com/ws_ftpcve@mitre.org
Product
Vendor Advisory
Hyperlink: https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: https://www.progress.com/ws_ftp
Source: cve@mitre.org
Resource:
Product
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

10528Records found
CVE-2024-1474
Matching Score-10
Assigner-Progress Software Corporation
ShareView Details
Matching Score-10
Assigner-Progress Software Corporation
CVSS Score-7.5||HIGH
EPSS-0.45% / 35.79%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 15:33
Updated-02 Jan, 2025 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WS_FTP Server Reflected Cross-Site Scripting in Administrative Interface

In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various user supplied inputs on the WS_FTP Server administrative interface.

Action-Not Available
Vendor-Progress Software Corporation
Product-ws_ftp_serverWS_FTP Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12677
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.86% / 76.52%
||
7 Day CHG+0.22%
Published-14 May, 2020 | 17:34
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0 prior to 2018.0.3, 2018 SP1 - 2018.2 prior to 2018.2.3, 2018 SP2 - 2018.3 prior to 2018.3.7, 2019 - 2019.0 prior to 2019.0.3, 2019.1 - 2019.1 prior to 2019.1.2, and 2019.2 - 2019.2 prior to 2019.2.2.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-moveit_automationn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-27665
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-33.11% / 98.15%
||
7 Day CHG~0.00%
Published-03 Apr, 2023 | 00:00
Updated-27 Nov, 2024 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-ws_ftp_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-42656
Matching Score-10
Assigner-Progress Software Corporation
ShareView Details
Matching Score-10
Assigner-Progress Software Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.48% / 37.79%
||
7 Day CHG~0.00%
Published-20 Sep, 2023 | 16:06
Updated-24 Sep, 2024 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MOVEit Transfer Reflected XSS

In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been identified in MOVEit Transfer's web interface.  An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure.  If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-moveit_transferMOVEit Transfer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-40045
Matching Score-10
Assigner-Progress Software Corporation
ShareView Details
Matching Score-10
Assigner-Progress Software Corporation
CVSS Score-8.3||HIGH
EPSS-0.90% / 54.87%
||
7 Day CHG~0.00%
Published-27 Sep, 2023 | 14:49
Updated-24 Sep, 2024 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WS_FTP Server Ad Hoc Transfer Module Reflected Cross-Site Scripting Vulnerability

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a reflected cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Ad Hoc Transfer module.  An attacker could leverage this vulnerability to target WS_FTP Server users with a specialized payload which results in the execution of malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-ws_ftp_serverWS_FTP Serverws_ftp_server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41318
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-5.88% / 92.26%
||
7 Day CHG~0.00%
Published-28 Sep, 2021 | 17:40
Updated-04 Aug, 2024 | 03:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input. which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-whatsupgoldn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35759
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.13% / 79.58%
||
7 Day CHG+0.23%
Published-23 Jun, 2023 | 00:00
Updated-02 Aug, 2024 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Progress WhatsUp Gold before 23.0.0, an SNMP-related application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-whatsup_goldn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6217
Matching Score-10
Assigner-Progress Software Corporation
ShareView Details
Matching Score-10
Assigner-Progress Software Corporation
CVSS Score-7.1||HIGH
EPSS-0.51% / 39.51%
||
7 Day CHG~0.00%
Published-29 Nov, 2023 | 16:14
Updated-02 Aug, 2024 | 08:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MOVEit Transfer XSS via MOVEit Gateway

In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer.  An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim’s browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-moveit_transferMOVEit Transfer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-18639
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.89% / 54.83%
||
7 Day CHG~0.00%
Published-06 Nov, 2019 | 15:07
Updated-05 Aug, 2024 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : Page Title, /Content/News Parameter : News Title, /Content/List Parameter : List Title, /Content/Documents/LibraryDocuments/incident-request-attachments Parameter : Document Title, /Content/Images/LibraryImages/newsimages Parameter : Image Title, /Content/links Parameter : Link Title, /Content/links Parameter : Link Title, or /Content/Videos/LibraryVideos/default-video-library Parameter : Video Title.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-sitefinity_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26100
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.42% / 33.90%
||
7 Day CHG~0.00%
Published-21 Apr, 2023 | 00:00
Updated-05 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Progress Flowmon before 12.2.0, an application endpoint failed to sanitize user-supplied input. A threat actor could leverage a reflected XSS vulnerability to execute arbitrary code within the context of a Flowmon user's web browser.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-flowmon_osn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-2737
Matching Score-10
Assigner-Progress Software Corporation
ShareView Details
Matching Score-10
Assigner-Progress Software Corporation
CVSS Score-8.5||HIGH
EPSS-0.20% / 9.36%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 13:28
Updated-21 Apr, 2026 | 00:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon web application

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.

Action-Not Available
Vendor-Progress Software Corporation
Product-flowmonFlowmon
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-7654
Matching Score-10
Assigner-Progress Software Corporation
ShareView Details
Matching Score-10
Assigner-Progress Software Corporation
CVSS Score-8.3||HIGH
EPSS-0.28% / 19.33%
||
7 Day CHG~0.00%
Published-03 Sep, 2024 | 14:48
Updated-05 Sep, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service

An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.  Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.   Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.

Action-Not Available
Vendor-Progress Software Corporation
Product-openedgeOpenEdgeopenedge
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-6005
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-6.9||MEDIUM
EPSS-1.87% / 76.58%
||
7 Day CHG~0.00%
Published-27 Dec, 2015 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to inject arbitrary web script or HTML via (1) an SNMP OID object, (2) an SNMP trap message, (3) the View Names field, (4) the Group Names field, (5) the Flow Monitor Credentials field, (6) the Flow Monitor Threshold Name field, (7) the Task Library Name field, (8) the Task Library Description field, (9) the Policy Library Name field, (10) the Policy Library Description field, (11) the Template Library Name field, (12) the Template Library Description field, (13) the System Script Library Name field, (14) the System Script Library Description field, or (15) the CLI Settings Library Description field.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-whatsup_goldn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1636
Matching Score-6
Assigner-Progress Software Corporation
ShareView Details
Matching Score-6
Assigner-Progress Software Corporation
CVSS Score-8||HIGH
EPSS-0.40% / 31.64%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 12:05
Updated-16 Dec, 2024 | 21:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential Cross-Site Scripting (XSS) in the page editing area

Potential Cross-Site Scripting (XSS) in the page editing area.

Action-Not Available
Vendor-Progress Software Corporation
Product-sitefinitySitefinitysitefinity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6367
Matching Score-6
Assigner-Progress Software Corporation
ShareView Details
Matching Score-6
Assigner-Progress Software Corporation
CVSS Score-7.6||HIGH
EPSS-0.51% / 39.63%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 16:05
Updated-02 Aug, 2024 | 08:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WhatsUp Gold Stored Cross-Site Scripting (XSS) via Roles

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Roles.   If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-whatsup_goldWhatsUp Gold
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6366
Matching Score-6
Assigner-Progress Software Corporation
ShareView Details
Matching Score-6
Assigner-Progress Software Corporation
CVSS Score-7.6||HIGH
EPSS-0.51% / 39.63%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 16:05
Updated-21 May, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WhatsUp Gold Stored Cross-Site Scripting (XSS) via Alert Center

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Alert Center.   If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-whatsup_goldWhatsUp Gold
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11626
Matching Score-6
Assigner-Progress Software Corporation
ShareView Details
Matching Score-6
Assigner-Progress Software Corporation
CVSS Score-8.4||HIGH
EPSS-0.34% / 26.16%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 07:49
Updated-29 Jul, 2025 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

Action-Not Available
Vendor-Progress Software Corporation
Product-sitefinitySitefinity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-8612
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9||CRITICAL
EPSS-1.67% / 73.84%
||
7 Day CHG~0.00%
Published-14 Feb, 2020 | 18:02
Updated-04 Aug, 2024 | 10:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-moveit_transfern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29376
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.41% / 33.03%
||
7 Day CHG~0.00%
Published-10 Apr, 2023 | 00:00
Updated-11 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potential XSS by privileged users in Sitefinity to media libraries.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-sitefinityn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27636
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.30% / 66.78%
||
7 Day CHG~0.00%
Published-16 Jun, 2024 | 00:00
Updated-08 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-sitefinityn/asitefinity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-28647
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.41% / 69.15%
||
7 Day CHG~0.00%
Published-17 Nov, 2020 | 13:08
Updated-04 Aug, 2024 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-moveit_transfern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-4344
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-3.81% / 88.66%
||
7 Day CHG~0.00%
Published-15 Aug, 2012 | 22:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Ipswitch WhatsUp Gold 15.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the SNMP system name of the attacking host.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-whatsup_goldn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17056
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.82% / 52.44%
||
7 Day CHG~0.00%
Published-28 Sep, 2018 | 00:00
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in ServiceStack in Progress Sitefinity CMS versions 10.2 through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-sitefinity_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17054
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.84% / 52.98%
||
7 Day CHG~0.00%
Published-03 Oct, 2018 | 18:00
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17053.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-sitefinity_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17053
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.84% / 52.98%
||
7 Day CHG~0.00%
Published-03 Oct, 2018 | 18:00
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17054.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-sitefinity_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-14037
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.17% / 63.49%
||
7 Day CHG~0.00%
Published-28 Sep, 2018 | 00:00
Updated-05 Aug, 2024 | 09:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application. This allows attackers (in the worst case) to take over user sessions.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-kendo_uin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-40047
Matching Score-6
Assigner-Progress Software Corporation
ShareView Details
Matching Score-6
Assigner-Progress Software Corporation
CVSS Score-8.3||HIGH
EPSS-0.41% / 32.57%
||
7 Day CHG~0.00%
Published-27 Sep, 2023 | 14:50
Updated-24 Sep, 2024 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WS_FTP Server Stored Cross-Site Scripting Vulnerability

In WS_FTP Server version prior to 8.8.2, a stored cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Management module. An attacker with administrative privileges could import a SSL certificate with malicious attributes containing cross-site scripting payloads.  Once the cross-site scripting payload is successfully stored,  an attacker could leverage this vulnerability to target WS_FTP Server admins with a specialized payload which results in the execution of malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-ws_ftp_serverWS_FTP Serverws_ftp_server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-18175
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.72% / 49.05%
||
7 Day CHG-0.03%
Published-12 Feb, 2018 | 14:00
Updated-16 Sep, 2024 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-sitefinityn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-18177
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.72% / 49.05%
||
7 Day CHG-0.03%
Published-12 Feb, 2018 | 14:00
Updated-16 Sep, 2024 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-sitefinityn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-18176
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.72% / 49.05%
||
7 Day CHG-0.03%
Published-12 Feb, 2018 | 14:00
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-sitefinityn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42711
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.6||CRITICAL
EPSS-0.99% / 57.93%
||
7 Day CHG~0.00%
Published-12 Oct, 2022 | 00:00
Updated-15 May, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Progress WhatsUp Gold before 22.1.0, an SNMP MIB Walker application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-whatsup_goldn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9140
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-9.64% / 94.87%
||
7 Day CHG~0.00%
Published-22 May, 2017 | 04:54
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-telerik_reportingsitefinity_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6365
Matching Score-6
Assigner-Progress Software Corporation
ShareView Details
Matching Score-6
Assigner-Progress Software Corporation
CVSS Score-7.6||HIGH
EPSS-0.51% / 39.63%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 16:05
Updated-02 Aug, 2024 | 08:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WhatsUp Gold Stored Cross-Site Scripting (XSS) via Device Groups

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a device group.   If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-whatsup_goldWhatsUp Gold
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6364
Matching Score-6
Assigner-Progress Software Corporation
ShareView Details
Matching Score-6
Assigner-Progress Software Corporation
CVSS Score-7.6||HIGH
EPSS-0.51% / 39.67%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 16:04
Updated-02 Aug, 2024 | 08:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WhatsUp Gold Stored Cross-Site Scripting (XSS) via Dashboard

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified.  It is possible for an attacker to craft a XSS payload and store that value within a dashboard component.   If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

Action-Not Available
Vendor-Progress Software Corporation
Product-whatsup_goldWhatsUp Gold
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-48115
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 32.77%
||
7 Day CHG~0.00%
Published-17 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The dropdown menu in jspreadsheet before v4.6.0 was discovered to be vulnerable to cross-site scripting (XSS).

Action-Not Available
Vendor-jspreadsheetn/a
Product-jspreadsheetn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-47928
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 33.06%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-23 Jun, 2026 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.

Action-Not Available
Vendor-misp-projectn/a
Product-mispn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-8075
Matching Score-4
Assigner-Hanwha Vision Co., Ltd.
ShareView Details
Matching Score-4
Assigner-Hanwha Vision Co., Ltd.
CVSS Score-5.8||MEDIUM
EPSS-0.18% / 7.76%
||
7 Day CHG~0.00%
Published-26 Dec, 2025 | 04:31
Updated-07 Jan, 2026 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation

Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to XSS on the user's browser. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

Action-Not Available
Vendor-hanwhavisionHanwha Vision Co., Ltd.
Product-xno-6120qnv-c8011r_firmwarexnd-8081rv_firmwarexnp-8250rxnv-6080rw_firmwarexnp-c9303rwxnd-8040r_firmwarepnm-9084rqz1_firmwaretnv-c8014rmxnd-9083rv_pnm-9000vq_firmwarexnf-8010rwpnm-9084qz_firmwarexnv-c9083rpnm-9084rqz_firmwareknp-2120hnqnv-c8083r_firmwareqne-c9013rlqnd-c8013r_firmwarexnd-8080rw_firmwarexnf-9010rspnm-7000vdxnp-6321_firmwarexnd-6081revpnm-9084qz1_firmwarexnf-9010rvknp-2550rhaqnp-6320h_firmwarexnv-c7083r_firmwarexno-6080rs_firmwarepnm-9081vqkno-2080rn_firmwareqnf-8010xnz-l6320axnv-6120pnm-9085rqzxnd-6085v_firmwareqnp-6250hxnf-8010rvmnbxnv-c9083r_firmwarexnp-6321h_firmwareqnp-6320r_firmwarexno-c8083rxnd-8080rxnv-6123r_firmwarexnd-9082rv_firmwareqnf-c9010qnp-6320_firmwarexnv-8080rsqnp-6230h_firmwarexno-6083rxnv-8080r_firmwarexnv-8081re_xnp-8300rw_firmwarexnf-9013rv_firmwarexnb-8002_firmwareqnv-c9083r_firmwarexnv-6083rzxnv-8080rsaxnd-l6080vxno-6123r_firmwarexnv-9082rxnv-6081_firmwarexnv-8083rzxnp-6120h_firmwarexnb-9003qnp-6320hxnz-6320apnm-7000vd_firmwarexnv-c6083rxnb-6000_firmwarexnd-8080rv_firmwarexnv-8020rxnb-9002_firmwarexnv-8083rx_xnp-c6403xnp-6371rhqnf-c9010_firmwarexnd-6081rev_firmwareknd-2020rnqnp-6250xnd-6085xnp-6250rhqnv-c6083rxnd-6083rvxnv-9083rzxnb-6005_firmwarexnv-8030r_firmwarexno-8040rxnd-8081revxnz-6320_firmwarexnv-6022rxnp-c6403rwqno-c9083rpnm-9084qz1xnd-l6080rvxnd-6081rfqne-c9013rl_firmwarexnd-l6080rxno-9082rzxnp-c9253r__firmwarexnv-6012xnv-8083rvx_firmwareknp-2320rh_firmwarexnv-6022rmknb-5000nxnp-6371rh_firmwarexnd-c9083rv_firmwarexnp-9300rw_firmwarexno-6120rs_firmwareqnp-6230xnv-c8083r_firmwarexnv-6120_firmwarexnp-c8303rwxnf-8010rpnm-9000vqxnv-6081r_firmwarexnf-9010rvmxnp-6341rh_firmwarexnd-9082rfxnp-9250_firmwarexnv-8083z_firmwarexnd-8081vzknp-2320rhxno-8020rknd-5020rnxno-c7083rkno-5020rn_firmwarexnd-8082rfxnp-6400rqnv-c8083rxnd-8080rvknp-2120hn_firmwarexnb-9002xnd-6081vz_firmwarepnm-9002vq_firmwareqno-c8013r_firmwarexnv-8081z_firmwarexnp-c8253_firmwarexnp-c6403r_pnm-9080vq_firmwarexnb-8003xnv-6083zxnv-8083rz_firmwarexnp-c6403_firmwarexnd-c6083rvxnd-6081vxnp-c9253_firmwarexnv-6012mxnd-6080rv_firmwarexnd-l6080va_firmwarexnv-8020rmnkno-5080rnxnf-9010rvm_firmwarexnv-c6083_firmwarexnv-l6080raxno-9082rz_firmwarexnp-c8253pnm-9085rqz_firmwarexnv-6123rxnp-c8253r__firmwarexnd-6011f_firmwarexnp-6341rhqnp-6230hxnd-6080xnp-c9303rw_firmwaretnv-c8011rw_firmwarexnd-8081rf_firmwarexnd-6081fzxnd-8081fz_firmwarekno-2120rn_firmwarexnd-6081rvxnv-6120rspnm-9320vqpxnv-6083z_firmwarexnd-6081rv_firmwarexnv-9083r_firmwarexnd-c9083rvtnv-c8011rwxnv-8081re__firmwarexnv-6012_firmwarexnv-6080_firmwarexnp-c9253r_xnv-6120rs_firmwarexnd-8030r_firmwarexnv-6011_firmwarexnd-6080v_firmwarexnp-6040h_firmwarexnv-c6083xnv-8040rxnv-8081r_firmwarexnv-6022rm_firmwarexnp-6250rh_firmwarekno-5080rn_firmwarexnd-9083rv__firmwarexnv-c7083rxnd-6085_firmwarexnd-c7083rvxnv-8083rvxpnm-9321vqp_firmwarexno-8020r_firmwarexnd-6010_firmwarexnp-c8303rw_firmwaretnv-c7013rcknd-2010_firmwarexnd-8020fxnd-8040rxnv-l6080a_firmwarexnd-6080rknb-2000_firmwarexnz-l6320_firmwarexnd-8081fzxnf-8010rvw_firmwareknp-2320rha_firmwarexnd-8083rv_knp-2550rha_firmwareqnp-6250h_firmwarexnd-8093rv_xno-8083rxnv-6081z_firmwarexnv-6081xnp-6400pnm-7002vd_firmwareqnp-6250_firmwarexnv-6120rqnv-c8011rxnd-8082rvxnd-l6020rxno-6083r_firmwarexno-6010r_firmwareknb-5000n_firmwareqnp-6230_firmwarexnb-6005xnv-8030rxnv-6085xnd-c6083rv_firmwarexno-8082rxnv-6085_firmwarexnv-6080rxnd-6085vknd-5020rn_firmwarexnd-6080r_firmwareknd-5080rn_firmwarexnv-c6083r_firmwarexnv-8082rxnd-8083rvx_firmwarexnv-9083rz_firmwarexnp-c8253r_qne-c8013rl_firmwarexnv-6120r_firmwareqnf-c9010vxnv-8080rsa_firmwarexnv-6010qnp-6250r_firmwarexnv-6020rxnv-9083rqnd-c8013rxnv-8083r_firmwarexnd-l6080r_firmwarexnv-6083rz_firmwarexno-6020rxnf-8010rvxnv-6081re_firmwarexnd-6020r_firmwarexnp-6040hxnp-9300rwxnv-c8083rxnd-8030rxnp-9250xnp-8250r_firmwarexnp-6320h_firmwarexnp-c7310r_xnd-8080rwxnv-6080rsa_firmwareknd-2010qnv-c6083r_firmwarexnv-6080rwxnv-l6080_firmwareqno-c8083r_firmwarexnp-c9253xnd-6081fz_firmwarexnv-6083rxnz-6320a_firmwarexnd-9082rvxno-8080rwxnb-6003_firmwarexnv-8093r_firmwarexno-8030rqnp-6320rtnv-c7013rc_firmwarexno-8030r_firmwarexnv-8020rmn_firmwarexnd-l6080v_firmwarexno-6123rqnv-c9011r_firmwarexnv-8083rx__firmwarexnd-6081rf_firmwarexnb-8003_firmwaretnb-6030xnd-8093rv__firmwarexnd-c8083rv_firmwareqnv-c8023rxno-8082r_firmwarexnp-6321hxnv-6081zxnd-8083rv__firmwarexnp-c9310r__firmwarexnp-c7310r__firmwarexnp-8250_firmwarexnd-l6080rva_firmwarexnd-l6020r_firmwarexnv-8080rxnd-l6080rvaxnp-6320hs_firmwarexnd-6080vxnf-8010rvmnb_firmwarexnb-6002xnd-k6080nxno-9083r_firmwarekno-2010rn_firmwarexnp-6400rwxnd-c8083rvxnd-8081rvxnp-c9310r_xnv-6081rexnv-l6080knd-5080rnxno-l6080rxnv-8020r_firmwarexnv-6080xnp-6320_firmwarexno-l6120rxno-c6083rxno-c8083r_firmwarexnv-8082r_firmwareqno-c6083rxnp-6120hxnv-6012m_firmwareqnd-c8023rqnv-c9083rxnd-6080rvxnd-6081fxno-8080r_firmwarexno-8040r_firmwarexnf-8010r_firmwarexnv-8081rqno-c8083rxno-8080rxno-6120rxnp-6321tnv-c8014rm_firmwarexnd-6011fqnv-c8013r_firmwarekno-5020rnqnv-c8012_firmwarexnv-6011xno-6080rxnv-6011w_firmwarexno-l6080ra_firmwarekno-2010rnxnp-6400_firmwarekno-2120rnpnm-9000vd_firmwarexnp-6550rh_firmwarexnd-8081vz_firmwarexnd-k6080n_firmwareqnv-c9011rxnp-6320hsxnd-6081vzqnd-c8023r_firmwarexnd-6010xnv-6083r_firmwareknp-2320rhaxnv-8081zxnp-6320htnb-6030_firmwarexno-6080rsxnb-8000_firmwarexno-6120_firmwarexnd-6081v_firmwareknd-2080rnxnd-6020rxnf-9010rs_firmwareqno-c8013rxno-9083rxnv-8020rmpxno-6120rsxnv-l6080ra_firmwaretnv-7010rcxnd-l6080vaxnv-6080rs_firmwaretnv-7010rc_firmwarexnb-6000qne-c8013rlqno-c8023rxnv-8080rwxno-c6083r_firmwarexnv-8080rw_firmwarexno-6080r_firmwarexnf-8010rvmxnp-c6403r__firmwarexnd-6080rwxnv-6080r_firmwarepnm-9084qzxnv-8040r_firmwarexnz-l6320a_firmwarepnm-9320vqp_firmwareknd-2020rn_firmwarexnv-6022r_firmwarexnp-6550rhqnv-c8023r_firmwarepnm-9081vq_firmwarexnv-8080rs_firmwarepnm-9084rqzxnv-8083zxno-6085rxnf-8010rvwxnp-6320rhxno-l6020r_firmwarexnd-8020rxno-c7083r_firmwarexnp-c6403rw_firmwarexnp-9250r_firmwarexno-6085r_firmwarexnz-l6320xnp-9250rxnv-6080rsaqnf-c9010v_firmwarexnd-c7083rv_firmwarepnm-9084rqz1xnp-6320rh_firmwarexnv-8020rmp_firmwarepnm-9085rqz1_firmwarekno-2080rnxnv-6011wxnv-9082r_firmwarexno-l6120r_firmwarexnd-8081rfxnz-6320knd-2080rn_firmwareqnp-6320xnb-6001xnd-6081f_firmwarexnv-6010_firmwarexnp-8250knb-2000xnd-8081rev_firmwarexnd-8082rf_firmwarexno-l6080r_firmwarexnv-l6080rxnd-8082rv_firmwarexnv-6013m_firmwarexno-c9083r_firmwareqnp-6250rxno-l6080raxno-c9083rxnb-6001_firmwarexnd-8020r_firmwarexnf-9013rvxnv-6020r_firmwarexnd-l6080rv_firmwareqno-c8023r_firmwarexnb-8002xnd-8020f_firmwarexnp-6320xnv-l6080r_firmwarexnv-8093rpnm-9002vqpnm-9322vqp_firmwarexnb-6002_firmwarexnb-9003_firmwaretnv-c8034rmxno-6020r_firmwareqnv-c8013rxnd-6083rv_firmwarepnm-9322vqpxnv-8083rxnd-6080_firmwarepnm-9321vqpxnp-6400rw_firmwarexno-l6020rxno-8083r_firmwarepnm-7002vdtnv-c8034rm_firmwarexnd-8080r_firmwarexnf-8010rv_firmwarexnf-8010rw_firmwarexno-6120r_firmwarepnm-9080vqxnv-6013mxnf-9010rv_firmwarexnd-6080rw_firmwarexnp-6400r_firmwarexnf-8010rvm_firmwarexnp-8300rwxnb-6003xnd-8083rvxxnv-6081rxnb-8000xnd-8020rw_firmwareqno-c6083r_firmwarexno-8080rw_firmwarexnd-8020rwxnv-l6080apnm-9085rqz1qno-c9083r_firmwarexnv-6080rsqnf-8010_firmwarepnm-9000vdxnd-9082rf_firmwareqnv-c8012xno-6010rQNV-C8012
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15676
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.57% / 72.28%
||
7 Day CHG~0.00%
Published-01 Oct, 2020 | 18:31
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.

Action-Not Available
Vendor-Debian GNU/LinuxopenSUSEMozilla Corporation
Product-thunderbirddebian_linuxfirefoxfirefox_esrleapFirefoxFirefox ESRThunderbird
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-47701
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.35% / 27.11%
||
7 Day CHG~0.00%
Published-31 Jan, 2023 | 00:00
Updated-27 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS).

Action-Not Available
Vendor-comfast_projectn/a
Product-cf-wr623n_firmwarecf-wr623nn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-48012
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.37% / 68.37%
||
7 Day CHG~0.00%
Published-27 Jan, 2023 | 00:00
Updated-28 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Opencats v0.9.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /opencats/index.php?m=settings&a=ajax_tags_upd.

Action-Not Available
Vendor-opencatsn/a
Product-opencatsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4771
Matching Score-4
Assigner-Hitachi Vantara
ShareView Details
Matching Score-4
Assigner-Hitachi Vantara
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 27.10%
||
7 Day CHG~0.00%
Published-03 Apr, 2023 | 18:58
Updated-11 Feb, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables. 

Action-Not Available
Vendor-Hitachi Vantara LLCHitachi, Ltd.
Product-vantara_pentaho_business_analytics_serverPentaho Business Analytics Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15870
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.68% / 47.49%
||
7 Day CHG~0.00%
Published-31 Jul, 2020 | 19:42
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (Issue 2 of 2).

Action-Not Available
Vendor-n/aSonatype, Inc.
Product-nexus_repository_manager_3n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-22936
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.56% / 41.95%
||
7 Day CHG~0.00%
Published-01 Feb, 2024 | 00:00
Updated-16 Jan, 2025 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Parents & Student Portal in Genesis School Management Systems in Genesis AIMS Student Information Systems v.3053 allows remote attackers to inject arbitrary web script or HTML via the message parameter.

Action-Not Available
Vendor-manuelaldapen/agenesisedu
Product-parents_\&_student_portaln/aparent_student_portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4876
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.51% / 39.45%
||
7 Day CHG~0.00%
Published-04 Jan, 2023 | 22:02
Updated-28 May, 2025 | 13:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kaltura mwEmbed DefaultSettings.php cross site scripting

A vulnerability was found in Kaltura mwEmbed up to 2.96.rc1 and classified as problematic. This issue affects some unknown processing of the file includes/DefaultSettings.php. The manipulation of the argument HTTP_X_FORWARDED_HOST leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.96.rc2 is able to address this issue. The patch is named 13b8812ebc8c9fa034eed91ab35ba8423a528c0b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217427.

Action-Not Available
Vendor-kalturaKaltura
Product-mwembedmwEmbed
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4822
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-2.4||LOW
EPSS-0.51% / 39.57%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 20:47
Updated-17 May, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FlatPress Setup main.lib.php cross site scripting

A vulnerability, which was classified as problematic, has been found in FlatPress. This issue affects some unknown processing of the file setup/lib/main.lib.php of the component Setup. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 5f23b4c2eac294cc0ba5e541f83a6f8a26f9fed1. It is recommended to apply a patch to fix this issue. The identifier VDB-217001 was assigned to this vulnerability.

Action-Not Available
Vendor-flatpressn/a
Product-flatpressFlatPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15769
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.66% / 46.57%
||
7 Day CHG~0.00%
Published-18 Sep, 2020 | 13:10
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL.

Action-Not Available
Vendor-n/aGradle, Inc.
Product-enterprisen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-48118
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 37.25%
||
7 Day CHG~0.00%
Published-27 Jan, 2023 | 00:00
Updated-28 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Acronym parameter.

Action-Not Available
Vendor-joranin/a
Product-joranin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15907
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.70% / 48.31%
||
7 Day CHG~0.00%
Published-07 Aug, 2020 | 19:39
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Mahara 19.04 before 19.04.6, 19.10 before 19.10.4, and 20.04 before 20.04.1, certain places could execute file or folder names containing JavaScript.

Action-Not Available
Vendor-n/aMahara
Product-maharan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-10002
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.1||LOW
EPSS-0.64% / 45.94%
||
7 Day CHG~0.00%
Published-01 Jan, 2023 | 16:16
Updated-07 Aug, 2024 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SimpleSAMLphp simplesamlphp-module-openid OpenID consumer.php cross site scripting

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in SimpleSAMLphp simplesamlphp-module-openid. Affected is an unknown function of the file templates/consumer.php of the component OpenID Handler. The manipulation of the argument AuthState leads to cross site scripting. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.0 is able to address this issue. The patch is identified as d652d41ccaf8c45d5707e741c0c5d82a2365a9a3. It is recommended to upgrade the affected component. VDB-217170 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-simplesamlphpSimpleSAMLphp
Product-simplesamlphp-module-openidsimplesamlphp-module-openid
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-48111
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.65% / 46.48%
||
7 Day CHG~0.00%
Published-10 Mar, 2023 | 00:00
Updated-27 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the check_login function of SIPE s.r.l WI400 between version 8 and 11 included allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the f parameter.

Action-Not Available
Vendor-siri-informatican/a
Product-wi400n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 210
  • 211
  • Next
Details not found