Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-4422

Summary
Assigner-@huntrdev
Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a
Published At-18 Aug, 2023 | 18:35
Updated At-03 Oct, 2024 | 14:19
Rejected At-
Credits

Cross-site Scripting (XSS) - Stored in cockpit-hq/cockpit

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:@huntrdev
Assigner Org ID:c09c270a-b464-47c1-9133-acb35b22c19a
Published At:18 Aug, 2023 | 18:35
Updated At:03 Oct, 2024 | 14:19
Rejected At:
▼CVE Numbering Authority (CNA)
Cross-site Scripting (XSS) - Stored in cockpit-hq/cockpit

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

Affected Products
Vendor
Agentejocockpit-hq
Product
cockpit-hq/cockpit
Versions
Affected
  • From unspecified before 2.6.3 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.06.8MEDIUM
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Version: 3.0
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.dev/bounties/2e12b773-b6a2-48da-a4bb-55d5d1307d2e
N/A
https://github.com/cockpit-hq/cockpit/commit/b8dad5e070608bb5e4ec58fabbee101b5af737cf
N/A
Hyperlink: https://huntr.dev/bounties/2e12b773-b6a2-48da-a4bb-55d5d1307d2e
Resource: N/A
Hyperlink: https://github.com/cockpit-hq/cockpit/commit/b8dad5e070608bb5e4ec58fabbee101b5af737cf
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.dev/bounties/2e12b773-b6a2-48da-a4bb-55d5d1307d2e
x_transferred
https://github.com/cockpit-hq/cockpit/commit/b8dad5e070608bb5e4ec58fabbee101b5af737cf
x_transferred
Hyperlink: https://huntr.dev/bounties/2e12b773-b6a2-48da-a4bb-55d5d1307d2e
Resource:
x_transferred
Hyperlink: https://github.com/cockpit-hq/cockpit/commit/b8dad5e070608bb5e4ec58fabbee101b5af737cf
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Vendor
Agentejocockpit-hq
Product
cockpit
CPEs
  • cpe:2.3:a:cockpit-hq:cockpit:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 2.6.3 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@huntr.dev
Published At:18 Aug, 2023 | 19:15
Updated At:22 Aug, 2023 | 00:58

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Secondary3.06.8MEDIUM
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.0
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CPE Matches
Agentejo
agentejo
>>cockpit>>Versions before 2.6.3(exclusive)
cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity@huntr.dev
CWE ID: CWE-79
Type: Primary
Source: security@huntr.dev
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/cockpit-hq/cockpit/commit/b8dad5e070608bb5e4ec58fabbee101b5af737cfsecurity@huntr.dev
Patch
https://huntr.dev/bounties/2e12b773-b6a2-48da-a4bb-55d5d1307d2esecurity@huntr.dev
Exploit
Hyperlink: https://github.com/cockpit-hq/cockpit/commit/b8dad5e070608bb5e4ec58fabbee101b5af737cf
Source: security@huntr.dev
Resource:
Patch
Hyperlink: https://huntr.dev/bounties/2e12b773-b6a2-48da-a4bb-55d5d1307d2e
Source: security@huntr.dev
Resource:
Exploit

Change History

0
Information is not available yet

Similar CVEs

3400Records found
CVE-2024-57772
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 24.43%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 00:00
Updated-17 May, 2025 | 02:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Action-Not Available
Vendor-jfinaloa_projectn/a
Product-jfinaloan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45668
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 44.07%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:25
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7960P before 1.4.1.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX15 before 1.0.2.82, RAX20 before 1.0.2.82, RAX200 before 1.0.3.106, RAX45 before 1.0.2.72, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, and RAX80 before 1.0.3.106.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-eax80ex7500rax80rax15rax75ex3800_firmwarer8000pex3700rax50ex7500_firmwarer7960prax45r8000p_firmwareeax80_firmwarerax200rax20rax20_firmwareex6130r7900prax200_firmwareeax20_firmwareex6130_firmwarerax80_firmwareeax20ex3800r7960p_firmwarerax15_firmwareex3700_firmwarerax75_firmwareex6120rax50_firmwarerax45_firmwarer7900p_firmwareex6120_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46070
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.75% / 72.84%
||
7 Day CHG~0.00%
Published-06 Jan, 2022 | 15:29
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service Requests Section in login panel.

Action-Not Available
Vendor-vehicle_service_management_system_projectn/a
Product-vehicle_service_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45664
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.6||MEDIUM
EPSS-0.32% / 54.88%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:26
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r7000_firmwarer7000n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45665
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 50.51%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:26
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects EAX20 before 1.0.0.36, EAX80 before 1.0.1.62, EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, RBW30 before 2.6.1.4, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, and RBS40V before 2.6.1.4.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rbs40v_firmwareeax20_firmwarerbs40veax80ex7500rbw30_firmwareex6130_firmwarerbs750_firmwarerbs850_firmwarerbr850ex3800_firmwarerbr750_firmwareeax20rbw30ex3700ex7500_firmwarerbs850rbk752_firmwareex3800rbk752rbr750rbs750eax80_firmwareex3700_firmwareex6120rbk852_firmwarerbk852ex6130ex6120_firmwarerbr850_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46073
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-5.67% / 90.21%
||
7 Day CHG~0.00%
Published-06 Jan, 2022 | 15:25
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the User List Section in login panel.

Action-Not Available
Vendor-vehicle_service_management_system_projectn/a
Product-vehicle_service_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46080
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 51.09%
||
7 Day CHG~0.00%
Published-06 Jan, 2022 | 14:47
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.

Action-Not Available
Vendor-vehicle_service_management_system_projectn/a
Product-vehicle_service_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-34368
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.07% / 20.57%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 12:12
Updated-02 Aug, 2024 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kanban Boards for WordPress Plugin <= 2.5.20 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Kanban for WordPress Kanban Boards for WordPress plugin <= 2.5.20 versions.

Action-Not Available
Vendor-kanbanwpKanban for WordPress
Product-kanban_boardsKanban Boards for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6138
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 28.14%
||
7 Day CHG~0.00%
Published-11 Jul, 2024 | 06:00
Updated-01 Aug, 2024 | 21:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Secure Copy Content Protection < 4.0.9 - Admin+ Stored XSS

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownAYS Pro Extensions
Product-secure_copy_content_protection_and_content_lockingSecure Copy Content Protection and Content Lockingsecure_copy_content_protection_and_content_locking
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45672
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.2||MEDIUM
EPSS-0.26% / 48.66%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:24
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by Stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.76, R6220 before 1.1.0.110, R6230 before 1.1.0.110, R6260 before 1.1.0.78, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6700v2 before 1.2.0.76, R6850 before 1.1.0.78, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, and RAX40 before 1.0.3.62.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r6700v2_firmwarerax40r6120r6850_firmwarer7450_firmwarer6220_firmwareac2600r6080_firmwareac2400r6900v2r6120_firmwarer7200_firmwarer6800r6900v2_firmwarer6260_firmwarer6260r6220r6020ac2400_firmwarer7350_firmwarer7400_firmwarer6020_firmwarer7200rax40_firmwared7000r6080d7000_firmwarer6230r6230_firmwareac2100_firmwared6200_firmwarer7400r6700v2ac2100r6850r7350r7450d6200r6800_firmwareac2600_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45888
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.38% / 58.99%
||
7 Day CHG~0.00%
Published-13 Mar, 2022 | 01:18
Updated-04 Aug, 2024 | 04:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in PONTON X/P Messenger before 3.11.2. The navigation tree that is shown on the left side of every page of the web application is vulnerable to XSS: it allows injection of JavaScript into its nodes. Creating such nodes is only possible for users who have the role Configuration Administrator or Administrator.

Action-Not Available
Vendor-pontonn/a
Product-x\/p_messengern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46065
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-20.36% / 95.40%
||
7 Day CHG~0.00%
Published-27 Jan, 2022 | 15:29
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_servicedesk_plusn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34187
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 13:00
Updated-24 Sep, 2024 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Call Now Icon Animate Plugin <= 0.1.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alan Tien Call Now Icon Animate plugin <= 0.1.0 versions.

Action-Not Available
Vendor-Alan Tiến
Product-call_now_icon_animateCall Now Icon Animate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-25491
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-1.9||LOW
EPSS-0.01% / 1.60%
||
7 Day CHG-0.04%
Published-09 Feb, 2026 | 19:25
Updated-19 Feb, 2026 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Craft has a Stored XSS in Entry Types Name

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.

Action-Not Available
Vendor-craftcmscraftcms
Product-craft_cmscms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-44760
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-18 Mar, 2022 | 18:00
Updated-23 Apr, 2025 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP-DownloadManager plugin <= 1.68.6 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability

Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin <= 1.68.6 versions.

Action-Not Available
Vendor-wp-downloadmanager_projectLester 'GaMerZ' Chan
Product-wp-downloadmanagerWP-DownloadManager (WordPress plugin)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-2939
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 9.68%
||
7 Day CHG~0.00%
Published-22 Feb, 2026 | 09:32
Updated-23 Feb, 2026 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Student Management System Add Student add_student cross site scripting

A vulnerability was found in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /add_student/ of the component Add Student Module. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used.

Action-Not Available
Vendor-ITSourceCode
Product-student_management_systemStudent Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-45676
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.07%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:23
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects RAX200 before 1.0.5.126, RAX20 before 1.0.2.82, RAX80 before 1.0.5.126, RAX15 before 1.0.2.82, and RAX75 before 1.0.5.126.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rax200_firmwarerax80rax15rax15_firmwarerax20rax200rax75_firmwarerax75rax80_firmwarerax20_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45666
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 50.51%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:26
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects CBR40 before 2.5.0.10, EAX80 before 1.0.1.64, EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, RBW30 before 2.6.1.4, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, and RBS40V before 2.6.1.4.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rbs40v_firmwarerbs40vcbr40_firmwareeax80ex7500rbw30_firmwareex6130_firmwarerbs750_firmwarerbs850_firmwarerbr850ex3800_firmwarerbr750_firmwarerbw30ex3700cbr40ex7500_firmwarerbs850rbk752_firmwareex3800rbk752rbr750rbs750eax80_firmwareex3700_firmwareex6120rbk852_firmwarerbk852ex6130ex6120_firmwarerbr850_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-7309
Matching Score-4
Assigner-Trellix
ShareView Details
Matching Score-4
Assigner-Trellix
CVSS Score-3.9||LOW
EPSS-0.18% / 39.40%
||
7 Day CHG~0.00%
Published-26 Aug, 2020 | 06:00
Updated-16 Sep, 2024 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross Site Scripting vulnerability in ePO extension of MACC

Cross Site Scripting vulnerability in ePO extension in McAfee Application Control (MAC) prior to 8.3.1 allows administrators to inject arbitrary web script or HTML via specially crafted input in the policy discovery section.

Action-Not Available
Vendor-McAfee, LLC
Product-application_and_change_controlMcAfee Application and Change Control
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45670
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.36% / 57.95%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:25
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects CBR40 before 2.5.0.10, EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7000 before 1.0.11.116, R7900 before 1.0.4.38, R8000 before 1.0.4.68, RAX200 before 1.0.3.106, RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, EX3700 before 1.0.0.90, MR60 before 1.0.6.110, R7000P before 1.3.2.126, RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, EX3800 before 1.0.0.90, MS60 before 1.0.6.110, R6900P before 1.3.2.126, RAX15 before 1.0.2.82, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rbs40v_firmwarecbr40_firmwarerax80eax80ex7500rbw30_firmwarerax15rax75r8000ex3800_firmwarer6900pr7900rbw30rax50ex3700r6900p_firmwarerbs850ex7500_firmwarerax45ms60_firmwarer7000_firmwarerbr750r8000_firmwareeax80_firmwarerax200rax20rax20_firmwareex6130r7000p_firmwarerax200_firmwareeax20_firmwarerbs40vex6130_firmwarerbs750_firmwaremr60mr60_firmwarerbs850_firmwarerbr850rax80_firmwarerbr750_firmwarer7000eax20r7000pcbr40rbk752_firmwareex3800r7900_firmwarerbk752rbs750rax15_firmwareex6120_firmwareex3700_firmwarerax75_firmwarerax50_firmwareex6120rax45_firmwarerbk852_firmwarerbk852ms60rbr850_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45675
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.8||MEDIUM
EPSS-0.18% / 40.14%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:24
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects R6120 before 1.0.0.76, R6260 before 1.1.0.78, R6850 before 1.1.0.78, R6350 before 1.1.0.78, R6330 before 1.1.0.78, R6800 before 1.2.0.76, R6700v2 before 1.2.0.76, R6900v2 before 1.2.0.76, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, and AC2600 before 1.2.0.76.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r6350_firmwarer6700v2_firmwarer6850_firmwarer6120r7450_firmwarer6330ac2600r6800_firmwareac2400r6900v2ac2100_firmwarer7200_firmwarer6120_firmwarer6800r6900v2_firmwarer7400r6700v2ac2100r6850r6260_firmwarer6260r6350r7350r7450r6330_firmwareac2400_firmwarer7350_firmwarer7400_firmwarer7200ac2600_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45671
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 44.07%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:25
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects CBR40 before 2.5.0.10, EAX80 before 1.0.1.62, EX7500 before 1.0.0.72, R7900 before 1.0.4.38, R8000 before 1.0.4.68, RAX200 before 1.0.4.120, RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, MR60 before 1.0.6.110, RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 1.0.4.120, MS60 before 1.0.6.110, RAX15 before 1.0.2.82, RAX50 before 1.0.2.72, RAX75 before 1.0.4.120, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rbs40v_firmwarecbr40_firmwarerax80eax80ex7500rbw30_firmwarerax15rax75r8000r7900rbw30rax50rbs850ex7500_firmwarerax45ms60_firmwarerbr750r8000_firmwareeax80_firmwarerax200rax20rax20_firmwarerax200_firmwarerbs40vrbs750_firmwaremr60mr60_firmwarerbs850_firmwarerbr850rax80_firmwarerbr750_firmwarecbr40rbk752_firmwarer7900_firmwarerbk752rbs750rax15_firmwarerax75_firmwarerax50_firmwarerax45_firmwarerbk852_firmwarerbk852ms60rbr850_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34173
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 14:04
Updated-24 Sep, 2024 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Yandex Metrica Counter Plugin <= 1.4.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alexander Semikashev Yandex Metrica Counter plugin <= 1.4.3 versions.

Action-Not Available
Vendor-yandex_metrica_counter_projectAlexander Semikashev
Product-yandex_metric_counterYandex Metrica Counter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34170
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.71%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 14:26
Updated-19 Feb, 2025 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quick/Bulk Order Form for WooCommerce Plugin <= 3.5.7 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP Overnight Quick/Bulk Order Form for WooCommerce plugin <= 3.5.7 versions.

Action-Not Available
Vendor-wpovernightWP Overnight
Product-download_quick\/bulk_order_form_for_woocommerceQuick/Bulk Order Form for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35048
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.71%
||
7 Day CHG~0.00%
Published-23 Jun, 2023 | 11:50
Updated-10 Oct, 2024 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Booking and Rental Manager Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MagePeople Team Booking and Rental Manager for Bike plugin <= 1.2.1 versions.

Action-Not Available
Vendor-MagePeople
Product-booking_\&_rental_managerBooking and Rental Manager for Bike
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34172
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 14:12
Updated-02 Aug, 2024 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WordPress Social Login Plugin <= 3.0.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Miled WordPress Social Login plugin <= 3.0.4 versions.

Action-Not Available
Vendor-miledMiled
Product-wordpress_social_loginWordPress Social Login
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-25488
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 10.84%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 18:07
Updated-10 Feb, 2026 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Action-Not Available
Vendor-craftcmscraftcms
Product-craft_commercecommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46072
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-5.67% / 90.21%
||
7 Day CHG~0.00%
Published-06 Jan, 2022 | 15:26
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List Section in login panel.

Action-Not Available
Vendor-vehicle_service_management_system_projectn/a
Product-vehicle_service_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34183
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 13:07
Updated-24 Sep, 2024 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Unite Gallery Lite Plugin <= 1.7.61 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Valiano Unite Gallery Lite plugin <= 1.7.61 versions.

Action-Not Available
Vendor-unitegalleryValiano
Product-unite_gallery_liteUnite Gallery Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46069
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-5.67% / 90.21%
||
7 Day CHG~0.00%
Published-06 Jan, 2022 | 15:30
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Mechanic List Section in login panel.

Action-Not Available
Vendor-vehicle_service_management_system_projectn/a
Product-vehicle_service_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46068
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-5.67% / 90.21%
||
7 Day CHG~0.00%
Published-06 Jan, 2022 | 15:46
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the My Account Section in login panel.

Action-Not Available
Vendor-vehicle_service_management_system_projectn/a
Product-vehicle_service_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6243
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.16% / 37.04%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 06:00
Updated-30 Jan, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML Forms < 1.3.33 - Admin+ Stored XSS

The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled.

Action-Not Available
Vendor-linksoftwarellcUnknownhtmlforms
Product-html_formsHTML Forms html_forms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-25489
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.01% / 1.74%
||
7 Day CHG-0.02%
Published-03 Feb, 2026 | 18:07
Updated-10 Feb, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Action-Not Available
Vendor-craftcmscraftcms
Product-craft_commercecommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2093
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.77%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 12:57
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Duplicate Page < 1.3 - Admin+ Stored Cross Site Scripting

The WP Duplicate Page WordPress plugin before 1.3 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Action-Not Available
Vendor-UnknownNinjaTeam
Product-wp_duplicate_pageWP Duplicate Page
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45667
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.36% / 57.95%
||
7 Day CHG~0.00%
Published-26 Dec, 2021 | 00:25
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects CBR40 before 2.5.0.10, EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7960P before 1.4.1.66, RAX200 before 1.0.3.106, RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, EX3700 before 1.0.0.90, MR60 before 1.0.6.110, R8000P before 1.4.1.66, RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, EX3800 before 1.0.0.90, MS60 before 1.0.6.110, R7900P before 1.4.1.66, RAX15 before 1.0.2.82, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rbs40v_firmwarecbr40_firmwareeax80ex7500rbw30_firmwarerax80rax15ms60rax75ex3800_firmwarerbw30r8000pex3700rax50ex7500_firmwarerbs850r7960prax45ms60_firmwarerbr750r8000p_firmwareeax80_firmwarerax200rax20ex6130rax20_firmwarer7900prax200_firmwareeax20_firmwarerbs40vex6130_firmwarerbs750_firmwaremr60mr60_firmwarerbs850_firmwarerbr850rax80_firmwarerbr750_firmwareeax20cbr40rbk752_firmwareex3800rbk752rbs750r7960p_firmwarerax15_firmwareex3700_firmwarerax75_firmwareex6120rax50_firmwarerax45_firmwarerbk852_firmwarerbk852r7900p_firmwareex6120_firmwarerbr850_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-57498
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.09% / 24.78%
||
7 Day CHG~0.00%
Published-03 Feb, 2025 | 00:00
Updated-13 Jun, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting vulnerability in sayski ForestBlog 20241223 allows a remote attacker to escalate privileges via the article editing function.

Action-Not Available
Vendor-forestblog_projectn/a
Product-forestblogn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34018
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.14% / 33.30%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 17:01
Updated-02 Aug, 2024 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SoundCloud Shortcode Plugin <= 3.1.0 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SoundCloud Inc. SoundCloud Shortcode allows Stored XSS.This issue affects SoundCloud Shortcode: from n/a through 3.1.0.

Action-Not Available
Vendor-soundcloudSoundCloud Inc.
Product-soundcloud_shortcodeSoundCloud Shortcode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5920
Matching Score-4
Assigner-Palo Alto Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.34% / 56.36%
||
7 Day CHG~0.00%
Published-14 Nov, 2024 | 09:40
Updated-30 Apr, 2025 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write Panorama administrator to push a specially crafted configuration to a PAN-OS node. This enables impersonation of a legitimate PAN-OS administrator who can perform restricted actions on the PAN-OS node after the execution of JavaScript in the legitimate PAN-OS administrator's browser.

Action-Not Available
Vendor-Palo Alto Networks, Inc.
Product-pan-osCloud NGFWPAN-OSPrisma Access
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-57774
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 24.43%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 00:00
Updated-17 May, 2025 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Action-Not Available
Vendor-jfinaloa_projectn/a
Product-jfinaloan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34855
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.07% / 20.34%
||
7 Day CHG~0.00%
Published-12 Jun, 2023 | 00:00
Updated-03 Jan, 2025 | 23:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting (XSS) vulnerability in Youxun Electronic Equipment (Shanghai) Co., Ltd AC Centralized Management Platform v1.02.040 allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /upfile.cgi.

Action-Not Available
Vendor-ac_centralized_management_platform_projectn/a
Product-ac_centralized_management_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6094
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.23% / 45.31%
||
7 Day CHG~0.00%
Published-24 Jul, 2024 | 06:00
Updated-02 Oct, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP ULike < 4.7.1 - Admin+ Stored XSS

The WP ULike WordPress plugin before 4.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-technowichUnknownwp_ulike_project
Product-wp_ulikeWP ULike wp_ulike
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6059
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.10% / 28.16%
||
7 Day CHG~0.00%
Published-17 Jun, 2024 | 18:31
Updated-23 Sep, 2024 | 22:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ingenico Estate Manager News Feed messages cross site scripting

A vulnerability, which was classified as problematic, has been found in Ingenico Estate Manager 2023. This issue affects some unknown processing of the file /emgui/rest/ums/messages of the component News Feed. The manipulation of the argument message leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268787. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-ingenicoIngenicoingenico
Product-estate_managementEstate Managerestate_manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6165
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 41.49%
||
7 Day CHG~0.00%
Published-31 Jul, 2024 | 06:00
Updated-07 Jul, 2025 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WANotifier < 2.6.1 - Admin+ Stored XSS

The WANotifier WordPress plugin before 2.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-wanotifierUnknownwanotifier
Product-wanotifierWANotifierwanotifier
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26961
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.36% / 57.80%
||
7 Day CHG~0.00%
Published-08 Aug, 2023 | 00:00
Updated-15 Oct, 2024 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files (e.g., JavaScript content for stored XSS) via the type field in a JSON document within a PUT /gallery/api/media request.

Action-Not Available
Vendor-alteryxn/a
Product-alteryx_servern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6158
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 41.49%
||
7 Day CHG~0.00%
Published-09 Aug, 2024 | 06:00
Updated-27 May, 2025 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Category Posts Widget (Free < 4.9.17, Pro < 4.9.13) - Admin+ Stored XSS

The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Posts" widget settings before outputting them back in a page/post where the Widget is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-tiptoppresszephyrwestUnknowntiptoppress
Product-category_posts_widgetterm_and_category_based_posts_widgetCategory Posts Widgetterm-and-category-based-posts-widgetterm-and-category-based-postscategory_posts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-25485
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.01% / 1.74%
||
7 Day CHG-0.02%
Published-03 Feb, 2026 | 18:06
Updated-10 Feb, 2026 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Action-Not Available
Vendor-craftcmscraftcms
Product-craft_commercecommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34011
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.06% / 18.06%
||
7 Day CHG~0.00%
Published-01 Sep, 2023 | 11:18
Updated-24 Sep, 2024 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ShopConstruct Plugin <= 1.1.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in ShopConstruct plugin <= 1.1.2 versions.

Action-Not Available
Vendor-shopconstructShopConstruct
Product-shopconstructShopConstruct
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-58129
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.22% / 44.01%
||
7 Day CHG~0.00%
Published-28 Mar, 2025 | 00:00
Updated-08 Jul, 2025 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.

Action-Not Available
Vendor-mispMISP
Product-mispMISP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6070
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.32% / 54.90%
||
7 Day CHG~0.00%
Published-13 Jul, 2024 | 06:00
Updated-16 May, 2025 | 13:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
if-so < 1.8.0.4 - Admin+ Stored XSS

The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-if-soUnknownif-so
Product-if-soIf-So Dynamic Content Personalizationdynamic_content_personalization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-57771
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 24.43%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 00:00
Updated-17 May, 2025 | 02:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Action-Not Available
Vendor-jfinaloa_projectn/a
Product-jfinaloan/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 67
  • 68
  • Next
Details not found