Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-53690

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-30 Oct, 2025 | 21:20
Updated At-17 Nov, 2025 | 21:36
Rejected At-
Credits

Nagios Fusion < 4.2.0 LDAP/AD Integration Stored XSS

Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability in the LDAP/AD authentication-server configuration. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. An attacker who can add authentication servers via LDAP/AD integration could persist a malicious payload that executes in the context of other users' browsers.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:30 Oct, 2025 | 21:20
Updated At:17 Nov, 2025 | 21:36
Rejected At:
▼CVE Numbering Authority (CNA)
Nagios Fusion < 4.2.0 LDAP/AD Integration Stored XSS

Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability in the LDAP/AD authentication-server configuration. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. An attacker who can add authentication servers via LDAP/AD integration could persist a malicious payload that executes in the context of other users' browsers.

Affected Products
Vendor
Nagios Enterprises, LLCNagios
Product
Fusion
Modules
  • LDAP/AD Integration
Default Status
unaffected
Versions
Affected
  • From 0 before 4.2.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.06.2MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Version: 4.0
Base score: 6.2
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-592CAPEC-592 Stored XSS
CAPEC ID: CAPEC-592
Description: CAPEC-592 Stored XSS
Solutions

Nagios addresses this vulnerability as "Stored XSS when adding authentication servers via AD/LDAP integration" and "Fixed XSS in Admin->LDAP/AD Integration."

Configurations
Workarounds
Exploits
Credits
finder
Tisha Manandhar
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.nagios.com/products/security/#fusion
vendor-advisory
patch
https://www.nagios.com/changelog/nagios-fusion/
release-notes
patch
https://www.vulncheck.com/advisories/nagios-fusion-ldap-ad-integration-stored-xss
third-party-advisory
Hyperlink: https://www.nagios.com/products/security/#fusion
Resource:
vendor-advisory
patch
Hyperlink: https://www.nagios.com/changelog/nagios-fusion/
Resource:
release-notes
patch
Hyperlink: https://www.vulncheck.com/advisories/nagios-fusion-ldap-ad-integration-stored-xss
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:30 Oct, 2025 | 22:15
Updated At:06 Nov, 2025 | 18:20

Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability in the LDAP/AD authentication-server configuration. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. An attacker who can add authentication servers via LDAP/AD integration could persist a malicious payload that executes in the context of other users' browsers.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.2MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 6.2
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CPE Matches
Nagios Enterprises, LLC
nagios
>>fusion>>Versions before 4.2.0(exclusive)
cpe:2.3:a:nagios:fusion:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarydisclosure@vulncheck.com
CWE ID: CWE-79
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.nagios.com/changelog/nagios-fusion/disclosure@vulncheck.com
Release Notes
https://www.nagios.com/products/security/#fusiondisclosure@vulncheck.com
Vendor Advisory
https://www.vulncheck.com/advisories/nagios-fusion-ldap-ad-integration-stored-xssdisclosure@vulncheck.com
Third Party Advisory
Hyperlink: https://www.nagios.com/changelog/nagios-fusion/
Source: disclosure@vulncheck.com
Resource:
Release Notes
Hyperlink: https://www.nagios.com/products/security/#fusion
Source: disclosure@vulncheck.com
Resource:
Vendor Advisory
Hyperlink: https://www.vulncheck.com/advisories/nagios-fusion-ldap-ad-integration-stored-xss
Source: disclosure@vulncheck.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

3512Records found
CVE-2025-0228
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.09% / 26.00%
||
7 Day CHG~0.00%
Published-05 Jan, 2025 | 18:31
Updated-10 Jan, 2025 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Local Storage Todo App index.html cross site scripting

A vulnerability has been found in code-projects Local Storage Todo App 1.0 and classified as problematic. This vulnerability affects unknown code of the file /js-todo-app/index.html. The manipulation of the argument Add leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-local_storage_todo_appLocal Storage Todo App
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-9881
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 41.68%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 06:00
Updated-07 May, 2025 | 12:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress < 4.2.7.2 - Admin+ Stored XSS

The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownThimPress (PhysCode)
Product-learnpressLearnPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9892
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.21% / 43.30%
||
7 Day CHG~0.00%
Published-18 Oct, 2024 | 04:32
Updated-22 Oct, 2024 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Add Widget After Content <= 2.4.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Add Widget After Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-arelthiaphillipsapintop
Product-add_widget_after_contentAdd Widget After Content
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13476
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.24% / 46.25%
||
7 Day CHG~0.00%
Published-28 Dec, 2020 | 21:21
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module.

Action-Not Available
Vendor-nchsoftwaren/a
Product-express_invoicen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36376
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 23.29%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 00:00
Updated-02 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Scripting (XSS) vulnerability in Hostel Management System v.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the add course section.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-hostel_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33328
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.08% / 23.40%
||
7 Day CHG~0.00%
Published-28 May, 2023 | 17:47
Updated-10 Oct, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MailChimp Subscribe Forms Plugin <= 4.0.9.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PluginOps MailChimp Subscribe Form plugin <= 4.0.9.1 versions.

Action-Not Available
Vendor-pluginopsPluginOps
Product-mailchimp_subscribe_formMailChimp Subscribe Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35779
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.57%
||
7 Day CHG~0.00%
Published-19 Jun, 2023 | 13:21
Updated-10 Oct, 2024 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Seed Fonts Plugin 2.3.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Seed Webs Seed Fonts plugin <= 2.3.1 versions.

Action-Not Available
Vendor-seedwebsSeed Webs
Product-seed_fontsSeed Fonts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-36317
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 24.38%
||
7 Day CHG+0.01%
Published-23 Aug, 2023 | 00:00
Updated-03 Oct, 2024 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in sourcecodester Student Study Center Desk Management System 1.0 allows attackers to run arbitrary code via crafted GET request to web application URL.

Action-Not Available
Vendor-n/aoretnom23
Product-student_study_center_desk_management_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35878
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 32.15%
||
7 Day CHG~0.00%
Published-20 Jun, 2023 | 07:57
Updated-10 Oct, 2024 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Extra User Details Plugin <= 0.5 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Vadym K. Extra User Details plugin <= 0.5 versions.

Action-Not Available
Vendor-extra_user_details_projectVadym K.
Product-extra_user_detailsExtra User Details
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29029
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 40.05%
||
7 Day CHG~0.00%
Published-24 Mar, 2021 | 12:03
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/edit_personal_page.php URI.

Action-Not Available
Vendor-bitweavern/a
Product-bitweavern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9769
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.24% / 46.97%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 03:25
Updated-09 Jul, 2025 | 12:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Video Gallery <= 2.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Video Gallery – Best WordPress YouTube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-total-softtotalsoft
Product-video_galleryVideo Gallery – YouTube Gallery and Vimeo Gallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9641
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.07% / 20.45%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 06:00
Updated-07 May, 2025 | 13:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LuckyWP Table of Contents < 2.1.7 - Admin+ Stored XSS

The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-theluckywpUnknown
Product-luckywp_table_of_contentsLuckyWP Table of Contents
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-34236
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-6.2||MEDIUM
EPSS-0.04% / 13.19%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:39
Updated-28 Nov, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 Stored XSS via NetworksController.addNetworkAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via NetworksController.addNetworkAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29434
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.27% / 50.53%
||
7 Day CHG~0.00%
Published-19 Apr, 2021 | 18:45
Updated-03 Aug, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields

Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).

Action-Not Available
Vendor-torchboxwagtail
Product-wagtailwagtail
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8759
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.06% / 18.11%
||
7 Day CHG+0.01%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nested Pages <= 3.2.8 - Editor+ Stored XSS

The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-kylephillipsUnknown
Product-nested_pagesNested Pages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3645
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.10% / 27.00%
||
7 Day CHG~0.00%
Published-14 Aug, 2023 | 19:10
Updated-09 Oct, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form Builder by Bit Form < 2.2.0 - Admin+ Stored XSS

The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-bitappsUnknown
Product-contact_form_builderContact Form Builder by Bit Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13301
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.20% / 41.91%
||
7 Day CHG~0.00%
Published-14 Sep, 2020 | 21:26
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a stored XSS on the standalone vulnerability page.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34369
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.07% / 20.47%
||
7 Day CHG~0.00%
Published-25 Jul, 2023 | 13:02
Updated-26 Sep, 2024 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Login Configurator Plugin <= 2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GrandSlambert Login Configurator plugin <= 2.1 versions.

Action-Not Available
Vendor-login_configurator_projectGrandSlambert
Product-login_configuratorLogin Configurator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34374
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.05% / 14.98%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 11:24
Updated-25 Sep, 2024 | 15:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AnsPress – Question and answer Plugin <= 4.3.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Rahul Aryan AnsPress plugin <= 4.3.0 versions.

Action-Not Available
Vendor-anspressRahul Aryan
Product-anspressAnsPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27914
Matching Score-4
Assigner-Mautic
ShareView Details
Matching Score-4
Assigner-Mautic
CVSS Score-7.6||HIGH
EPSS-0.40% / 60.72%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 15:20
Updated-03 Aug, 2024 | 21:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the installer component of Mautic before 4.3.0 allows admins to inject executable javascript

Action-Not Available
Vendor-acquiaMautic
Product-mauticMautic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34173
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.87%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 14:04
Updated-24 Sep, 2024 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Yandex Metrica Counter Plugin <= 1.4.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alexander Semikashev Yandex Metrica Counter plugin <= 1.4.3 versions.

Action-Not Available
Vendor-yandex_metrica_counter_projectAlexander Semikashev
Product-yandex_metric_counterYandex Metrica Counter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33944
Matching Score-4
Assigner-Liferay, Inc.
ShareView Details
Matching Score-4
Assigner-Liferay, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.13% / 32.55%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 15:07
Updated-30 Jan, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34855
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.07% / 20.24%
||
7 Day CHG~0.00%
Published-12 Jun, 2023 | 00:00
Updated-03 Jan, 2025 | 23:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting (XSS) vulnerability in Youxun Electronic Equipment (Shanghai) Co., Ltd AC Centralized Management Platform v1.02.040 allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /upfile.cgi.

Action-Not Available
Vendor-ac_centralized_management_platform_projectn/a
Product-ac_centralized_management_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35095
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.57%
||
7 Day CHG~0.00%
Published-20 Jun, 2023 | 13:30
Updated-10 Oct, 2024 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Flo Forms Plugin <= 1.0.40 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Flothemes Flo Forms – Easy Drag & Drop Form Builder plugin <= 1.0.40 versions.

Action-Not Available
Vendor-flothemesFlothemes
Product-flo_formsFlo Forms – Easy Drag & Drop Form Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34187
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.87%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 13:00
Updated-24 Sep, 2024 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Call Now Icon Animate Plugin <= 0.1.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alan Tien Call Now Icon Animate plugin <= 0.1.0 versions.

Action-Not Available
Vendor-Alan Tiến
Product-call_now_icon_animateCall Now Icon Animate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34412
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 11.03%
||
7 Day CHG~0.00%
Published-17 Aug, 2023 | 13:07
Updated-02 Aug, 2024 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XXS vulnerability in mbnet, mbnet.rokey, REX 200 and REX 250

A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower 7.3.2 allows an authenticated remote attacker with high privileges to inject malicious HTML or JavaScript code (XSS).

Action-Not Available
Vendor-redlionhelmholzRed Lion EuropeHelmholz
Product-mbnet_mdh_876mbnet_mdh_811mbnet_mdh_876_firmwarembnet_mdh_841mbnet_mdh_831_firmwarerex_200mbnet_mdh_811_firmwarembnet_mdh_871_firmwarembnet_mdh_835rex_200_firmwarembnet_mdh_835_firmwarembnet.rokey_rkh_259mbnet_mdh_858rex_250_firmwarembnet_mdh_859mbnet_mdh_871mbnet_mdh_859_firmwarerex_250mbnet.rokey_rkh_259_firmwarembnet.rokey_rkh_235_firmwarembnet_mdh_816_firmwarembnet.rokey_rkh_216mbnet.rokey_rkh_235mbnet_mdh_841_firmwarembnet_mdh_816mbnet_mdh_850_firmwarembnet.rokey_rkh_210mbnet_mdh_858_firmwarembnet.rokey_rkh_210_firmwarembnet_mdh_855_firmwarembnet.rokey_rkh_216_firmwarembnet_mdh_850mbnet_mdh_831mbnet_mdh_855mbNETREX 200REX 250mbNET.rokey
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11772
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.21% / 43.77%
||
7 Day CHG-0.04%
Published-15 Apr, 2020 | 13:50
Updated-04 Aug, 2024 | 11:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwarer8900r9000_firmwarer8900_firmwared7800r9000r7500r7500_firmwarer7800rax120_firmwarexr500xr500_firmwarer7800_firmwarexr700_firmwarerax120xr700n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3469
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.2||MEDIUM
EPSS-0.14% / 34.84%
||
7 Day CHG~0.00%
Published-30 Jun, 2023 | 00:00
Updated-12 Nov, 2024 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Reflected in thorsten/phpmyfaq

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.2.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaqthorsten/phpmyfaqphpmyfaq
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34372
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.87%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 15:04
Updated-24 Sep, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download SpamReferrerBlock Plugin <= 2.22 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Didier Sampaolo SpamReferrerBlock plugin <= 2.22 versions.

Action-Not Available
Vendor-didcodeDidier Sampaolo
Product-spamreferrerblockSpamReferrerBlock
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34368
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.07% / 20.47%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 12:12
Updated-02 Aug, 2024 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kanban Boards for WordPress Plugin <= 2.5.20 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Kanban for WordPress Kanban Boards for WordPress plugin <= 2.5.20 versions.

Action-Not Available
Vendor-kanbanwpKanban for WordPress
Product-kanban_boardsKanban Boards for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35092
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.87%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 15:19
Updated-24 Sep, 2024 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress breadcrumb simple Plugin <= 1.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Abhay Yadav Breadcrumb simple plugin <= 1.3 versions.

Action-Not Available
Vendor-abhayrajmcaAbhay Yadav
Product-breadcrumb_simpleBreadcrumb simple
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35048
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.57%
||
7 Day CHG~0.00%
Published-23 Jun, 2023 | 11:50
Updated-10 Oct, 2024 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Booking and Rental Manager Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MagePeople Team Booking and Rental Manager for Bike plugin <= 1.2.1 versions.

Action-Not Available
Vendor-MagePeople
Product-booking_\&_rental_managerBooking and Rental Manager for Bike
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6713
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 24.18%
||
7 Day CHG+0.01%
Published-15 May, 2025 | 20:07
Updated-11 Jun, 2025 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PVN Auth Popup <= 1.0.0 - Admin+ Stored XSS

The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-freebiesdownloadUnknown
Product-pvn_auth_popupPVN Auth Popup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11781
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.23% / 45.76%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 15:09
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwarer8900r9000_firmwarer8900_firmwarexr700d7800rbs50_firmwarerbs50r9000r7500rbr50_firmwarer7500_firmwarerbr50r7800rax120_firmwarexr500_firmwarerbk50r7800_firmwarexr700_firmwarerbk50_firmwarerax120xr500n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34657
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.06% / 19.81%
||
7 Day CHG~0.00%
Published-19 Jun, 2023 | 00:00
Updated-12 Dec, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in Eyoucms v1.6.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the web_recordnum parameter.

Action-Not Available
Vendor-eyoucmsn/a
Product-eyoucmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34377
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.57%
||
7 Day CHG~0.00%
Published-05 Aug, 2023 | 22:51
Updated-25 Sep, 2024 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress My Content Management Plugin <= 1.7.6 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Joseph C Dolson My Content Management plugin <= 1.7.6 versions.

Action-Not Available
Vendor-joedolsonJoseph C Dolson
Product-my_content_managementMy Content Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34170
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.57%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 14:26
Updated-19 Feb, 2025 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quick/Bulk Order Form for WooCommerce Plugin <= 3.5.7 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP Overnight Quick/Bulk Order Form for WooCommerce plugin <= 3.5.7 versions.

Action-Not Available
Vendor-wpovernightWP Overnight
Product-download_quick\/bulk_order_form_for_woocommerceQuick/Bulk Order Form for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35157
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.5||HIGH
EPSS-1.24% / 79.05%
||
7 Day CHG~0.00%
Published-23 Jun, 2023 | 18:22
Updated-27 Nov, 2024 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform vulnerable to reflected cross-site scripting via delattachment action

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows the CSRF token of the user, or if the user ignores the warning about the missing CSRF token. The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-6708
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.06% / 18.11%
||
7 Day CHG+0.01%
Published-15 May, 2025 | 20:07
Updated-04 Jun, 2025 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Profile Builder <= 3.12.0 - Admin+ Stored Cross Site Scripting

The User Profile Builder WordPress plugin before 3.12.2 does not sanitise and escape some parameters before outputting its content on the admin area, which allows Admin+ users to perform Cross-Site Scripting attacks.

Action-Not Available
Vendor-cozmoslabsUnknown
Product-profile_builderUser Profile Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3501
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 50.94%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 14:22
Updated-23 Apr, 2025 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FormCraft < 1.2.7 - Admin+ Stored XSS

The FormCraft WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-formcraftsUnknown
Product-formcraftFormCraft
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3445
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-3.5||LOW
EPSS-0.10% / 28.52%
||
7 Day CHG~0.00%
Published-28 Jun, 2023 | 13:22
Updated-06 Nov, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in spinacms/spina

Cross-site Scripting (XSS) - Stored in GitHub repository spinacms/spina prior to 2.15.1.

Action-Not Available
Vendor-denkgrootspinacmsdenkgroot
Product-spinaspinacms/spinaspina
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34183
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.87%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 13:07
Updated-24 Sep, 2024 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Unite Gallery Lite Plugin <= 1.7.61 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Valiano Unite Gallery Lite plugin <= 1.7.61 versions.

Action-Not Available
Vendor-unitegalleryValiano
Product-unite_gallery_liteUnite Gallery Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3499
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 23.90%
||
7 Day CHG~0.00%
Published-04 Sep, 2023 | 11:27
Updated-23 Apr, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Robo Gallery < 3.2.16 - Admin+ Stored XSS

The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-robogalleryUnknown
Product-robo_galleryPhoto Gallery, Images, Slider in Rbs Image Gallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10614
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-4.8||MEDIUM
EPSS-0.11% / 29.16%
||
7 Day CHG~0.00%
Published-24 Jul, 2020 | 23:43
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display.

Action-Not Available
Vendor-osisoftn/a
Product-pi_visionOSIsoft PI System multiple products and versions
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10405
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.32% / 54.88%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 13:04
Updated-04 Aug, 2024 | 10:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/edit-glossary.php by adding a question mark (?) followed by the payload.

Action-Not Available
Vendor-chadhaajayn/a
Product-phpkbn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10408
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.32% / 54.88%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 13:04
Updated-04 Aug, 2024 | 10:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/edit-subscriber.php by adding a question mark (?) followed by the payload.

Action-Not Available
Vendor-chadhaajayn/a
Product-phpkbn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33208
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.87%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 12:03
Updated-24 Sep, 2024 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cookie Monster Plugin <= 1.51 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in gsmith Cookie Monster plugin <= 1.51 versions.

Action-Not Available
Vendor-cookie_monster_projectgsmith
Product-cookie_monsterCookie Monster
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33840
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.06% / 16.99%
||
7 Day CHG~0.00%
Published-23 Oct, 2023 | 19:36
Updated-11 Sep, 2024 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Verify Governance cross-site scripting

IBM Security Verify Governance 10.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 256037.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_governanceSecurity Verify Governance
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3344
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.09% / 25.41%
||
7 Day CHG~0.00%
Published-24 Jul, 2023 | 10:20
Updated-05 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Auto Location for WP Job Manager via Google < 1.1 - Admin+ Cross Site Scripting

The Auto Location for WP Job Manager via Google WordPress plugin before 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-auto_location_for_wp_job_manager_via_google_projectUnknown
Product-auto_location_for_wp_job_manager_via_googleAuto Location for WP Job Manager via Google
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-33329
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.57%
||
7 Day CHG~0.00%
Published-18 Jul, 2023 | 17:15
Updated-25 Sep, 2024 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Custom Post Type Generator Plugin <= 2.4.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in Hijiri Custom Post Type Generator plugin <= 2.4.2 versions.

Action-Not Available
Vendor-custom_post_type_generator_projectHijiri
Product-custom_post_type_generatorCustom Post Type Generator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • ...
  • 68
  • 69
  • 70
  • 71
  • Next
Details not found