Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-11954

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-28 Jan, 2025 | 13:14
Updated At-28 Jan, 2025 | 14:17
Rejected At-
Credits

Pimcore Search Document cross site scripting

A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:28 Jan, 2025 | 13:14
Updated At:28 Jan, 2025 | 14:17
Rejected At:
▼CVE Numbering Authority (CNA)
Pimcore Search Document cross site scripting

A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Affected Products
Vendor
n/a
Product
Pimcore
Modules
  • Search Document
Versions
Affected
  • 11.4.2
Problem Types
TypeCWE IDDescription
CWECWE-80Basic Cross Site Scripting
CWECWE-74Injection
Type: CWE
CWE ID: CWE-80
Description: Basic Cross Site Scripting
Type: CWE
CWE ID: CWE-74
Description: Injection
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3.12.4LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
3.02.4LOW
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
2.03.3N/A
AV:N/AC:L/Au:M/C:N/I:P/A:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 2.4
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Version: 3.0
Base score: 2.4
Base severity: LOW
Vector:
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Version: 2.0
Base score: 3.3
Base severity: N/A
Vector:
AV:N/AC:L/Au:M/C:N/I:P/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Advisory disclosed2025-01-28 00:00:00
VulDB entry created2025-01-28 01:00:00
VulDB entry last update2025-01-28 14:15:14
Event: Advisory disclosed
Date: 2025-01-28 00:00:00
Event: VulDB entry created
Date: 2025-01-28 01:00:00
Event: VulDB entry last update
Date: 2025-01-28 14:15:14
Replaced By

Rejected Reason

References
HyperlinkResource
https://vuldb.com/?id.293905
vdb-entry
https://vuldb.com/?ctiid.293905
signature
permissions-required
https://vuldb.com/?submit.451774
third-party-advisory
https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg
exploit
Hyperlink: https://vuldb.com/?id.293905
Resource:
vdb-entry
Hyperlink: https://vuldb.com/?ctiid.293905
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/?submit.451774
Resource:
third-party-advisory
Hyperlink: https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg
Resource:
exploit
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg
exploit
https://vuldb.com/?submit.451774
exploit
Hyperlink: https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg
Resource:
exploit
Hyperlink: https://vuldb.com/?submit.451774
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:28 Jan, 2025 | 14:15
Updated At:04 Nov, 2025 | 17:40

A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.12.4LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Secondary2.03.3LOW
AV:N/AC:L/Au:M/C:N/I:P/A:N
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 2.4
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 2.0
Base score: 3.3
Base severity: LOW
Vector:
AV:N/AC:L/Au:M/C:N/I:P/A:N
CPE Matches

Pimcore
pimcore
>>pimcore>>11.4.2
cpe:2.3:a:pimcore:pimcore:11.4.2:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-74Secondarycna@vuldb.com
CWE-80Secondarycna@vuldb.com
CWE ID: CWE-74
Type: Secondary
Source: cna@vuldb.com
CWE ID: CWE-80
Type: Secondary
Source: cna@vuldb.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cgcna@vuldb.com
Exploit
Vendor Advisory
https://vuldb.com/?ctiid.293905cna@vuldb.com
Permissions Required
VDB Entry
https://vuldb.com/?id.293905cna@vuldb.com
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.451774cna@vuldb.com
Third Party Advisory
VDB Entry
https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
https://vuldb.com/?submit.451774134c704f-9b21-4f2e-91b3-4a467353bcc0
Third Party Advisory
VDB Entry
Hyperlink: https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg
Source: cna@vuldb.com
Resource:
Exploit
Vendor Advisory
Hyperlink: https://vuldb.com/?ctiid.293905
Source: cna@vuldb.com
Resource:
Permissions Required
VDB Entry
Hyperlink: https://vuldb.com/?id.293905
Source: cna@vuldb.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://vuldb.com/?submit.451774
Source: cna@vuldb.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Vendor Advisory
Hyperlink: https://vuldb.com/?submit.451774
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Third Party Advisory
VDB Entry

Change History

0
Information is not available yet

Similar CVEs

65Records found

CVE-2023-1517
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4||MEDIUM
EPSS-0.40% / 32.12%
||
7 Day CHG~0.00%
Published-20 Mar, 2023 | 00:00
Updated-26 Feb, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - DOM in pimcore/pimcore

Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore/pimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1286
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.8||MEDIUM
EPSS-0.43% / 34.46%
||
7 Day CHG~0.00%
Published-09 Mar, 2023 | 00:00
Updated-28 Feb, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore/pimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1312
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.2||MEDIUM
EPSS-0.41% / 33.34%
||
7 Day CHG~0.00%
Published-10 Mar, 2023 | 00:00
Updated-28 Feb, 2025 | 15:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore/pimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2796
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.7||MEDIUM
EPSS-1.45% / 70.21%
||
7 Day CHG~0.00%
Published-23 Aug, 2022 | 08:00
Updated-03 Aug, 2024 | 00:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.4.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore/pimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-3255
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.8||MEDIUM
EPSS-0.66% / 47.02%
||
7 Day CHG+0.02%
Published-21 Sep, 2022 | 12:00
Updated-28 May, 2025 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore/pimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0955
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.57% / 43.18%
||
7 Day CHG~0.00%
Published-24 Mar, 2022 | 14:45
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in pimcore/data-hub

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/data-hub prior to 1.2.4.

Action-Not Available
Vendor-Pimcore
Product-data-hubpimcore/data-hub
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-30166
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-1.8||LOW
EPSS-0.22% / 12.68%
||
7 Day CHG+0.01%
Published-08 Apr, 2025 | 11:07
Updated-04 Nov, 2025 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pimcore's Admin Classic Bundle allows HTML Injection

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content. The vulnerability was discovered in the /admin/email/send-test-email endpoint using the POST method. The vulnerable parameter is content, which permits the injection of arbitrary HTML code during the email sending process. While JavaScript code injection is blocked through filtering, HTML code injection remains possible. This vulnerability is fixed in 1.7.6.

Action-Not Available
Vendor-Pimcore
Product-admin_classic_bundleadmin-ui-classic-bundle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28106
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.69% / 48.45%
||
7 Day CHG~0.00%
Published-16 Mar, 2023 | 16:31
Updated-25 Feb, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pimcore vulnerable to Cross-site Scripting in UrlSlug Data type

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2630
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.7||MEDIUM
EPSS-0.58% / 43.32%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 00:00
Updated-27 Jan, 2025 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore/pimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2332
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4||MEDIUM
EPSS-0.36% / 27.64%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 10:57
Updated-19 Nov, 2024 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-site Scripting (XSS) in pimcore/pimcore

A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore versions 10.5.19. The vulnerability is present in the From and To fields of the Date Range section, allowing an attacker to inject malicious scripts. This can lead to the execution of arbitrary JavaScript code in the context of the user's browser, potentially stealing cookies or redirecting users to malicious sites. The issue is fixed in version 10.5.21.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore/pimcorepimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11956
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.82% / 52.90%
||
7 Day CHG~0.00%
Published-28 Jan, 2025 | 13:46
Updated-04 Nov, 2025 | 17:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pimcore customer-data-framework list sql injection

A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-Pimcore
Product-pimcorecustomer-data-framework
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-23648
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.83% / 53.02%
||
7 Day CHG~0.00%
Published-24 Jan, 2024 | 18:05
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pimcore Admin Classic Bundle host header injection in the password reset

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user's password. Prior to version 1.2.3, the reset-password URL is crafted using the "Host" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a "Host" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue.

Action-Not Available
Vendor-Pimcore
Product-admin_classic_bundleadmin-ui-classic-bundle
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2023-46722
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.50% / 38.94%
||
7 Day CHG~0.00%
Published-31 Oct, 2023 | 15:36
Updated-05 Sep, 2024 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews

The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually.

Action-Not Available
Vendor-Pimcore
Product-admin_classic_bundleadmin-ui-classic-bundle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-25625
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.68% / 47.99%
||
7 Day CHG~0.00%
Published-19 Feb, 2024 | 15:41
Updated-01 Apr, 2025 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pimcore Host Header Injection in user invitation link

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input. The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker's domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application's domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent.

Action-Not Available
Vendor-Pimcore
Product-admin_classic_bundleadmin-ui-classic-bundleadmin_classic_bundle
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2023-20257
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.36% / 27.84%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 16:55
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct cross-site scripting attacks. This vulnerability is due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by submitting malicious input containing script or HTML content within requests that would stored within the application interface. A successful exploit could allow the attacker to conduct cross-site scripting attacks against other users of the affected application.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_infrastructureevolved_programmable_network_managerCisco Evolved Programmable Network Manager (EPNM)Cisco Prime Infrastructure
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20222
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.38% / 29.53%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 21:39
Updated-02 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_infrastructureevolved_programmable_network_managerCisco Prime InfrastructureCisco Evolved Programmable Network Manager (EPNM)
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10806
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.40% / 32.22%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:31
Updated-06 Nov, 2024 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Hospital Management System betweendates-detailsreports.php cross site scripting

A vulnerability was found in PHPGurukul Hospital Management System 4.0. It has been declared as problematic. This vulnerability affects unknown code of the file betweendates-detailsreports.php. The manipulation of the argument fromdate/todate leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anujkumarPHPGurukul LLP
Product-hospital_management_systemHospital Management Systemhospital_management_system
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2023-0007
Matching Score-4
Assigner-Palo Alto Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 34.37%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 16:30
Updated-24 Jan, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software on Panorama appliances enables an authenticated read-write administrator to store a JavaScript payload in the web interface that will execute in the context of another administrator’s browser when viewed.

Action-Not Available
Vendor-Palo Alto Networks, Inc.
Product-panorama_m-600panorama_m-500pan-ospanorama_m-200Prisma AccessPAN-OSCloud NGFW
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6251
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.37% / 29.17%
||
7 Day CHG~0.00%
Published-22 Jun, 2024 | 11:31
Updated-19 Sep, 2024 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
playSMS New Phonebook cross site scripting

A vulnerability, which was classified as problematic, was found in playSMS 1.4.3. Affected is an unknown function of the file /index.php?app=main&inc=feature_phonebook&op=phonebook_list of the component New Phonebook Handler. The manipulation of the argument name/email leads to basic cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-269418 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-playsmsn/aplaysms
Product-playsmsplaySMSplaysms
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-38318
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.26% / 17.16%
||
7 Day CHG+0.01%
Published-05 Feb, 2025 | 22:49
Updated-07 Mar, 2025 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Aspera Shares HTML injection

IBM Aspera Shares 1.9.0 through 1.10.0 PL6 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

Action-Not Available
Vendor-IBM Corporation
Product-aspera_sharesAspera Shares
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-24807
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2.7||LOW
EPSS-0.52% / 40.25%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 20:09
Updated-01 Aug, 2024 | 23:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sulu is vulnerable to HTML Injection via Autocomplete Suggestion

Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12.

Action-Not Available
Vendor-sulusulusulu
Product-sulusulusulu
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-39277
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.5||MEDIUM
EPSS-0.54% / 41.37%
||
7 Day CHG~0.00%
Published-03 Nov, 2022 | 00:00
Updated-22 Apr, 2025 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) in external links in GLPI

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. External links are not properly sanitized and can therefore be used for a Cross-Site Scripting (XSS) attack. This issue has been patched, please upgrade to GLPI 10.0.4. There are currently no known workarounds.

Action-Not Available
Vendor-GLPI Project
Product-glpiglpi
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-10840
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.35% / 27.40%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 13:00
Updated-06 Nov, 2024 | 22:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
romadebrian WEB-Sekolah Backend akun_edit.php cross site scripting

A vulnerability classified as problematic has been found in romadebrian WEB-Sekolah 1.0. Affected is an unknown function of the file /Admin/akun_edit.php of the component Backend. The manipulation of the argument kode leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-romadebrianromadebrianromadebrian
Product-web-sekolahWEB-Sekolahweb-sekolah
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2024-10807
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.40% / 32.22%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 01:00
Updated-06 Nov, 2024 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Hospital Management System search.php cross site scripting

A vulnerability was found in PHPGurukul Hospital Management System 4.0. It has been rated as problematic. This issue affects some unknown processing of the file hms/doctor/search.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anujkumarPHPGurukul LLP
Product-hospital_management_systemHospital Management Systemhospital_management_system
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2024-10842
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.40% / 32.16%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 14:00
Updated-06 Nov, 2024 | 22:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
romadebrian WEB-Sekolah Backend Proses_Edit_Akun.php cross site scripting

A vulnerability, which was classified as problematic, has been found in romadebrian WEB-Sekolah 1.0. Affected by this issue is some unknown functionality of the file /Admin/Proses_Edit_Akun.php of the component Backend. The manipulation of the argument Username_Baru/Password leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-romadebrianromadebrianromadebrian
Product-web-sekolahWEB-Sekolahweb-sekolah
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2026-34246
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 11.94%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 21:18
Updated-20 May, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CtrlPanel: Stored XSS in Admin Role Management via Unescaped DataTable HTML Output

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability exists in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and $role->color directly into a <span> element's HTML and style attribute without sanitization, and the chained .rawColumns(['actions', 'name']) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. An admin with role creation or edit permissions can inject a payload such as <img src=x onerror="alert('XSS_POC')"> into the name or color fields, which is persisted to the database and executes in the browser of every admin who loads the /admin/roles page. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed. This issue has been resolved in version 1.2.0.

Action-Not Available
Vendor-Ctrlpanel-gg
Product-panel
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2023-6164
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-2.2||LOW
EPSS-0.40% / 31.47%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 15:33
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MainWP Dashboard <= 4.5.1.2 - Authenticated(Administrator+) CSS Injection

The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags.

Action-Not Available
Vendor-mainwpmainwp
Product-mainwpMainWP Dashboard: Self-hosted WordPress Management for Agencies
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-4843
Matching Score-4
Assigner-Pegasystems Inc.
ShareView Details
Matching Score-4
Assigner-Pegasystems Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 21.29%
||
7 Day CHG~0.00%
Published-08 Sep, 2023 | 16:06
Updated-25 Sep, 2024 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.

Action-Not Available
Vendor-pegaPegasystems
Product-pega_platformPega Platform
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-20047
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.24% / 14.79%
||
7 Day CHG~0.00%
Published-15 Jan, 2026 | 16:32
Updated-26 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Identity Services Engine Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-identity_services_engineCisco Identity Services Engine Software
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2023-4157
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.2||MEDIUM
EPSS-0.45% / 35.68%
||
7 Day CHG~0.00%
Published-04 Aug, 2023 | 17:15
Updated-09 Oct, 2024 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Special Elements in Output Used by a Downstream Component in omeka/omeka-s

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in GitHub repository omeka/omeka-s prior to version 4.0.3.

Action-Not Available
Vendor-omekaomekaomeka
Product-omeka_someka/omeka-someka
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2026-1564
Matching Score-4
Assigner-Pegasystems Inc.
ShareView Details
Matching Score-4
Assigner-Pegasystems Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.19% / 8.50%
||
7 Day CHG~0.00%
Published-15 Apr, 2026 | 21:31
Updated-23 Apr, 2026 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.

Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.

Action-Not Available
Vendor-pegaPegasystems
Product-pega_platformPega Infinity
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2023-4109
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.38% / 29.90%
||
7 Day CHG~0.00%
Published-30 Aug, 2023 | 14:22
Updated-23 Apr, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Forms < 3.6.26 - Admin+ Stored HTML Injection

The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability.

Action-Not Available
Vendor-UnknownSaturday Drive, INC
Product-ninja_forms_contact_formNinja Forms Contact Form
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-20267
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 12.72%
||
7 Day CHG~0.00%
Published-21 May, 2025 | 16:20
Updated-22 Jul, 2025 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Identity Services Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-identity_services_engineCisco Identity Services Engine Software
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2026-44839
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.6||MEDIUM
EPSS-0.18% / 7.79%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 15:07
Updated-04 Jun, 2026 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RabbitMQ: Unsanitized vhost names allow for XSS in management UI

RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13.

Action-Not Available
Vendor-rabbitmqBroadcom Inc.
Product-rabbitmq_serverrabbitmq-server
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-8145
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.42% / 34.01%
||
7 Day CHG~0.00%
Published-25 Aug, 2024 | 05:31
Updated-18 Sep, 2024 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ClassCMS Article admin cross site scripting

A vulnerability, which was classified as problematic, has been found in ClassCMS 4.8. Affected by this issue is some unknown functionality of the file /index.php/admin of the component Article Handler. The manipulation of the argument Title leads to basic cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-classcmsn/aclasscms
Product-classcmsClassCMSclasscms
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6469
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.74% / 49.99%
||
7 Day CHG~0.00%
Published-03 Jul, 2024 | 10:31
Updated-01 Aug, 2024 | 21:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
playSMS Template injection

A vulnerability was found in playSMS 1.4.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?app=main&inc=feature_firewall&op=firewall_list of the component Template Handler. The manipulation of the argument IP address with the input {{`id`} leads to injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-270277 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-playsmsn/aplaysms
Product-playsmsplaySMSplaysms
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2024-6470
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.39% / 30.43%
||
7 Day CHG~0.00%
Published-03 Jul, 2024 | 12:31
Updated-05 Apr, 2025 | 00:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
playSMS Template injection

A vulnerability was found in playSMS 1.4.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php?app=main&inc=feature_inboxgroup&op=list of the component Template Handler. The manipulation of the argument Receiver Number with the input {{`id`}} leads to injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-270278 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-playsmsn/aplaysms
Product-playsmsplaySMSplaysms
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2024-6702
Matching Score-4
Assigner-Pegasystems Inc.
ShareView Details
Matching Score-4
Assigner-Pegasystems Inc.
CVSS Score-5.2||MEDIUM
EPSS-0.24% / 15.51%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 14:25
Updated-13 Sep, 2024 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.

Action-Not Available
Vendor-pegaPegasystems
Product-infinityPega Infinity
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-52967
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-3.3||LOW
EPSS-0.35% / 26.60%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 14:09
Updated-03 Feb, 2025 | 21:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of script-related html tags in a web page (basic xss) in Fortinet FortiPortal 6.0.0 through 6.0.14 allows attacker to execute unauthorized code or commands via html injection.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiportalFortiPortal
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9797
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.25% / 15.77%
||
7 Day CHG~0.00%
Published-01 Sep, 2025 | 22:02
Updated-02 Sep, 2025 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mrvautin expressCart Edit Product edit injection

A vulnerability was determined in mrvautin expressCart up to b31302f4e99c3293bd742c6d076a721e168118b0. This impacts an unknown function of the file /admin/product/edit/ of the component Edit Product Page. This manipulation causes injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

Action-Not Available
Vendor-mrvautin
Product-expressCart
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2022-36325
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-6.8||MEDIUM
EPSS-0.79% / 51.93%
||
7 Day CHG~0.00%
Published-10 Aug, 2022 | 11:18
Updated-14 Apr, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected devices do not properly sanitize data introduced by an user when rendering the web interface. This could allow an authenticated remote attacker with administrative privileges to inject code and lead to a DOM-based XSS.

Action-Not Available
Vendor-Siemens AG
Product-scalance_xp208_\(eip\)_firmwarescalance_xr528-6m_l3scalance_xc208g_eec_firmwarescalance_m-800_firmwarescalance_xm416-4c_l3scalance_xr-300eecscalance_xc206-2sfp_g_firmwarescalance_xr324wg_firmwarescalance_w700_ieee_802.11ac_firmwarescalance_xc-200scalance_xb208_firmwarescalance_xb213-3ld_firmwarescalance_xc208g_poe_firmwarescalance_xm408-4c_firmwarescalance_xm416-4cscalance_xr528-6m_firmwarescalance_xc206-2scalance_xr528-6m_2hr2_l3scalance_xp208eecscalance_xr552-12m_2hr2_l3scalance_xp-200scalance_xc206-2sfp_eecscalance_xc216_firmwarescalance_xp216_firmwarescalance_xr528-6mscalance_xr526-8c_firmwarescalance_xb216scalance_xr328-4c_wg_firmwarescalance_xr526_firmwarescalance_xr552scalance_xp208eec_firmwarescalance_xf204-2ba_irt_firmwarescalance_sc646-2c_firmwarescalance_xr-300wgscalance_xp208scalance_xc206-2g_poe__firmwarescalance_xr526scalance_xc224_scalance_xr552-12m_firmwarescalance_xr324-4m_poe_firmwarescalance_xm408-4c_l3scalance_xr552-12m_2hr2scalance_xr552-12scalance_xb213-3_firmwarescalance_sc622-2cscalance_xf204-2ba_dnascalance_xp208poe_eec_firmwarescalance_xc224-4c_g_eec_firmwarescalance_xr326-2c_poe_wg_firmwarescalance_xp216eec_firmwarescalance_xc208g_\(e\/ip\)scalance_xc224-4c_g_scalance_xm416-4c_l3_firmwarescalance_xr524_firmwarescalance_xr524-8cscalance_xc216scalance_xc224-4c_g_\(e\/ip\)scalance_xc216-4c_g_\(e\/ip\)scalance_xc216-4c_g_\(e\/ip\)_firmwarescalance_xb208scalance_xp216eecscalance_xc208eec_firmwarescalance_xc208gscalance_xr524-8c_l3scalance_sc646-2cscalance_xr552-12_firmwarescalance_xr324-4m_eec_firmwarescalance_xc216eec_firmwarescalance_xm408-4cscalance_xr-300eec_firmwarescalance_xr500scalance_xc216-4c_firmwarescalance_xb-200scalance_xb-200_firmwarescalance_xc216eecscalance_w700_ieee_802.11nscalance_xr324-4m_eecscalance_xc216-4c_gscalance_xr324-4m_poe_tsscalance_xc208_firmwarescalance_xp216poe_eec_firmwarescalance_xr528-6m_l3_firmwarescalance_xc224-4c_g_\(e\/ip\)_firmwarescalance_sc636-2c_firmwarescalance_xp208_\(eip\)scalance_sc642-2c_firmwarescalance_xr528scalance_xb205-3ldscalance_xr326-2c_poe_wgscalance_xc216-4c_g_eec_firmwarescalance_xr528-6m_2hr2scalance_xf-200ba_firmwarescalance_xm408-8c_l3scalance_sc-600_firmwarescalance_xb205-3ld_firmwarescalance_xc206-2g_poe_scalance_xm408-4c_l3_firmwarescalance_xr552-12mscalance_xm400scalance_xc208eecscalance_xb213-3ldscalance_xr524-8c_firmwarescalance_xr-300poe_firmwarescalance_sc632-2c_firmwarescalance_xr324-12m_firmwarescalance_xr528_firmwarescalance_xr-300_firmwarescalance_xc-200_firmwarescalance_xc224-4c_g_eecscalance_xb205-3scalance_xc206-2sfp_gscalance_xr526-8c_l3_firmwarescalance_xm416-4c_firmwarescalance_xc216-4cscalance_xr324-4m_poescalance_xr528-6m_2hr2_firmwarescalance_xc224-4c_g__firmwarescalance_xr328-4c_wgscalance_xb216_firmwarescalance_sc622-2c_firmwarescalance_xr526-8c_l3scalance_sc642-2cscalance_xc208g_firmwarescalance_xr324wgscalance_sc632-2cscalance_xc208scalance_xr324-12m_tsscalance_xp216_\(eip\)scalance_xb213-3scalance_xc208g_poescalance_xr500_firmwarescalance_xm408-8c_firmwarescalance_xr-300poescalance_w700_ieee_802.11acscalance_xc206-2sfp_g_\(e\/ip\)_firmwarescalance_xr-300wg_firmwarescalance_xm408-8cscalance_w700_ieee_802.11ax_firmwarescalance_xc206-2sfp_g_eecscalance_xp216scalance_m-800scalance_xr-300scalance_xp208_firmwarescalance_xp208poe_eecscalance_xm408-8c_l3_firmwarescalance_xf-200bascalance_xc208g_\(e\/ip\)_firmwarescalance_xm400_firmwarescalance_xc206-2sfp_g_\(e\/ip\)scalance_xc206-2sfp_eec_firmwarescalance_w700_ieee_802.11axscalance_xf204-2ba_dna_firmwarescalance_w700_ieee_802.11n_firmwarescalance_xc216-4c_g_firmwarescalance_xc208g_eecscalance_xc206-2_firmwarescalance_xp216poe_eecscalance_xr524-8c_l3_firmwarescalance_sc636-2cscalance_xr526-8cscalance_xr528-6m_2hr2_l3_firmwarescalance_xp-200_firmwarescalance_s615scalance_xr324-4m_poe_ts_firmwarescalance_xr552-12m_2hr2_l3_firmwarescalance_sc-600scalance_xc206-2g_poe_eecscalance_xb205-3_firmwarescalance_xr324-12m_ts_firmwarescalance_xr552_firmwarescalance_s615_firmwarescalance_xr524scalance_xp216_\(eip\)_firmwarescalance_xc206-2g_poe_eec_firmwarescalance_xf204-2ba_irtscalance_xr324-12mscalance_xc224__firmwarescalance_xr552-12m_2hr2_firmwarescalance_xc216-4c_g_eecscalance_xc206-2sfp_g_eec_firmwareSCALANCE M876-4 (EU)SCALANCE WAM763-1SCALANCE W1748-1 M12SCALANCE XC224-4C G (EIP Def.)SCALANCE W734-1 RJ45 (USA)SCALANCE XC206-2SFP GSCALANCE XR524-8C, 24VSCALANCE XC206-2 (SC)SCALANCE XB205-3 (SC, PN)SCALANCE XC216-4CSCALANCE SC646-2CSCALANCE XC206-2G PoE (54 V DC)SCALANCE XR328-4C WG (28xGE, DC 24V)SIPLUS NET SCALANCE XC206-2SCALANCE XP216EECSCALANCE XC216EECSCALANCE XR324WG (24 x FE, AC 230V)SCALANCE XB213-3 (ST, E/IP)SCALANCE XB208 (PN)SCALANCE XR552-12M (2HR2, L3 int.)SCALANCE M826-2 SHDSL-RouterSCALANCE XR328-4C WG (24XFE, 4XGE, 24V)SCALANCE W1788-2 M12SCALANCE W786-1 RJ45SCALANCE S615 LAN-RouterSCALANCE W774-1 M12 EECSCALANCE WUM766-1 (USA)SCALANCE XP216SCALANCE W778-1 M12 EECSCALANCE XP216POE EECSCALANCE W761-1 RJ45SCALANCE W722-1 RJ45SCALANCE XP208SCALANCE W1788-2 EEC M12SCALANCE SC642-2CSCALANCE XR526-8C, 24V (L3 int.)SCALANCE XC208GSCALANCE XR328-4C WG (24xFE,4xGE,AC230V)SCALANCE XR528-6M (2HR2)SCALANCE SC632-2CSCALANCE XC224SCALANCE XM408-4C (L3 int.)SCALANCE XB213-3 (SC, PN)SIPLUS NET SCALANCE XC208SCALANCE M812-1 ADSL-RouterSCALANCE XC206-2G PoESCALANCE XR328-4C WG (24xFE, 4xGE,DC24V)SCALANCE XC208G PoE (54 V DC)SCALANCE WAM766-1 EEC (US)SCALANCE W778-1 M12 EEC (USA)SCALANCE W786-2IA RJ45SCALANCE XB213-3 (SC, E/IP)SCALANCE XR526-8C, 24VSCALANCE XC208SCALANCE XB208 (E/IP)SCALANCE XR552-12MSCALANCE XP216 (Ethernet/IP)SCALANCE XB205-3 (ST, E/IP)SCALANCE M876-3 (ROK)SCALANCE MUM853-1 (EU)SCALANCE XF204-2BASCALANCE XR326-2C PoE WGSCALANCE XR526-8C, 1x230V (L3 int.)SCALANCE W774-1 RJ45 (USA)SCALANCE XC216-3G PoE (54 V DC)SCALANCE WAM766-1 EECSCALANCE XR526-8C, 2x230VSCALANCE XC206-2SFP G (EIP DEF.)SCALANCE XR528-6M (L3 int.)SCALANCE XM408-4CSCALANCE XR526-8C, 1x230VSCALANCE XR524-8C, 24V (L3 int.)SCALANCE M874-3SCALANCE XM408-8CSCALANCE M876-4 (NAM)SCALANCE W786-2 SFPSCALANCE W738-1 M12SCALANCE XC208G (EIP def.)SCALANCE XC224-4C G EECSCALANCE W1788-2IA M12SCALANCE W774-1 RJ45SCALANCE XC206-2SFP EECSCALANCE XM416-4CSCALANCE XC216-3G PoESCALANCE XR524-8C, 2x230VSCALANCE XR528-6M (2HR2, L3 int.)SCALANCE XB205-3LD (SC, E/IP)SCALANCE XC216-4C G EECSCALANCE WUM766-1SCALANCE XC216-4C GSCALANCE XB213-3LD (SC, E/IP)SCALANCE W721-1 RJ45SCALANCE XR326-2C PoE WG (without UL)SCALANCE XR324WG (24 X FE, DC 24V)SCALANCE W748-1 RJ45SCALANCE W788-2 RJ45SCALANCE XR524-8C, 1x230VSCALANCE XR524-8C, 1x230V (L3 int.)SCALANCE MUM856-1 (EU)SCALANCE XC206-2SFP G EECSCALANCE M874-2SCALANCE W734-1 RJ45SCALANCE W748-1 M12SCALANCE XF204-2BA DNASCALANCE XB213-3LD (SC, PN)SCALANCE XC224-4C GSCALANCE XR526-8C, 2x230V (L3 int.)SCALANCE SC626-2CSCALANCE XP208EECSCALANCE XF204 DNASCALANCE XR528-6MSCALANCE WAM766-1SCALANCE W788-1 RJ45SCALANCE M816-1 ADSL-RouterSCALANCE W1788-1 M12SCALANCE W786-2 RJ45SCALANCE XP208 (Ethernet/IP)RUGGEDCOM RM1224 LTE(4G) EUSCALANCE XB205-3 (ST, PN)SCALANCE XB216 (E/IP)SCALANCE XC208G PoESCALANCE XC216-4C G (EIP Def.)SCALANCE W788-2 M12SCALANCE WAM766-1 (US)SCALANCE XC206-2 (ST/BFOC)SCALANCE XP208PoE EECSCALANCE XR524-8C, 2x230V (L3 int.)SCALANCE M804PBSCALANCE W788-1 M12SCALANCE XC206-2G PoE EEC (54 V DC)SCALANCE M876-3SCALANCE XR552-12M (2HR2)SCALANCE XC206-2SFPSCALANCE SC636-2CSCALANCE XM408-8C (L3 int.)SCALANCE XM416-4C (L3 int.)SCALANCE W788-2 M12 EECSCALANCE XB216 (PN)SCALANCE XC216SCALANCE XF204SIPLUS NET SCALANCE XC216-4CSCALANCE XB205-3LD (SC, PN)SCALANCE SC622-2CSCALANCE WUM763-1SCALANCE MUM856-1 (RoW)SIPLUS NET SCALANCE XC206-2SFPSCALANCE W778-1 M12SCALANCE XB213-3 (ST, PN)SCALANCE XC208EECSCALANCE XC208G EECRUGGEDCOM RM1224 LTE(4G) NAMSCALANCE XR328-4C WG (28xGE, AC 230V)
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2022-36057
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.39% / 30.57%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 19:30
Updated-23 Apr, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse-Chat Cross-Site Scripting issue for channel names and descriptions

Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a patch for this issue.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discourse-chatdiscourse-chat
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2022-20765
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.54% / 41.28%
||
7 Day CHG~0.00%
Published-27 May, 2022 | 14:06
Updated-06 Nov, 2024 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco UCS Director JavaScript Cross-Site Scripting Vulnerability

A vulnerability in the web applications of Cisco UCS Director could allow an authenticated, remote attacker to conduct a cross-site scripting attack on an affected system. This vulnerability is due to unsanitized user input. An attacker could exploit this vulnerability by submitting custom JavaScript to affected web applications. A successful exploit could allow the attacker to rewrite web page content, access sensitive information stored in the applications, and alter data by submitting forms.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ucs_directorCisco UCS Director
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-21145
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-77.78% / 99.51%
||
7 Day CHG+0.61%
Published-14 Apr, 2022 | 19:56
Updated-15 Apr, 2025 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting vulnerability exists in the WebUserActions.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-lansweeperLansweeper
Product-lansweeperlansweeper
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-45406
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.33% / 25.39%
||
7 Day CHG~0.00%
Published-09 Sep, 2024 | 16:46
Updated-13 Sep, 2024 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Craft CMS stored XSS in breadcrumb list and title fields

Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.

Action-Not Available
Vendor-craftcmscraftcmscraftcms
Product-craft_cmscmscraft_cms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2021-39348
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.5||MEDIUM
EPSS-5.04% / 91.24%
||
7 Day CHG~0.00%
Published-21 Oct, 2021 | 19:38
Updated-14 Feb, 2025 | 17:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin <= 4.1.3.1 Authenticated Stored Cross-Site Scripting

The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is seperate from CVE-2021-24702.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-learnpressLearnPress
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-20098
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.49% / 38.79%
||
7 Day CHG~0.00%
Published-27 Jun, 2022 | 18:11
Updated-15 Apr, 2025 | 14:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Admin Custom Login Plugin Persistent cross site scripting

A vulnerability was found in Admin Custom Login Plugin 2.4.5.2. It has been classified as problematic. Affected is an unknown function. The manipulation leads to basic cross site scripting (Persistent). It is possible to launch the attack remotely.

Action-Not Available
Vendor-weblizarunspecified
Product-admin_custom_loginAdmin Custom Login Plugin
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-66486
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.24% / 15.09%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 23:03
Updated-03 Apr, 2026 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple vulnerabilities have been addressed in IBM Aspera Shares

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

Action-Not Available
Vendor-IBM Corporation
Product-aspera_sharesAspera Shares
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-7061
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.29% / 20.79%
||
7 Day CHG~0.00%
Published-04 Jul, 2025 | 12:32
Updated-20 Aug, 2025 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Intelbras InControl operador csv injection

A vulnerability was found in Intelbras InControl up to 2.21.60.9. It has been declared as problematic. This vulnerability affects unknown code of the file /v1/operador/. The manipulation leads to csv injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-intelbrasIntelbras
Product-incontrol_webInControl
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2025-27099
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 19.49%
||
7 Day CHG~0.00%
Published-03 Mar, 2025 | 15:54
Updated-10 Jul, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tuleap allows XSS via the tracker names used in the semantic timeframe deletion message

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the tracker names used in the semantic timeframe deletion message. A tracker administrator with a semantic timeframe used by other trackers could use this vulnerability to force other tracker administrators to execute uncontrolled code. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740067916 and Tuleap Enterprise Edition 16.4-5 and 16.3-10.

Action-Not Available
Vendor-Enalean SAS
Product-tuleaptuleap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • Previous
  • 1
  • 2
  • Next
Details not found