Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-5742

Summary
Assigner-schneider
Assigner Org ID-076d1eb6-cfab-4401-b34d-6dfc2a413bdb
Published At-10 Jun, 2025 | 08:11
Updated At-10 Jun, 2025 | 13:08
Rejected At-
Credits

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an authenticated user modifies configuration parameters on the web server

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:schneider
Assigner Org ID:076d1eb6-cfab-4401-b34d-6dfc2a413bdb
Published At:10 Jun, 2025 | 08:11
Updated At:10 Jun, 2025 | 13:08
Rejected At:
▼CVE Numbering Authority (CNA)

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an authenticated user modifies configuration parameters on the web server

Affected Products
Vendor
Schneider Electric SESchneider Electric
Product
EVLink WallBox
Default Status
unaffected
Versions
Affected
  • All Versions
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-161-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-161-03.pdf
N/A
Hyperlink: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-161-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-161-03.pdf
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cybersecurity@se.com
Published At:10 Jun, 2025 | 09:15
Updated At:12 Jun, 2025 | 16:06

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an authenticated user modifies configuration parameters on the web server

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-79Primarycybersecurity@se.com
CWE ID: CWE-79
Type: Primary
Source: cybersecurity@se.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-161-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-161-03.pdfcybersecurity@se.com
N/A
Hyperlink: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-161-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-161-03.pdf
Source: cybersecurity@se.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

10506Records found

CVE-2025-3117
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-5.1||MEDIUM
EPSS-0.19% / 8.93%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 08:43
Updated-12 Jun, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists impacting configuration file paths that could cause an unvalidated data injected by authenticated malicious user leading to modify or read data in a victim’s browser.

Action-Not Available
Vendor-Schneider Electric SE
Product-Modicon Controllers M241/M251Modicon Controllers M262
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3899
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-5.1||MEDIUM
EPSS-0.14% / 3.78%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 08:25
Updated-12 Jun, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in Certificates page on Webserver that could cause an unvalidated data injected by authenticated malicious user leading to modify or read data in a victim’s browser.

Action-Not Available
Vendor-Schneider Electric SE
Product-Modicon Controllers M241/M251
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3905
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-5.1||MEDIUM
EPSS-0.25% / 16.57%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 08:32
Updated-12 Jun, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists impacting PLC system variables that could cause an unvalidated data injected by authenticated malicious user leading to modify or read data in a victim’s browser.

Action-Not Available
Vendor-Schneider Electric SE
Product-Modicon Controllers M258 / LMC058Modicon Controllers M241/M251
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13902
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-5.1||MEDIUM
EPSS-0.22% / 13.08%
||
7 Day CHG~0.00%
Published-10 Mar, 2026 | 17:06
Updated-23 Jun, 2026 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.

Action-Not Available
Vendor-Schneider Electric SE
Product-modicon_m251modicon_m241modicon_m258_firmwaremodicon_lmc058_firmwaremodicon_m258modicon_m251_firmwaremodicon_m241_firmwaremodicon_lmc058Modicon Controllers M258/LMC058Modicon Controllers M241/M251
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8401
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 20.67%
||
7 Day CHG~0.00%
Published-28 Jan, 2025 | 16:35
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an authenticated attacker modifies folder names within the context of the product.

Action-Not Available
Vendor-Schneider Electric SE
Product-EcoStruxure Power Operation (EPO) 2021EcoStruxure Power Operation (EPO) 2022 – Advanced Reporting and Dashboards ModuleEcoStruxure Power Operation (EPO) 2022EcoStruxure Power Monitoring Expert (PME) 2020EcoStruxure Power Operation (EPO) 2021 – Advanced Reporting and Dashboards ModuleEcoStruxure Power Monitoring Expert (PME) 2021EcoStruxure Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6528
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 17.40%
||
7 Day CHG~0.00%
Published-11 Jul, 2024 | 09:03
Updated-01 Aug, 2024 | 21:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a vulnerability leading to a cross-site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload.

Action-Not Available
Vendor-
Product-modicon_m241_firmwaremodicon_m262_firmwaremodicon_m262modicon_lmc058modicon_m241modicon_m258modicon_m258_firmwaremodicon_lmc058_firmwaremodicon_m251_firmwaremodicon_m251Modicon Controllers M262Modicon Controllers M241 / M251Modicon Controllers M258 / LMC058
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-6853
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-6.1||MEDIUM
EPSS-0.64% / 46.66%
||
7 Day CHG~0.00%
Published-20 Nov, 2019 | 22:01
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.

Action-Not Available
Vendor-
Product-andover_continuum_9941_firmwareandover_continuum_5720_firmwareandover_continuum_9924andover_continuum_9900_firmwareandover_continuum_5740_firmwareandover_continuum_9940andover_continuum_bcx9640andover_continuum_9702andover_continuum_9900andover_continuum_9924_firmwareandover_continuum_9680andover_continuum_9702_firmwareandover_continuum_9941andover_continuum_bcx9640_firmwareandover_continuum_9940_firmwareandover_continuum_5740andover_continuum_9200_firmwareandover_continuum_bcx4040_firmwareandover_continuum_bcx4040andover_continuum_9200andover_continuum_9680_firmwareandover_continuum_5720Andover Continuum models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-5985
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-4.8||MEDIUM
EPSS-0.40% / 32.20%
||
7 Day CHG~0.00%
Published-15 Nov, 2023 | 03:35
Updated-29 Aug, 2024 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user’s browser when an attacker with admin privileges has modified system values.

Action-Not Available
Vendor-
Product-ion8650_firmwareion8800ion8650ion8800_firmwareION8650ION8800
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25553
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 31.45%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 20:38
Updated-05 Feb, 2025 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

Action-Not Available
Vendor-Schneider Electric SE
Product-struxureware_data_center_expertStruxureWare Data Center Expert
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25551
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 32.02%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 20:37
Updated-12 Feb, 2025 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

Action-Not Available
Vendor-Schneider Electric SE
Product-struxureware_data_center_expertStruxureWare Data Center Expert
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43376
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-7.6||HIGH
EPSS-0.38% / 30.23%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 19:55
Updated-05 Feb, 2025 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause code and session manipulation when malicious code is inserted into the browser. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior)

Action-Not Available
Vendor-Schneider Electric SE
Product-netbotz_570_firmwarenetbotz_355netbotz_455_firmwarenetbotz_550netbotz_570netbotz_450netbotz_455netbotz_550_firmwarenetbotz_355_firmwarenetbotz_450_firmwareNetBotz 4 - 355/450/455/550/570
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-5397
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||MEDIUM
EPSS-1.51% / 71.63%
||
7 Day CHG~0.00%
Published-28 Aug, 2014 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Schneider Electric Wonderware Cross-site Scripting

Cross-site scripting (XSS) vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-invensysSchneider Electric SE
Product-wonderware_information_serverWonderware Information Server Portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-5411
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-4.9||LOW
EPSS-1.29% / 66.95%
||
7 Day CHG~0.00%
Published-18 Sep, 2014 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Schneider Electric SCADA Expert ClearSCADA Cross-site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-AVEVASchneider Electric SE
Product-clearscadascada_expert_clearscadaClearSCADASCADA Expert ClearSCADA
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2050
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-8.2||HIGH
EPSS-0.47% / 37.67%
||
7 Day CHG~0.00%
Published-18 Mar, 2024 | 16:04
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists when an attacker injects then executes arbitrary malicious JavaScript code within the context of the product.

Action-Not Available
Vendor-
Product-Easergy T200 (Modbus) Models: T200I, T200E, T200P, T200S, T200H Easergy T200 (IEC104) Models: T200I, T200E, T200P, T200S, T200HEasergy T200 (DNP3) Models: T200I, T200E, T200P, T200S, T200H
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-5987
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 32.88%
||
7 Day CHG~0.00%
Published-15 Nov, 2023 | 03:48
Updated-02 Aug, 2024 | 08:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability that could cause a vulnerability leading to a cross site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload.

Action-Not Available
Vendor-
Product-ecostruxure_power_monitoring_expertEcoStruxure Power Monitoring Expert (PME)EcoStruxure Power Operation (EPO) – Advanced Reporting and Dashboards ModuleEcoStruxure Power SCADA Operation (PSO) - Advanced Reporting and Dashboards Module
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7746
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 32.26%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 21:02
Updated-03 Nov, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause an unvalidated data injected by a malicious user potentially leading to modify or read data in a victim’s browser.

Action-Not Available
Vendor-Schneider Electric SE
Product-ATV930/950/955/960/980/9A0/9B0/9L0/991/992/993 Altivar Process DrivesILC992 InterLink ConverterATS490 Altivar Soft StarterATV6000 Medium Voltage Altivar Process DrivesATV630/650/660/680/6A0/6B0/6L0 Altivar Process DrivesVW3A3720 & VW3A3721 Altivar Process Communication ModulesATV340E Altivar Machine DrivesVW3A3530D: ATVdPAC module
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-0694
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.55% / 72.37%
||
7 Day CHG~0.00%
Published-11 Feb, 2020 | 21:23
Updated-28 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0693.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_enterprise_serverMicrosoft SharePoint Enterprise ServerMicrosoft SharePoint Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34565
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.39% / 31.64%
||
7 Day CHG~0.00%
Published-14 Jun, 2023 | 00:00
Updated-02 Aug, 2024 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netbox 3.5.1 is vulnerable to Cross Site Scripting (XSS) in the "Create Wireless LAN Groups" function.

Action-Not Available
Vendor-netboxn/a
Product-netboxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5661
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.27% / 18.55%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 13:31
Updated-13 Nov, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Traffic Offense Reporting System Setting save-settings.php cross site scripting

A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part of the file /save-settings.php of the component Setting Handler. The manipulation of the argument site_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-carmeloSource Code & Projects
Product-traffic_offense_reporting_systemTraffic Offense Reporting System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-35792
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 21.41%
||
7 Day CHG~0.00%
Published-31 Jul, 2023 | 00:00
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vound Intella Connect 2.6.0.3 is vulnerable to stored Cross-site Scripting (XSS).

Action-Not Available
Vendor-vound-softwaren/a
Product-intella_connectn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5591
Matching Score-4
Assigner-The Missing Link Australia (TML)
ShareView Details
Matching Score-4
Assigner-The Missing Link Australia (TML)
CVSS Score-7.7||HIGH
EPSS-0.14% / 4.20%
||
7 Day CHG~0.00%
Published-05 Jan, 2026 | 00:02
Updated-22 Jan, 2026 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-site Scripting (XSS) in Kentico Xperience 13

Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context.

Action-Not Available
Vendor-Kentico Software
Product-xperienceKentico Xperience
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34835
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.76% / 51.23%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 00:00
Updated-05 Dec, 2024 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary JavaScript code via a vulnerable delete_file parameter.

Action-Not Available
Vendor-escanavn/a
Product-escan_management_consolen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10128
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.41% / 33.41%
||
7 Day CHG~0.00%
Published-05 Sep, 2023 | 19:13
Updated-30 Sep, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SearchBlox product before V-9.2.1 is vulnerable to Stored-Cross Site Scripting

SearchBlox product with version before 9.2.1 is vulnerable to stored cross-site scripting at multiple user input parameters. In SearchBlox products multiple parameters are not sanitized/validate properly which allows an attacker to inject malicious JavaScript.

Action-Not Available
Vendor-searchbloxSearchBlox
Product-searchbloxSearchBlox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-22123
Matching Score-4
Assigner-Mend
ShareView Details
Matching Score-4
Assigner-Mend
CVSS Score-5.4||MEDIUM
EPSS-0.71% / 49.33%
||
7 Day CHG~0.00%
Published-13 Jan, 2022 | 16:45
Updated-17 Sep, 2024 | 01:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Title

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim’s server.

Action-Not Available
Vendor-Halo (FIT2CLOUD Inc.)FIT2CLOUD Inc.
Product-halohalo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-56761
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 14.60%
||
7 Day CHG~0.00%
Published-03 Sep, 2025 | 00:00
Updated-09 Sep, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

Action-Not Available
Vendor-n/aUsememos
Product-memosn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5727
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.27% / 18.53%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 06:31
Updated-10 Jun, 2025 | 19:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Student Result Management System Announcement Page announcement cross site scripting

A vulnerability classified as problematic has been found in SourceCodester Student Result Management System 1.0. This affects an unknown part of the file /script/academic/announcement of the component Announcement Page. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-razormistSourceCodester
Product-student_result_management_systemStudent Result Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-21690
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.79% / 52.14%
||
7 Day CHG~0.00%
Published-18 Jan, 2022 | 22:15
Updated-22 Apr, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting in Onionshare

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions The path parameter of the requested URL is not sanitized before being passed to the QT frontend. This path is used in all components for displaying the server access history. This leads to a rendered HTML4 Subset (QT RichText editor) in the Onionshare frontend.

Action-Not Available
Vendor-onionshareonionshare
Product-onionshareonionshare
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10094
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.65% / 47.16%
||
7 Day CHG~0.00%
Published-28 Apr, 2020 | 13:17
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Lexmark CS31x before LW74.VYL.P273; CS41x before LW74.VY2.P273; CS51x before LW74.VY4.P273; CX310 before LW74.GM2.P273; CX410 & XC2130 before LW74.GM4.P273; CX510 & XC2132 before LW74.GM7.P273; MS310, MS312, MS317 before LW74.PRL.P273; MS410, M1140 before LW74.PRL.P273; MS315, MS415, MS417 before LW74.TL2.P273; MS51x, MS610dn, MS617 before LW74.PR2.P273; M1145, M3150dn before LW74.PR2.P273; MS610de, M3150 before LW74.PR4.P273; MS71x,M5163dn before LW74.DN2.P273; MS810, MS811, MS812, MS817, MS818 before LW74.DN2.P273; MS810de, M5155, M5163 before LW74.DN4.P273; MS812de, M5170 before LW74.DN7.P273; MS91x before LW74.SA.P273; MX31x, XM1135 before LW74.SB2.P273; MX410, MX510 & MX511 before LW74.SB4.P273; XM1140, XM1145 before LW74.SB4.P273; MX610 & MX611 before LW74.SB7.P273; XM3150 before LW74.SB7.P273; MX71x, MX81x before LW74.TU.P273; XM51xx & XM71xx before LW74.TU.P273; MX91x & XM91x before LW74.MG.P273; MX6500e before LW74.JD.P273; C746 before LHS60.CM2.P738; C748, CS748 before LHS60.CM4.P738; C792, CS796 before LHS60.HC.P738; C925 before LHS60.HV.P738; C950 before LHS60.TP.P738; X548 & XS548 before LHS60.VK.P738; X74x & XS748 before LHS60.NY.P738; X792 & XS79x before LHS60.MR.P738; X925 & XS925 before LHS60.HK.P738; X95x & XS95x before LHS60.TQ.P738; 6500e before LHS60.JR.P738;C734 LR.SK.P824 and earlier; C736 LR.SKE.P824 and earlier; E46x LR.LBH.P824 and earlier; T65x LR.JP.P824 and earlier; X46x LR.BS.P824 and earlier; X65x LR.MN.P824 and earlier; X73x LR.FL.P824 and earlier; W850 LP.JB.P823 and earlier; and X86x LP.SP.P823 and earlier.

Action-Not Available
Vendor-n/aLexmark International, Inc.
Product-ms812de_firmwarem1145_firmwarexm1140x65xm3150_firmwarecx510c746ms415_firmwarec748m5163dn_firmwarex95x_firmwaree46x_firmwarecx510_firmwarecx410_firmwaremx510xm1145ms812_firmwaremx6500e_firmwarex792_firmwarems610dnms610dn_firmwarecs748_firmwarec925_firmwarec746_firmwarec792_firmwarexs925ms810de_firmwarems315x548_firmwarexm91xc736_firmwarecs41x_firmwarecs51xxm3150_firmwarexm51xxcx410m5163_firmwarem5170_firmwarexm71xxms415w850c734cs796_firmwarecx310xm1135_firmwarems810_firmwarexs95xmx410_firmwarex95xms817_firmwarems51xc950xs79xms810ms417ms817mx91x_firmwarex74xc734_firmwarexs95x_firmwarecs748x65x_firmwarex46x_firmwarems811xs748x46xmx91xms317ms310_firmwarex74x_firmwaremx31xmx611_firmwarems410_firmwarew850_firmwaremx510_firmwarems317_firmwarem3150dn_firmwarec792ms810demx611mx410ms410c748_firmwarem1140_firmwarexc2132_firmwarems811_firmwarem5155_firmwarex86x_firmwarems818_firmwarec950_firmwaremx6500ecx310_firmwaremx71x_firmwaremx81xxs548_firmwarecs31xcs796xc2132ms312_firmwarems71x_firmwarems71xms91x_firmwaremx81x_firmwarexm91x_firmwarexs79x_firmwarems617_firmwarex925xs925_firmwarexm1145_firmwarex73x_firmwaremx31x_firmwarexc2130ms617cs31x_firmwarem3150m5170ms312xm1135xm3150ms610dexm51xx_firmwarem1140mx610_firmwarexs748_firmwarecs41xe46xm3150dnms417_firmwarem5163ms51x_firmwarex548x73xxm1140_firmwarem5155ms812dex86xms91x6500ec925m1145xc2130_firmwarem5163dnxm71xx_firmwarems812ms8186500e_firmwarex792c736ms310cs51x_firmwaremx71xms315_firmwaremx610t65x_firmwaremx511xs548x925_firmwaremx511_firmwaret65xms610de_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-0893
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.30% / 67.22%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 15:48
Updated-28 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0894.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_enterprise_serversharepoint_serverMicrosoft SharePoint Enterprise ServerMicrosoft SharePoint Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-0903
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.65% / 73.88%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 15:48
Updated-28 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server, aka 'Microsoft Exchange Server Spoofing Vulnerability'.

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_serverMicrosoft Exchange Server 2019 Cumulative Update 4Microsoft Exchange Server 2016 Cumulative Update 15Microsoft Exchange Server 2019 Cumulative Update 3Microsoft Exchange Server 2016 Cumulative Update 14
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-34830
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.65% / 47.09%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 00:00
Updated-05 Dec, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

i-doit Open v24 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the timeout parameter on the login page.

Action-Not Available
Vendor-i-doitn/a
Product-i-doitn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-57205
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 14.55%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 00:00
Updated-03 Oct, 2025 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iNiLabs School Express (SMS Express) 6.2 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the content-management features available to authenticated admin users. The vulnerability resides in POSTed editor parameters submitted to the /posts/edit/{id} endpoint (and similarly in Notice and Pages editors). Due to insufficient input sanitization and output encoding, attackers can inject HTML/JS payloads. The payload is saved and later rendered unsanitized, resulting in JavaScript execution in other users' browsers when they access the affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not enforce a restrictive Content Security Policy (CSP) or adequate filtering to prevent such attacks.

Action-Not Available
Vendor-inilabsn/a
Product-school_expressn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-0925
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.52% / 71.69%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 15:12
Updated-28 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0923, CVE-2020-0924, CVE-2020-0926, CVE-2020-0927, CVE-2020-0930, CVE-2020-0933, CVE-2020-0954, CVE-2020-0973, CVE-2020-0978.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_enterprise_serversharepoint_foundationsharepoint_serverMicrosoft SharePoint Enterprise ServerMicrosoft SharePoint FoundationMicrosoft SharePoint Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-55735
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.05%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 18:56
Updated-22 Aug, 2025 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
flaskBlog Stored XSS Vulnerability

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the engine to not escape the rendered content. This can lead to a stored XSS inside the content of the post. The code that causes the problem is in template/routes.html.

Action-Not Available
Vendor-dogukanurkerDogukanUrker
Product-flaskblogFlaskBlog
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-807
Reliance on Untrusted Inputs in a Security Decision
CVE-2020-0954
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.52% / 71.69%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 15:13
Updated-28 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0923, CVE-2020-0924, CVE-2020-0925, CVE-2020-0926, CVE-2020-0927, CVE-2020-0930, CVE-2020-0933, CVE-2020-0973, CVE-2020-0978.

Action-Not Available
Vendor-Microsoft Corporation
Product-project_serversharepoint_enterprise_serversharepoint_serverMicrosoft SharePoint Enterprise ServerMicrosoft SharePoint ServerMicrosoft Project Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-3595
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.81% / 52.93%
||
7 Day CHG~0.00%
Published-22 Jan, 2020 | 15:20
Updated-06 Aug, 2024 | 23:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! through 1.7.0 in index.php in the search word, extension, asset, and author parameters.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla!
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5585
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.17% / 6.52%
||
7 Day CHG~0.00%
Published-25 Jun, 2025 | 02:22
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SiteOrigin Widgets Bundle <= 1.68.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-siteorigingpriday
Product-siteorigin_widgets_bundleSiteOrigin Widgets Bundle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-0894
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.30% / 67.22%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 15:48
Updated-28 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0893.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_enterprise_serversharepoint_foundationsharepoint_serverMicrosoft SharePoint Enterprise ServerMicrosoft SharePoint FoundationMicrosoft SharePoint Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-57981
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 9.65%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:24
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Social Widget Plugin <= 2.3.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget wp-social-widget allows Stored XSS.This issue affects WP Social Widget: from n/a through <= 2.3.1.

Action-Not Available
Vendor-catchsquarecatchsquare
Product-wp_social_widgetWP Social Widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-57576
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 8.83%
||
7 Day CHG~0.00%
Published-04 Sep, 2025 | 00:00
Updated-10 Sep, 2025 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHPGurukul Online Shopping Portal 2.1 is vulnerable to Cross Site Scripting (XSS) in /admin/updateorder.php.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-online_shopping_portaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-56379
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.38% / 30.46%
||
7 Day CHG~0.00%
Published-02 Oct, 2025 | 00:00
Updated-03 Oct, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field.

Action-Not Available
Vendor-frappen/a
Product-erpnextfrappen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-57539
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 18.45%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 00:00
Updated-18 Sep, 2025 | 17:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in the U2F Origin field of the Datacenter configuration in Proxmox Virtual Environment (PVE) 8.4 allows authenticated users to store malicious input. The payload is rendered unsafely in the Web UI and executed when viewed by other users, potentially leading to session hijacking or other attacks.

Action-Not Available
Vendor-proxmoxn/a
Product-virtual_environmentn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-56514
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.26% / 17.73%
||
7 Day CHG~0.00%
Published-01 Oct, 2025 | 00:00
Updated-21 Oct, 2025 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in Fiora chat application 1.0.0 allows executes arbitrary JavaScript when malicious SVG files are rendered by other users.

Action-Not Available
Vendor-suisuijiangn/a
Product-fioran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-22370
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.43% / 35.26%
||
7 Day CHG~0.00%
Published-08 Jul, 2022 | 17:45
Updated-16 Sep, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 221194.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_accessSecurity Verify Access
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15028
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.57% / 43.30%
||
7 Day CHG~0.00%
Published-07 Jul, 2020 | 15:37
Updated-04 Aug, 2024 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Map.php xo parameter.

Action-Not Available
Vendor-nedin/a
Product-nedin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15030
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.57% / 43.30%
||
7 Day CHG~0.00%
Published-07 Jul, 2020 | 15:35
Updated-04 Aug, 2024 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Routes.php rtr parameter.

Action-Not Available
Vendor-nedin/a
Product-nedin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5721
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 19.51%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 04:00
Updated-10 Jun, 2025 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Student Result Management System Profile Setting Page update_profile cross site scripting

A vulnerability, which was classified as problematic, was found in SourceCodester Student Result Management System 1.0. This affects an unknown part of the file /script/academic/core/update_profile of the component Profile Setting Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-razormistSourceCodester
Product-student_result_management_systemStudent Result Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-6368
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.43% / 34.72%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 11:31
Updated-17 Sep, 2024 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LabVantage LIMS POST Request cross site scripting

A vulnerability was found in LabVantage LIMS 2017. It has been rated as problematic. This issue affects some unknown processing of the file /labvantage/rc?command=page of the component POST Request Handler. The manipulation of the argument param1 leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269801 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-labvantageLabVantagelabvantage
Product-laboratory_information_management_systemLIMSlabvantage
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15037
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.55% / 42.09%
||
7 Day CHG~0.00%
Published-07 Jul, 2020 | 14:02
Updated-04 Aug, 2024 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.

Action-Not Available
Vendor-nedin/a
Product-nedin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15034
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.57% / 43.30%
||
7 Day CHG~0.00%
Published-07 Jul, 2020 | 15:29
Updated-04 Aug, 2024 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Setup.php tet parameter.

Action-Not Available
Vendor-nedin/a
Product-nedin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 210
  • 211
  • Next
Details not found