U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 8,528 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2024-51735

Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server. When using a workflow that contains the summary module, it generates reports in HTML and Markdown formats. The default report is based on the `general-template.md` template.The contents of the files are read and used to generate the report. However, the file contents are not properly filtered, leading to XSS. This may lead to commands executed on the host as well. This issue is not yet resolved. Users are advised to add their own filtering or to reach out to the developer to aid in developing a patch.

Published: November 05, 2024; 2:15:07 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-49377

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on a specially crafted login link, or a malicious app running on a victim's computer triggering the application key workflow with specially crafted parameters and then redirecting the victim to the related standalone confirmation dialog could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been patched in the bugfix release 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general. The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out.

Published: November 05, 2024; 2:15:05 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-34445

Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: November 04, 2024; 7:15:03 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-34444

Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: November 04, 2024; 7:15:03 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-48057

localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.

Published: November 04, 2024; 6:15:04 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-51685

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Michael Gangolf Accordion title for Elementor allows Stored XSS.This issue affects Accordion title for Elementor: from n/a through 1.2.1.

Published: November 04, 2024; 10:15:24 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-51683

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Michael Gangolf Custom post type templates for Elementor allows Stored XSS.This issue affects Custom post type templates for Elementor: from n/a through 1.10.1.

Published: November 04, 2024; 10:15:24 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-51682

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HasThemes HT Builder – WordPress Theme Builder for Elementor allows Stored XSS.This issue affects HT Builder – WordPress Theme Builder for Elementor: from n/a through 1.3.0.

Published: November 04, 2024; 10:15:23 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-51681

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CodeRevolution WP Pocket URLs allows Stored XSS.This issue affects WP Pocket URLs: from n/a through 1.0.3.

Published: November 04, 2024; 10:15:23 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-51680

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CrestaProject – Rizzo Andrea Cresta Addons for Elementor allows Stored XSS.This issue affects Cresta Addons for Elementor: from n/a through 1.0.9.

Published: November 04, 2024; 10:15:23 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-51678

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Marcel Pol Elo Rating Shortcode allows Stored XSS.This issue affects Elo Rating Shortcode: from n/a through 1.0.3.

Published: November 04, 2024; 10:15:23 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-51677

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WebberZone Knowledge Base allows Stored XSS.This issue affects Knowledge Base: from n/a through 2.2.0.

Published: November 04, 2024; 10:15:22 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-9147

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Bna Informatics PosPratik allows XSS Through HTTP Query Strings.This issue affects PosPratik: before v3.2.1.

Published: November 04, 2024; 8:17:06 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-43211

Cross Site Scripting (XSS) vulnerability in PluginOps MailChimp Subscribe Forms allows Stored XSS.This issue affects MailChimp Subscribe Forms: from n/a through 4.0.9.8.

Published: November 01, 2024; 11:15:41 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-38744

Missing Authorization vulnerability in Upqode Plum: Spin Wheel & Email Pop-up allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS.This issue affects Plum: Spin Wheel & Email Pop-up: from n/a through 2.0.

Published: November 01, 2024; 11:15:34 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-37214

Missing Authorization vulnerability in Dropshipping Guru Ali2Woo Lite Exploiting Incorrectly Configured Access Control Security Levels, Stored XSS.This issue affects Ali2Woo Lite: from n/a through 3.3.5.

Published: November 01, 2024; 11:15:20 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-42515

Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these encoded characters into legitimate HTML, thereby possibly causing stored XSS. Attackers can append a XSS payload to a word that has a corresponding glossary entry.

Published: October 31, 2024; 3:15:12 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-48910

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

Published: October 31, 2024; 11:15:15 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-43933

Cross-Site Request Forgery (CSRF) vulnerability in WPMobile.App allows Stored XSS.This issue affects WPMobile.App: from n/a through 11.48.

Published: October 31, 2024; 6:15:05 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-10086

A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.

Published: October 30, 2024; 6:15:03 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)