Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 7,315 matching records.
Displaying matches 121 through 140.
Vuln ID Summary CVSS Severity
CVE-2024-2428

The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have a proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to perform Stored XSS attacks.

Published: April 10, 2024; 1:15:49 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31868

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Attackers can modify helium.json and expose normal users to XSS attacks. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Published: April 09, 2024; 12:15:08 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31365

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Post Type Builder (PTB) allows Reflected XSS. This issue affects Post Type Builder (PTB): from n/a through 2.0.8.

Published: April 09, 2024; 4:15:07 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31357

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Ultimate Store Kit Elementor Addons allows Stored XSS. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 1.5.2.

Published: April 08, 2024; 5:15:10 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31349

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MailMunch MailMunch – Grow your Email List allows Stored XSS. This issue affects MailMunch – Grow your Email List: from n/a through 3.1.6.

Published: April 07, 2024; 2:15:13 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31348

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Testimonials allows Stored XSS. This issue affects Testimonials: from n/a through 3.0.5.

Published: April 07, 2024; 2:15:13 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31346

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blocksmarket Gradient Text Widget for Elementor allows Stored XSS. This issue affects Gradient Text Widget for Elementor: from n/a through 1.0.1.

Published: April 07, 2024; 2:15:12 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31344

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Phpbits Creative Studio Easy Login Styler – White Label Admin Login Page for WordPress allows Stored XSS. This issue affects Easy Login Styler – White Label Admin Login Page for WordPress: from n/a through 1.0.6.

Published: April 07, 2024; 2:15:12 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31306

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Stored XSS. This issue affects Essential Blocks for Gutenberg: from n/a through 4.5.3.

Published: April 07, 2024; 2:15:12 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31258

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.Company Form to Chat App allows Stored XSS. This issue affects Form to Chat App: from n/a through 1.1.6.

Published: April 07, 2024; 2:15:10 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31257

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Formsite Formsite | Embed online forms to collect orders, registrations, leads, and surveys allows Stored XSS. This issue affects Formsite | Embed online forms to collect orders, registrations, leads, and surveys: from n/a through 1.6.

Published: April 07, 2024; 2:15:09 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31256

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebinarPress allows Reflected XSS. This issue affects WebinarPress: from n/a through 1.33.9.

Published: April 07, 2024; 2:15:09 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31255

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ELEXtensions ELEX WooCommerce Dynamic Pricing and Discounts allows Reflected XSS. This issue affects ELEX WooCommerce Dynamic Pricing and Discounts: from n/a through 2.1.2.

Published: April 07, 2024; 2:15:09 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31236

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a through 1.3.93.

Published: April 07, 2024; 2:15:09 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-49965

SpaceX Starlink Wi-Fi router Gen 2 before 2023.48.0 allows XSS via the ssid and password parameters on the Setup Page.

Published: April 05, 2024; 10:15:10 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2380

Stored XSS in graph rendering in Checkmk <2.3.0b4.

Published: April 05, 2024; 9:15:07 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-29193

go2rtc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (`index.html`) shows the available streams by fetching the API (`[0]`) on the client side. Then, it uses `Object.entries` to iterate over the result (`[1]`) whose first item (`name`) gets appended using `innerHTML` (`[2]`). In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin. As of time of publication, no patch is available.

Published: April 04, 2024; 3:15:08 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-29182

Collabora Online is a collaborative online office suite based on LibreOffice. A stored cross-site scripting vulnerability was found in Collabora Online. An attacker could create a document with an XSS payload in document text referenced by field which, if hovered over to produce a tooltip, could be executed by the user's browser. Users should upgrade to Collabora Online 23.05.10.1 or higher. Earlier series of Collabora Online, 22.04, 21.11, etc. are unaffected.

Published: April 04, 2024; 11:15:38 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2692

SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.

Published: April 03, 2024; 10:15:06 PM -0400
V3.1: 9.6 CRITICAL
V2.0:(not available)
CVE-2024-3181

Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. Thanks Alexey Solovyev for reporting.

Published: April 03, 2024; 4:15:07 PM -0400
V3.x:(not available)
V2.0:(not available)