U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 7,317 matching records.
Displaying matches 141 through 160.
Vuln ID Summary CVSS Severity
CVE-2024-2692

SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.

Published: April 03, 2024; 10:15:06 PM -0400
V3.1: 9.6 CRITICAL
V2.0:(not available)
CVE-2024-3181

Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting

Published: April 03, 2024; 4:15:07 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-3180

Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Prior to fix, stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting.

Published: April 03, 2024; 3:15:44 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-3179

Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting. 

Published: April 03, 2024; 3:15:44 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2753

Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 is vulnerable to Stored XSS on the calendar color settings screen since Information input by the user is output without escaping. A rogue administrator could inject malicious javascript into the Calendar Color Settings screen which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N&version=3.1 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator   Thank you Rikuto Tauchi for reporting

Published: April 03, 2024; 3:15:43 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31109

Cross-Site Request Forgery (CSRF) vulnerability in Toastie Studio Woocommerce Social Media Share Buttons allows Stored XSS.This issue affects Woocommerce Social Media Share Buttons: from n/a through 1.3.0.

Published: April 02, 2024; 2:15:12 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31105

Cross-Site Request Forgery (CSRF) vulnerability in Adam Bowen Tax Rate Upload allows Reflected XSS.This issue affects Tax Rate Upload: from n/a through 2.4.5.

Published: April 02, 2024; 2:15:12 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2435

For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal. Access to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).

Published: April 02, 2024; 1:15:46 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-25080

WebMail in Axigen 10.x before 10.3.3.62 allows XSS via the image attachment viewer.

Published: April 01, 2024; 5:15:50 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-27609

Bonita before 2023.2-u2 allows stored XSS via a UI screen in the administration panel.

Published: March 31, 2024; 8:15:49 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31104

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GetResponse GetResponse for WordPress allows Stored XSS.This issue affects GetResponse for WordPress: from n/a through 5.5.33.

Published: March 31, 2024; 4:15:14 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31103

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kanban for WordPress Kanban Boards for WordPress allows Reflected XSS.This issue affects Kanban Boards for WordPress: from n/a through 2.5.21.

Published: March 31, 2024; 4:15:14 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31102

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scimone Ignazio Prenotazioni allows Stored XSS.This issue affects Prenotazioni: from n/a through 1.7.4.

Published: March 31, 2024; 4:15:13 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31101

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in August Infotech AI Twitter Feeds (Twitter widget & shortcode) allows Stored XSS.This issue affects AI Twitter Feeds (Twitter widget & shortcode): from n/a through 2.4.

Published: March 31, 2024; 4:15:13 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31097

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stephan Spencer SEO Title Tag allows Reflected XSS.This issue affects SEO Title Tag: from n/a through 3.5.9.

Published: March 31, 2024; 4:15:13 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31092

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Philip M. Hofer (Frumph) Comic Easel allows Reflected XSS.This issue affects Comic Easel: from n/a through 1.15.

Published: March 31, 2024; 4:15:13 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31091

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SparkWeb Interactive, Inc. Custom Field Bulk Editor allows Reflected XSS.This issue affects Custom Field Bulk Editor: from n/a through 1.9.1.

Published: March 31, 2024; 4:15:13 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31090

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 荒野无灯 Hacklog Down As PDF allows Reflected XSS.This issue affects Hacklog Down As PDF: from n/a through 2.3.6.

Published: March 31, 2024; 4:15:12 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31089

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Techblissonline.Com (Rajesh) Platinum SEO allows Stored XSS.This issue affects Platinum SEO: from n/a through 2.4.0.

Published: March 31, 2024; 4:15:12 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-31087

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joel Starnes pageMash > Page Management allows Reflected XSS.This issue affects pageMash > Page Management: from n/a through 1.3.0.

Published: March 31, 2024; 4:15:12 PM -0400
V3.x:(not available)
V2.0:(not available)