U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 6,198 matching records.
Displaying matches 341 through 360.
Vuln ID Summary CVSS Severity
CVE-2020-22327

An issue was discovered in HFish 0.5.1. When a payload is inserted where the name is entered, XSS code is triggered when the administrator views the information.

Published: January 26, 2023; 4:15:21 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-4554

B2B Customer Ordering System developed by ID Software Project and Consultancy Services before version 1.0.0.347 has an authenticated Reflected XSS vulnerability. This has been fixed in the version 1.0.0.347.

Published: January 24, 2023; 4:15:09 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-4307

The ?????? ?????? ?????? WordPress plugin before 2.9.3 does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege users such as admin visits a page from the plugin.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-24070

app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field.

Published: January 23, 2023; 12:15:18 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-24027

In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

Published: January 20, 2023; 5:15:10 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-24026

In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.

Published: January 20, 2023; 5:15:10 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-22910

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.

Published: January 20, 2023; 1:15:10 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-23691

Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS.

Published: January 20, 2023; 3:15:17 AM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-47197

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.

Published: January 19, 2023; 1:15:14 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-47196

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_head` for a post.

Published: January 19, 2023; 1:15:14 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-47195

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `facebook` field for a user.

Published: January 19, 2023; 1:15:14 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-47194

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `twitter` field for a user.

Published: January 19, 2023; 1:15:13 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-23637

IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information.

Published: January 17, 2023; 4:15:17 PM -0500
V3.1: 7.6 HIGH
V2.0:(not available)
CVE-2022-40704

A XSS vulnerability was found in phoromatic_r_add_test_details.php in phoronix-test-suite.

Published: January 17, 2023; 2:15:11 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-43718

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Published: January 16, 2023; 6:15:10 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-43717

Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Published: January 16, 2023; 6:15:10 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2021-46872

An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)

Published: January 13, 2023; 1:15:10 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-42967

Caret is vulnerable to an XSS attack when the user opens a crafted Markdown file when preview mode is enabled. This directly leads to client-side code execution.

Published: January 11, 2023; 8:15:09 AM -0500
V3.1: 9.6 CRITICAL
V2.0:(not available)
CVE-2023-22911

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.

Published: January 10, 2023; 3:15:10 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2021-46871

tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 allows XSS in HEEx class attributes.

Published: January 10, 2023; 1:15:09 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)