U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 21,886 matching records.
Displaying matches 421 through 440.
Vuln ID Summary CVSS Severity
CVE-2021-26263

Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.

Published: April 25, 2023; 3:15:09 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-30177

CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.

Published: April 25, 2023; 2:15:09 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-25484

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Oliver Schlöbe Simple Yearly Archive plugin <= 2.1.8 versions.

Published: April 25, 2023; 1:15:08 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-47608

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Quick Contact Form plugin <= 8.0.3.1 versions.

Published: April 25, 2023; 1:15:08 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-25314

Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user.

Published: April 25, 2023; 12:15:09 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-30417

A cross-site scripting (XSS) vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message.

Published: April 25, 2023; 9:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-26843

A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php.

Published: April 25, 2023; 9:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-25347

A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" Input Field in EventEditor.php.

Published: April 25, 2023; 9:15:09 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-25346

A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.

Published: April 25, 2023; 9:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-27619

Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes Regina Lite theme <= 2.0.7 versions.

Published: April 25, 2023; 8:15:09 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-25710

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DIGITALBLUE Click to Call or Chat Buttons plugin <= 1.4.0 versions.

Published: April 25, 2023; 8:15:09 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-25490

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Eric Teubert Archivist – Custom Archive Templates plugin <= 1.7.4 versions.

Published: April 25, 2023; 8:15:09 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-25479

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Podlove Podlove Subscribe button plugin <= 1.3.7 versions.

Published: April 25, 2023; 8:15:09 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-45837

Reflected Cross-Site Scripting (XSS) vulnerability in Denis ???????? plugin <= 6.0.1 versions.

Published: April 25, 2023; 8:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-28354

In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period.

Published: April 24, 2023; 5:15:09 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-27991

The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker to execute some OS commands remotely.

Published: April 24, 2023; 2:15:09 PM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-27990

The XSS vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.

Published: April 24, 2023; 2:15:09 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-26059

An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user.

Published: April 24, 2023; 2:15:09 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-30613

Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files, causing vulnerable browsers to execute malicious code on another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` are denied. Other files containing the `<script>` tag, regardless of their type are also denied b/c they are a path to XSS attacks. There are no known workarounds aside from upgrading.

Published: April 24, 2023; 1:15:10 PM -0400
V3.1: 9.0 CRITICAL
V2.0:(not available)
CVE-2023-26061

An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Published: April 24, 2023; 1:15:10 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)