U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 21,889 matching records.
Displaying matches 441 through 460.
Vuln ID Summary CVSS Severity
CVE-2023-26059

An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user.

Published: April 24, 2023; 2:15:09 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-30613

Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files, causing vulnerable browsers to execute malicious code on another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` are denied. Other files containing the `<script>` tag, regardless of their type are also denied b/c they are a path to XSS attacks. There are no known workarounds aside from upgrading.

Published: April 24, 2023; 1:15:10 PM -0400
V3.1: 9.0 CRITICAL
V2.0:(not available)
CVE-2023-26061

An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Published: April 24, 2023; 1:15:10 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-41612

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Shareaholic Similar Posts plugin <= 3.1.6 versions.

Published: April 24, 2023; 1:15:09 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-29848

Bang Resto 1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the itemName parameter in the admin/menu.php Add New Menu function.

Published: April 24, 2023; 11:15:08 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-47598

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP Plugins Pro WP Super Popup plugin <= 1.1.2 versions.

Published: April 24, 2023; 11:15:07 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-47158

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Pakpobox alfred24 Click & Collect plugin <= 1.1.7 versions.

Published: April 24, 2023; 11:15:07 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-45084

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Softaculous Loginizer plugin <= 1.7.5 versions.

Published: April 24, 2023; 11:15:07 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-23892

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Jamie Poitra M Chart plugin <= 1.9.4 versions.

Published: April 24, 2023; 10:15:07 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-31045

** DISPUTED ** A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anywhere."

Published: April 24, 2023; 4:15:07 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-27614

Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Ian Haycox Motor Racing League plugin <= 1.9.9 versions.

Published: April 23, 2023; 7:15:07 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-27425

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in James Irving-Swift Electric Studio Client Login plugin <= 0.8.1 versions.

Published: April 23, 2023; 7:15:07 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-25451

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPChill CPO Content Types plugin <= 1.1.0 versions.

Published: April 23, 2023; 7:15:07 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-23832

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in TC Ultimate WP Query Search Filter plugin <= 1.0.10 versions.

Published: April 23, 2023; 7:15:07 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-23827

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Google Maps v3 Shortcode plugin <= 1.2.1 versions.

Published: April 23, 2023; 7:15:07 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-23817

Auth. (contrinbutor+) Cross-Site Scripting (XSS) vulnerability in WebArea | Vera Nedvyzhenko Simple PDF Viewer plugin <= 1.9 versions.

Published: April 23, 2023; 7:15:07 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-23816

Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Twardes Sitemap Index plugin <= 1.2.3 versions.

Published: April 23, 2023; 7:15:07 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-23806

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Davinder Singh Custom Settings plugin <= 1.0 versions.

Published: April 23, 2023; 7:15:06 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-23717

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in George Gecewicz Portfolio Slideshow plugin <= 1.13.0 versions.

Published: April 23, 2023; 7:15:06 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-24404

Reflected Cross-Site Scripting (XSS) vulnerability in VryaSage Marketing Performance plugin <= 2.0.0 versions.

Published: April 23, 2023; 6:15:07 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)