U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 7,094 matching records.
Displaying matches 841 through 860.
Vuln ID Summary CVSS Severity
CVE-2023-46201

Cross-Site Request Forgery (CSRF) vulnerability in Jeff Sherk Auto Login New User After Registration allows Stored XSS.This issue affects Auto Login New User After Registration: from n/a through 1.9.6.

Published: November 13, 2023; 12:15:08 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-47652

Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links allows Stored XSS.This issue affects Auto Affiliate Links: from n/a through 6.4.2.4.

Published: November 12, 2023; 11:15:08 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-47516

Cross-Site Request Forgery (CSRF) vulnerability in Stark Digital Category Post List Widget allows Stored XSS.This issue affects Category Post List Widget: from n/a through 2.0.

Published: November 12, 2023; 11:15:08 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-5547

The course upload preview contained an XSS risk for users uploading unsafe data.

Published: November 09, 2023; 3:15:10 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-5546

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

Published: November 09, 2023; 3:15:10 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-5544

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

Published: November 09, 2023; 3:15:09 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-5541

The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.

Published: November 09, 2023; 3:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-5819

The Amazonify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. However, please note that this can also be combined with CVE-2023-5818 for CSRF to XSS.

Published: November 07, 2023; 3:15:09 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-46744

Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG images, is insufficient resulting to stored XSS attacks. Squidex allows the CMS contributors to be granted the permission of uploading an SVG asset. When the asset is uploaded, a filtering mechanism is performed to validate that the SVG does not contain malicious code. The validation logic consists of traversing the HTML nodes in the DOM. In order for the validation to succeed, 2 conditions must be met: 1. No HTML tags included in a "blacklist" called "InvalidSvgElements" are present. This list only contains the element "script". and 2. No attributes of HTML tags begin with "on" (i.e. onerror, onclick) (line 65). If either of the 2 conditions is not satisfied, validation fails and the file/asset is not uploaded. However it is possible to bypass the above filtering mechanism and execute arbitrary JavaScript code by introducing other HTML elements such as an <iframe> element with a "src" attribute containing a "javascript:" value. Authenticated adversaries with the "assets.create" permission, can leverage this vulnerability to upload a malicious SVG as an asset, targeting any registered user that will attempt to open/view the asset through the Squidex CMS.

Published: November 07, 2023; 1:15:09 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-32966

Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab Jazz Popups leads to Stored XSS.This issue affects Jazz Popups: from n/a through 1.8.7.

Published: November 07, 2023; 1:15:08 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-5771

Proofpoint Enterprise Protection contains a stored XSS vulnerability in the AdminUI. An unauthenticated attacker can send a specially crafted email with HTML in the subject which triggers XSS when viewing quarantined messages.  This issue affects Proofpoint Enterprise Protection: from 8.20.0 before patch 4796, from 8.18.6 before patch 4795 and all other prior versions.

Published: November 06, 2023; 4:15:10 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-5530

The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue

Published: November 06, 2023; 4:15:10 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-46251

MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (_Admin CP → Configuration → Settings → Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP → Your Profile → Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP → Configuration → Settings_): - _Clickable Smilies and BB Code → [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (_User CP → Your Profile → Edit Options_) _Show the MyCode formatting options on the posting pages_.

Published: November 06, 2023; 1:15:08 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-47272

Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).

Published: November 05, 2023; 7:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-47260

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails.

Published: November 05, 2023; 12:15:10 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-47259

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter.

Published: November 05, 2023; 12:15:10 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-47258

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter.

Published: November 05, 2023; 12:15:10 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-45360

An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers.

Published: November 03, 2023; 1:15:30 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-41343

Rogic No-Code Database Builder's file uploading function has insufficient filtering for special characters. A remote attacker with regular user privilege can inject JavaScript to perform XSS (Stored Cross-Site Scripting) attack.

Published: November 03, 2023; 1:15:29 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-43193

Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

Published: November 02, 2023; 8:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)