U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 7,096 matching records.
Displaying matches 861 through 880.
Vuln ID Summary CVSS Severity
CVE-2023-41343

Rogic No-Code Database Builder's file uploading function has insufficient filtering for special characters. A remote attacker with regular user privilege can inject JavaScript to perform XSS (Stored Cross-Site Scripting) attack.

Published: November 03, 2023; 1:15:29 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-43193

Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

Published: November 02, 2023; 8:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-5480

Inappropriate implementation in Payments in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to bypass XSS preventions via a malicious file. (Chromium security severity: High)

Published: November 01, 2023; 2:15:09 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-1715

A logic error when using mb_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload.

Published: November 01, 2023; 6:15:09 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-46235

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10.15, due to a lack of request sanitization in the logs, a malicious request containing XSS would be stored in a log file. When an administrator of the FOG server logged in and viewed the logs, they would be parsed as HTML and displayed accordingly. Version 1.5.10.15 contains a patch. As a workaround, view logs from an external text editor rather than the dashboard.

Published: October 31, 2023; 11:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-5458

The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin before 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Published: October 31, 2023; 10:15:12 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-39172

A stored XSS in the process overview (bersicht zugewiesener Vorgaenge) in mbsupport openVIVA c2 20220101 allows a remote, authenticated, low-privileged attacker to execute arbitrary code in the victim's browser via name field of a process.

Published: October 30, 2023; 6:15:09 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-46858

Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not."

Published: October 28, 2023; 9:15:41 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-46854

Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxmox products, allows XSS via the edit notes feature.

Published: October 28, 2023; 6:15:08 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-34834

An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.

Published: October 27, 2023; 5:15:08 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-34833

An issue was discovered in VERMEG AgileReporter 21.3. An admin can enter an XSS payload in the Analysis component.

Published: October 27, 2023; 5:15:08 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-29009

baserCMS is a website development framework with WebAPI that runs on PHP8 and CakePHP4. There is a XSS Vulnerability in Favorites Feature to baserCMS. This issue has been patched in version 4.8.0.

Published: October 27, 2023; 4:15:09 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-45869

ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php) This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system.

Published: October 26, 2023; 11:15:09 AM -0400
V3.1: 9.0 CRITICAL
V2.0:(not available)
CVE-2023-45137

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. `org.xwiki.platform:xwiki-platform-web` starting in version 3.1-milestone-2 and prior to version 13.4-rc-1, as well as `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, are vulnerable to cross-site scripting. When trying to create a document that already exists, XWiki displays an error message in the form for creating it. Due to missing escaping, this error message is vulnerable to raw HTML injection and thus XSS. The injected code is the document reference of the existing document so this requires that the attacker first creates a non-empty document whose name contains the attack code. This has been patched in `org.xwiki.platform:xwiki-platform-web` version 13.4-rc-1 and `org.xwiki.platform:xwiki-platform-web-templates` versions 14.10.12 and 15.5-rc-1 by adding the appropriate escaping. The vulnerable template file `createinline.vm` is part of XWiki's WAR and can be patched by manually applying the changes from the fix.

Published: October 25, 2023; 5:15:10 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-45754

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in I Thirteen Web Solution Easy Testimonial Slider and Form allows Stored XSS.This issue affects Easy Testimonial Slider and Form: from n/a through 1.0.18.

Published: October 25, 2023; 2:17:33 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-44767

A File upload vulnerability in RiteCMS 3.0 allows a local attacker to upload a SVG file with XSS content.

Published: October 25, 2023; 2:17:32 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-3010

Grafana is an open-source platform for monitoring and observability. The WorldMap panel plugin, versions before 1.0.4 contains a DOM XSS vulnerability.

Published: October 25, 2023; 2:17:29 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-45998

kodbox 1.44 is vulnerable to Cross Site Scripting (XSS). Customizing global HTML results in storing XSS.

Published: October 23, 2023; 6:15:09 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-38194

An issue was discovered in SuperWebMailer 9.00.0.01710. It allows keepalive.php XSS via a GET parameter.

Published: October 20, 2023; 9:15:08 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-38192

An issue was discovered in SuperWebMailer 9.00.0.01710. It allows superadmincreate.php XSS via crafted incorrect passwords.

Published: October 20, 2023; 9:15:07 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)