Search Results (47288 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-42909 1 Wepanow 1 Print Away 2025-03-26 6.5 Medium
WEPA Print Away does not verify that a user has authorization to access documents before generating print orders and associated release codes. This could allow an attacker to generate print orders and release codes for documents they don´t own and print hem without authorization. In order to exploit this vulnerability, the user must have an account with wepanow.com or any of the institutions they serve, and be logged in.
CVE-2022-42908 1 Wepanow 1 Print Away 2025-03-26 6.3 Medium
WEPA Print Away is vulnerable to a stored XSS. It does not properly sanitize uploaded filenames, allowing an attacker to deceive a user into uploading a document with a malicious filename, which will be included in subsequent HTTP responses, allowing a stored XSS to occur. This attack is persistent across victim sessions.
CVE-2022-34386 1 Dell 2 Supportassist For Business Pcs, Supportassist For Home Pcs 2025-03-26 5.5 Medium
Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.
CVE-2024-4149 1 Premio 2 Chaty, Floating Chat Widget 2025-03-26 6.1 Medium
The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2021-37374 1 Teradek 2 Clip, Clip Firmware 2025-03-26 5.4 Medium
Cross Site Scripting (XSS) vulnerability in Teradek Clip all firmware versions allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vedor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.
CVE-2023-0677 1 Phpipam 1 Phpipam 2025-03-26 6.1 Medium
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to v1.5.1.
CVE-2023-0144 1 Mage-people 1 Event Manager And Tickets Selling For Woocommerce 2025-03-26 5.4 Medium
The Event Manager and Tickets Selling Plugin for WooCommerce WordPress plugin before 3.8.0 does not validate and escape some of its post meta before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2022-4824 1 Essentialplugin 1 Wp Blog And Widget 2025-03-26 5.4 Medium
The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVE-2022-4577 1 Goldplugins 1 Easy Testimonials 2025-03-26 5.4 Medium
The Easy Testimonials WordPress plugin before 3.9.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVE-2022-48311 1 Hp 2 Deskjet 2540 A9u23b, Deskjet 2540 A9u23b Firmware 2025-03-26 9 Critical
**UNSUPPORTED WHEN ASSIGNED** Cross Site Scripting (XSS) in HP Deskjet 2540 series printer Firmware Version CEP1FN1418BR and Product Model Number A9U23B allows authenticated attacker to inject their own script into the page via HTTP configuration page. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2024-27680 1 Flusity 1 Flusity 2025-03-26 6.1 Medium
Flusity-CMS v2.33 is vulnerable to Cross Site Scripting (XSS) in the "Contact form."
CVE-2024-26279 1 Joomla 1 Joomla\! 2025-03-26 6.1 Medium
The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
CVE-2024-21729 1 Joomla 1 Joomla\! 2025-03-26 6.1 Medium
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
CVE-2023-0174 1 Rextheme 1 Wp Vr 2025-03-25 5.4 Medium
The WP VR WordPress plugin before 8.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2022-4838 1 Codection 1 Clean Login 2025-03-25 5.4 Medium
The Clean Login WordPress plugin before 1.13.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVE-2023-23849 1 Synopsys 1 Coverity 2025-03-25 8.1 High
Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability. Any web service hosted on the same sub domain can set a cookie for the whole subdomain which can be used to bypass other mitigations in place for malicious purposes. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C
CVE-2025-29782 1 Wegia 1 Wegia 2025-03-25 5.4 Medium
WeGIA is Web manager for charitable institutions A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_tipo_docs_atendido.php` endpoint in versions of the WeGIA application prior to 3.2.17. This vulnerability allows attackers to inject malicious scripts into the `tipo` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. Version 3.2.17 contains a patch for the issue.
CVE-2023-0599 1 Rapid7 1 Metasploit 2025-03-25 6.1 Medium
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization.  Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.
CVE-2024-26318 1 Serenity 1 Serenity 2025-03-25 6.1 Medium
Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.
CVE-2023-22849 1 Apache 1 Sling Cms 2025-03-25 6.1 Medium
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling App CMS >= 1.1.6