ReportizFlow
Filtered by vendor
Subscriptions
Total
39057 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-61769 | 1 Emlog | 1 Emlog | 2025-10-08 | N/A |
| Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including version 2.5.22 allows authenticated remote attackers to inject arbitrary web script or HTML via the file upload functionality. As an authenticated user it is possible to upload .svg file that contains JavaScript code that is later being executed. Commit 052f9c4226b2c0014bcd857fec47677340b185b1 fixes the issue. | ||||
| CVE-2025-40649 | 1 Bbmri-eric | 1 Negotiator | 2025-10-08 | N/A |
| Stored Cross-Site Scripting (XSS) in Biobanking and Biomolecular Resources Negotiator v3.15.2 - European Research Infrastructure (BBMRI-ERIC), consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request using parameter text in '/api/v3/negotiations/<postUID>/posts'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | ||||
| CVE-2025-43824 | 1 Liferay | 2 Dxp, Portal | 2025-10-08 | N/A |
| The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows remote authenticated users to change the file extension when a vCard file is downloaded. | ||||
| CVE-2025-11390 | 1 Phpgurukul | 1 Cyber Cafe Management System | 2025-10-08 | 4.3 Medium |
| A weakness has been identified in PHPGurukul Cyber Cafe Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /search.php of the component POST Parameter Handler. Executing manipulation of the argument searchdata can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-25009 | 1 Elastic | 1 Kibana | 2025-10-08 | 8.7 High |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. | ||||
| CVE-2025-61998 | 1 Opexus | 1 Foiaxpress | 2025-10-08 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-61999 | 1 Opexus | 1 Foiaxpress | 2025-10-08 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-11421 | 1 Code-projects | 1 Voting System | 2025-10-08 | 3.5 Low |
| A flaw has been found in code-projects Voting System 1.0. The affected element is an unknown function of the file /admin/candidates_edit.php. This manipulation of the argument Firstname/Lastname/Platform causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. | ||||
| CVE-2025-43823 | 1 Liferay | 2 Dxp, Portal | 2025-10-08 | N/A |
| Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field. | ||||
| CVE-2025-61996 | 1 Opexus | 1 Foiaxpress | 2025-10-08 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-61997 | 1 Opexus | 1 Foiaxpress | 2025-10-08 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-43821 | 2025-10-08 | N/A | ||
| Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field. | ||||
| CVE-2025-27915 | 1 Zimbra | 1 Collaboration | 2025-10-08 | 5.4 Medium |
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration. | ||||
| CVE-2024-5420 | 1 Seh | 3 Inu-100, Utnserver Pro, Utnserver Promax | 2025-10-08 | N/A |
| Missing input validation in the SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below. | ||||
| CVE-2025-11437 | 2025-10-08 | 2.4 Low | ||
| A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector. | ||||
| CVE-2025-11435 | 2025-10-08 | 4.3 Medium | ||
| A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch. | ||||
| CVE-2025-11433 | 2025-10-08 | 3.5 Low | ||
| A security flaw has been discovered in itsourcecode Leave Management System 1.0. This impacts the function redirect of the file /module/employee/controller.php?action=reset of the component Query Parameter Handler. Performing manipulation of the argument ID results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-50938 | 1 Hustoj | 1 Hustoj | 2025-10-08 | 6.1 Medium |
| Cross site scripting (XSS) vulnerability in Hustoj 2025-01-31 via the TID parameter to thread.php. | ||||
| CVE-2025-26791 | 2 Cure53, Redhat | 6 Dompurify, Ansible Automation Platform, Network Observ Optr and 3 more | 2025-10-07 | 4.5 Medium |
| DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS). | ||||
| CVE-2025-0706 | 1 Joeybling | 1 Bootplus | 2025-10-07 | 2.4 Low |
| A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/sys/admin.html. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | ||||