ReportizFlow
Filtered by vendor
Subscriptions
Total
44865 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55056 | 2 Maxum, Maxum Development Corporation | 2 Rumpus, Rumpus Ftp Server | 2025-11-24 | 4.8 Medium |
| Multiple CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | ||||
| CVE-2025-13178 | 2 Bdtask, Codecanyon | 2 Saleserp, Saleserp | 2025-11-24 | 3.5 Low |
| A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-62731 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 4.8 Medium |
| SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint. This issue was fixed in version 1.55. | ||||
| CVE-2025-62729 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55. | ||||
| CVE-2025-62297 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page. This issue was fixed in version 1.55. | ||||
| CVE-2025-62296 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55. | ||||
| CVE-2025-62295 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55. | ||||
| CVE-2025-13180 | 1 Bdtask | 2 Wholesale, Wholesale Inventory Control And Inventory Management System | 2025-11-24 | 3.5 Low |
| A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /edit_profile. Performing manipulation of the argument first_name/last_name results in basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2609 | 1 Magnussolution | 1 Magnusbilling | 2025-11-22 | 8.2 High |
| Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is associated with program files protected/components/MagnusLog.Php. This issue affects MagnusBilling: through 7.3.0. | ||||
| CVE-2025-13186 | 1 Bdtask | 2 Isshue, Isshue Multi Store Ecommerce Shopping Cart Solution | 2025-11-22 | 2.4 Low |
| A weakness has been identified in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution up to 4.0. This impacts an unknown function of the file /dashboard/Ccustomer/manage_customer. This manipulation of the argument Search causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4760 | 1 Wso2 | 5 Api Control Plane, Api Manager, Carbon Api Management Api and 2 more | 2025-11-22 | 4.8 Medium |
| An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking. | ||||
| CVE-2025-41001 | 1 Soplanning | 1 Soplanning | 2025-11-22 | 5.4 Medium |
| Cross Site Scripting (XSS) vulnerability stored in SOPlanning v1.53.02, which consist of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'LOGOUT_REDIRECT' parameter in '/soplanning/www/process/options.php'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | ||||
| CVE-2025-47773 | 1 Combodo | 1 Itop | 2025-11-22 | 8.8 High |
| Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | ||||
| CVE-2025-47932 | 1 Combodo | 1 Itop | 2025-11-22 | 8.8 High |
| Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack. | ||||
| CVE-2025-48055 | 1 Combodo | 1 Itop | 2025-11-22 | 8.5 High |
| Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0. | ||||
| CVE-2025-48065 | 1 Combodo | 1 Itop | 2025-11-22 | 8.8 High |
| Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | ||||
| CVE-2025-13450 | 1 Oretnom23 | 1 Online Shop Project | 2025-11-21 | 3.5 Low |
| A vulnerability was determined in SourceCodester Online Shop Project 1.0. Impacted is an unknown function of the file /shop/register.php. This manipulation of the argument f_name causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-36153 | 1 Ibm | 1 Concert | 2025-11-21 | 6.1 Medium |
| IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-34080 | 1 Contec | 1 Conprosys Hmi System | 2025-11-21 | 6.1 Medium |
| The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7. | ||||
| CVE-2025-64176 | 2 Matiasdesuu, Thinkdashboard Project | 2 Thinkdashboard, Thinkdashboard | 2025-11-21 | 5.3 Medium |
| ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip file to bypass the client-side file-type verification. This could lead to stored XSS, or be used for other nefarious purposes such as malware distribution. This issue is fixed in version 0.6.8. | ||||