ReportizFlow
Filtered by vendor
Subscriptions
Total
44930 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-43804 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-11-07 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in Search widget in Liferay Portal 7.4.3.93 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_search_web_portlet_SearchPortlet_userId parameter. | ||||
| CVE-2025-63593 | 1 Getgrav | 2 Grav, Grav Cms | 2025-11-07 | 6.1 Medium |
| Grav CMS1.7.49.5 is vulnerable to Cross Site Scripting (XSS). | ||||
| CVE-2024-30145 | 1 Hcltech | 1 Domino Leap | 2025-11-07 | 6.5 Medium |
| Multiple vectors in HCL Domino Volt and Domino Leap allow client-side script injection in the authoring environment and deployed applications. | ||||
| CVE-2024-12020 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 6.1 Medium |
| There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability. Stealing the session cookie is not possible due to cookie security flags, however the XSS may be used to induce a victim to perform on-site requests without their knowledge. This vulnerability only affects LogicalDOC Enterprise. | ||||
| CVE-2025-62800 | 2 Fastmcp, Jlowin | 2 Fastmcp, Fastmcp | 2025-11-07 | 6.1 Medium |
| FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0. | ||||
| CVE-2025-5347 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-07 | 6.3 Medium |
| Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module. | ||||
| CVE-2025-5343 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2025-11-07 | 6.3 Medium |
| Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option. | ||||
| CVE-2024-29034 | 1 Carrierwave Project | 1 Carrierwave | 2025-11-07 | 6.8 Medium |
| CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. Upgrade to 3.0.7 or 2.2.6. | ||||
| CVE-2025-12546 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 3.5 Low |
| A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11946 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 3.5 Low |
| A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-3384 | 1 Redhat | 1 Quay | 2025-11-07 | 5.4 Medium |
| A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS). | ||||
| CVE-2025-26258 | 2 Remyandrade, Sourcecodester | 2 Employee Management System, Employee Management System | 2025-11-07 | 6.1 Medium |
| Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation.' | ||||
| CVE-2023-52292 | 1 Ibm | 1 Sterling File Gateway | 2025-11-07 | 6.4 Medium |
| IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-46786 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2025-11-06 | 4.3 Medium |
| Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to impact app integrity via network access. | ||||
| CVE-2025-2490 | 1 Ujcms | 1 Ujcms | 2025-11-06 | 2.4 Low |
| A vulnerability was found in Dromara ujcms 9.7.5. It has been rated as problematic. Affected by this issue is the function uploadZip/upload of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileUploadController.java of the component File Upload. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-36248 | 1 Ibm | 1 Copy Services Manager | 2025-11-06 | 6.1 Medium |
| IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-50574 | 2 Hiruna, Hirunaofficial | 2 Glamour Salon Management System, Glamour Salon Management System | 2025-11-06 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in blog-details.php in Hiruna Gallage's Glamour Salon Management System v1 allows remote attackers to inject arbitrary web script or HTML via the blog comment section parameter. | ||||
| CVE-2025-41681 | 1 Mbconnectline | 2 Mbnet.mini, Mbnet.mini Firmware | 2025-11-06 | 4.8 Medium |
| A high privileged remote attacker can gain persistent XSS via POST requests due to improper neutralization of special elements used to create dynamic content. | ||||
| CVE-2024-11491 | 1 115cms | 1 115cms | 2025-11-06 | 3.5 Low |
| A vulnerability was found in 115cms up to 20240807. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php/admin/web/useradmin.html. The manipulation of the argument ks leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-36172 | 1 Ibm | 1 Cloud Pak For Business Automation | 2025-11-05 | 6.4 Medium |
| IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||