ReportizFlow
Filtered by vendor
Subscriptions
Total
45092 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11107 | 1 Bowo | 1 System Dashboard | 2025-05-17 | 6.1 Medium |
| The System Dashboard WordPress plugin before 2.8.15 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks. | ||||
| CVE-2024-10893 | 1 Wpbookingcalendar | 1 Wp Booking Calendar | 2025-05-17 | 4.8 Medium |
| The WP Booking Calendar WordPress plugin before 10.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-9934 | 2 Aueda, Silkypress | 2 Wp-imagezoom, Wp Image Zoom | 2025-05-17 | 6.1 Medium |
| The Wp-ImageZoom WordPress plugin through 1.1.0 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-5429 | 1 Logichunt | 1 Logo Slider | 2025-05-17 | 7.6 High |
| The Logo Slider WordPress plugin before 4.1.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-7891 | 2 Christoph Nagel, Just-a-web-developer | 2 Floating Contact Button, Floating Contact Button | 2025-05-16 | 4.8 Medium |
| The Floating Contact Button WordPress plugin before 2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | ||||
| CVE-2024-7955 | 1 Squirrly | 1 Starbox | 2025-05-16 | 4.8 Medium |
| The Starbox WordPress plugin before 3.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-7846 | 1 Yithemes | 1 Yith Woocommerce Ajax Search | 2025-05-16 | 5.4 Medium |
| YITH WooCommerce Ajax Search is vulnerable to a XSS vulnerability due to insufficient sanitization of user supplied block attributes. This makes it possible for Contributors+ attackers to inject arbitrary scripts. | ||||
| CVE-2025-4547 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-05-16 | 2.4 Low |
| A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Add User Page. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Multiple parameters might be affected. | ||||
| CVE-2024-0283 | 1 Kashipara | 1 Food Management System | 2025-05-16 | 3.5 Low |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file party_details.php. The manipulation of the argument party_name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249838 is the identifier assigned to this vulnerability. | ||||
| CVE-2025-0787 | 1 Esafenet | 1 Cdg | 2025-05-16 | 3.5 Low |
| A vulnerability was found in ESAFENET CDG V5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /appDetail.jsp. The manipulation of the argument curpage leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-0785 | 1 Esafenet | 1 Cdg | 2025-05-16 | 3.5 Low |
| A vulnerability was found in ESAFENET CDG V5 and classified as problematic. This issue affects some unknown processing of the file /SysConfig.jsp. The manipulation of the argument help leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-26493 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | 4.6 Medium |
| In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab | ||||
| CVE-2025-31140 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | 4.6 Medium |
| In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page | ||||
| CVE-2025-46618 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | 3.5 Low |
| In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab | ||||
| CVE-2024-26152 | 1 Humansignal | 1 Label Studio | 2025-05-16 | 4.7 Medium |
| ### Summary On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability. ### Details Need permission to use the "data import" function. This was reproduced on Label Studio 1.10.1. ### PoC 1. Create a project.  2. Upload a file containing the payload using the "Upload Files" function.   The following are the contents of the files used in the PoC ``` { "data": { "prompt": "labelstudio universe image", "images": [ { "value": "id123#0", "style": "margin: 5px", "html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>" } ] } } ``` 3. Select the text-to-image generation labeling template of Ranking and scoring   4. Select a task  5. Check that the script is running  ### Impact Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering. | ||||
| CVE-2022-34021 | 1 Resiot | 1 Iot Platform And Lorawan Network Server | 2025-05-16 | 5.4 Medium |
| Multiple Cross Site Scripting (XSS) vulnerabilities in ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 via the form fields. | ||||
| CVE-2025-22466 | 1 Ivanti | 1 Endpoint Manager | 2025-05-16 | 8.2 High |
| Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. | ||||
| CVE-2025-22465 | 1 Ivanti | 1 Endpoint Manager | 2025-05-16 | 6.1 Medium |
| Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required. | ||||
| CVE-2024-5744 | 1 Tipsandtricks-hq | 1 Wp Emember | 2025-05-16 | 6.8 Medium |
| The wp-eMember WordPress plugin before 10.6.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | ||||
| CVE-2024-6070 | 1 If-so | 1 If-so | 2025-05-16 | 4.8 Medium |
| The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||