Total
39847 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10711 | 1 07fly | 3 07fly-cms, 07flycms, 07flycrm | 2025-09-22 | 4.3 Medium |
| A vulnerability has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This vulnerability affects unknown code of the file /index.php/sysmanage/Login. Such manipulation of the argument Name leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2021-42083 | 3 Linux, Microsoft, Osnexus | 3 Linux Kernel, Windows, Quantastor | 2025-09-22 | 8.7 High |
| An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a webhook with the URL/service token value ' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters) * click add * click apply * create a test alert * The test alert will run the command “id | tee /tmp/ttttttddddssss” as root. * after the test alert inspect /tmp/ttttttddddssss it'll contain the ids of the root user. | ||||
| CVE-2021-42080 | 1 Osnexus | 1 Quantastor | 2025-09-22 | 7.4 High |
| An attacker is able to launch a Reflected XSS attack using a crafted URL. POC: Visit the following URL https://<IPADDRESS>:8153/qstorapi/echo?inputMessage=<img%20src=x%20onerror=alert(document.cookie)> | ||||
| CVE-2024-32770 | 1 Qnap | 1 Photo Station | 2025-09-20 | 6.3 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow remote attackers who have gained user access to inject malicious code. We have already fixed the vulnerability in the following version: Photo Station 6.4.3 ( 2024/07/12 ) and later | ||||
| CVE-2024-32767 | 1 Qnap | 1 Photo Station | 2025-09-20 | 6.3 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow remote attackers who have gained user access to inject malicious code. We have already fixed the vulnerability in the following version: Photo Station 6.4.3 ( 2024/07/12 ) and later | ||||
| CVE-2024-32768 | 1 Qnap | 1 Photo Station | 2025-09-20 | 6.3 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow remote attackers who have gained user access to inject malicious code. We have already fixed the vulnerability in the following version: Photo Station 6.4.3 ( 2024/07/12 ) and later | ||||
| CVE-2024-32769 | 1 Qnap | 1 Photo Station | 2025-09-20 | 6.3 Medium |
| A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow remote attackers who have gained user access to inject malicious code. We have already fixed the vulnerability in the following version: Photo Station 6.4.3 ( 2024/07/12 ) and later | ||||
| CVE-2025-51534 | 2 Austrian Archaeological Institute, Craws | 2 Openatlas, Openatlas | 2025-09-20 | 8.1 High |
| A cross-site scripting (XSS) vulnerability in Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field. | ||||
| CVE-2025-55834 | 2 Huayi-tec, Jeewms | 2 Jeewms, Jeewms | 2025-09-20 | 6.1 Medium |
| A Cross Site Scripting vulnerability in JeeWMS v.3.7 and before allows a remote attacker to obtain sensitive information via the logController.do component | ||||
| CVE-2025-56252 | 1 Pathinfotech | 1 Servitiumcrm | 2025-09-20 | 6.1 Medium |
| Cross Site Scripting (xss) vulnerability in ServitiumCRM 2.10 allowing attackers to execute arbitrary code via a crafted URL to the mobile parameter. | ||||
| CVE-2025-10614 | 2 Emiloi, Itsourcecode | 2 E-logbook With Health Monitoring System For Covid-19, E-logbook With Health Monitoring System For Covid-19 | 2025-09-20 | 4.3 Medium |
| A vulnerability was determined in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0 on COVID. This affects an unknown function of the file /print_reports_prev.php. Executing manipulation of the argument profile_id can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-10631 | 2 Facebook-riares, Itsourcecode | 2 Online Petshop Management System, Online Petshop Management System | 2025-09-20 | 3.5 Low |
| A vulnerability was identified in itsourcecode Online Petshop Management System 1.0. Impacted is an unknown function of the file addcnp.php of the component Available Products Page. The manipulation of the argument name/description leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-10632 | 2 Facebook-riares, Itsourcecode | 2 Online Petshop Management System, Online Petshop Management System | 2025-09-20 | 3.5 Low |
| A security flaw has been discovered in itsourcecode Online Petshop Management System 1.0. The affected element is an unknown function of the file availableframe.php of the component Admin Dashboard. The manipulation of the argument name/address results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2024-56156 | 1 Halo | 1 Halo | 2025-09-19 | 9.0 Critical |
| Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13. | ||||
| CVE-2025-27145 | 1 9001 | 1 Copyparty | 2025-09-19 | 3.6 Low |
| copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes). Note that, as a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in `<script>` tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened. Version 1.16.15 contains a fix. | ||||
| CVE-2024-42412 | 1 Elecom | 4 Wab-i1750-ps, Wab-i1750-ps Firmware, Wab-s1167-ps and 1 more | 2025-09-19 | 6.1 Medium |
| Cross-site scripting vulnerability exists in ELECOM wireless access points due to improper processing of input values in menu.cgi. If a user views a malicious web page while logged in to the product, an arbitrary script may be executed on the user's web browser. | ||||
| CVE-2022-35664 | 1 Adobe | 1 Experience Manager | 2025-09-19 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM. | ||||
| CVE-2023-48624 | 1 Adobe | 1 Experience Manager | 2025-09-19 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | ||||
| CVE-2023-48623 | 1 Adobe | 1 Experience Manager | 2025-09-19 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. | ||||
| CVE-2023-48620 | 1 Adobe | 1 Experience Manager | 2025-09-19 | 5.4 Medium |
| Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | ||||