221 matches found

RedhatCVE
added 2025/05/23 4:15 a.m., 6 views

CVE-2023-41103

Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) attacks in several locations, allowing an attacker to store a JavaScript payload...

CVSS 5.4 | AI score 5.8 | EPSS 0.00098
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/22 7:22 p.m., 5 views

CVE-2021-24445

The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting...

CVSS 5.5 | AI score 5.6 | EPSS 0.00359
Exploits: 2 | References: 1
RedhatCVE
added 2025/05/22 7:21 p.m., 4 views

CVE-2021-24421

The WP JobSearch WordPress plugin before 1.7.4 did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue...

CVSS 5.4 | AI score 5.9 | EPSS 0.0018
Exploits: 2 | References: 1
RedhatCVE
added 2025/05/22 6:23 p.m., 4 views

CVE-2021-24440

The Sign-up Sheets WordPress plugin before 1.0.14 did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the 'All Sheets' page in...

CVSS 4.8 | AI score 5.8 | EPSS 0.00186
Exploits: 2 | References: 1
CVE
added 2025/05/22 5:28 p.m., 55 views

CVE-2025-48366

GroupOffice (Intermesh BV) contains a stored blind XSS in the user profile Phone Number field, exploitable prior to versions 6.8.119 and 25.0.20. The payload can persist and execute when other users view the Address Book, enabling actions like forced redirects and unauthorized fetches. Versions 6...

CVSS 7.9 | AI score 5.8 | EPSS 0.00229
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/05/22 5:28 p.m., 6 views

CVE-2025-48366 GroupOffice's Blind Stored XSS in Phone Number Field Enables Forced Redirect and Unauthorized Actions

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a stored and blind XSS vulnerability exists in the Phone Number field of the user profile within the GroupOffice application. This allows a malicious actor to inject persisten...

CVSS 7.9 | AI score 5.8 | EPSS 0.00229
Exploits: 0 | References: 1
OSV
added 2025/05/22 5:28 p.m., 1 views

CVE-2025-48366 GroupOffice's Blind Stored XSS in Phone Number Field Enables Forced Redirect and Unauthorized Actions

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a stored and blind XSS vulnerability exists in the Phone Number field of the user profile within the GroupOffice application. This allows a malicious actor to inject persisten...

CVSS 7.9 | AI score 6.2 | EPSS 0.00229
Exploits: 0 | References: 3
NVD
added 2025/05/21 5:15 p.m., 7 views

CVE-2025-45754

A stored cross-site scripting (XSS) vulnerability exists in SeedDMS 6.0.32. This vulnerability allows an attacker to inject malicious JavaScript payloads by creating a document with an XSS payload as the document name...

CVSS 5.4 | EPSS 0.0014
Exploits: 1 | References: 1
Veracode
added 2025/05/08 3:1 a.m., 6 views

Cross-Site Scripting (XSS)

yeswiki/yeswiki is vulnerable to stored cross-site scripting (XSS). The vulnerability is due to improper input sanitization in the comments feature, allowing obfuscated JavaScript payloads to bypass filters and execute in users' browsers...

CVSS 6.3 | AI score 6 | EPSS 0.00268
Exploits: 1 | References: 4 | Affected Software: 1
RedhatCVE
added 2025/05/01 4:26 p.m., 14 views

CVE-2025-46346

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user...

CVSS 6.3 | AI score 5.1 | EPSS 0.00268
Exploits: 1 | References: 1
NVD
added 2025/04/29 4:15 p.m., 9 views

CVE-2025-46346

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user...

CVSS 6.3 | EPSS 0.00268
Exploits: 1 | References: 2
Cvelist
added 2025/04/29 3:36 p.m., 12 views

CVE-2025-46346 YesWiki Vulnerable to Stored XSS in Comments

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user...

CVSS 6.3 | EPSS 0.00268
Exploits: 1 | References: 2
Github Security Blog
added 2025/04/29 2:49 p.m., 13 views

YesWiki Stored XSS Vulnerability in Comments

Summary: A stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment. The XSS occurs because the...

CVSS 6.3 | AI score 5 | EPSS 0.00268
Exploits: 1 | References: 4 | Affected Software: 1
Positive Technologies
added 2025/04/29 12:0 a.m., 2 views

PT-2025-18180 · Yeswiki · Yeswiki

Name of the Vulnerable Software and Affected Versions: YesWiki versions prior to 4.5.4. Description: A stored cross-site scripting (XSS) issue was found in the comments feature of YesWiki, a wiki system written in PHP. This issue allows a malicious actor to inject JavaScript payloads that are stored...

CVSS 6.3 | AI score 4.9 | EPSS 0.00268
Exploits: 1 | References: 10
RedhatCVE
added 2025/04/04 12:33 a.m., 17 views

CVE-2025-30090

mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true...

CVSS 7.2 | AI score 6 | EPSS 0.00283
Exploits: 0 | References: 1
CVE
added 2025/04/02 12:0 a.m., 48 views

CVE-2025-30090

CVE-2025-30090 affects SquirrelMail mime.php in versions up to 1.4.23-svn-20250401 and 1.5.x up to 1.5.2-svn-20250401, enabling cross-site scripting via email headers after $encoded is set to true. The provided documents describe the vulnerable component and the weak handling in headers, with no ...

CVSS 7.2 | AI score 6 | EPSS 0.00283
Exploits: 0 | References: 2
Vulnrichment
added 2025/03/20 10:10 a.m., 5 views

CVE-2024-12870 Stored Cross-site Scripting (XSS) in infiniflow/ragflow

A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch cec2080. The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' conten...

CVSS 5.4 | AI score 5.5 | EPSS 0.00353
Exploits: 0 | References: 1
RedhatCVE
added 2025/02/26 12:28 a.m., 6 views

CVE-2025-25460

A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which are executed when other users view the posts. The issue arises due to...

CVSS 4.8 | AI score 5.3 | EPSS 0.02005
Exploits: 1 | References: 1
RedhatCVE
added 2025/02/14 3:5 a.m., 5 views

CVE-2024-28277

In Sourcecodester School Task Manager v1.0, a vulnerability was identified within the subjectname= parameter, enabling Stored Cross-Site Scripting (XSS) attacks. This vulnerability allows attackers to manipulate the subject's name, potentially leading to the execution of malicious JavaScript payloa...

CVSS 6.1 | AI score 5.7 | EPSS 0.00533
Exploits: 0 | References: 1
RedhatCVE
added 2025/02/13 1:49 a.m., 4 views

CVE-2025-0054

SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a JavaScript payload on the server, which could be later executed in the victim's web...

CVSS 5.4 | AI score 5.6 | EPSS 0.00102
Exploits: 1 | References: 1