CVE-2025-48875 FreeScout Vulnerable to Stored XSS

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of lastname and firstname during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted...

CVE-2025-48875 FreeScout Vulnerable to Stored XSS

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of lastname and firstname during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted...

CVE-2025-48875

CVE-2025-48875 affects FreeScout prior to version 1.8.181, where incorrect validation of last_name and first_name during profile data updates enables injection of arbitrary JavaScript. The attacker could trigger XSS when the affected data is deleted (described as a flesh-message in some sources)....

PT-2025-23424 · Ibm · Ibm Planning Analytics Local

Name of the Vulnerable Software and Affected Versions: IBM Planning Analytics Local versions 2.0 through 2.1 Description: The issue allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure...

CVE-2025-40651

Reflected Cross-Site Scripting XSS vulnerability in Real Easy Store. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the keyword parameter in /index.php?a=search. This vulnerability can be exploited to steal...

CVE-2024-45094

IBM DS8900F and DS8A00 Hardware Management Console HMC is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2025-23392 Reflected XSS in SystemsController.java in spacewalk-java

A Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in spacewalk-java allows execution of arbitrary Javascript code on target systems.This issue affects Container suse/manager/5.0/x8664/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container...

Cross-Site Scripting (XSS)

clickstorm/cs-seo is vulnerable to cross-site scripting XSS. The vulnerability is due to improper handling of data in the JSON-LD output, allows an attacker to execute arbitrary JavaScript code in the context of the affected TYPO3 backend session...

CVE-2025-32794

OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting XSS vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system ...

CVE-2025-48368

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting XSS vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim'...

CVE-2025-22388

An issue was discovered in Optimizely EPiServer.CMS.Core before 12.22.0. A high-severity Stored Cross-Site Scripting XSS vulnerability exists in the CMS, allowing malicious actors to inject and execute arbitrary JavaScript code, potentially compromising user data, escalating privileges, or...

CVE-2024-45071

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVE-2024-48120

X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting XSS in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list...

CVE-2024-23729

The ColorOS Internet Browser com.heytap.browser application 45.10.3.4.1 for Android allows a remote attacker to execute arbitrary JavaScript code via the com.android.browser.RealBrowserActivity component...

CVE-2024-40690

IBM InfoSphere Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 29772...

CVE-2024-27270

IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in a specially crafted URI. IBM X-Force ID: 284576...

CVE-2024-23724

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view th...

CVE-2024-35153

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM...

CVE-2024-47117

IBM Carbon Design System Carbon Charts 0.4.0 through 1.13.16 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...

CVE-2024-32733

Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or modify...