5042 matches found
CVE-2025-27444 Extension - rsjoomla.com - A reflected XSS vulnerability RSform!Pro component 3.0.0 - 3.3.13 for Joomla
A reflected XSS vulnerability in RSform!Pro component 3.0.0 - 3.3.13 for Joomla was discovered. The issue arises from the improper handling of the filterdateFrom GET parameter, which is reflected unescaped in the administrative backend interface. This allows an authenticated attacker with admin o...
CVE-2025-27444 Extension - rsjoomla.com - A reflected XSS vulnerability RSform!Pro component 3.0.0 - 3.3.13 for Joomla
A reflected XSS vulnerability in RSform!Pro component 3.0.0 - 3.3.13 for Joomla was discovered. The issue arises from the improper handling of the filterdateFrom GET parameter, which is reflected unescaped in the administrative backend interface. This allows an authenticated attacker with admin o...
CVE-2024-8008
CVE-2024-8008 is a reflected Cross-Site Scripting (XSS) vulnerability in multiple WSO2 products caused by insufficient output encoding in error messages from the JDBC user store connection validation request. An attacker can craft a request payload that triggers JavaScript execution in the victim...
CVE-2024-40114
A Cross Site Scripting XSS vulnerability in Sitecom WLX-2006 Wall Mount Range Extender N300 v1.5 and before allows an attacker to manipulate the language cookie to inject malicious JavaScript code...
CVE-2024-40114
A Cross Site Scripting XSS vulnerability in Sitecom WLX-2006 Wall Mount Range Extender N300 v1.5 and before allows an attacker to manipulate the language cookie to inject malicious JavaScript code...
CVE-2025-48495
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior to version 2.0.0,...
CVE-2025-47289
CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting XSS vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner admin...
CVE-2025-48495 Gokapi has stored XSS vulnerability in friendly name for API keys
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior to version 2.0.0,...
CVE-2025-47289 Stored XSS in CE Phoenix Cart Testimonials Allows Account Takeover if Missing HttpOnly Flag
CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting XSS vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner admin...
CVE-2025-47289
Summary: CVE-2025-47289 is a stored XSS in CE Phoenix (versions 1.0.9.9–1.1.0.2) where an attacker can inject JavaScript into the testimonial description. When an admin approves the testimonial, the script runs in the context of any visiting user, and cookies may be exfiltrated because they are n...
Gokapi 安全漏洞
Gokapi is a lightweight, self-hosted Firefox sending alternative from Marc Bulling Personal Developer. A security vulnerability exists in Gokapi versions prior to 2.0.0, which stems from a cross-site scripting attack that may result from the injection of JavaScript code when renaming API key...
CVE-2024-40114
A Cross Site Scripting XSS vulnerability in Sitecom WLX-2006 Wall Mount Range Extender N300 v1.5 and before allows an attacker to manipulate the language cookie to inject malicious JavaScript code...
CVE-2025-48875
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of lastname and firstname during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted...
CVE-2025-48875
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of lastname and firstname during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted...
CVE-2025-48875 FreeScout Vulnerable to Stored XSS
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of lastname and firstname during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flesh-message when the data is deleted...
PT-2025-23423 · Ibm · Ibm Planning Analytics Local
Name of the Vulnerable Software and Affected Versions: IBM Planning Analytics Local versions 2.0 through 2.1 Description: The issue allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure...
U.S. Dept Of Defense: Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ███████
A Cross-Site Scripting XSS vulnerability was identified in an ASP.NET web application. The issue arose from improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the conte...
U.S. Dept Of Defense: Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ████
A Cross-Site Scripting XSS vulnerability was identified in an ASP.NET web application. The issue was caused by improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the...
CVE-2025-31501
Best Practical RT Request Tracker 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink...
CVE-2025-31500
Best Practical RT Request Tracker 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name...