| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions. |
| Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions. |
| Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions. |
| Unauthenticated Cross Site Scripting (XSS) in collectchat <= 2.4.9 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WPJobster <= 6.3.5 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Skillate <= 1.2.10 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Auto Repair <= 22.6 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Sonaar <= 4.27.4 versions. |
| Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions. |
| Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. |
| An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction. |
| Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. |
| A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module. |
| Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add. |
| An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload. |
| CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern /image\/svg+xml/, in which + is treated as a quantifier rather than a literal character and therefore never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a \A anchor. Other content types containing regex metacharacters, such as application/xhtml+xml, are affected as well. As a result, any application that relies on content_type_denylist to block image/svg+xml, most commonly to prevent stored XSS, is silently unprotected. An attacker can upload an SVG file containing arbitrary JavaScript; if the application serves that SVG inline from its own origin, the script executes in the victim's browser, resulting in stored XSS. This issue has been fixed in versions 2.2.7 and 3.1.3. |
