Total
39744 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-41708 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-11-04 | 5.4 Medium |
| References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. Please deploy the provided updates and patch releases. References to apps are now controlled more strict to avoid relative references. No publicly available exploits are known. | ||||
| CVE-2023-41704 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-11-04 | 7.1 High |
| Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected to a users sessions when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handing has been improved and resulting content is checked for malicious content. No publicly available exploits are known. | ||||
| CVE-2023-41703 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-11-04 | 6.1 Medium |
| User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are now filtered to avoid potentially malicious content. No publicly available exploits are known. | ||||
| CVE-2023-29052 | 1 Open-xchange | 1 Ox App Suite | 2025-11-04 | 5.4 Medium |
| Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known. | ||||
| CVE-2025-2977 | 1 Gfi | 1 Kerio Connect | 2025-11-04 | 3.5 Low |
| A vulnerability was found in GFI KerioConnect 10.0.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12045 | 2 Themeisle, Wordpress | 2 Orbit Fox, Wordpress | 2025-11-04 | 6.4 Medium |
| The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-30166 | 1 Pimcore | 1 Admin Classic Bundle | 2025-11-04 | 4.8 Medium |
| Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content. The vulnerability was discovered in the /admin/email/send-test-email endpoint using the POST method. The vulnerable parameter is content, which permits the injection of arbitrary HTML code during the email sending process. While JavaScript code injection is blocked through filtering, HTML code injection remains possible. This vulnerability is fixed in 1.7.6. | ||||
| CVE-2025-29790 | 1 Contao | 1 Contao | 2025-11-04 | 5.4 Medium |
| Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6. | ||||
| CVE-2024-40785 | 1 Apple | 7 Ipados, Iphone Os, Macos and 4 more | 2025-11-04 | 6.1 Medium |
| This issue was addressed with improved checks. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to a cross site scripting attack. | ||||
| CVE-2024-34507 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2025-11-04 | 7.4 High |
| An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. XSS can occur because of mishandling of the 0x1b character, as demonstrated by Special:RecentChanges#%1b0000000. | ||||
| CVE-2024-34500 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2025-11-04 | 6.1 Medium |
| An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class. | ||||
| CVE-2024-34481 | 2 Drupal, Kontextwork | 2 Wiki, Drupal Wiki | 2025-11-04 | 6.1 Medium |
| drupal-wiki.com Drupal Wiki before 8.31.1 allows XSS via comments, captions, and image titles of a Wiki page. | ||||
| CVE-2024-32484 | 1 Ankitects | 1 Anki | 2025-11-04 | 7.4 High |
| An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability. | ||||
| CVE-2024-27838 | 2 Apple, Redhat | 9 Ipados, Iphone Os, Macos and 6 more | 2025-11-04 | 6.5 Medium |
| The issue was addressed by adding additional logic. This issue is fixed in tvOS 17.5, iOS 16.7.8 and iPadOS 16.7.8, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. A maliciously crafted webpage may be able to fingerprint the user. | ||||
| CVE-2023-51704 | 1 Mediawiki | 1 Mediawiki | 2025-11-04 | 6.1 Medium |
| An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights. | ||||
| CVE-2023-49111 | 1 Kiuwan | 1 Sast | 2025-11-04 | 6.5 Medium |
| For Kiuwan installations with SSO (single sign-on) enabled, an unauthenticated reflected cross-site scripting attack can be performed on the login page "login.html". This is possible due to the request parameter "message" values being directly included in a JavaScript block in the response. This is especially critical in business environments using AD SSO authentication, e.g. via ADFS, where attackers could potentially steal AD passwords. This issue affects Kiuwan SAST: <master.1808.p685.q13371 | ||||
| CVE-2023-45360 | 1 Mediawiki | 1 Mediawiki | 2025-11-04 | 5.4 Medium |
| An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. | ||||
| CVE-2020-11926 | 1 Luvion | 1 Grand Elite 3 Connect | 2025-11-04 | 7.5 High |
| An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Clients can authenticate themselves to the device using a username and password. These credentials can be obtained through an unauthenticated web request, e.g., for a JavaScript file. Also, the disclosed information includes the SSID and WPA2 key for the Wi-Fi network the device is connected to. | ||||
| CVE-2025-43440 | 1 Apple | 7 Ios, Ipados, Iphone Os and 4 more | 2025-11-04 | 6.5 Medium |
| This issue was addressed with improved checks This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash. | ||||
| CVE-2025-0708 | 1 Fumiao | 1 Opencms | 2025-11-04 | 3.5 Low |
| A vulnerability was found in fumiao opencms 2.2. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/model/addOrUpdate of the component Add Model Management Page. The manipulation of the argument 模板前缀 leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||