Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-10040 | 2025-11-04 | N/A | N/A | ||
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2024-13993 | 2025-11-04 | N/A | N/A | ||
| Nagios XI versions prior to < 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim’s browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors. | |||||
| CVE-2013-10071 | 2025-11-04 | N/A | N/A | ||
| Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2022-50585 | 2025-11-04 | N/A | N/A | ||
| The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.7 / Nagios XI 5.8.9 contains a cross-site scripting (XSS) vulnerability via the Audit Log page search input. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2025-56313 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
| A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 (inclusive). This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an authenticated admin user accesses the study's URL, the malicious script gets interpreted and executes within their browser, which can lead to unauthorized actions, account compromise, and privilege escalation. | |||||
| CVE-2023-7313 | 2025-11-04 | N/A | N/A | ||
| Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bulk Modifications tool. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2024-58272 | 2025-11-04 | N/A | N/A | ||
| Nagios Log Server versions prior to 2024R1 contain a stored cross-site scripting (XSS) vulnerability where an attacker-supplied username containing JavaScript is stored and later rendered without proper encoding/escaping in admin or user-facing pages. When an authenticated victim loads the affected page, the browser executes the injected script in the victim's context. | |||||
| CVE-2017-20209 | 2025-11-04 | N/A | N/A | ||
| Nagios Fusion versions prior to 4.0.1 are vulnerable to cross-site scripting (XSS) via the Users and Servers pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2024-14001 | 2025-11-04 | N/A | N/A | ||
| Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Executive Summary Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2023-7312 | 2025-11-04 | N/A | N/A | ||
| Nagios Fusion versions prior to 4.2.0 contain a stored cross-site scripting (XSS) vulnerability when adding or configuring Email Settings. Unsanitized user input can be stored and later rendered in the administrative UI, causing JavaScript to execute in the browser of any user who views the affected page. An attacker who can add or modify SMTP/email settings or manipulate the sendmail configuration fields could persist a malicious payload that executes in the context of other users' browsers. | |||||
| CVE-2023-7321 | 2025-11-04 | N/A | N/A | ||
| Nagios Log Server versions prior to 2.1.14 are vulnerable to cross-site scripting (XSS) via the Snapshots Page. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim’s browser within the application origin. | |||||
| CVE-2025-11806 | 2025-11-04 | N/A | 6.4 MEDIUM | ||
| The Qzzr Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'qzzr' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'quiz' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2021-47695 | 2025-11-04 | N/A | N/A | ||
| Nagios XI versions prior to 5.8.0 are vulnerable to stored cross-site scripting (XSS) via the My Tools page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||||
| CVE-2025-62265 | 2025-11-04 | N/A | N/A | ||
| Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's “Content” text field The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page. | |||||
| CVE-2025-61427 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
| A reflected cross-site scripting (XSS) vulnerability in BEO GmbH BEO Atlas Einfuhr Ausfuhr 3.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the userid and password parameters. | |||||
| CVE-2025-64365 | 2025-11-04 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in colabrio Ohio Extra ohio-extra allows DOM-Based XSS.This issue affects Ohio Extra: from n/a through <= 3.6.0. | |||||
| CVE-2025-63443 | 2025-11-04 | N/A | 5.4 MEDIUM | ||
| School Management System PHP v1.0 is vulnerable to Cross Site Scripting (XSS) in /login.php via the password parameter. | |||||
| CVE-2025-11922 | 2025-11-04 | N/A | 6.4 MEDIUM | ||
| The Inactive Logout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ina_redirect_page_individual_user' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-12090 | 2025-11-04 | N/A | 6.4 MEDIUM | ||
| The Employee Spotlight – Team Member Showcase & Meet the Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social URLs in all versions up to, and including, 5.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-12118 | 2025-11-04 | N/A | 6.4 MEDIUM | ||
| The Schema Scalpel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping when outputting user-supplied data into JSON-LD schema markup. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||