| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote characters allowing an attacker to break out of the href attribute and inject arbitrary JavaScript event handlers. Any authenticated user with the EditRecords role can store the payload in a person's Facebook field. The XSS fires against any user who views that person's profile page, including administrators, enabling session hijacking and full account takeover. This vulnerability is fixed in 7.1.0. |
| MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators validate the download in downloads.php. |
| MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment. |
| ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0. |
| ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0. |
| ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields are abused. This vulnerability is fixed in 7.1.0. |
| ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user, including administrators, views the attacker's profile, their session cookies are exfiltrated to a remote server. This vulnerability is fixed in 7.1.0. |
| A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions:
QuFTP Service 1.4.3 and later
QuFTP Service 1.5.2 and later
QuFTP Service 1.6.2 and later |
| LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 15.10 to before 27.0.3 and 28.0.1, there is a potential for a cross-site scripting attack in the survey_accounts module if a user provides an invalid visit label. While the data is properly JSON encoded, the Content-Type header is not set causing the web browser to interpret the payload as HTML, opening the possibility of a cross-site scripting if a user is tricked into following an invalid link. This vulnerability is fixed in 27.0.3 and 28.0.1. |
| A vulnerability was identified in projectworlds Lawyer Management System 1.0. This issue affects some unknown processing of the file /lawyers.php. The manipulation of the argument first_Name leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. |
| Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary <style> tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the <style> tag, causing the backend to persist and serve unsanitized CSS payloads via the API. Any client consuming instructions_markdown from the API and rendering it as HTML without additional sanitization will execute attacker-controlled CSS — enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. This vulnerability is fixed in 2.6.4. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca Custom Query Blocks post-type-archive-mapping allows DOM-Based XSS.This issue affects Custom Query Blocks: from n/a through <= 5.5.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.38. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.6. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh Kohlbach Advanced Coupons for WooCommerce Coupons advanced-coupons-for-woocommerce-free allows DOM-Based XSS.This issue affects Advanced Coupons for WooCommerce Coupons: from n/a through <= 4.7.1.1. |
| Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3. |
| A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. |
| A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user. |
| Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link. |
| WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials. |
