Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-24390 | 1 Wesecur | 1 Wesecur | 2023-07-27 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WeSecur Security plugin <= 1.2.1 versions. | |||||
| CVE-2023-36384 | 1 Booking Calendar Project | 1 Booking Calendar | 2023-07-27 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin <= 1.2.40 versions. | |||||
| CVE-2023-2082 | 1 Buymeacoffee | 1 Buy Me A Coffee | 2023-07-27 | N/A | 5.4 MEDIUM |
| The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 3.6 due to insufficient sanitization and escaping on the 'text' value set via the bmc_post_reception action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts into pages that execute whenever a victim accesses a page with the injected scripts. | |||||
| CVE-2023-3708 | 1 Deothemes | 1 Medikaid | 2023-07-27 | N/A | 6.1 MEDIUM |
| Several themes for WordPress by DeoThemes are vulnerable to Reflected Cross-Site Scripting via breadcrumbs in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2023-33231 | 1 Solarwinds | 1 Database Performance Analyzer | 2023-07-27 | N/A | 6.1 MEDIUM |
| XSS attack was possible in DPA 2023.2 due to insufficient input validation. | |||||
| CVE-2023-33329 | 1 Custom Post Type Generator Project | 1 Custom Post Type Generator | 2023-07-27 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in Hijiri Custom Post Type Generator plugin <= 2.4.2 versions. | |||||
| CVE-2023-33312 | 1 Easy Captcha Project | 1 Easy Captcha | 2023-07-27 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wppal Easy Captcha plugin <= 1.0 versions. | |||||
| CVE-2023-32965 | 1 Crudlab | 1 Jazz Popups | 2023-07-27 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CRUDLab Jazz Popups plugin <= 1.8.7 versions. | |||||
| CVE-2023-36656 | 1 Jaegertracing | 1 Jaeger Ui | 2023-07-27 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Jaegertracing Jaeger UI before v.1.31.0 allows a remote attacker to execute arbitrary code via the KeyValuesTable component. | |||||
| CVE-2023-38350 | 1 Pnp4nagios | 1 Pnp4nagios | 2023-07-26 | N/A | 5.4 MEDIUM |
| PNP4Nagios through 81ebfc5 has stored XSS in the AJAX controller via the basket API and filters. This affects 0.6.26. | |||||
| CVE-2023-3822 | 1 Pimcore | 1 Pimcore | 2023-07-26 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4. | |||||
| CVE-2023-3821 | 1 Pimcore | 1 Pimcore | 2023-07-26 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4. | |||||
| CVE-2023-37733 | 1 Tduckcloud | 1 Tduck-platform | 2023-07-26 | N/A | 6.1 MEDIUM |
| An arbitrary file upload vulnerability in tduck-platform v4.0 allows attackers to execute arbitrary code via a crafted HTML file. | |||||
| CVE-2023-2701 | 1 Mediaburst | 1 Gravity Forms | 2023-07-26 | N/A | 6.1 MEDIUM |
| The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as admin. | |||||
| CVE-2023-2579 | 1 Inventorypress Project | 1 Inventorypress | 2023-07-26 | N/A | 5.4 MEDIUM |
| The InventoryPress WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-1893 | 1 Login Configurator Project | 1 Login Configurator | 2023-07-26 | N/A | 6.1 MEDIUM |
| The Login Configurator WordPress plugin through 2.1 does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators. | |||||
| CVE-2023-2143 | 1 Ideastocode | 1 Enable Svg, Webp & Ico Upload | 2023-07-26 | N/A | 5.4 MEDIUM |
| The Enable SVG, WebP & ICO Upload WordPress plugin through 1.0.3 does not sanitize SVG file contents, leading to a Cross-Site Scripting vulnerability. | |||||
| CVE-2023-2960 | 1 Olivaekspertiz | 1 Oliva Ekspertiz | 2023-07-26 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oliva Expertise Oliva Expertise EKS allows Cross-Site Scripting (XSS). This issue affects Oliva Expertise EKS: before 1.2. | |||||
| CVE-2023-37223 | 1 Archerirm | 1 Archer | 2023-07-26 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Archer Platform before v.6.13 and fixed in v.6.12.0.6 and v.6.13.0 allows a remote authenticated attacker to execute arbitrary code via a crafted malicious script. | |||||
| CVE-2021-24801 | 1 Wp Survey Plus Project | 1 Wp Survey Plus | 2022-07-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues. | |||||
| CVE-2020-11456 | 1 Limesurvey | 1 Limesurvey | 2022-07-30 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). | |||||
| CVE-2021-38265 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2022-07-30 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allows remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter. | |||||
| CVE-2021-39047 | 1 Ibm | 2 Cognos Analytics, Planning Analytics | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Planning Analytics 2.0 and IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 214349. | |||||
| CVE-2022-34305 | 1 Apache | 1 Tomcat | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. | |||||
| CVE-2022-34964 | 1 Openteknik | 1 Open Source Social Network | 2022-07-29 | N/A | 4.8 MEDIUM |
| OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the SitePages module. | |||||
| CVE-2022-0899 | 1 Draftpress | 1 Header Footer Code Manager | 2022-07-29 | N/A | 6.1 MEDIUM |
| The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2019-5962 | 1 Zoho | 1 Salesiq | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-5970 | 1 Sukimalab | 1 Attendance Manager | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-5972 | 1 Sukimalab | 1 Online Lesson Booking | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2022-34963 | 1 Openteknik | 1 Open Source Social Network | 2022-07-29 | N/A | 5.4 MEDIUM |
| OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the News Feed module. | |||||
| CVE-2022-2072 | 1 Name Directory Project | 1 Name Directory | 2022-07-29 | N/A | 6.1 MEDIUM |
| The Name Directory WordPress plugin before 1.25.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well. | |||||
| CVE-2021-24349 | 1 Gallery From Files Project | 1 Gallery From Files | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also be performed via such vector. | |||||
| CVE-2021-24333 | 1 Content Copy Protection & Prevent Image Save Project | 1 Content Copy Protection & Prevent Image Save | 2022-07-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, nor perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them. | |||||
| CVE-2022-34961 | 1 Openteknik | 1 Open Source Social Network | 2022-07-29 | N/A | 5.4 MEDIUM |
| OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Users Timeline module. | |||||
| CVE-2021-24328 | 1 Clogica | 1 Wp Login Security And History | 2022-07-29 | 3.5 LOW | 6.2 MEDIUM |
| The WP Login Security and History WordPress plugin through 1.0 did not have a CSRF check when saving its settings, nor any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as well. | |||||
| CVE-2022-2115 | 1 Essentialplugin | 1 Popup Anything | 2022-07-29 | N/A | 6.1 MEDIUM |
| The Popup Anything WordPress plugin before 2.1.7 does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-2189 | 1 Tipsandtricks-hq | 1 Wp Video Lightbox | 2022-07-29 | N/A | 6.1 MEDIUM |
| The WP Video Lightbox WordPress plugin before 1.9.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | |||||
| CVE-2022-20916 | 1 Cisco | 1 Iot Control Center | 2022-07-29 | N/A | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco IoT Control Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2022-2239 | 1 Emarketdesign | 1 Request A Quote | 2022-07-29 | N/A | 4.8 MEDIUM |
| The Request a Quote WordPress plugin through 2.3.7 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2299 | 1 Allow Svg Files Project | 1 Allow Svg Files | 2022-07-29 | N/A | 5.4 MEDIUM |
| The Allow SVG Files WordPress plugin through 1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
| CVE-2022-2340 | 1 W-dalil Project | 1 W-dalil | 2022-07-29 | N/A | 4.8 MEDIUM |
| The W-DALIL WordPress plugin through 2.0 does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2022-35651 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2022-07-29 | N/A | 6.1 MEDIUM |
| A stored XSS and blind SSRF vulnerability was found in Moodle; it occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks. | |||||
| CVE-2022-2341 | 1 Simple Page Transition Project | 1 Simple Page Transition | 2022-07-29 | N/A | 4.8 MEDIUM |
| The Simple Page Transition WordPress plugin through 1.4.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2020-13564 | 2 Open-emr, Phpgacl Project | 2 Openemr, Phpgacl | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template acl_id parameter. | |||||
| CVE-2020-13563 | 2 Open-emr, Phpgacl Project | 2 Openemr, Phpgacl | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template group_id parameter. | |||||
| CVE-2021-24822 | 1 Stylishcostcalculator | 1 Stylish Cost Calculator | 2022-07-29 | 3.5 LOW | 5.4 MEDIUM |
| The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated user, such as a subscriber, to call them and perform Stored Cross-Site Scripting attacks against logged in admins, as well as frontend users, due to the lack of sanitisation and escaping in some parameters. | |||||
| CVE-2021-24615 | 1 Wechat Reward Project | 1 Wechat Reward | 2022-07-29 | 4.3 MEDIUM | 5.4 MEDIUM |
| The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. | |||||
| CVE-2021-24431 | 1 Language Bar Flags Project | 1 Language Bar Flags | 2022-07-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF check in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set a Cross-Site Scripting payload in them, which will be executed in the frontend for all users. | |||||
| CVE-2021-24586 | 1 Evona | 1 Per Page Add To Head | 2022-07-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings (a feature mentioned by the plugin), this could lead to a Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used. | |||||
| CVE-2021-24685 | 1 Flat Preloader Project | 1 Flat Preloader | 2022-07-29 | 5.0 MEDIUM | 5.4 MEDIUM |
| The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, and also does not sanitise and escape them, which could allow attackers to make a logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload). | |||||
