Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-36849 | 1 Social Media Share Buttons Project | 1 Social Media Share Buttons | 2022-07-26 | N/A | 4.8 MEDIUM |
| Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in René Hermenau's Social Media Share Buttons plugin <= 3.8.1 at WordPress. | |||||
| CVE-2022-32065 | 1 Ruoyi | 1 Ruoyi | 2022-07-26 | 3.5 LOW | 5.4 MEDIUM |
| An arbitrary file upload vulnerability in the background management module of RuoYi v4.7.3 and below allows attackers to execute arbitrary code via a crafted HTML file. | |||||
| CVE-2022-32274 | 1 Ttpsc | 1 The Scheduler | 2022-07-26 | 3.5 LOW | 5.4 MEDIUM |
| The Transition Scheduler add-on 6.5.0 for Atlassian Jira is prone to stored XSS via the project name to the creation function. | |||||
| CVE-2022-34025 | 1 Vestacp | 1 Vesta Control Panel | 2022-07-25 | N/A | 6.1 MEDIUM |
| Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the post function at /web/api/v1/upload/UploadHandler.php. | |||||
| CVE-2022-36303 | 1 Vestacp | 1 Vesta Control Panel | 2022-07-25 | N/A | 6.1 MEDIUM |
| Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the handle_file_upload function at /web/api/v1/upload/UploadHandler.php. | |||||
| CVE-2022-36304 | 1 Vestacp | 1 Vesta Control Panel | 2022-07-25 | N/A | 6.1 MEDIUM |
| Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the generate_response function at /web/api/v1/upload/UploadHandler.php. | |||||
| CVE-2022-36305 | 1 Vestacp | 1 Vesta Control Panel | 2022-07-25 | N/A | 6.1 MEDIUM |
| Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php. | |||||
| CVE-2022-29577 | 1 Antisamy Project | 1 Antisamy | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367. | |||||
| CVE-2022-24891 | 1 Owasp | 1 Enterprise Security Api | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by an incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin. | |||||
| CVE-2022-24728 | 2 Ckeditor, Drupal | 2 Ckeditor, Drupal | 2022-07-25 | 3.5 LOW | 5.4 MEDIUM |
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. | |||||
| CVE-2021-41164 | 3 Ckeditor, Drupal, Oracle | 9 Ckeditor, Drupal, Agile Plm and 6 more | 2022-07-25 | 3.5 LOW | 5.4 MEDIUM |
| CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed an attacker to inject malformed HTML, bypassing content sanitization, which could result in executing JavaScript code. It affects all users using CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. | |||||
| CVE-2021-41183 | 5 Debian, Drupal, Fedoraproject and 2 more | 20 Debian Linux, Drupal, Fedora and 17 more | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. | |||||
| CVE-2021-41182 | 5 Debian, Drupal, Fedoraproject and 2 more | 20 Debian Linux, Drupal, Fedora and 17 more | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources. | |||||
| CVE-2021-41165 | 3 Ckeditor, Drupal, Oracle | 4 Ckeditor, Drupal, Banking Apis and 1 more | 2022-07-25 | 3.5 LOW | 5.4 MEDIUM |
| CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed an attacker to inject malformed comment HTML, bypassing content sanitization, which could result in executing JavaScript code. It affects all users using CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. | |||||
| CVE-2021-35043 | 3 Antisamy Project, Netapp, Oracle | 9 Antisamy, Active Iq Unified Manager, Banking Enterprise Default Managment and 6 more | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with `&colon;` as the replacement for the : character. | |||||
| CVE-2020-7656 | 1 Jquery | 1 Jquery | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed. | |||||
| CVE-2020-11022 | 8 Debian, Drupal, Fedoraproject and 5 more | 78 Debian Linux, Drupal, Fedora and 75 more | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |||||
| CVE-2018-8032 | 3 Apache, Debian, Oracle | 38 Axis, Debian Linux, Agile Engineering Data Management and 35 more | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. | |||||
| CVE-2020-11023 | 7 Debian, Drupal, Fedoraproject and 4 more | 54 Debian Linux, Drupal, Fedora and 51 more | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |||||
| CVE-2022-34853 | 1 Wpwax | 1 Team | 2022-07-25 | N/A | 5.4 MEDIUM |
| Multiple Authenticated (contributor or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in wpWax Team plugin <= 1.2.6 at WordPress. | |||||
| CVE-2021-29788 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2022-07-25 | N/A | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 203310. | |||||
| CVE-2021-29790 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2022-07-25 | N/A | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 203440. | |||||
| CVE-2022-23438 | 1 Fortinet | 1 Fortios | 2022-07-25 | N/A | 6.1 MEDIUM |
| An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in FortiOS version 7.0.5 and prior and 6.4.9 and prior may allow an unauthenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the captive portal authentication replacement page. | |||||
| CVE-2022-27910 | 1 Joomlatools | 1 Docman | 2022-07-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Joomla component 'Joomlatools - DOCman 3.5.13 (and likely most versions below)' is affected by a reflected Cross-Site Scripting (XSS) vulnerability in an image upload function. | |||||
| CVE-2022-0209 | 1 Facebook-wall-and-social-integration Project | 1 Facebook-wall-and-social-integration | 2022-07-25 | 3.5 LOW | 4.8 MEDIUM |
| The Mitsol Social Post Feed WordPress plugin before 1.11 does not escape some of its settings before outputting them back in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2020-21967 | 1 Prestashop | 1 Prestashop | 2022-07-25 | 3.5 LOW | 4.8 MEDIUM |
| File upload vulnerability in the Catalog feature in Prestashop 1.7.6.7 allows remote attackers to run arbitrary code via the add new file page. | |||||
| CVE-2021-42117 | 1 Businessdnasolutions | 1 Topease | 2022-07-25 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution. | |||||
| CVE-2020-13673 | 1 Drupal | 1 Entity Embed | 2022-07-25 | 2.6 LOW | 6.1 MEDIUM |
| The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting. | |||||
| CVE-2022-30536 | 1 Wp Maintenance Project | 1 Wp Maintenance | 2022-07-25 | N/A | 4.8 MEDIUM |
| Authenticated Stored Cross-Site Scripting (XSS) vulnerability in Florent Maillefaud's WP Maintenance plugin <= 6.0.7 at WordPress. | |||||
| CVE-2022-22304 | 1 Fortinet | 1 Fortiauthenticator Agent For Microsoft Outlook Web Access | 2022-07-25 | N/A | 6.1 MEDIUM |
| An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAuthenticator OWA Agent for Microsoft version 2.2 and 2.1 may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests. | |||||
| CVE-2020-25626 | 2 Encode, Redhat | 2 Django Rest Framework, Ceph Storage | 2022-07-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability. | |||||
| CVE-2021-38374 | 1 Open-xchange | 1 Ox App Suite | 2022-07-22 | 3.5 LOW | 5.4 MEDIUM |
| OX App Suite through 7.10.5 allows XSS via a crafted snippet that has an app loader reference within an app loader URL. | |||||
| CVE-2022-31097 | 1 Grafana | 1 Grafana | 2022-07-22 | N/A | 5.4 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting. | |||||
| CVE-2022-32118 | 1 Arox | 1 School Erp Pro | 2022-07-22 | N/A | 6.1 MEDIUM |
| Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php. | |||||
| CVE-2021-22234 | 1 Gitlab | 1 Gitlab | 2022-07-22 | 3.5 LOW | 6.4 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.11 before 13.11.7, all versions starting from 13.12 before 13.12.8, and all versions starting from 14.0 before 14.0.4. A specially crafted design image allowed attackers to read arbitrary files on the server. | |||||
| CVE-2021-31673 | 1 Cyclos | 1 Cyclos | 2022-07-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A DOM-based Cross-site scripting (XSS) vulnerability in the account registration of Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter. | |||||
| CVE-2022-29046 | 1 Jenkins | 1 Subversion | 2022-07-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-31201 | 1 Monitoringsoft | 1 Softguard Web | 2022-07-21 | N/A | 5.4 MEDIUM |
| SoftGuard Web (SGW) before 5.1.5 allows HTML injection. | |||||
| CVE-2022-30982 | 1 Gentics | 1 Gentics Cms | 2022-07-21 | N/A | 5.4 MEDIUM |
| An issue was discovered in Gentics CMS before 5.43.1. There is stored XSS in the profile description and in the username. | |||||
| CVE-2020-36552 | 1 Multi Restaurant Table Reservation System Project | 1 Multi Restaurant Table Reservation System | 2022-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Made field to /dashboard/menu-list.php. | |||||
| CVE-2020-36550 | 1 Multi Restaurant Table Reservation System Project | 1 Multi Restaurant Table Reservation System | 2022-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Table Name field to /dashboard/table-list.php. | |||||
| CVE-2020-36551 | 1 Multi Restaurant Table Reservation System Project | 1 Multi Restaurant Table Reservation System | 2022-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Item Name field to /dashboard/menu-list.php. | |||||
| CVE-2020-36553 | 1 Multi Restaurant Table Reservation System Project | 1 Multi Restaurant Table Reservation System | 2022-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Area(food_type) field to /dashboard/menu-list.php. | |||||
| CVE-2020-35261 | 1 Multi Restaurant Table Reservation System Project | 1 Multi Restaurant Table Reservation System | 2022-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Restaurant Name field to /dashboard/profile.php. | |||||
| CVE-2020-35305 | 1 Gollum Project | 1 Gollum | 2022-07-21 | N/A | 6.1 MEDIUM |
| Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog. | |||||
| CVE-2022-2396 | 1 Simple E-learning System Project | 1 Simple E-learning System | 2022-07-21 | N/A | 5.4 MEDIUM |
| A vulnerability classified as problematic was found in SourceCodester Simple e-Learning System 1.0. Affected by this vulnerability is an unknown functionality of the file /vcs/claire_blake. The manipulation of the argument Bio with the input "><script>alert(document.cookie)</script> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-25869 | 1 Angularjs | 1 Angular | 2022-07-21 | N/A | 6.1 MEDIUM |
| All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements. | |||||
| CVE-2022-0967 | 1 Showdoc | 1 Showdoc | 2022-07-21 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS via File Upload in the GitHub repository star7th/showdoc prior to 2.10.4. | |||||
| CVE-2021-22261 | 1 Gitlab | 1 Gitlab | 2022-07-21 | 3.5 LOW | 4.8 MEDIUM |
| A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses. | |||||
| CVE-2022-35227 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in SAP NW EP (WPC) - versions 7.30, 7.31, 7.40, 7.50, which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a Cross-Site Scripting (XSS) attack. A successful exploit could allow the attacker to execute arbitrary script code, which could lead to stealing or modifying authentication information of the user, such as data relating to his or her current session. | |||||
