Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-35227 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in SAP NW EP (WPC) - versions 7.30, 7.31, 7.40, 7.50 - which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a Cross-Site Scripting (XSS) attack. A successful exploit could allow the attacker to execute arbitrary script code, which could lead to stealing or modifying the user's authentication information, such as data relating to his or her current session. | |||||
| CVE-2022-35170 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 - does not sufficiently encode user-controlled inputs received over the network, resulting in a reflected Cross-Site Scripting (XSS) vulnerability and therefore changing the scope of the attack. This leads to a limited impact on the confidentiality and integrity of data. | |||||
| CVE-2022-32247 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, is susceptible to script execution attack by an unauthenticated attacker due to improper sanitization of the User inputs while interacting on the Network. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-22370 | 1 Ibm | 1 Security Verify Access | 2022-07-20 | 3.5 LOW | 5.4 MEDIUM |
| IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 221194. | |||||
| CVE-2022-31102 | 1 Linuxfoundation | 1 Argo-cd | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScript in the `/auth/callback` page in a victim's browser. This vulnerability only affects Argo CD instances which have single sign on (SSO) enabled. The exploit also assumes the attacker has 1) access to the API server's encryption key, 2) a method to add a cookie to the victim's browser, and 3) the ability to convince the victim to visit a malicious `/auth/callback` link. The vulnerability is classified as low severity because access to the API server's encryption key already grants a high level of access. Exploiting the XSS would allow the attacker to impersonate the victim, but would not grant any privileges which the attacker could not otherwise gain using the encryption key. A patch for this vulnerability has been released in the following Argo CD versions 2.4.5 and 2.3.6. There is currently no known workaround. | |||||
| CVE-2022-30517 | 1 Mogublog Project | 1 Mogublog | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mogu blog 5.2 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2022-33156 | 1 Matomo | 1 Integration | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The matomo_integration (aka Matomo Integration) extension before 1.3.2 for TYPO3 allows XSS. | |||||
| CVE-2022-33157 | 1 Libconnect Project | 1 Libconnect | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The libconnect extension before 7.0.8 and 8.x before 8.1.0 for TYPO3 allows XSS. | |||||
| CVE-2021-46827 | 1 Sync | 5 Oxygen Publishing Engine, Oxygen Xml Author, Oxygen Xml Developer and 2 more | 2022-07-20 | N/A | 6.1 MEDIUM |
| An issue was discovered in Oxygen XML WebHelp before 22.1 build 2021082006 and 23.x before 23.1 build 2021090310. An XSS vulnerability in search terms proposals (in online documentation generated using Oxygen XML WebHelp) allows attackers to execute JavaScript by convincing a user to type specific text in the WebHelp output search field. | |||||
| CVE-2022-32074 | 1 Osticket | 1 Osticket | 2022-07-20 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file. | |||||
| CVE-2022-32225 | 1 Veeam | 1 Management Pack | 2022-07-20 | N/A | 6.1 MEDIUM |
| A reflected DOM-Based XSS vulnerability has been discovered in the Help directory of Veeam Management Pack for Microsoft System Center 8.0. This vulnerability could be exploited by an attacker by convincing a legitimate user to visit a crafted URL on a Veeam Management Pack for Microsoft System Center server, allowing for the execution of arbitrary scripts. | |||||
| CVE-2022-25802 | 1 Bestpractical | 1 Request Tracker | 2022-07-20 | N/A | 6.1 MEDIUM |
| Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment. | |||||
| CVE-2022-22477 | 5 Hp, Ibm, Linux and 2 more | 8 Hp-ux, Aix, I and 5 more | 2022-07-20 | N/A | 6.1 MEDIUM |
| IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 225605. | |||||
| CVE-2022-34092 | 1 I3geo Project | 1 I3geo | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via svg2img.php. | |||||
| CVE-2022-34094 | 1 I3geo Project | 1 I3geo | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via request_token.php. | |||||
| CVE-2022-34093 | 1 I3geo Project | 1 I3geo | 2022-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via access_token.php. | |||||
| CVE-2022-33155 | 1 Ameos Tarteaucitron Project | 1 Ameos Tarteaucitron | 2022-07-19 | 3.5 LOW | 5.4 MEDIUM |
| The ameos_tarteaucitron (aka AMEOS - TarteAuCitron GDPR cookie banner and tracking management / French RGPD compatible) extension before 1.2.23 for TYPO3 allows XSS. | |||||
| CVE-2022-29602 | 1 Grid Elements Project | 1 Grid Elements | 2022-07-19 | 3.5 LOW | 5.4 MEDIUM |
| The gridelements (aka Grid Elements) extension through 7.6.1, 8.x through 8.7.0, 9.x through 9.7.0, and 10.x through 10.2.0 for TYPO3 allows XSS. | |||||
| CVE-2022-33154 | 1 Schema Project | 1 Schema | 2022-07-19 | 3.5 LOW | 5.4 MEDIUM |
| The schema (aka Embedding schema.org vocabulary) extension before 1.13.1 and 2.x before 2.5.1 for TYPO3 allows XSS. | |||||
| CVE-2022-35172 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-07-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2022-25303 | 1 Whoogle-search Project | 1 Whoogle-search | 2022-07-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The package whoogle-search before 0.7.2 is vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the [flask.render_template](https://flask.palletsprojects.com/en/2.1.x/api/flask.render_template) function. However, the error_message is rendered using the [| safe filter](https://jinja.palletsprojects.com/en/3.1.x/templates/working-with-automatic-escaping), meaning the user input is not escaped. | |||||
| CVE-2020-35774 | 1 Twitter | 1 Twitter-server | 2022-07-19 | 3.5 LOW | 5.4 MEDIUM |
| server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configurations, allows XSS via the /histograms endpoint. | |||||
| CVE-2022-2100 | 1 Wpzinc | 1 Page Generator | 2022-07-19 | 3.5 LOW | 4.8 MEDIUM |
| The Page Generator WordPress plugin before 1.6.5 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-25875 | 1 Svelte | 1 Svelte | 2022-07-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function. | |||||
| CVE-2022-31904 | 1 Uberrider | 1 Mediacenter | 2022-07-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| EGT-Kommunikationstechnik UG Mediacenter before v2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Online_Update.php. | |||||
| CVE-2021-39015 | 3 Ibm, Linux, Microsoft | 3 Engineering Lifecycle Optimization Publishing, Linux Kernel, Windows | 2022-07-18 | N/A | 5.4 MEDIUM |
| IBM Engineering Lifecycle Optimization - Publishing 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 213655. | |||||
| CVE-2022-2090 | 1 Flycart | 1 Discount Rules For Woocommerce | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Discount Rules for WooCommerce WordPress plugin before 2.4.2 does not escape a parameter before outputting it back in an attribute of the plugin's discount rule page, leading to Reflected Cross-Site Scripting. | |||||
| CVE-2022-2092 | 1 Wpovernight | 1 Woocommerce Pdf Invoices & Packing Slips | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.16.0 doesn't escape a parameter on its setting page, making it possible for attackers to conduct reflected cross-site scripting attacks. | |||||
| CVE-2022-1933 | 1 Collect And Deliver Interface For Woocommerce Project | 1 Collect And Deliver Interface For Woocommerce | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to Reflected Cross-Site Scripting. | |||||
| CVE-2022-32318 | 1 Fast Food Ordering System Project | 1 Fast Food Ordering System | 2022-07-18 | 3.5 LOW | 5.4 MEDIUM |
| Fast Food Ordering System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the component /ffos/classes/Master.php?f=save_category. | |||||
| CVE-2022-2146 | 1 Import Csv Files Project | 1 Import Csv Files | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Import CSV Files WordPress plugin through 1.0 does not sanitise and escape imported data before outputting it back in a page, and also lacks a CSRF check when performing that action, resulting in Reflected Cross-Site Scripting. | |||||
| CVE-2022-2118 | 1 Tooltulips | 1 404s | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The 404s WordPress plugin before 3.5.1 does not sanitise and escape its fields, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2114 | 1 Supsystic | 1 Data Tables Generator | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Data Tables Generator by Supsystic WordPress plugin before 1.10.20 does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2022-2169 | 1 Dwbooster | 1 Loading Page With Loading Screen | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Loading Page with Loading Screen WordPress plugin before 1.0.83 does not escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2168 | 1 Wpdownloadmanager | 1 Download Manager | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Download Manager WordPress plugin before 3.2.44 does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting. | |||||
| CVE-2022-2151 | 1 Emarketdesign | 1 Best Contact Management Software | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Best Contact Management Software WordPress plugin through 3.7.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2149 | 1 Very Simple Breadcrumb Project | 1 Very Simple Breadcrumb | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Very Simple Breadcrumb WordPress plugin through 1.0 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2148 | 1 Linkedin Company Updates Project | 1 Linkedin Company Updates | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The LinkedIn Company Updates WordPress plugin through 1.5.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2194 | 1 Tipsandtricks-hq | 1 Accept Stripe | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Accept Stripe Payments WordPress plugin before 2.0.64 does not sanitize and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2187 | 1 Contact Form 7 Captcha Project | 1 Contact Form 7 Captcha | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | |||||
| CVE-2022-2186 | 1 Bracketspace | 1 Simple Post Notes | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Simple Post Notes WordPress plugin before 1.7.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2173 | 1 Sigmaplugin | 1 Advanced Database Cleaner | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advanced Database Cleaner WordPress plugin before 3.1.1 does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting. | |||||
| CVE-2022-35224 | 1 Sap | 1 Enterprise Portal | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 - does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. This attack can be used to non-permanently deface or modify portal content. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of the victim's web browser session. | |||||
| CVE-2020-35437 | 1 Intelliants | 1 Subrion Cms | 2022-07-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Subrion CMS 4.2.1 is affected by: Cross Site Scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI. | |||||
| CVE-2020-15364 | 1 Nexos Project | 1 Nexos | 2022-07-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Nexos theme through 1.7 for WordPress allows top-map/?search_location= reflected XSS. | |||||
| CVE-2022-2363 | 1 Simple Parking Management System Project | 1 Simple Parking Management System | 2022-07-16 | 3.5 LOW | 4.6 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in SourceCodester Simple Parking Management System 1.0. Affected by this issue is some unknown functionality of the file /ci_spms/admin/search/searching/. The manipulation of the argument search with the input "><script>alert("XSS")</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-2364 | 1 Simple Parking Management System Project | 1 Simple Parking Management System | 2022-07-16 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Simple Parking Management System 1.0. This affects an unknown part of the file /ci_spms/admin/category. The manipulation of the argument vehicle_type with the input "><script>alert("XSS")</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-31654 | 1 Vmware | 1 Vrealize Log Insight | 2022-07-16 | 3.5 LOW | 5.4 MEDIUM |
| VMware vRealize Log Insight in versions prior to 8.8.2 contains a stored cross-site scripting vulnerability due to improper input sanitization in configurations. | |||||
| CVE-2022-31655 | 1 Vmware | 1 Vrealize Log Insight | 2022-07-16 | 3.5 LOW | 5.4 MEDIUM |
| VMware vRealize Log Insight in versions prior to 8.8.2 contains a stored cross-site scripting vulnerability due to improper input sanitization in alerts. | |||||
| CVE-2022-32115 | 1 Withknown | 1 Known | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue in the isSVG() function of Known v1.2.2+2020061101 allows attackers to execute arbitrary code via a crafted SVG file. | |||||
