Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43441 | 1 Iorder Project | 1 Iorder | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| An HTML injection vulnerability in iOrder 1.0 allows a remote attacker to inject malicious HTML via the signup form. | |||||
| CVE-2021-42663 | 1 Online Event Booking And Reservation System Project | 1 Online Event Booking And Reservation System | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability to change how the website is displayed: once the target user clicks a crafted link, their browser renders HTML content of the attacker's choice. | |||||
| CVE-2020-4706 | 1 Ibm | 1 Api Connect | 2022-07-12 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to HTTP header injection, caused by improper validation of the HTTP Host header. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject an HTTP Host header value, which would allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 187194. | |||||
| CVE-2021-27214 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905. | |||||
| CVE-2021-25327 | 1 Skyworthdigital | 2 Rn510, Rn510 Firmware | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Skyworth Digital Technology RN510 V.3.1.0.4 contains a cross-site request forgery (CSRF) vulnerability in /cgi-bin/net-routeadd.asp and /cgi-bin/sec-urlfilter.asp. The missing CSRF protection is compounded by the fact that the same pages are also vulnerable to cross-site scripting (XSS). | |||||
| CVE-2021-39910 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature. | |||||
| CVE-2021-43961 | 1 Sonatype | 1 Nexus Repository Manager | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Sonatype Nexus Repository Manager 3.36.0 allows HTML Injection. | |||||
| CVE-2021-37524 | 1 Fusionpbx | 1 Fusionpbx | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php. | |||||
| CVE-2021-25066 | 1 Ninjaforms | 1 Ninja Forms | 2022-07-12 | 3.5 LOW | 4.8 MEDIUM |
| The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2290 | 1 Trilium Project | 1 Trilium | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository zadam/trilium prior to 0.52.4, 0.53.1-beta. | |||||
| CVE-2022-29513 | 1 Cybozu | 1 Garoon | 2022-07-12 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script. | |||||
| CVE-2019-9669 | 1 Wordfence | 1 Wordfence | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** The Wordfence plugin 7.2.3 for WordPress allows XSS via a unique attack vector. NOTE: It has been asserted that this is not a valid vulnerability in the context of the Wordfence WordPress plugin as the firewall rules are not maintained as part of the Wordfence software but rather it is a set of rules hosted on vendor servers and pushed to the plugin with no versioning associated. Bypassing a WAF rule doesn't make a WordPress site vulnerable (speaking in terms of software vulnerabilities). | |||||
| CVE-2022-25373 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2022-07-12 | 3.5 LOW | 5.4 MEDIUM |
| Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. | |||||
| CVE-2022-29931 | 1 Raytion | 1 Custom Security Manager | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The administration interface of the Raytion Custom Security Manager (Raytion CSM) in Version 7.2.0 allows reflected Cross-site Scripting (XSS). | |||||
| CVE-2022-2300 | 1 Microweber | 1 Microweber | 2022-07-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. | |||||
| CVE-2022-1593 | 1 Site Offline Or Coming Soon Project | 1 Site Offline Or Coming Soon | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Site Offline or Coming Soon WordPress plugin through 1.6.6 does not have a CSRF check in place when updating its settings, and it is also lacking sanitisation and escaping in some of them. As a result, attackers could make a logged-in admin change them and put Cross-Site Scripting payloads in them via a CSRF attack. | |||||
| CVE-2014-3650 | 1 Redhat | 1 Jboss Aerogear | 2022-07-11 | 3.5 LOW | 5.4 MEDIUM |
| Multiple persistent cross-site scripting (XSS) flaws were found in the way Aerogear handled certain user-supplied content. A remote attacker could use these flaws to compromise the application with specially crafted input. | |||||
| CVE-2022-27627 | 1 Cybozu | 1 Garoon | 2022-07-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Organization's Information of Cybozu Garoon 4.10.2 to 5.5.1 allows a remote attacker to execute an arbitrary script on the logged-in user's web browser. | |||||
| CVE-2022-34007 | 1 Eqs | 1 Integrity Line | 2022-07-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| EQS Integrity Line through 2022-07-01 allows a stored XSS via a crafted whistleblower entry. | |||||
| CVE-2022-2213 | 1 Library Management System Project | 1 Library Management System | 2022-07-11 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in SourceCodester Library Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/edit_admin_details.php?id=admin. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-30289 | 1 Citeum | 1 Opencti | 2022-07-11 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-site Scripting (XSS) vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker can abuse the vulnerability to upload a malicious file that will then be executed by a victim when they open the file location. | |||||
| CVE-2022-29168 | 1 Wire | 1 Wire-webapp | 2022-07-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wire is a secure messaging application. Wire is vulnerable to arbitrary HTML and Javascript execution via insufficient escaping when rendering `@mentions` in the wire-webapp. If a user receives and views a malicious message, arbitrary code is injected and executed in the context of the victim allowing the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-05-04-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-05-04-production.0-v0.29.7-0-a6f2ded or wire-server 2022-05-04 (chart/4.11.0) or later. No known workarounds exist. | |||||
| CVE-2013-4170 | 1 Emberjs | 1 Ember.js | 2022-07-09 | 2.6 LOW | 6.1 MEDIUM |
| In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a view's `tagName` to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS"). This vulnerability only affects applications that assign or bind user-provided content to `tagName`. | |||||
| CVE-2017-20118 | 1 Trueconf | 1 Server | 2022-07-09 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in TrueConf Server 4.3.7. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/conferences/list/. The manipulation of the argument domxss leads to basic cross site scripting (DOM). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-20116 | 1 Trueconf | 1 Server | 2022-07-09 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in TrueConf Server 4.3.7. It has been classified as problematic. Affected is an unknown function of the file /admin/group/list/. The manipulation of the argument checked_group_id leads to basic cross site scripting (Reflected). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-20122 | 1 Bitrix24 | 1 Bitrix Site Manager | 2022-07-09 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability classified as problematic was found in Bitrix Site Manager 12.06.2015. Affected by this vulnerability is an unknown functionality of the component Contact Form. The manipulation of the argument text with the input <img src="http://1"; on onerror="$('p').text('Hacked')" /> leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-20117 | 1 Trueconf | 1 Server | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in TrueConf Server 4.3.7. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/group. The manipulation leads to basic cross site scripting (DOM). The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-20115 | 1 Trueconf | 1 Server | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in TrueConf Server 4.3.7 and classified as problematic. This issue affects some unknown processing of the file /admin/conferences/list/. The manipulation of the argument sort leads to basic cross site scripting (Reflected). The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-20113 | 1 Trueconf | 1 Server | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in TrueConf Server 4.3.7. This affects an unknown part. The manipulation leads to basic cross site scripting (Stored). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-20114 | 1 Trueconf | 1 Server | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability has been found in TrueConf Server 4.3.7 and classified as problematic. This vulnerability affects unknown code of the file /admin/conferences/get-all-status/. The manipulation of the argument keys[] leads to basic cross site scripting (Reflected). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-2280 | 1 Microweber | 1 Microweber | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. | |||||
| CVE-2022-28803 | 1 Silverstripe | 1 Silverstripe | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR). | |||||
| CVE-2022-33043 | 1 Urtracker | 1 Urtracker | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the batch add function of Urtracker Premium v4.0.1.1477 allows attackers to execute arbitrary web scripts or HTML via a crafted excel file. | |||||
| CVE-2022-25238 | 1 Silverstripe | 1 Framework | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.10.0 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user, if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code. | |||||
| CVE-2021-39074 | 1 Ibm | 1 Security Guardium | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Security Guardium 11.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2022-31065 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. The same happens when the victim receives a notification that the attacker has left the session. This issue has been patched in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue. | |||||
| CVE-2022-31064 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-07-07 | 2.1 LOW | 5.4 MEDIUM |
| BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with an XSS payload in their name) starts a chat; in the victim's client the JavaScript will be executed. This issue has been addressed in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue. | |||||
| CVE-2022-31094 | 1 Scratchstatus | 1 Scratchtools | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier. In affected versions anybody who uses the Recently Viewed Projects feature is vulnerable to having their account taken over if they view a project that tries to. The issue is that if a user visits a project that includes Javascript in the title, then when the Recently Viewed Projects feature displays it, it could run the Javascript. This issue has been addressed in the 2.5.2 release. Users having issues scratching should open an issue in the project issue tracker https://github.com/STForScratch/ScratchTools/ | |||||
| CVE-2022-31057 | 1 Shopware | 1 Shopware | 2022-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an authenticated Stored XSS in Administration. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31035 | 1 Linuxfoundation | 1 Argo-cd | 2022-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading. | |||||
| CVE-2022-28172 | 1 Hikvision | 22 Ds-a71024, Ds-a71024 Firmware, Ds-a71048 and 19 more | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerability. Due to insufficient input validation, an attacker can exploit the vulnerability to perform an XSS attack by sending messages with malicious commands to the affected device. | |||||
| CVE-2022-1470 | 1 Ultimate Woocommerce Csv Importer Project | 1 Ultimate Woocommerce Csv Importer | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to Reflected Cross-Site Scripting. | |||||
| CVE-2022-1327 | 1 Image Gallery - Grid Gallery Project | 1 Image Gallery - Grid Gallery | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Image Gallery - Grid Gallery WordPress plugin through 1.1.1 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2022-1326 | 1 Form - Contact Form Project | 1 Form - Contact Form | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2022-1321 | 1 Miniorange | 1 Google Authenticator | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setups). | |||||
| CVE-2022-1113 | 1 Floristone | 1 Flower Delivery | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Flower Delivery by Florist One WordPress plugin through 3.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setups) | |||||
| CVE-2022-1095 | 1 Mihdan: No External Links Project | 1 Mihdan: No External Links | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Mihdan: No External Links WordPress plugin through 4.8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-1029 | 1 Miniorange | 1 Limit Login Attempts | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setups). | |||||
| CVE-2022-1028 | 1 Miniorange | 1 Wordpress Security | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setups). | |||||
| CVE-2022-1010 | 1 Miniorange | 1 Login Using Wordpress Users | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Login using WordPress Users ( WP as SAML IDP ) WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
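The Ember.js entry (CVE-2013-4170) in the table above describes a sink that text escaping never reaches: a value meant to be an element name is spliced into an HTML string that ends up in innerHTML, so a tag name containing `>` turns into new markup. The following is an added example, not code from Ember.js or from any project listed on this page; the function names and the payload string are this example's own, and plain string concatenation stands in for the framework's view rendering.

```javascript
// Added example (not Ember.js code): why an unsanitized element name is an XSS
// sink when markup is built by string concatenation, and a validator for it.
// Function names, the allow/deny lists and the payload are this example's own.

// Vulnerable shape: the tag name is spliced into markup verbatim. Escaping the
// body does not help, because the tag name never goes through the escaping path.
function renderViewUnsafe(tagName, escapedBody) {
  return '<' + tagName + '>' + escapedBody + '</' + tagName + '>';
}

// An HTML element name is an ASCII letter followed by letters, digits or
// hyphens (hyphens are needed for custom elements such as my-widget). Anything
// containing whitespace, quotes, '/', '<' or '>' cannot be a tag name.
const TAG_NAME_RE = /^[A-Za-z][A-Za-z0-9-]*$/;

// Element names whose content is not parsed as ordinary text, or that load or
// submit resources; a user-chosen tag name should never land on one of these.
const FORBIDDEN_TAGS = new Set([
  'script', 'style', 'iframe', 'object', 'embed', 'template',
  'link', 'meta', 'base', 'form', 'svg', 'math',
]);

function isSafeTagName(tagName) {
  if (typeof tagName !== 'string' || !TAG_NAME_RE.test(tagName)) return false;
  return !FORBIDDEN_TAGS.has(tagName.toLowerCase());
}

// Hardened shape: refuse to render rather than "clean" the name, so a bad
// value surfaces as an error instead of silently becoming something else.
function renderViewSafe(tagName, escapedBody) {
  if (!isSafeTagName(tagName)) {
    throw new Error('invalid element name: ' + JSON.stringify(tagName));
  }
  return '<' + tagName + '>' + escapedBody + '</' + tagName + '>';
}

// Constructed payload: closes the element early and injects an event handler.
const PAYLOAD = 'div><img src=x onerror=alert(1)><b';

// Runs both renderers on the payload and on a legitimate custom element name.
function demo() {
  const bad = renderViewUnsafe(PAYLOAD, 'hello');
  let safeError = null;
  try {
    renderViewSafe(PAYLOAD, 'hello');
  } catch (e) {
    safeError = e.message;
  }
  return {
    bad,
    injected: bad.includes('onerror='),   // true: the handler is now live markup
    safeError,                            // non-null: the hardened path refused it
    ok: renderViewSafe('my-widget', 'hello'),
  };
}

demo();
```

In a real DOM the equivalent of `renderViewSafe` is `document.createElement(name)`, which throws on an invalid name; the validator above is for the string-building code paths (server-side rendering, templating helpers) where no such check exists.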

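The Argo CD entry (CVE-2022-31035) in the table above is a reminder that output encoding does not stop a `javascript:` link: `<a href="javascript:alert(1)">` is a well-formed attribute value with nothing to escape, so the check has to be made on the scheme of the parsed, normalised URL. The following is an added example, not Argo CD code; it relies on the standard WHATWG URL parser (a global in browsers and Node.js), and the function names, scheme allowlist and sample inputs are this example's own.

```javascript
// Added example (not Argo CD code): validate a user-supplied link target before
// it becomes an href. Names, allowlist and sample inputs are this example's own.

// Schemes that may be rendered as a clickable link.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Returns the normalised absolute URL to use as href, or null if the input must
// not become a link. `base` is the page's own origin, used to resolve relative
// links such as "/applications/guestbook".
function safeHref(input, base) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and spaces, removes
    // every ASCII tab and newline, and lower-cases the scheme. That is why the
    // check is done on url.protocol and not on a regex over the raw string:
    // "\tJaVaScRiPt:alert(1)" and "java\nscript:alert(1)" both normalise to the
    // protocol "javascript:", exactly as a browser would treat them.
    url = new URL(input, base);
  } catch (e) {
    return null; // unparsable: treat as untrusted
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// Escaping for text and attribute-value contexts; still needed for the label
// and for '&' in query strings once the scheme has been accepted.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Renders the link, or falls back to plain text when the target is rejected.
// Refusing is preferable to rewriting: a silently "fixed" link hides the attack.
function renderLink(input, label, base) {
  const href = safeHref(input, base);
  if (href === null) {
    return '<span>' + escapeHtml(label) + '</span>';
  }
  return '<a href="' + escapeHtml(href) + '" rel="noopener noreferrer">' +
    escapeHtml(label) + '</a>';
}

// Constructed inputs covering the cases a raw-string check tends to miss.
const BASE = 'https://argocd.example';
const SAMPLES = [
  'https://git.example/repo',             // allowed
  '/applications/guestbook',              // relative, resolved against BASE
  'mailto:security@example.org',          // allowed
  'javascript:alert(document.cookie)',    // rejected
  '\tJaVaScRiPt:alert(1)',                // rejected after normalisation
  'java\nscript:alert(1)',                // rejected: newline is removed by the parser
  'data:text/html,<script>alert(1)</script>', // rejected
  'vbscript:MsgBox(1)',                   // rejected
  '%6aavascript:alert(1)',                // no scheme: becomes a harmless path under BASE
];

function runSamples() {
  return SAMPLES.map((s) => [s, safeHref(s, BASE)]);
}

runSamples();
```

The last sample shows the other side of the coin: `%6aavascript:` is not decoded into a scheme by the parser (or by a browser), so it resolves to a path under the base origin and is accepted. A protocol-relative input such as `//evil.example/x` also passes this check, since it is a valid https link; that is an open-redirect concern rather than XSS, and a caller that wants to block it can additionally compare `new URL(href).origin` with the page's origin.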