Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-31910 | 1 Online Tutor Portal Site Project | 1 Online Tutor Portal Site | 2022-06-27 | 3.5 LOW | 4.8 MEDIUM |
| Online Tutor Portal Site v1.0 is vulnerable to Cross Site Scripting (XSS). via /otps/classes/Master.php. | |||||
| CVE-2022-31913 | 1 Online Discussion Forum Site Project | 1 Online Discussion Forum Site | 2022-06-27 | 3.5 LOW | 4.8 MEDIUM |
| Online Discussion Forum Site v1.0 is vulnerable to Cross Site Scripting (XSS) via /odfs/classes/Master.php?f=save_category, name. | |||||
| CVE-2022-29442 | 1 Private Messages Project | 1 Private Messages | 2022-06-27 | 3.5 LOW | 5.4 MEDIUM |
| Authenticated (subscriber or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Messages For WordPress <= 2.1.10 at WordPress. | |||||
| CVE-2022-29440 | 1 Promotion Slider Project | 1 Promotion Slider | 2022-06-27 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Promotion Slider plugin <= 3.3.4 at WordPress. | |||||
| CVE-2022-28202 | 1 Mediawiki | 1 Mediawiki | 2022-06-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete. | |||||
| CVE-2022-21938 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2022-06-24 | 3.5 LOW | 5.4 MEDIUM |
| Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. | |||||
| CVE-2022-21937 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2022-06-24 | 2.1 LOW | 5.4 MEDIUM |
| Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. | |||||
| CVE-2017-20047 | 1 Axis | 12 M3005, M3005 Firmware, M3007 and 9 more | 2022-06-24 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability classified as problematic was found in AXIS P1204, P3225, P3367, M3045, M3005 and M3007. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | |||||
| CVE-2022-29452 | 1 Atlasgondal | 1 Export All Urls | 2022-06-24 | 3.5 LOW | 4.8 MEDIUM |
| Authenticated (editor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Export All URLs plugin <= 4.1 at WordPress. | |||||
| CVE-2022-32280 | 1 Xakuro | 1 Xo Slider | 2022-06-24 | 3.5 LOW | 5.4 MEDIUM |
| Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Xakuro's XO Slider plugin <= 3.3.2 at WordPress. | |||||
| CVE-2022-28612 | 1 Custom Popup Builder Project | 1 Custom Popup Builder | 2022-06-24 | 3.5 LOW | 5.4 MEDIUM |
| Improper Access Control vulnerability leading to multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Muneeb's Custom Popup Builder plugin <= 1.3.1 at WordPress. | |||||
| CVE-2022-24004 | 1 Vanderbilt | 1 Redcap | 2022-06-24 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown. | |||||
| CVE-2022-29618 | 1 Sap | 1 Netweaver Development Infrastructure | 2022-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Due to insufficient input validation, SAP NetWeaver Development Infrastructure (Design Time Repository) - versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to inject script into the URL and execute code in the user’s browser. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-24127 | 1 Vanderbilt | 1 Redcap | 2022-06-24 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page. | |||||
| CVE-2022-29443 | 1 Nicdark | 1 Hotel Booking | 2022-06-24 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Nicdark's Hotel Booking plugin <= 3.0 at WordPress. | |||||
| CVE-2021-41415 | 1 Subscription-manager Project | 1 Subscription-manager | 2022-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Subscription-Manager v1.0 /main.js has a cross-site scripting (XSS) vulnerability in the machineDetail parameter. | |||||
| CVE-2022-30903 | 1 Nokia | 2 G-2425g-a, G-2425g-a Firmware | 2022-06-23 | 3.5 LOW | 4.8 MEDIUM |
| Nokia "G-2425G-A" Bharti Airtel Routers Hardware version "3FE48299DEAA" Software Version "3FE49362IJHK42" is vulnerable to Cross-Site Scripting (XSS) via the admin->Maintenance>Device Management. | |||||
| CVE-2022-2087 | 1 Bank Management System Project | 1 Bank Management System | 2022-06-23 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Bank Management System 1.0. This affects the file /mnotice.php?id=2. The manipulation of the argument notice with the input <script>alert(1)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2021-36901 | 1 Asylumdigital | 1 Age Gate | 2022-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in Phil Baker's Age Gate plugin <= 2.17.0 at WordPress. | |||||
| CVE-2022-31059 | 1 Discourse | 1 Discourse Calendar | 2022-06-23 | 2.1 LOW | 5.4 MEDIUM |
| Discourse Calendar is a calendar plugin for Discourse, an open-source messaging app. Prior to version 1.0.1, parsing and rendering of Event names can be susceptible to cross-site scripting (XSS) attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. This issue is patched in version 1.0.1 of the Discourse Calendar plugin. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks. | |||||
| CVE-2022-27859 | 1 Nicdark | 1 Nd-travel | 2022-06-23 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Nicdark d.o.o. Travel Management plugin <= 2.0 at WordPress. | |||||
| CVE-2022-29406 | 1 Dynamicweblab | 1 Wp-team-manager | 2022-06-23 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in DynamicWebLab's WordPress Team Manager plugin <= 1.6.9 at WordPress. | |||||
| CVE-2021-40910 | 1 Phpcms | 1 Phpcms | 2022-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is a reflective cross-site scripting (XSS) vulnerability in the PHPCMS V9.6.3 management side. | |||||
| CVE-2022-29485 | 1 Ss-proj | 1 Shirasagi | 2022-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in SHIRASAGI v1.0.0 to v1.14.2, and v1.15.0 allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-32286 | 1 Mendix | 1 Saml | 2022-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). In certain configurations SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link. | |||||
| CVE-2022-29438 | 1 Nextcode | 1 Image Slider By Nextcode | 2022-06-23 | 3.5 LOW | 4.8 MEDIUM |
| Authenticated (author or higher user role) Persistent Cross-Site Scripting (XSS) vulnerability in Image Slider by NextCode plugin <= 1.1.2 at WordPress. | |||||
| CVE-2022-31048 | 1 Typo3 | 1 Typo3 | 2022-06-23 | 3.5 LOW | 5.4 MEDIUM |
| TYPO3 is an open source web content management system. Prior to versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. TYPO3 versions 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem. | |||||
| CVE-2022-31049 | 1 Typo3 | 1 Typo3 | 2022-06-23 | 3.5 LOW | 5.4 MEDIUM |
| TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, user submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem. | |||||
| CVE-2022-29034 | 1 Siemens | 1 Sinema Remote Connect Server | 2022-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An error message pop up window in the web interface of the affected application does not prevent injection of JavaScript code. This could allow attackers to perform reflected cross-site scripting (XSS) attacks. | |||||
| CVE-2022-2079 | 1 Xgenecloud | 1 Nocodb | 2022-06-22 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+. | |||||
| CVE-2022-31403 | 1 Combodo | 1 Itop | 2022-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php. | |||||
| CVE-2022-1756 | 1 Thenewsletterplugin | 1 Newsletter | 2022-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below. | |||||
| CVE-2021-40678 | 1 Piwigo | 1 Piwigo | 2022-06-22 | 3.5 LOW | 5.4 MEDIUM |
| In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit. | |||||
| CVE-2022-32145 | 1 Siemens | 1 Teamcenter Active Workspace | 2022-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Teamcenter Active Workspace V5.2 (All versions < V5.2.9), Teamcenter Active Workspace V6.0 (All versions < V6.0.3). A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the affected application that could allow an attacker to execute malicious code by tricking users into accessing a malicious link. | |||||
| CVE-2022-2066 | 1 Facturascripts | 1 Facturascripts | 2022-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.06. | |||||
| CVE-2022-2065 | 1 Facturascripts | 1 Facturascripts | 2022-06-22 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository neorazorx/facturascripts prior to 2022.06. | |||||
| CVE-2022-29894 | 1 Strapi | 1 Strapi | 2022-06-22 | 3.5 LOW | 4.8 MEDIUM |
| Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege. | |||||
| CVE-2022-26101 | 1 Sap | 1 Fiori Launchpad | 2022-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2022-24399 | 1 Sap | 1 Focused Run | 2022-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2022-1750 | 1 Sticky Popup Project | 1 Sticky Popup | 2022-06-21 | 3.5 LOW | 4.8 MEDIUM |
| The Sticky Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ popup_title' parameter in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin level capabilities and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue mostly affects sites where unfiltered_html has been disabled for administrators and on multi-site installations where unfiltered_html is disabled for administrators. | |||||
| CVE-2022-1961 | 1 Gtm4wp | 1 Gtm4wp | 2022-06-21 | 3.5 LOW | 4.8 MEDIUM |
| The Google Tag Manager for WordPress (GTM4WP) plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the `gtm4wp-options[scroller-contentid]` parameter found in the `~/public/frontend.php` file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2022-1773 | 1 Wp Athletics Project | 1 Wp Athletics | 2022-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Athletics WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-1772 | 1 Google Places Reviews Project | 1 Google Places Reviews | 2022-06-21 | 2.1 LOW | 4.8 MEDIUM |
| The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their account. | |||||
| CVE-2022-1814 | 1 Wp Admin Style Project | 1 Wp Admin Style | 2022-06-21 | 3.5 LOW | 4.8 MEDIUM |
| The WP Admin Style WordPress plugin through 0.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed | |||||
| CVE-2022-1822 | 1 Zephyrproject | 1 Zephyr | 2022-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘project’ parameter in versions up to, and including, 3.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2018-25039 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Thomson TCW710 ST5D.10.05. It has been declared as problematic. This vulnerability affects unknown code of the file /goform/RgUrlBlock.asp. The manipulation of the argument BasicParentalNewKeyword with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2018-25038 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Thomson TCW710 ST5D.10.05. It has been classified as problematic. This affects an unknown part of the file /goform/RgDhcp. The manipulation of the argument PppUserName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2018-25037 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Thomson TCW710 ST5D.10.05 and classified as problematic. Affected by this issue is some unknown functionality of the file /goform/RgDdns. The manipulation of the argument DdnsHostName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2018-25036 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability has been found in Thomson TCW710 ST5D.10.05 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /goform/RgTime. The manipulation of the argument TimeServer1/TimeServer2/TimeServer3 with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2018-25035 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Thomson TCW710 ST5D.10.05. Affected is an unknown function of the file /goform/RGFirewallEL. The manipulation of the argument EmailAddress/SmtpServerName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||