Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30999 | 1 Friendsofflarum | 1 Upload | 2022-06-10 | 3.5 LOW | 5.4 MEDIUM |
| FriendsofFlarum (FoF) Upload is an extension that handles file uploads intelligently for your forum. If FoF Upload prior to version 1.2.3 is configured to allow the uploading of SVG files ('image/svg+xml'), navigating directly to an SVG file URI could execute arbitrary Javascript code decided by an attacker. This Javascript code could include the execution of HTTP web requests to Flarum, or any other web service. This could allow data to be leaked by an authenticated Flarum user, or, possibly, for data to be modified maliciously. This issue has been patched with v1.2.3, which now sanitizes uploaded SVG files. As a workaround, remove the ability for users to upload SVG files through FoF Upload. | |||||
| CVE-2022-29732 | 1 Deltacontrols | 2 Entelitouch, Entelitouch Firmware | 2022-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 was discovered to contain a cross-site scripting (XSS) vulnerability via the Username parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2022-30349 | 1 Sscms | 1 Siteserver Cms | 2022-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| siteserver SSCMS 6.15.51 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2022-29734 | 1 Ict | 2 Protege Gx, Protege Wx | 2022-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in ICT Protege GX/WX v2.08 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter. | |||||
| CVE-2022-29711 | 1 Librenms | 1 Librenms | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| LibreNMS v22.3.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /Table/GraylogController.php. | |||||
| CVE-2022-29628 | 1 Online Market Place Site Project | 1 Online Market Place Site | 2022-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in /omps/seller of Online Market Place Site v1.0 allows attackers to execute arbitrary web cripts or HTML via a crafted payload injected into the Page parameter. | |||||
| CVE-2022-29598 | 1 Solutions-atlantic | 1 Regulatory Reporting System | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to an reflected Cross-Site Scripting (XSS) vulnerability via RRSWeb/maint/ShowDocument/ShowDocument.aspx . | |||||
| CVE-2022-29540 | 1 Resi | 1 Gemini-net | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| resi-calltrace in RESI Gemini-Net 4.2 is affected by Multiple XSS issues. Unauthenticated remote attackers can inject arbitrary web script or HTML into an HTTP GET parameter that reflects user input without sanitization. This exists on numerous application endpoints, | |||||
| CVE-2022-29648 | 1 Jflyfox | 1 Jfinal Cms | 2022-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request. | |||||
| CVE-2022-29653 | 1 Ofcms Project | 1 Ofcms | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json. | |||||
| CVE-2022-26972 | 1 Barco | 1 Control Room Management Suite | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a URL /cgi-bin endpoint. The URL parameters are not correctly sanitized, leading to reflected XSS. | |||||
| CVE-2022-26974 | 1 Barco | 1 Control Room Management Suite | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a file upload mechanism. Lack of input sanitization in the upload mechanism leads to reflected XSS. | |||||
| CVE-2022-26976 | 1 Barco | 1 Control Room Management Suite | 2022-06-09 | 3.5 LOW | 5.4 MEDIUM |
| Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. Lack of input sanitization in the upload mechanism is leads to reflected XSS. | |||||
| CVE-2022-26977 | 1 Barco | 1 Control Room Management Suite | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. Lack of input sanitization of the upload mechanism is leads to stored XSS. | |||||
| CVE-2022-26978 | 1 Barco | 1 Control Room Management Suite | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a URL /checklogin.jsp endpoint. The os_username parameters is not correctly sanitized, leading to reflected XSS. | |||||
| CVE-2022-24967 | 1 Blackrainbow | 1 Nimbus | 2022-06-09 | 3.5 LOW | 5.4 MEDIUM |
| Black Rainbow NIMBUS before 3.7.0 allows stored Cross-site Scripting (XSS). | |||||
| CVE-2021-36866 | 1 Fatcatapps | 1 Easy Pricing Tables | 2022-06-09 | 3.5 LOW | 4.8 MEDIUM |
| Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) vulnerability in Fatcat Apps Easy Pricing Tables plugin <= 3.1.2 at WordPress. | |||||
| CVE-2022-29258 | 1 Xwiki | 1 Xwiki | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| XWiki Platform Filter UI provides a generic user interface to convert from a XWiki Filter input stream to an output stream with settings for each stream. Starting with versions 6.0-milestone-2 and 5.4.4 and prior to versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3, XWiki Platform Filter UI contains a possible cross-site scripting vector in the `Filter.FilterStreamDescriptorForm` wiki page related to pretty much all the form fields printed in the home page of the application. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest workaround is to edit the wiki page `Filter.FilterStreamDescriptorForm` (with wiki editor) according to the instructions in the GitHub Security Advisory. | |||||
| CVE-2022-20802 | 1 Cisco | 1 Enterprise Chat And Email | 2022-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web interface of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input that is processed by the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected system. A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials. | |||||
| CVE-2022-20765 | 1 Cisco | 1 Ucs Director | 2022-06-09 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web applications of Cisco UCS Director could allow an authenticated, remote attacker to conduct a cross-site scripting attack on an affected system. This vulnerability is due to unsanitized user input. An attacker could exploit this vulnerability by submitting custom JavaScript to affected web applications. A successful exploit could allow the attacker to rewrite web page content, access sensitive information stored in the applications, and alter data by submitting forms. | |||||
| CVE-2021-43331 | 1 Gnu | 1 Mailman | 2022-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS. | |||||
| CVE-2021-27778 | 1 Hcltech | 1 Traveler | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| HCL Traveler is vulnerable to a cross-site scripting (XSS) caused by improper validation of the Name parameter for Approved Applications in the Traveler administration web pages. An attacker could exploit this vulnerability to execute a malicious script to access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. | |||||
| CVE-2021-27914 | 1 Acquia | 1 Mautic | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the installer component of Mautic before 4.3.0 allows admins to inject executable javascript | |||||
| CVE-2022-1643 | 1 Birthdays Widget Project | 1 Birthdays Widget | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Birthdays Widget WordPress plugin through 1.7.18 does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed | |||||
| CVE-2022-1009 | 1 Wpmudev | 1 Smush Image Compression And Optimization | 2022-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file | |||||
| CVE-2022-1275 | 1 Stillbreathing | 1 Bannerman | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The BannerMan WordPress plugin through 0.2.4 does not sanitize or escape its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks when the unfiltered_html is disallowed (such as in multisite) | |||||
| CVE-2022-1294 | 1 99webtools | 1 Imdb Info Box | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The IMDB info box WordPress plugin through 2.0 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-1387 | 1 No Future Posts Project | 1 No Future Posts | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The No Future Posts WordPress plugin through 1.4 does not escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed | |||||
| CVE-2022-1299 | 1 Slideshow Project | 1 Slideshow | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Slideshow WordPress plugin through 2.3.1 does not sanitize and escape some of its default slideshow settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-1456 | 1 Ays-pro | 1 Poll Maker | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Poll Maker WordPress plugin before 4.0.2 does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Store Cross-Site Scripting attack even when unfiltered_html is disallowed | |||||
| CVE-2022-1395 | 1 Easy Faq With Expanding Text Project | 1 Easy Faq With Expanding Text | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Easy FAQ with Expanding Text WordPress plugin through 3.2.8.3.1 does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfiltered_html is disallowed | |||||
| CVE-2022-1527 | 1 Wpwhitesecurity | 1 Wp 2fa | 2022-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-1646 | 1 Simple Real Estate Pack Project | 1 Simple Real Estate Pack | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Simple Real Estate Pack WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed | |||||
| CVE-2022-1645 | 1 Amazon Link Project | 1 Amazon Link | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Amazon Link WordPress plugin through 3.2.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2022-1644 | 1 Call\&book Mobile Bar Project | 1 Call\&book Mobile Bar | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Call&Book Mobile Bar WordPress plugin through 1.2.2 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2021-27781 | 1 Hcltech | 2 Bigfix Mobile, Modern Client Management | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Master operator may be able to embed script tag in HTML with alert pop-up display cookie. | |||||
| CVE-2022-1928 | 1 Gitea | 1 Gitea | 2022-06-08 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9. | |||||
| CVE-2022-1528 | 1 Vikwp | 1 Vik Booking | 2022-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.9 does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-31648 | 1 Talend | 1 Administration Center | 2022-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Talend Administration Center is vulnerable to a reflected Cross-Site Scripting (XSS) issue in the SSO login endpoint. The issue is fixed for versions 8.0.x in TPS-5233, for versions 7.3.x in TPS-5324, and for versions 7.2.x in TPS-5235. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version. | |||||
| CVE-2022-1542 | 1 Justsystems | 1 Hpb Dashboard | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The HPB Dashboard WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2022-1562 | 1 Room 34 Creative Services | 1 Enable Svg | 2022-06-08 | 3.5 LOW | 5.4 MEDIUM |
| The Enable SVG WordPress plugin before 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads | |||||
| CVE-2022-1564 | 1 10web | 1 Form Maker | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2022-1566 | 1 Quotes Llama Project | 1 Quotes Llama | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Quotes llama WordPress plugin through 0.7 does not sanitise and escape Quotes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The attack could also be performed by tricking an admin to import a malicious CSV file | |||||
| CVE-2022-29091 | 1 Dell | 3 Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment | 2022-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dell Unity, Dell UnityVSA, and Dell UnityXT versions prior to 5.2.0.0.5.173 contain a Reflected Cross-Site Scripting Vulnerability in Unisphere GUI. An Unauthenticated Remote Attacker could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | |||||
| CVE-2022-1568 | 1 Wpdarko | 1 Team Members | 2022-06-08 | 3.5 LOW | 4.8 MEDIUM |
| The Team Members WordPress plugin before 5.1.1 does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2022-1582 | 1 Webfactoryltd | 1 External Links In New Window \/ New Tab | 2022-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The External Links in New Window / New Tab WordPress plugin before 1.43 does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible. | |||||
| CVE-2022-20672 | 1 Cisco | 1 Common Services Platform Collector | 2022-06-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2022-20673 | 1 Cisco | 1 Common Services Platform Collector | 2022-06-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2022-20674 | 1 Cisco | 1 Common Services Platform Collector | 2022-06-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2021-32989 | 1 Lcds | 1 Laquis Scada | 2022-06-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting. | |||||