Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1255 | 1 Codection | 1 Import And Export Users And Customers | 2022-05-09 | 3.5 LOW | 4.8 MEDIUM |
| The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escape imported CSV data, which could allow high privilege users to import malicious JavaScript code and lead to Stored Cross-Site Scripting issues. | |||||
| CVE-2022-21702 | 3 Fedoraproject, Grafana, Netapp | 3 Fedora, Grafana, E-series Performance Analyzer | 2022-05-07 | 2.1 LOW | 5.4 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content through the Grafana datasource or plugin proxy and trick a user into visiting this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of the above datasource, and a specially crafted link pointing at the attacker-controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of the above app, and a specially crafted link pointing at the attacker-controlled plugin must be clicked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-29907 | 1 Mediawiki | 1 Mediawiki | 2022-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages. | |||||
| CVE-2022-24873 | 1 Shopware | 1 Shopware | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. | |||||
| CVE-2022-29152 | 1 Ericom | 1 Powerterm Webconnect | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an XSS payload from the AppPortal cookie into the page. | |||||
| CVE-2022-29584 | 1 Mahara | 1 Mahara | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action. | |||||
| CVE-2022-28477 | 1 Wbce | 1 Wbce Cms | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2022-28454 | 1 Limbas | 1 Limbas | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2021-38952 | 1 Ibm | 1 Infosphere Information Server | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211408. | |||||
| CVE-2022-22427 | 1 Ibm | 1 Infosphere Information Server | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 223720. | |||||
| CVE-2022-1514 | 1 Facturascripts | 1 Facturascripts | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS via upload plugin functionality in zip format in GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account. | |||||
| CVE-2022-22322 | 1 Ibm | 1 Infosphere Information Server | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 218370. | |||||
| CVE-2022-22443 | 1 Ibm | 1 Infosphere Information Server | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 224440. | |||||
| CVE-2022-27860 | 1 Footer-text Project | 1 Footer-text | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) in Shea Bunge's Footer Text plugin <= 2.0.3 on WordPress. | |||||
| CVE-2022-28102 | 1 Php Mysql Admin Panel Generator Project | 1 Php Mysql Admin Panel Generator | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php. | |||||
| CVE-2021-36867 | 1 Psychological Tests & Quizzes Project | 1 Psychological Tests & Quizzes | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher user rights. | |||||
| CVE-2021-26628 | 2 Linux, Maxb | 2 Linux Kernel, Maxboard | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient script validation of the admin page enables XSS, which allows unauthorized users to steal admin privileges. When uploading a file in a specific menu, the verification of the files is insufficient. It allows remote attackers to upload arbitrary files disguised as image files. | |||||
| CVE-2022-26597 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name. | |||||
| CVE-2022-26596 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names. | |||||
| CVE-2022-1504 | 1 Microweber | 1 Microweber | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks. | |||||
| CVE-2022-1503 | 1 Get-simple | 1 Getsimple Cms | 2022-05-05 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in GetSimple CMS. Affected by this issue is the file /admin/edit.php of the Content Module. The manipulation of the argument post-content with an input like <script>alert(1)</script> leads to cross site scripting. The attack may be launched remotely but requires authentication. Exploit details have been disclosed within the advisory. | |||||
| CVE-2022-28290 | 1 Welaunch | 1 Wordpress Country Selector | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever the user tries to access the country selector page with the specified payload as a part of the HTTP request. | |||||
| CVE-2022-29418 | 1 Night Mode Project | 1 Night Mode | 2022-05-05 | 3.5 LOW | 4.8 MEDIUM |
| Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin <= 1.0.0 on WordPress via vulnerable parameters: &ntmode_page_setting[enable-me], &ntmode_page_setting[bg-color], &ntmode_page_setting[txt-color], &ntmode_page_setting[anc_color]. | |||||
| CVE-2022-1173 | 1 Getgrav | 1 Grav | 2022-05-05 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in GitHub repository getgrav/grav prior to 1.7.33. | |||||
| CVE-2022-27428 | 1 Gallerycms Project | 1 Gallerycms | 2022-05-05 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in /index.php/album/add of GalleryCMS v2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the album_name parameter. | |||||
| CVE-2021-26080 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| EditworkflowScheme.jspa in Jira Server and Jira Data Center before version 8.5.14, and from version 8.6.0 before version 8.13.6, and from 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. | |||||
| CVE-2022-29811 | 1 Jetbrains | 1 Hub | 2022-05-05 | 3.5 LOW | 4.8 MEDIUM |
| In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible. | |||||
| CVE-2022-29817 | 1 Jetbrains | 1 Intellij Idea | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in the internal web server was possible. | |||||
| CVE-2022-27103 | 1 Element-plus | 1 Element-plus | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column. | |||||
| CVE-2022-1396 | 1 Donorbox | 1 Donorbox | 2022-05-05 | 3.5 LOW | 4.8 MEDIUM |
| The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL settings before outputting them in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-28094 | 1 Online Sports Complex Booking System Project | 1 Online Sports Complex Booking System | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the fid parameter at booking.php. | |||||
| CVE-2022-26564 | 1 Digitaldruid | 1 Hoteldruid | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php. | |||||
| CVE-2022-29415 | 1 Ravpage Project | 1 Ravpage | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Mati Skiba @ Rav Messer's Ravpage plugin <= 2.16 at WordPress. | |||||
| CVE-2022-28448 | 1 Nopcommerce | 1 Nopcommerce | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject JavaScript code into First name or Last name at Customer Info. | |||||
| CVE-2022-28449 | 1 Nopcommerce | 1 Nopcommerce | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At Apply for vendor account feature, an attacker can upload an arbitrary file to the system. | |||||
| CVE-2022-28450 | 1 Nopcommerce | 1 Nopcommerce | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at client browser. | |||||
| CVE-2022-28522 | 1 Zcms Project | 1 Zcms | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| ZCMS v20170206 was discovered to contain a stored cross-site scripting (XSS) vulnerability via index.php?m=home&c=message&a=add. | |||||
| CVE-2021-41161 | 1 Combodo | 1 Itop | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page does not properly escape the user supplied parameters, allowing for JavaScript injection into rendered CSV files. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-20778 | 1 Cisco | 1 Webex Meetings | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the authentication component of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the authentication component of Cisco Webex Meetings. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2022-1458 | 1 Open-emr | 1 Openemr | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1. | |||||
| CVE-2022-1457 | 1 Facturascripts | 1 Facturascripts | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account. | |||||
| CVE-2022-20788 | 1 Cisco | 2 Unified Communications Manager, Unity Connection | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2022-22345 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2022-05-04 | 3.5 LOW | 4.8 MEDIUM |
| IBM QRadar 7.3, 7.4, and 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 220041. | |||||
| CVE-2022-26673 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform Stored Cross-Site Scripting (XSS) attacks. | |||||
| CVE-2022-28367 | 1 Antisamy Project | 1 Antisamy | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. | |||||
| CVE-2022-28074 | 1 Fit2cloud | 1 Halo | 2022-05-03 | 3.5 LOW | 4.8 MEDIUM |
| Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \admin\index.html#/system/tools. | |||||
| CVE-2021-32927 | 1 Uffizio | 1 Gps Tracker | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| An attacker may be able to inject client-side JavaScript code on multiple instances within all versions of Uffizio GPS Tracker. | |||||
| CVE-2022-0876 | 1 Wpdevart | 1 Social Comments | 2022-05-03 | 3.5 LOW | 4.8 MEDIUM |
| The Social comments by WpDevArt WordPress plugin before 2.5.0 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2021-36895 | 1 Tripetto | 1 Tripetto | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload. | |||||
| CVE-2022-28586 | 1 Hoosk | 1 Hoosk | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in the edit page of Hoosk 1.8.0 allows an attacker to execute JavaScript code in the user's browser via an XSS payload on the edit page that bypasses the filter on some special characters. | |||||
