Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43295 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module. | |||||
| CVE-2021-43294 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module. | |||||
| CVE-2022-1112 | 1 Autolinks Project | 1 Autolinks | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| The Autolinks WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, and does not sanitise as well as escape them, which could allow attackers to perform Stored Cross-Site scripting against a logged in admin via a CSRF attack | |||||
| CVE-2022-1091 | 1 10up | 1 Safe Svg | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks). | |||||
| CVE-2022-1090 | 1 Good-bad-comments Project | 1 Good-bad-comments | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The Good & Bad Comments WordPress plugin through 1.0.0 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-29529 | 1 Misp | 1 Misp | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. | |||||
| CVE-2022-29532 | 1 Misp | 1 Misp | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. | |||||
| CVE-2022-1088 | 1 Contextureintl | 1 Page Security \& Membership | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The Page Security & Membership WordPress plugin through 1.5.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-1063 | 1 Thank Me Later Project | 1 Thank Me Later | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The Thank Me Later WordPress plugin through 3.3.4 does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-23285 | 1 Eaton | 1 Intelligent Power Manager | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to reflected Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions. | |||||
| CVE-2021-23284 | 1 Eaton | 1 Intelligent Power Manager Infrastructure | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to Stored Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions. | |||||
| CVE-2022-0737 | 1 Text Hover Project | 1 Text Hover | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The Text Hover WordPress plugin before 4.2 does not sanitize and escape the text to hover, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-0765 | 1 Loco Translate Project | 1 Loco Translate | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-0780 | 1 Searchiq | 1 Searchiq | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SearchIQ WordPress plugin before 3.9 contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siq_ajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter | |||||
| CVE-2022-0879 | 1 Calderaforms | 1 Caldera Forms | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-0994 | 1 Incsub | 1 Hummingbird | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-0571 | 2 Fedoraproject, Phoronix-media | 3 Extra Packages For Enterprise Linux, Fedora, Phoronix Test Suite | 2022-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository phoronix-test-suite/phoronix-test-suite prior to 10.8.2. | |||||
| CVE-2021-3318 | 1 Dzzoffice | 1 Dzzoffice | 2022-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter. | |||||
| CVE-2021-1543 | 1 Cisco | 18 Sf220-24, Sf220-24 Firmware, Sf220-24p and 15 more | 2022-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an attacker to do the following: Hijack a user session Execute arbitrary commands as a root user on the underlying operating system Conduct a cross-site scripting (XSS) attack Conduct an HTML injection attack For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-28280 | 1 Php-fusion | 1 Phpfusion | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML | |||||
| CVE-2021-29209 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2022-04-25 | 3.5 LOW | 4.8 MEDIUM |
| A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2021-29210 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2022-04-25 | 3.5 LOW | 4.8 MEDIUM |
| A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2020-35204 | 1 Quest | 1 Policy Authority For Unified Communications | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the PolicyAuthority/Common/FolderControl.jsp file via the unqID parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-29208 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2022-04-25 | 3.5 LOW | 4.8 MEDIUM |
| A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2020-35203 | 1 Quest | 1 Policy Authority For Unified Communications | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the initFile.jsp file via the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-29503 | 1 Hedgedoc | 1 Hedgedoc | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| HedgeDoc is a platform to write and share markdown. HedgeDoc before version 1.8.2 is vulnerable to a cross-site scripting attack using the YAML-metadata of a note. An attacker with write access to a note can embed HTML tags in the Open Graph metadata section of the note, resulting in the frontend rendering the script tag as part of the `<head>` section. Unless your instance prevents guests from editing notes, this vulnerability allows unauthenticated attackers to inject JavaScript into notes that allow guest edits. If your instance prevents guests from editing notes, this vulnerability allows authenticated attackers to inject JavaScript into any note pages they have write-access to. This vulnerability is patched in version 1.8.2. As a workaround, one can disable guest edits until the next update. | |||||
| CVE-2021-32809 | 3 Ckeditor, Fedoraproject, Oracle | 10 Ckeditor, Fedora, Application Express and 7 more | 2022-04-25 | 3.5 LOW | 5.4 MEDIUM |
| ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2. | |||||
| CVE-2022-1380 | 1 Snipeitapp | 1 Snipe-it | 2022-04-25 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross Site Scripting vulnerability in Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stolen the user Cookie. | |||||
| CVE-2022-29020 | 1 Forestblog Project | 1 Forestblog | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS during addition of a user avatar. | |||||
| CVE-2021-3509 | 1 Redhat | 1 Ceph Storage | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability. | |||||
| CVE-2022-1001 | 1 Wp Downgrade Project | 1 Wp Downgrade | 2022-04-25 | 3.5 LOW | 4.8 MEDIUM |
| The WP Downgrade WordPress plugin before 1.2.3 only perform client side validation of its "WordPress Target Version" settings, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-0706 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2022-04-25 | 2.1 LOW | 4.8 MEDIUM |
| The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed | |||||
| CVE-2021-25120 | 1 Easysocialfeed | 1 Easy Social Feed | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Easy Social Feed Free and Pro WordPress plugins before 6.2.7 do not sanitise some of their parameters used via AJAX actions before outputting them back in the response, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2022-27853 | 1 Contest-gallery | 1 Contest Gallery | 2022-04-25 | 3.5 LOW | 4.8 MEDIUM |
| Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9 | |||||
| CVE-2022-27422 | 1 Chamilo | 1 Chamilo Lms | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL. | |||||
| CVE-2022-27425 | 1 Chamilo | 1 Chamilo | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php. | |||||
| CVE-2020-35730 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2022-04-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. | |||||
| CVE-2018-11689 | 2 Hanwha-security, Samsung | 19 Hrd-1641, Hrd-1641 Firmware, Hrd-1642 and 16 more | 2022-04-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Web Viewer for Hanwha DVR 2.17 and Smart Viewer in Samsung Web Viewer for Samsung DVR are vulnerable to XSS via the /cgi-bin/webviewer_login_page data3 parameter. (The same Web Viewer codebase was transitioned from Samsung to Hanwha.) | |||||
| CVE-2022-0288 | 2 Ad Inserter Pro Project, Ad Inserter Project | 2 Ad Inserter Pro, Ad Inserter | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ad Inserter WordPress plugin before 2.7.10, Ad Inserter Pro WordPress plugin before 2.7.10 do not sanitise and escape the html_element_selection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-0252 | 1 Givewp | 1 Givewp | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-0234 | 1 Pluginus | 1 Woocs | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape the woocs_in_order_currency parameter of the woocs_get_products_price_html AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-0211 | 1 Getshieldsecurity | 1 Shield Security | 2022-02-28 | 3.5 LOW | 4.8 MEDIUM |
| The Shield Security WordPress plugin before 13.0.6 does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | |||||
| CVE-2022-0186 | 1 Machothemes | 1 Image Photo Gallery Final Tiles Grid | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks against other users having access to the gallery dashboard | |||||
| CVE-2021-25101 | 1 Anti-malware Security And Brute-force Firewall Project | 1 Anti-malware Security And Brute-force Firewall | 2022-02-28 | 3.5 LOW | 4.8 MEDIUM |
| The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user. | |||||
| CVE-2021-25100 | 1 Givewp | 1 Givewp | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-25099 | 1 Givewp | 1 Givewp | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-37999 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient data validation in New Tab Page in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to inject arbitrary scripts or HTML in a new browser tab via a crafted HTML page. | |||||
| CVE-2021-25060 | 1 Fivestarplugins | 1 Five Star Business Profile And Schema | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| The Five Star Business Profile and Schema WordPress plugin before 2.1.7 does not have any authorisation and CSRF in its bpfwp_welcome_add_contact_page and bpfwp_welcome_set_contact_information AJAX action, allowing any authenticated users, such as subscribers, to call them. Furthermore, due to the lack of sanitisation, it also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-25058 | 1 The Buffer Button Project | 1 The Buffer Button | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| The Buffer Button WordPress plugin through 1.0 was vulnerable to Authenticated Stored Cross Site Scripting (XSS) within the Twitter username to mention text field. | |||||
| CVE-2021-25057 | 1 Translationexchange | 1 Translation Exchange | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| The Translation Exchange WordPress plugin through 1.0.14 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) within the Project Key text field found in the plugin's settings. | |||||