Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25055 | 1 Feedwordpress Project | 1 Feedwordpress | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The FeedWordPress plugin before 2022.0123 is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter. | |||||
| CVE-2021-24921 | 1 Sigmaplugin | 1 Advanced Database Cleaner | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advanced Database Cleaner WordPress plugin before 3.0.4 does not sanitise and escape $_GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2021-26256 | 1 Ays-pro | 1 Survey Maker | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Survey Maker WordPress plugin (versions <= 2.0.6). | |||||
| CVE-2022-23647 | 1 Prismjs | 1 Prism | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin. | |||||
| CVE-2021-30650 | 1 Broadcom | 1 Layer7 Api Management Oauth Toolkit | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Symantec Layer7 API Management OAuth Toolkit (OTK) allows a remote attacker to craft a malicious URL for the OTK web UI and target OTK users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious code into the OTK web UI client application. | |||||
| CVE-2022-23053 | 1 Nasa | 1 Openmct | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Condition Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions. | |||||
| CVE-2022-23054 | 1 Nasa | 1 Openmct | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Summary Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions. | |||||
| CVE-2022-22126 | 1 Nasa | 1 Openmct | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Web Page” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions. | |||||
| CVE-2021-29110 | 1 Esri | 1 Portal For Arcgis | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious strings in the home application. | |||||
| CVE-2021-29103 | 1 Esri | 1 Arcgis Server | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross Site Scripting (XXS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser. | |||||
| CVE-2021-29106 | 1 Esri | 1 Arcgis Server | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser. | |||||
| CVE-2021-29116 | 1 Esri | 1 Arcgis Server | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services versions 10.8.1 and 10.9 (only) feature services may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. | |||||
| CVE-2021-29105 | 1 Esri | 1 Arcgis Server | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Services Directory. | |||||
| CVE-2021-29109 | 1 Esri | 1 Portal For Arcgis | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser. | |||||
| CVE-2021-29107 | 1 Esri | 1 Arcgis Server | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application. | |||||
| CVE-2021-29104 | 1 Esri | 1 Arcgis Server | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application. | |||||
| CVE-2021-40840 | 1 Liveconfig | 1 Liveconfig | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| A Stored XSS issue exists in the admin/users user administration form in LiveConfig 2.12.2. | |||||
| CVE-2021-44916 | 1 Opmantek | 1 Open-audit | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Opmantek Open-AudIT Community 4.2.0 (Fixed in 4.3.0) is affected by a Cross Site Scripting (XSS) vulnerability. If a bad value is passed to the routine via a URL, malicious JavaScript code can be executed in the victim's browser. | |||||
| CVE-2021-41304 | 1 Atlassian | 2 Data Center, Jira | 2022-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2. | |||||
| CVE-2021-37695 | 4 Ckeditor, Debian, Fedoraproject and 1 more | 12 Ckeditor, Debian Linux, Fedora and 9 more | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2. | |||||
| CVE-2021-32808 | 3 Ckeditor, Fedoraproject, Oracle | 13 Ckeditor, Fedora, Application Express and 10 more | 2022-02-28 | 3.5 LOW | 5.4 MEDIUM |
| ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2. | |||||
| CVE-2021-24900 | 1 Wpmanageninja | 1 Ninja Tables | 2022-02-28 | 3.5 LOW | 4.8 MEDIUM |
| The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-0678 | 1 Microweber | 1 Microweber | 2022-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2022-0690 | 1 Microweber | 1 Microweber | 2022-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2021-46372 | 1 Erudika | 1 Scoold | 2022-02-25 | 3.5 LOW | 5.4 MEDIUM |
| Scoold 1.47.2 is a Q&A/knowledge base platform written in Java. When writing a Q&A, the markdown editor is vulnerable to a XSS attack when using uppercase letters. | |||||
| CVE-2021-46108 | 1 Dlink | 2 Dsl-2730e, Dsl-2730e Firmware | 2022-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| D-Link DSL-2730E CT-20131125 devices allow XSS via the username parameter to the password page in the maintenance configuration. | |||||
| CVE-2022-20659 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2022-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2022-25317 | 1 Cerebrate-project | 1 Cerebrate | 2022-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Cerebrate through 1.4. genericForm allows reflected XSS in form descriptions via a user-controlled description. | |||||
| CVE-2022-24981 | 1 Jqueryform | 1 Jqueryform | 2022-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in forms generated by JQueryForm.com before 2022-02-05 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to admin.php. | |||||
| CVE-2018-18623 | 1 Grafana | 1 Grafana | 2022-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | |||||
| CVE-2022-25323 | 1 Zerof | 1 Web Server | 2022-02-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| ZEROF Web Server 2.0 allows /admin.back XSS. | |||||
| CVE-2014-8597 | 1 Php-fusion | 1 Phpfusion | 2022-02-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel. | |||||
| CVE-2021-37403 | 1 Open-xchange | 1 Open-xchange Appsuite | 2022-02-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used. | |||||
| CVE-2021-46251 | 1 Scratchoauth2 Project | 1 Scratchoauth2 | 2022-02-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | |||||
| CVE-2022-0612 | 1 Livehelperchat | 1 Live Helper Chat | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v. | |||||
| CVE-2022-25185 | 1 Jenkins | 1 Generic Webhook Trigger | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Generic Webhook Trigger Plugin 1.81 and earlier does not escape the build cause when using the webhook, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-24589 | 1 Burden Project | 1 Burden | 2022-02-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Burden v3.0 was discovered to contain a stored cross-site scripting (XSS) in the Add Category function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the task parameter. | |||||
| CVE-2022-25191 | 1 Jenkins | 1 Agent Server Parameter | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape parameter names of agent server parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-25203 | 1 Jenkins | 1 Team Views | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Team Views Plugin 0.9.0 and earlier does not escape team names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Read permission. | |||||
| CVE-2022-25202 | 1 Jenkins | 1 Promoted Builds \(simple\) | 2022-02-23 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name of custom promotion levels, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. | |||||
| CVE-2022-23367 | 1 Fulusso Project | 1 Fulusso | 2022-02-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fulusso v1.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in /BindAccount/SuccessTips.js. This vulnerability allows attackers to inject malicious code into a victim user's device via open redirection. | |||||
| CVE-2021-46558 | 1 Issabel | 1 Pbx | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Add User module of Issabel PBX 20200102 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the username and password fields. | |||||
| CVE-2020-13668 | 1 Drupal | 1 Drupal | 2022-02-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | |||||
| CVE-2022-24586 | 1 Pluxml | 1 Pluxml | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters. | |||||
| CVE-2022-0576 | 1 Librenms | 1 Librenms | 2022-02-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Generic in Packagist librenms/librenms prior to 22.1.0. | |||||
| CVE-2022-0575 | 1 Librenms | 1 Librenms | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms prior to 22.2.0. | |||||
| CVE-2021-25107 | 1 Accesspressthemes | 1 Form Store To Db | 2022-02-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin | |||||
| CVE-2021-24904 | 1 Lenderd | 1 Mortgage Calculators Wp | 2022-02-22 | 3.5 LOW | 4.8 MEDIUM |
| The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24874 | 1 Sendinblue | 1 Newsletter\, Smtp\, Email Marketing And Subscribe | 2022-02-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2022-0589 | 1 Librenms | 1 Librenms | 2022-02-22 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms prior to 22.1.0. | |||||