Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-23863 | 1 Bosch | 1 Video Security | 2022-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| HTML code injection vulnerability in the Android application Bosch Video Security, version 3.2.3 or earlier, when successfully exploited allows an attacker to inject arbitrary HTML code into a component loaded by WebView, thus allowing the application to display web resources controlled by the attacker. | |||||
| CVE-2021-23174 | 1 Wpchill | 1 Download Monitor | 2022-02-02 | 3.5 LOW | 4.8 MEDIUM |
| Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6). Vulnerable parameters: &post_title, &downloadable_file_version[0]. | |||||
| CVE-2022-22852 | 1 Hospital's Patient Records Management System Project | 1 Hospital's Patient Records Management System | 2022-02-02 | 4.3 MEDIUM | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Hospital's Patient Records Management System 1.0 via the description parameter in room_list. | |||||
| CVE-2022-22850 | 1 Hospital's Patient Records Management System Project | 1 Hospital's Patient Records Management System | 2022-02-02 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Hospital's Patient Records Management System 1.0 via the description parameter in room_types. | |||||
| CVE-2021-34073 | 1 Gadget Works Online Ordering System Project | 1 Gadget Works Online Ordering System | 2022-02-02 | 3.5 LOW | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Gadget Works Online Ordering System in PHP/MySQLi 1.0 via the Category parameter in an add function in category/index.php. | |||||
| CVE-2022-21719 | 1 Glpi-project | 1 Glpi | 2022-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2022-0379 | 1 Microweber | 1 Microweber | 2022-02-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2022-0378 | 1 Microweber | 1 Microweber | 2022-02-02 | 4.3 MEDIUM | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2022-0387 | 1 Livehelperchat | 1 Livehelperchat | 2022-02-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v. | |||||
| CVE-2022-0370 | 1 Livehelperchat | 1 Livehelperchat | 2022-02-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v. | |||||
| CVE-2021-43334 | 1 Buddyboss | 1 Buddyboss | 2022-02-02 | 3.5 LOW | 5.4 MEDIUM |
| BuddyBoss Platform through 1.8.0 allows XSS via the Group Name or Group Description field. | |||||
| CVE-2022-0372 | 1 Craterapp | 1 Crater | 2022-02-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist bytefury/crater prior to 6.0.2. | |||||
| CVE-2022-0348 | 1 Pimcore | 1 Pimcore | 2022-02-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2. | |||||
| CVE-2021-46065 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2022-02-02 | 3.5 LOW | 4.8 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in the Secondary Email field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attacker to inject arbitrary JavaScript code. | |||||
| CVE-2022-22851 | 1 Hospital's Patient Records Management System Project | 1 Hospital's Patient Records Management System | 2022-02-01 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Hospital's Patient Records Management System 1.0 via the specialization parameter in doctors.php. | |||||
| CVE-2021-44118 | 1 Spip | 1 Spip | 2022-02-01 | 3.5 LOW | 5.4 MEDIUM |
| SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side into web pages visited by other users (stored XSS). | |||||
| CVE-2021-44120 | 1 Spip | 1 Spip | 2022-02-01 | 3.5 LOW | 5.4 MEDIUM |
| SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes to the public site and wants to read the author's information, the malicious code will be executed. The "Who are you" and "Website Name" fields are vulnerable. | |||||
| CVE-2022-0251 | 1 Pimcore | 1 Pimcore | 2022-02-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.10. | |||||
| CVE-2022-0374 | 1 Livehelperchat | 1 Live Helper Chat | 2022-02-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v. | |||||
| CVE-2022-0375 | 1 Livehelperchat | 1 Live Helper Chat | 2022-02-01 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v. | |||||
| CVE-2020-14166 | 1 Atlassian | 1 Jira Service Desk | 2022-02-01 | 3.5 LOW | 4.8 MEDIUM |
| The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via a Cross Site Scripting (XSS) vulnerability by uploading an HTML file. | |||||
| CVE-2021-40337 | 1 Hitachi | 1 Linkone | 2022-01-31 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in Hitachi Energy LinkOne allows an attacker who manages to exploit the vulnerability to carry out multiple web attacks and steal sensitive information. This issue affects: Hitachi Energy LinkOne 3.20; 3.22; 3.23; 3.24; 3.25; 3.26. | |||||
| CVE-2017-5157 | 2 Schneider-electric, Schneider Electric | 2 Homelynk Controller Lss100100, Homelynk Controller Lss100100 Firmware | 2022-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Schneider Electric homeLYnk Controller, LSS100100, all versions prior to V1.5.0. The homeLYnk controller is susceptible to a cross-site scripting attack. User inputs can be manipulated to cause execution of JavaScript code. | |||||
| CVE-2020-7571 | 1 Schneider-electric | 1 Webreports | 2022-01-31 | 3.5 LOW | 5.4 MEDIUM |
| A CWE-79 Multiple Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Reflected) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause a remote attacker to inject arbitrary web script or HTML due to incorrect sanitization of user supplied data and achieve a Cross-Site Scripting reflected attack against other WebReport users. | |||||
| CVE-2020-7570 | 1 Schneider-electric | 1 Webreports | 2022-01-31 | 3.5 LOW | 5.4 MEDIUM |
| A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting stored attack against other WebReport users. | |||||
| CVE-2020-28210 | 1 Schneider-electric | 1 Ecostruxure Building Operation | 2022-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in EcoStruxure Building Operation WebStation V2.0 - V3.1 that could cause an attacker to inject HTML and JavaScript code into the user's browser. | |||||
| CVE-2021-41929 | 1 The Electric Billing Management System Project | 1 The Electric Billing Management System | 2022-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Sourcecodester The Electric Billing Management System 1.0 by oretnom23, allows attackers to execute arbitrary code via the about page. | |||||
| CVE-2021-41930 | 1 Online Covid Vaccination Scheduler System Project | 1 Online Covid Vaccination Scheduler System | 2022-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in Sourcecodester Online Covid Vaccination Scheduler System v1 by oretnom23, allows attackers to execute arbitrary code via the lid parameter to /scheduler/addSchedule.php. | |||||
| CVE-2021-42168 | 1 Try My Recipe Project | 1 Try My Recipe | 2022-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Sourcecodester Try My Recipe (Recipe Sharing Website - CMS) by oretnom23, allows attackers to gain the PHPSESSID or other unspecified impacts via the fullname parameter to the login_registration page. | |||||
| CVE-2021-24965 | 1 Fivestarplugins | 1 Five Star Restaurant Reservations | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated user to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged-in admins. | |||||
| CVE-2021-46083 | 1 Uscat Project | 1 Uscat | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via the input box of the statistical code. | |||||
| CVE-2021-46084 | 1 Uscat Project | 1 Uscat | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via "close registration information" input box. | |||||
| CVE-2021-46087 | 1 Jflyfox | 1 Jfinal Cms | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| In jfinal_cms >= 5.1 0, there is a stored XSS vulnerability in the background system of the CMS. Because developers do not filter the parameters submitted by the user input form, any user with background permission can affect the system security by entering malicious code. | |||||
| CVE-2022-0268 | 1 Getgrav | 1 Grav | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28. | |||||
| CVE-2021-46034 | 1 Forestblog Project | 1 Forestblog | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A problem was found in ForestBlog, as of 2021-12-29: there is an XSS vulnerability that can be injected through the nickname input box. | |||||
| CVE-2022-21710 | 1 Mediawiki | 1 Shortdescription | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4. | |||||
| CVE-2022-21715 | 1 Codeigniter | 1 Codeigniter | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in CodeIgniter4 prior to version 4.1.8. Attackers can perform XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController`. Users may also disable Auto Route and use defined routes only. | |||||
| CVE-2021-45225 | 1 Coins-global | 1 Construction Cloud | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in COINS Construction Cloud 11.12. Due to improper input neutralization, it is vulnerable to reflected cross-site scripting (XSS) via malicious links (affecting the search window and activity view window). | |||||
| CVE-2021-25080 | 1 Crmperks | 1 Contact Form Entries | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged-in admins viewing the created entry. | |||||
| CVE-2021-25079 | 1 Crmperks | 1 Contact Form Entries | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search, before outputting them back in the admin page. | |||||
| CVE-2021-45224 | 1 Coins-global | 1 Construction Cloud | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in COINS Construction Cloud 11.12. In several locations throughout the application, JavaScript code is passed as a URL parameter. Attackers can trivially alter this code to cause malicious behaviour. The application is therefore vulnerable to reflected XSS via malicious URLs. | |||||
| CVE-2021-25078 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests. | |||||
| CVE-2021-25049 | 1 Mobile Events Manager Project | 1 Mobile Events Manager | 2022-01-28 | 3.5 LOW | 4.8 MEDIUM |
| The Mobile Events Manager WordPress plugin before 1.4.4 does not sanitise and escape various of its settings, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-25035 | 1 Revmakx | 1 Backup And Staging By Wp Time Capsule | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-25031 | 1 Oxilab | 1 Image Hover Effects Ultimate | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-41658 | 1 Student Quarterly Grading System Project | 1 Student Quarterly Grading System | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Sourcecodester Student Quarterly Grading System by oretnom23, allows attackers to execute arbitrary code via the fullname and username parameters to the users page. | |||||
| CVE-2021-25015 | 1 Mycred | 1 Mycred | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-33848 | 1 Fresenius-kabi | 8 Agilia Connect, Agilia Connect Firmware, Agilia Partner Maintenance Software and 5 more | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 is vulnerable to reflected cross-site scripting attacks. An attacker could inject JavaScript in a GET parameter of HTTP requests and perform unauthorized actions such as stealing internal information and performing actions in context of an authenticated user. | |||||
| CVE-2021-24976 | 1 Wbolt | 1 Smart Seo Tool | 2022-01-28 | 2.6 LOW | 6.1 MEDIUM |
| The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24974 | 1 Adtribes | 1 Product Feed Pro For Woocommerce | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF checks in some of its AJAX actions, allowing any authenticated user to call them, which could lead to a Stored Cross-Site Scripting issue (triggered in the admin dashboard) due to the lack of escaping. | |||||
