Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24923 | 1 Sendinblue | 1 Newsletter, Smtp, Email Marketing And Subscribe | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-25017 | 1 Themeum | 1 Tutor Lms | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-25083 | 1 Roundupwp | 1 Registrations For The Events Calendar | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24985 | 1 Yikesinc | 1 Easy Forms For Mailchimp | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2022-23127 | 2 Iconics, Mitsubishielectric | 2 Mobilehmi, Mc Works64 | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL. | |||||
| CVE-2021-25062 | 1 Villatheme | 1 Orders Tracking For Woocommerce | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-25008 | 1 Codesnippets | 1 Code Snippets | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24694 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2022-01-27 | 3.5 LOW | 5.4 MEDIUM |
| The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode. | |||||
| CVE-2021-24423 | 1 Updraftplus | 1 Updraftplus | 2022-01-27 | 3.5 LOW | 4.8 MEDIUM |
| The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-45380 | 1 Appcms | 1 Appcms | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| AppCMS 2.0.101 has an XSS injection vulnerability in \templates\m\inc_head.php | |||||
| CVE-2021-4103 | 1 B3log | 1 Vditor | 2022-01-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 1.0.34. | |||||
| CVE-2021-4172 | 1 Showdoc | 1 Showdoc | 2022-01-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2. | |||||
| CVE-2021-33966 | 1 Spotweb Project | 1 Spotweb | 2022-01-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross site scripting (XSS) vulnerability in spotweb 1.4.9, allows authenticated attackers to execute arbitrary code via crafted GET request to the login page. | |||||
| CVE-2022-0285 | 1 Pimcore | 1 Pimcore | 2022-01-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.9. | |||||
| CVE-2022-23083 | 1 Broadcom | 2 Netmaster File Transfer Management, Netmaster Network Management For Tcp/ip | 2022-01-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| NetMaster 12.2 Network Management for TCP/IP and NetMaster File Transfer Management contain an XSS (Cross-Site Scripting) vulnerability in ReportCenter UI due to insufficient input validation that could potentially allow an attacker to execute code on the affected machine. | |||||
| CVE-2022-0278 | 1 Microweber | 1 Microweber | 2022-01-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2021-26247 | 1 Cacti | 1 Cacti | 2022-01-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter. | |||||
| CVE-2022-0210 | 1 Buffercode | 1 Random Banner | 2022-01-25 | 3.5 LOW | 4.8 MEDIUM |
| The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39946 | 1 Gitlab | 1 Gitlab | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis | |||||
| CVE-2021-3816 | 1 Cacti | 1 Cacti | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php. | |||||
| CVE-2021-44091 | 1 Multi Restaurant Table Reservation System Project | 1 Multi Restaurant Table Reservation System | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in Sourcecodester Multi Restaurant Table Reservation System 1.0 in register.php via the (1) fullname, (2) phone, and (3) address parameters. | |||||
| CVE-2021-46030 | 1 Javaquarkbbs Project | 1 Javaquarkbbs | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| There is a Cross Site Scripting attack (XSS) vulnerability in JavaQuarkBBS <= v2. By entering specific statements into the background tag management module, the attack statement will be stored in the database, and the next victim will be attacked when he accesses the tag module. | |||||
| CVE-2022-23045 | 1 Phpipam | 1 Phpipam | 2022-01-25 | 3.5 LOW | 4.8 MEDIUM |
| PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS. | |||||
| CVE-2021-44299 | 1 Naviwebs | 1 Navigate Cms | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2022-0243 | 1 Orchardcore | 1 Orchardcore | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2. | |||||
| CVE-2022-0274 | 1 Orchardcore | 1 Orchardcore | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2. | |||||
| CVE-2021-46025 | 1 Oneblog Project | 1 Oneblog | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in OneBlog <= 2.2.8 via the add function in the operation tab list in the background. | |||||
| CVE-2021-46026 | 1 Mysiteforme | 1 Mysiteforme | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| mysiteforme, as of 19-12-2022, is vulnerable to Cross Site Scripting (XSS) via the add blog tag function in the blog tag in the background blog management. | |||||
| CVE-2021-4143 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-01-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0. | |||||
| CVE-2022-21690 | 1 Onionshare | 1 Onionshare | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions, the path parameter of the requested URL is not sanitized before being passed to the QT frontend. This path is used in all components for displaying the server access history. This leads to a rendered HTML4 Subset (QT RichText editor) in the OnionShare frontend. | |||||
| CVE-2021-4074 | 1 I-plugins | 1 Whmcs Bridge | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1. Due to missing authorization checks on the cc_whmcs_bridge_add_admin function, low-level authenticated users such as subscribers can exploit this vulnerability. | |||||
| CVE-2022-0181 | 1 Expresstech | 1 Quiz And Survey Master | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-0182 | 1 Expresstech | 1 Quiz And Survey Master | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote authenticated attacker to inject an arbitrary script via a website that uses Quiz And Survey Master. | |||||
| CVE-2021-3853 | 1 Chaskiq | 1 Chaskiq | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2022-0256 | 1 Pimcore | 1 Pimcore | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2022-0253 | 1 Livehelperchat | 1 Livehelperchat | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2022-0257 | 1 Pimcore | 1 Pimcore | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-42357 | 1 Apache | 1 Knox | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign. | |||||
| CVE-2021-44217 | 1 Ericsson | 1 Codechecker | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API. | |||||
| CVE-2022-0260 | 1 Pimcore | 1 Pimcore | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7. | |||||
| CVE-2022-0262 | 1 Pimcore | 1 Pimcore | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.7. | |||||
| CVE-2022-0232 | 1 Metagauss | 1 Leadmagic | 2022-01-24 | 3.5 LOW | 4.8 MEDIUM |
| The User Registration, Login & Landing Pages WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the loader_text parameter found in the ~/includes/templates/landing-page.php file which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.2.7. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2022-0233 | 1 Metagauss | 1 Profilegrid | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The ProfileGrid – User Profiles, Memberships, Groups and Communities WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the pm_user_avatar and pm_cover_image parameters found in the ~/admin/class-profile-magic-admin.php file which allows attackers with authenticated user access, such as subscribers, to inject arbitrary web scripts into their profile, in versions up to and including 1.2.7. | |||||
| CVE-2018-6510 | 1 Puppet | 1 Puppet Enterprise | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. | |||||
| CVE-2018-6511 | 1 Puppet | 1 Puppet Enterprise | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. | |||||
| CVE-2015-6502 | 1 Puppet | 1 Puppet Enterprise | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the console in Puppet Enterprise before 2015.2.1 allows remote attackers to inject arbitrary web script or HTML via the string parameter, related to Login Redirect. | |||||
| CVE-2021-3857 | 1 Chaskiq | 1 Chaskiq | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-25024 | 1 Theeventscalendar | 1 Eventcalendar | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2021-25005 | 1 Seur Oficial Project | 1 Seur Oficial | 2022-01-24 | 3.5 LOW | 4.8 MEDIUM |
| The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-25061 | 1 Wpbookingsystem | 1 Wp Booking System | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected XSS in wp-booking-system on the wpbs-calendars admin page. | |||||
