Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1549 | 1 Wp Athletics Project | 1 Wp Athletics | 2022-06-18 | 3.5 LOW | 5.4 MEDIUM |
| The WP Athletics WordPress plugin through 1.1.7 does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability. | |||||
| CVE-2022-0745 | 1 Likebtn | 1 Like Button Rating | 2022-06-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Like Button Rating WordPress plugin before 2.6.45 allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body. | |||||
| CVE-2021-25116 | 1 Enqueue Anything Project | 1 Enqueue Anything | 2022-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash. | |||||
| CVE-2022-1605 | 1 Email Users Project | 1 Email Users | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Email Users WordPress plugin through 4.8.8 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users. | |||||
| CVE-2022-1604 | 1 Mailerlite | 1 Mailerlite Signup Forms | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The MailerLite WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-1624 | 1 Latest Tweets Widget Project | 1 Latest Tweets Widget | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Latest Tweets Widget WordPress plugin through 1.1.4 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2022-1612 | 1 Webriti | 1 Webriti Smtp Mail | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Webriti SMTP Mail WordPress plugin through 1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2022-1608 | 1 Byonepress | 1 Social Locker | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The OnePress Social Locker WordPress plugin through 5.6.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2022-1656 | 1 Artbees | 2 Jupiter X Core, Jupiterx | 2022-06-17 | 5.5 MEDIUM | 5.4 MEDIUM |
| Vulnerable versions of the JupiterX Theme (<=2.0.6) allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin (<=2.0.6). This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key. | |||||
| CVE-2022-1710 | 1 Dwbooster | 1 Appointment Hour Booking | 2022-06-17 | 3.5 LOW | 4.8 MEDIUM |
| The Appointment Hour Booking WordPress plugin before 1.3.56 does not sanitise and escape the settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | |||||
| CVE-2022-1707 | 1 Gtm4wp | 1 Google Tag Manager | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Google Tag Manager for WordPress plugin is vulnerable to reflected Cross-Site Scripting via the s parameter due to the site search populating into the data layer of sites with insufficient sanitization in versions up to and including 1.15. The affected file is ~/public/frontend.php and this could be exploited by unauthenticated attackers. | |||||
| CVE-2022-1694 | 1 Useful Banner Manager Project | 1 Useful Banner Manager | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Useful Banner Manager WordPress plugin through 1.6.1 does not perform CSRF checks on POST requests to its admin page, allowing an attacker to trick a logged in admin to add, modify or delete banners from the plugin by submitting a form. | |||||
| CVE-2022-1724 | 1 Simple-membership-plugin | 1 Simple Membership | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting. | |||||
| CVE-2022-1532 | 1 Themify | 1 Woocommerce Product Filter | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Themify WordPress plugin before 1.3.8 does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-1336 | 1 Ceikay | 1 Carousel Ck | 2022-06-17 | 3.5 LOW | 4.8 MEDIUM |
| The Carousel CK WordPress plugin through 1.1.0 does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed. | |||||
| CVE-2022-1335 | 1 Ceikay | 1 Slideshow Ck | 2022-06-17 | 3.5 LOW | 4.8 MEDIUM |
| The Slideshow CK WordPress plugin before 1.4.10 does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed. | |||||
| CVE-2021-40902 | 1 Flatcore | 1 Flatcore-cms | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| flatCore-CMS version 2.0.8 is affected by Cross Site Scripting (XSS) in the "Create New Page" option through the index page. | |||||
| CVE-2022-30760 | 1 Ihb-eg | 1 Fn2web | 2022-06-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| An Insecure Direct Object Reference (IDOR) issue in fn2Web in ihb eG FlexNow before 2.04.09.016 allows remote authenticated attackers to obtain sensitive student information (final grades, study courses, degrees) by changing the student ID parameter in the HTTP POST request to the FrontControllerSS endpoint. | |||||
| CVE-2022-31038 | 1 Gogs | 1 Gogs | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters. | |||||
| CVE-2022-24876 | 1 Glpi-project | 1 Glpi | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Kanban is a GLPI view to display Projects, Tickets, Changes or Problems on a task board. In versions prior to 10.0.1 a user can exploit a cross site scripting vulnerability in Kanban by injecting HTML code in its user name. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-2060 | 1 Dolibarr | 1 Dolibarr | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0. | |||||
| CVE-2017-20027 | 1 Humhub | 1 Humhub | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in HumHub up to 1.0.1 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting (DOM). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20026 | 1 Humhub | 1 Humhub | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been found in HumHub up to 1.0.1 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting (Reflected). The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2021-41750 | 1 Nystudio107 | 1 Seomatic | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the SEOmatic plugin 3.4.10 for Craft CMS 3 allows remote attackers to inject arbitrary web script via a GET to /index.php?action=seomatic/file/seo-file-link with url parameter containing the base64 encoded URL of a malicious web page / file and fileName parameter containing an arbitrary filename with the intended content-type to be rendered in the user's browser as the extension. | |||||
| CVE-2017-20043 | 1 Navetti | 1 Pricepoint | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Navetti PricePoint 4.6.0.0 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting (Persistent). The attack may be launched remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20044 | 1 Navetti | 1 Pricepoint | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Navetti PricePoint 4.6.0.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to basic cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2022-26041 | 1 Generex | 1 Rccmd | 2022-06-17 | 5.5 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in RCCMD 4.26 and earlier allows a remote authenticated attacker with an administrative privilege to read or alter an arbitrary file on the server via unspecified vectors. | |||||
| CVE-2022-27231 | 1 Veronalabs | 1 Wp Statistics | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product. | |||||
| CVE-2017-20040 | 1 Sicunet | 1 Access Control | 2022-06-17 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement. | |||||
| CVE-2022-31287 | 1 Axiosys | 1 Bento4 | 2022-06-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Bento4 v1.2. There is an allocation size request error in /Ap4RtpAtom.cpp. | |||||
| CVE-2022-31285 | 1 Axiosys | 1 Bento4 | 2022-06-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Bento4 1.2. The allocator is out of memory in /Source/C++/Core/Ap4Array.h. | |||||
| CVE-2022-31282 | 1 Axiosys | 1 Bento4 | 2022-06-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| Bento4 MP4Dump v1.2 was discovered to contain a segmentation violation via an unknown address at /Source/C++/Core/Ap4DataBuffer.cpp:175. | |||||
| CVE-2021-41502 | 1 Intelliants | 1 Subrion Cms | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Subrion CMS v4.2.1. There is a stored cross-site scripting (XSS) vulnerability that can execute malicious JavaScript code by modifying the name of the uploaded image, closing the html tag, or adding the onerror attribute. | |||||
| CVE-2020-36544 | 1 Sialweb | 1 Sialweb Cms | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability has been found in SialWeb CMS and classified as problematic. This vulnerability affects unknown code of the component Search Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-31402 | 1 Combodo | 1 Itop | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php. | |||||
| CVE-2022-29620 | 1 Filezilla-project | 1 Filezilla | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| ** DISPUTED ** FileZilla v3.59.0 allows attackers to obtain cleartext passwords of connected SSH or FTP servers via a memory dump. NOTE: the vendor does not consider this a vulnerability. | |||||
| CVE-2022-32978 | 1 Jpeg | 1 Libjpeg | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is an assertion failure in SingleComponentLSScan::ParseMCU in singlecomponentlsscan.cpp in libjpeg before 1.64 via an empty JPEG-LS scan. | |||||
| CVE-2022-29254 | 1 Silverstripe | 1 Silverstripe-omnipay | 2022-06-17 | 5.8 MEDIUM | 6.5 MEDIUM |
| silverstripe-omnipay is a SilverStripe integration with Omnipay PHP payments library. For a subset of Omnipay gateways (those that use intermediary states like `isNotification()` or `isRedirect()`), if the payment identifier or success URL is exposed it is possible for payments to be prematurely marked as completed without payment being taken. This is mitigated by the fact that most payment gateways hide this information from users, however some issuing banks offer flawed 3DSecure implementations that may inadvertently expose this data. The following versions have been patched to fix this issue: `2.5.2`, `3.0.2`, `3.1.4`, and `3.2.1`. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-25807 | 1 Igel | 1 Universal Management Suite | 2022-06-17 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. A hardcoded DES key in the LDAPDesPWEncrypter class allows an attacker, who has discovered encrypted LDAP bind credentials, to decrypt those credentials using a static 8-byte DES key. | |||||
| CVE-2022-25805 | 1 Igel | 1 Universal Management Suite | 2022-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. The transmission of cleartext LDAP bind credentials by the cmd_mgt_load_mgt_tree command allows an attacker (who can intercept or inspect traffic between an authenticated UMS client and server) to compromise those LDAP bind credentials. | |||||
| CVE-2022-25804 | 1 Igel | 1 Universal Management Suite | 2022-06-17 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. Insecure permissions for the serverconfig registry key (under JavaSoft\Prefs\de\igel\rm\config in HKEY_LOCAL_MACHINE\SOFTWARE) allow an unprivileged local attacker to read the encrypted dbuser and dbpassword values for the UMS superuser. | |||||
| CVE-2021-42811 | 1 Thalesgroup | 1 Safenet Keysecure | 2022-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SafeNet KeySecure allows an authenticated user to read arbitrary files from the underlying system on which the product is deployed. | |||||
| CVE-2022-30610 | 2 Ibm, Linux | 2 Spectrum Copy Data Management, Linux Kernel | 2022-06-17 | 3.5 LOW | 4.5 MEDIUM |
| IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 is vulnerable to reverse tabnabbing where it could allow a page linked to from within IBM Spectrum Copy Data Management to rewrite it. An administrator could enter a link to a malicious URL that another administrator could then click. Once clicked, that malicious URL could then rewrite the original page with a phishing page. IBM X-Force ID: 227363. | |||||
| CVE-2022-30898 | 1 Chshcms | 1 Cscms | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Cross-site request forgery (CSRF) vulnerability in Cscms music portal system v4.2 allows remote attackers to change the administrator's username and password. | |||||
| CVE-2022-30611 | 2 Ibm, Linux | 2 Spectrum Copy Data Management, Linux Kernel | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using some fields of the form in the portal UI to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM X-Force ID: 227364. | |||||
| CVE-2022-21499 | 2 Debian, Oracle | 2 Debian Linux, Linux | 2022-06-17 | 4.6 MEDIUM | 6.7 MEDIUM |
| KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS 3.1 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H). | |||||
| CVE-2022-31485 | 2 Carrier, Hidglobal | 28 Lenels2 Lnl-4420, Lenels2 Lnl-4420 Firmware, Lenels2 Lnl-x2210 and 25 more | 2022-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| An unauthenticated attacker can send specially crafted packets to update the "notes" section of the home page of the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29. | |||||
| CVE-2017-20033 | 1 Phplist | 1 Phplist | 2022-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in PHPList 3.2.6. This affects an unknown part of the file /lists/admin/. The manipulation of the argument page with the input send\'\";><script>alert(8)</script> leads to cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20034 | 1 Phplist | 1 Phplist | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability classified as problematic was found in PHPList 3.2.6. This vulnerability affects unknown code of the file /lists/admin/ of the component List Name. The manipulation leads to cross site scripting (Persistent). The attack can be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20035 | 1 Phplist | 1 Phplist | 2022-06-17 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in PHPList 3.2.6. This issue affects some unknown processing of the file /lists/admin/ of the component Subscribe. The manipulation leads to cross site scripting (Persistent). The attack may be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
