Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28290 | 1 Welaunch | 1 Wordpress Country Selector | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflective Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever the user tries to access the country selector page with the specified payload as a part of the HTTP request | |||||
| CVE-2022-29418 | 1 Night Mode Project | 1 Night Mode | 2022-05-05 | 3.5 LOW | 4.8 MEDIUM |
| Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin <= 1.0.0 on WordPress via vulnerable parameters: &ntmode_page_setting[enable-me], &ntmode_page_setting[bg-color], &ntmode_page_setting[txt-color], &ntmode_page_setting[anc_color]. | |||||
| CVE-2022-24880 | 1 Flask-session-captcha Project | 1 Flask-session-captcha | 2022-05-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he `captcha.validate()` function would return `None` if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. | |||||
| CVE-2021-45839 | 1 Terra-master | 3 F2-210, F4-210, Tos | 2022-05-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS endpoint. | |||||
| CVE-2022-1173 | 1 Getgrav | 1 Grav | 2022-05-05 | 3.5 LOW | 5.4 MEDIUM |
| stored xss in GitHub repository getgrav/grav prior to 1.7.33. | |||||
| CVE-2022-27428 | 1 Gallerycms Project | 1 Gallerycms | 2022-05-05 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in /index.php/album/add of GalleryCMS v2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the album_name parameter. | |||||
| CVE-2021-26080 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| EditworkflowScheme.jspa in Jira Server and Jira Data Center before version 8.5.14, and from version 8.6.0 before version 8.13.6, and from 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. | |||||
| CVE-2022-29813 | 1 Jetbrains | 1 Intellij Idea | 2022-05-05 | 4.6 MEDIUM | 6.7 MEDIUM |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible | |||||
| CVE-2022-29811 | 1 Jetbrains | 1 Hub | 2022-05-05 | 3.5 LOW | 4.8 MEDIUM |
| In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible. | |||||
| CVE-2022-29815 | 1 Jetbrains | 1 Intellij Idea | 2022-05-05 | 4.6 MEDIUM | 6.7 MEDIUM |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible | |||||
| CVE-2022-29817 | 1 Jetbrains | 1 Intellij Idea | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible | |||||
| CVE-2022-27135 | 1 Xpdfreader | 1 Xpdf | 2022-05-05 | 4.3 MEDIUM | 5.5 MEDIUM |
| xpdf 4.03 has heap buffer overflow in the function readXRefTable located in XRef.cc. An attacker can exploit this bug to cause a Denial of Service (Segmentation fault) or other unspecified effects by sending a crafted PDF file to the pdftoppm binary. | |||||
| CVE-2022-27103 | 1 Element-plus | 1 Element-plus | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column. | |||||
| CVE-2022-1396 | 1 Donorbox | 1 Donorbox | 2022-05-05 | 3.5 LOW | 4.8 MEDIUM |
| The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24805 | 1 Designwall | 1 Dw Question \& Answer | 2022-05-05 | 4.3 MEDIUM | 4.3 MEDIUM |
| The DW Question & Answer Pro WordPress plugin through 1.3.4 does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as update a comment or a question status. | |||||
| CVE-2021-24800 | 1 Designwall | 1 Dw Question \& Answer | 2022-05-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| The DW Question & Answer Pro WordPress plugin through 1.3.4 does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments. | |||||
| CVE-2022-28094 | 1 Online Sports Complex Booking System Project | 1 Online Sports Complex Booking System | 2022-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the fid parameter at booking.php. | |||||
| CVE-2022-26564 | 1 Digitaldruid | 1 Hoteldruid | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php. | |||||
| CVE-2022-29415 | 1 Ravpage Project | 1 Ravpage | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Mati Skiba @ Rav Messer's Ravpage plugin <= 2.16 at WordPress. | |||||
| CVE-2022-28448 | 1 Nopcommerce | 1 Nopcommerce | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject javascript code to First name or Last name at Customer Info. | |||||
| CVE-2022-1461 | 1 Open-emr | 1 Openemr | 2022-05-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1. | |||||
| CVE-2022-28449 | 1 Nopcommerce | 1 Nopcommerce | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At Apply for vendor account feature, an attacker can upload an arbitrary file to the system. | |||||
| CVE-2022-28450 | 1 Nopcommerce | 1 Nopcommerce | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at client browser. | |||||
| CVE-2022-28522 | 1 Zcms Project | 1 Zcms | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| ZCMS v20170206 was discovered to contain a stored cross-site scripting (XSS) vulnerability via index.php?m=home&c=message&a=add. | |||||
| CVE-2021-41161 | 1 Combodo | 1 Itop | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-20778 | 1 Cisco | 1 Webex Meetings | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the authentication component of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the authentication component of Cisco Webex Meetings. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2022-1458 | 1 Open-emr | 1 Openemr | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1. | |||||
| CVE-2022-20787 | 1 Cisco | 1 Unified Communications Manager | 2022-05-04 | 6.0 MEDIUM | 6.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. | |||||
| CVE-2022-1457 | 1 Facturascripts | 1 Facturascripts | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| Store XSS in title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account. | |||||
| CVE-2022-20805 | 1 Cisco | 1 Umbrella Secure Web Gateway | 2022-05-04 | 2.7 LOW | 4.1 MEDIUM |
| A vulnerability in the automatic decryption process in Cisco Umbrella Secure Web Gateway (SWG) could allow an authenticated, adjacent attacker to bypass the SSL decryption and content filtering policies on an affected system. This vulnerability is due to how the decryption function uses the TLS Sever Name Indication (SNI) extension of an HTTP request to discover the destination domain and determine if the request needs to be decrypted. An attacker could exploit this vulnerability by sending a crafted request over TLS from a client to an unknown or controlled URL. A successful exploit could allow an attacker to bypass the decryption process of Cisco Umbrella SWG and allow malicious content to be downloaded to a host on a protected network. There are workarounds that address this vulnerability. | |||||
| CVE-2022-22815 | 2 Debian, Python | 2 Debian Linux, Pillow | 2022-05-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. | |||||
| CVE-2022-20788 | 1 Cisco | 2 Unified Communications Manager, Unity Connection | 2022-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2022-28743 | 1 Foscam | 3 R2c, R2c Application Firmware, R2c System Firmware | 2022-05-04 | 8.5 HIGH | 6.6 MEDIUM |
| Time-of-check Time-of-use (TOCTOU) Race Condition vulerability in Foscam R2C IP camera running System FW <= 1.13.1.6, and Application FW <= 2.91.2.66, allows an authenticated remote attacker with administrator permissions to execute arbitrary remote code via a malicious firmware patch. The impact of this vulnerability is that the remote attacker could gain full remote access to the IP camera and the underlying Linux system with root permissions. With root access to the camera's Linux OS, an attacker could effectively change the code that is running, add backdoor access, or invade the privacy of the user by accessing the live camera stream. | |||||
| CVE-2022-1444 | 1 Radare | 1 Radare2 | 2022-05-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| heap-use-after-free in GitHub repository radareorg/radare2 prior to 5.7.0. This vulnerability is capable of inducing denial of service. | |||||
| CVE-2021-38939 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2022-05-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM QRadar SIEM 7.3, 7.4, and 7.5 stores potentially sensitive information in log files that could be read by an user with access to creating domains. IBM X-Force ID: 211037. | |||||
| CVE-2022-22345 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2022-05-04 | 3.5 LOW | 4.8 MEDIUM |
| IBM QRadar 7.3, 7.4, and 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 220041. | |||||
| CVE-2022-0636 | 1 Lenovo | 1 Thin Installer | 2022-05-04 | 4.9 MEDIUM | 5.5 MEDIUM |
| A denial of service vulnerability was reported in Lenovo Thin Installer prior to version 1.3.0039 that could trigger a system crash. | |||||
| CVE-2022-26673 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform Stored Cross-Site Scripting (XSS) attacks. | |||||
| CVE-2022-20066 | 2 Google, Mediatek | 4 Android, Mt8168, Mt8365 and 1 more | 2022-05-03 | 2.1 LOW | 4.4 MEDIUM |
| In atf (hwfde), there is a possible leak of sensitive information due to incorrect error handling. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06171729; Issue ID: ALPS06171729. | |||||
| CVE-2022-28367 | 1 Antisamy Project | 1 Antisamy | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. | |||||
| CVE-2022-28074 | 1 Fit2cloud | 1 Halo | 2022-05-03 | 3.5 LOW | 4.8 MEDIUM |
| Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \admin\index.html#/system/tools. | |||||
| CVE-2021-32927 | 1 Uffizio | 1 Gps Tracker | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| An attacker may be able to inject client-side JavaScript code on multiple instances within all versions of Uffizio GPS Tracker. | |||||
| CVE-2022-0876 | 1 Wpdevart | 1 Social Comments | 2022-05-03 | 3.5 LOW | 4.8 MEDIUM |
| The Social comments by WpDevArt WordPress plugin before 2.5.0 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2021-36895 | 1 Tripetto | 1 Tripetto | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload. | |||||
| CVE-2022-29417 | 1 Shortpixel | 1 Shortpixel Adaptive Images | 2022-05-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings. | |||||
| CVE-2022-28586 | 1 Hoosk | 1 Hoosk | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in edit page of Hoosk 1.8.0 allows attacker to execute javascript code in user browser via edit page with XSS payload bypass filter some special chars. | |||||
| CVE-2022-23711 | 1 Elastic | 1 Kibana | 2022-05-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information. The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring. The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source. | |||||
| CVE-2021-38483 | 1 Fanuc | 1 Roboguide | 2022-05-03 | 3.6 LOW | 6.0 MEDIUM |
| The affected product is vulnerable to misconfigured binaries, allowing users on the target PC with SYSTEM level privileges access to overwrite the binary and modify files to gain privilege escalation. | |||||
| CVE-2022-22558 | 1 Dell | 40 C4130, C4130 Firmware, C6320 and 37 more | 2022-05-03 | 3.6 LOW | 6.0 MEDIUM |
| Dell PowerEdge Server BIOS contains an Improper SMM communication buffer verification vulnerability. A Local High Privileged attacker could potentially exploit this vulnerability leading to arbitrary writes or denial of service. | |||||
| CVE-2022-28820 | 1 Adobe | 1 Acs Aem Commons | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. The exploitation of this issue requires user interaction in order to be successful. | |||||