Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24431 | 1 Language Bar Flags Project | 1 Language Bar Flags | 2022-07-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in the frontend for all users | |||||
| CVE-2021-24543 | 1 Jquery-reply-to-comment Project | 1 Jquery-reply-to-comment | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24434 | 1 Codeblab | 1 Glass | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2021-24595 | 1 Wp Cookie Choice Project | 1 Wp Cookie Choice | 2022-07-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack. | |||||
| CVE-2021-24615 | 1 Wechat Reward Project | 1 Wechat Reward | 2022-07-29 | 4.3 MEDIUM | 5.4 MEDIUM |
| The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. | |||||
| CVE-2021-24685 | 1 Flat Preloader Project | 1 Flat Preloader | 2022-07-29 | 5.0 MEDIUM | 5.4 MEDIUM |
| The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload) | |||||
| CVE-2021-24584 | 1 Motopress | 1 Timetable And Event Schedule | 2022-07-29 | 3.5 LOW | 5.4 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues | |||||
| CVE-2021-24570 | 1 Wpplugin | 1 Accept Donations With Paypal | 2022-07-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well. | |||||
| CVE-2021-24581 | 1 Blue-admin Project | 1 Blue-admin | 2022-07-29 | 6.8 MEDIUM | 8.8 HIGH |
| The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2021-24586 | 1 Evona | 1 Per Page Add To Head | 2022-07-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used. | |||||
| CVE-2021-24487 | 1 Sanskruti | 1 St-daily-tip | 2022-07-29 | 6.8 MEDIUM | 8.8 HIGH |
| The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24388 | 1 E4j | 1 Vikrentcar Car Rental Management System | 2022-07-29 | 3.5 LOW | 5.4 MEDIUM |
| In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it. | |||||
| CVE-2021-24504 | 1 Wplearnmanager | 1 Wp Learn Manager | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated) | |||||
| CVE-2021-24618 | 1 Wbolt | 1 Donate With Qrcode | 2022-07-29 | 3.5 LOW | 5.4 MEDIUM |
| The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack. | |||||
| CVE-2018-25045 | 1 Django-rest-framework | 1 Django Rest Framework | 2022-07-29 | N/A | 6.1 MEDIUM |
| Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping. | |||||
| CVE-2022-34550 | 1 Student Information Management System Project | 1 Student Information Management System | 2022-07-29 | N/A | 5.4 MEDIUM |
| Sims v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /addNotifyServlet. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the notifyInfo parameter. | |||||
| CVE-2022-34991 | 1 Techvill | 1 Paymoney | 2022-07-29 | N/A | 5.4 MEDIUM |
| Paymoney v3.3 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the first_name and last_name parameters. | |||||
| CVE-2022-2510 | 1 Hallowelt | 1 Bluespice | 2022-07-28 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in "Extension:ExtendedSearch" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page "Special:SearchCenter", using the search term in the URL. | |||||
| CVE-2022-35653 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2022-07-28 | N/A | 6.1 MEDIUM |
| A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users. | |||||
| CVE-2022-34988 | 1 Inoutscripts | 1 Blockchain Altexchanger | 2022-07-28 | N/A | 5.4 MEDIUM |
| Inout Blockchain AltExchanger v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/js. | |||||
| CVE-2021-44478 | 1 Siemens | 2 Polarion Alm, Polarion Subversion Webclient | 2022-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Polarion ALM (All versions < V21 R2 P2), Polarion WebClient for SVN (All versions). A cross-site scripting is present due to improper neutralization of data sent to the web page through the SVN WebClient in the affected product. An attacker could exploit this to execute arbitrary code and extract sensitive information by sending a specially crafted link to users with administrator privileges. | |||||
| CVE-2021-44263 | 1 Gurock | 1 Testrail | 2022-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Gurock TestRail before 7.2.4 mishandles HTML escaping. | |||||
| CVE-2021-42770 | 1 Opnsense | 1 Opnsense | 2022-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester. | |||||
| CVE-2022-35882 | 2022-07-28 | N/A | N/A | ||
| Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in GS Plugins GS Testimonial Slider plugin <= 1.9.1 at WordPress. | |||||
| CVE-2022-1494 | 1 Google | 1 Chrome | 2022-07-28 | N/A | 6.1 MEDIUM |
| Insufficient data validation in Trusted Types in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass trusted types policy via a crafted HTML page. | |||||
| CVE-2022-1492 | 1 Google | 1 Chrome | 2022-07-28 | N/A | 6.1 MEDIUM |
| Insufficient data validation in Blink Editing in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to inject arbitrary scripts or HTML via a crafted HTML page. | |||||
| CVE-2022-36131 | 1 Midori-global | 1 Better Pdf Exporter | 2022-07-28 | N/A | 6.1 MEDIUM |
| The Better PDF Exporter add-on 10.0.0 for Atlassian Jira is prone to stored XSS via a crafted description to the PDF Templates overview page. | |||||
| CVE-2021-24565 | 1 Contact Form 7 Captcha Project | 1 Contact Form 7 Captcha | 2022-07-28 | 6.8 MEDIUM | 8.8 HIGH |
| The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-34582 | 1 Phoenixcontact | 4 Fl Mguard 1102, Fl Mguard 1102 Firmware, Fl Mguard 1105 and 1 more | 2022-07-28 | 3.5 LOW | 4.8 MEDIUM |
| In Phoenix Contact FL MGUARD 1102 and 1105 in Versions 1.4.0, 1.4.1 and 1.5.0 a user with high privileges can inject HTML code (XSS) through web-based management or the REST API with a manipulated certificate file. | |||||
| CVE-2021-39609 | 1 Flatcore | 1 Flatcore-cms | 2022-07-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exiss in FlatCore-CMS 2.0.7 via the upload image function. | |||||
| CVE-2022-34358 | 1 Ibm | 1 I | 2022-07-27 | N/A | 5.4 MEDIUM |
| IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 230516. | |||||
| CVE-2022-27545 | 1 Hcltech | 1 Bigfix Platform | 2022-07-27 | N/A | 5.4 MEDIUM |
| BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page. | |||||
| CVE-2022-2199 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | N/A | 6.1 MEDIUM |
| The main MiCODUS MV720 GPS tracker web server has a reflected cross-site scripting vulnerability that could allow an attacker to gain control by tricking a user into making a request. | |||||
| CVE-2022-34048 | 1 Wavlink | 2 Wn533a8, Wn533a8 Firmware | 2022-07-27 | N/A | 6.1 MEDIUM |
| Wavlink WN533A8 M33A8.V5030.190716 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login_page parameter. | |||||
| CVE-2022-2511 | 1 Hallowelt | 1 Bluespice | 2022-07-27 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in the "commonuserinterface" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL. | |||||
| CVE-2022-21802 | 1 Grapesjs | 1 Grapesjs | 2022-07-27 | N/A | 6.1 MEDIUM |
| The package grapesjs before 0.19.5 are vulnerable to Cross-site Scripting (XSS) due to an improper sanitization of the class name in Selector Manager. | |||||
| CVE-2022-2514 | 1 Fava Project | 1 Fava | 2022-07-27 | N/A | 6.1 MEDIUM |
| The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim. | |||||
| CVE-2022-2523 | 1 Fava Project | 1 Fava | 2022-07-27 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2. | |||||
| CVE-2022-33943 | 2022-07-27 | N/A | N/A | ||
| Authenticated (contributor or higher user role) Cross-Site Scripting (XSS) vulnerability in Nico Amarilla's BxSlider WP plugin <= 2.0.0 at WordPress. | |||||
| CVE-2022-36922 | 2022-07-27 | N/A | N/A | ||
| Jenkins Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not escape the search query parameter displayed on the 'search' result page, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-36902 | 2022-07-27 | N/A | N/A | ||
| Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape several fields of Moded Extended Choice parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-36905 | 2022-07-27 | N/A | N/A | ||
| Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-29890 | 1 Octopus | 1 Server | 2022-07-27 | N/A | 6.1 MEDIUM |
| In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | |||||
| CVE-2019-19085 | 1 Octopus | 1 Server | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML. | |||||
| CVE-2022-35569 | 1 Blogifier | 1 Blogifier | 2022-07-27 | N/A | 4.8 MEDIUM |
| Blogifier v3.0 was discovered to contain an arbitrary file upload vulnerability at /api/storage/upload/PostImage. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted file. | |||||
| CVE-2022-24692 | 1 Dsk | 1 Dsknet | 2022-07-27 | N/A | 5.4 MEDIUM |
| An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The new menu option within the general Parameters page is vulnerable to stored XSS. The attacker can create a menu option, make it visible to every application user, and conduct session hijacking, account takeover, or malicious code delivery, with the final goal of achieving client-side code execution. | |||||
| CVE-2022-31160 | 1 Jqueryui | 1 Jquery Ui | 2022-07-27 | N/A | 6.1 MEDIUM |
| jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`. | |||||
| CVE-2018-20239 | 1 Atlassian | 8 Application Links, Confluence Data Center, Confluence Server and 5 more | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0. | |||||
| CVE-2020-14175 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2. | |||||
| CVE-2020-29444 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters. | |||||