Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2151 | 1 Emarketdesign | 1 Best Contact Management Software | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Best Contact Management Software WordPress plugin through 3.7.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2149 | 1 Very Simple Breadcrumb Project | 1 Very Simple Breadcrumb | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Very Simple Breadcrumb WordPress plugin through 1.0 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2148 | 1 Linkedin Company Updates Project | 1 Linkedin Company Updates | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The LinkedIn Company Updates WordPress plugin through 1.5.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2194 | 1 Tipsandtricks-hq | 1 Accept Stripe | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Accept Stripe Payments WordPress plugin before 2.0.64 does not sanitize and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2186 | 1 Bracketspace | 1 Simple Post Notes | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The Simple Post Notes WordPress plugin before 1.7.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2187 | 1 Contact Form 7 Captcha Project | 1 Contact Form 7 Captcha | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | |||||
| CVE-2022-2173 | 1 Sigmaplugin | 1 Advanced Database Cleaner | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advanced Database Cleaner WordPress plugin before 3.1.1 does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting | |||||
| CVE-2022-35224 | 1 Sap | 1 Enterprise Portal | 2022-07-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This attack can be used to non-permanently deface or modify portal content. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of victim?s web browser session. | |||||
| CVE-2020-35437 | 1 Intelliants | 1 Subrion Cms | 2022-07-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Subrion CMS 4.2.1 is affected by: Cross Site Scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI. | |||||
| CVE-2020-15364 | 1 Nexos Project | 1 Nexos | 2022-07-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Nexos theme through 1.7 for WordPress allows top-map/?search_location= reflected XSS. | |||||
| CVE-2022-2363 | 1 Simple Parking Management System Project | 1 Simple Parking Management System | 2022-07-16 | 3.5 LOW | 4.6 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in SourceCodester Simple Parking Management System 1.0. Affected by this issue is some unknown functionality of the file /ci_spms/admin/search/searching/. The manipulation of the argument search with the input "><script>alert("XSS")</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-2364 | 1 Simple Parking Management System Project | 1 Simple Parking Management System | 2022-07-16 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Simple Parking Management System 1.0. This affects an unknown part of the file /ci_spms/admin/category. The manipulation of the argument vehicle_type with the input "><script>alert("XSS")</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-31654 | 1 Vmware | 1 Vrealize Log Insight | 2022-07-16 | 3.5 LOW | 5.4 MEDIUM |
| VMware vRealize Log Insight in versions prior to 8.8.2 contain a stored cross-site scripting vulnerability due to improper input sanitization in configurations. | |||||
| CVE-2022-31655 | 1 Vmware | 1 Vrealize Log Insight | 2022-07-16 | 3.5 LOW | 5.4 MEDIUM |
| VMware vRealize Log Insight in versions prior to 8.8.2 contain a stored cross-site scripting vulnerability due to improper input sanitization in alerts. | |||||
| CVE-2022-32115 | 1 Withknown | 1 Known | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue in the isSVG() function of Known v1.2.2+2020061101 allows attackers to execute arbitrary code via a crafted SVG file. | |||||
| CVE-2022-31290 | 1 Withknown | 1 Known | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Known v1.2.2+2020061101 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Your Name text field. | |||||
| CVE-2022-2089 | 1 Bold-themes | 1 Bold Page Builder | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| The Bold Page Builder WordPress plugin before 4.3.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2022-2093 | 1 Ninjateam | 1 Wp Duplicate Page | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| The WP Duplicate Page WordPress plugin before 1.3 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2022-2050 | 1 Maxfoundry | 1 Wp-paginate | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| The WP-Paginate WordPress plugin before 2.1.9 does not escape one of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when unfiltered_html is disallowed | |||||
| CVE-2022-1951 | 1 Kitestudio | 1 Core Plugin For Kitestudio Themes | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The core plugin for kitestudio WordPress plugin before 2.3.1 does not sanitise and escape some parameters before outputting them back in a response of an AJAX action, available to both unauthenticated and authenticated users when a premium theme from the vendor is active, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-1938 | 1 Awin | 1 Awin Data Feed | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| The Awin Data Feed WordPress plugin through 1.6 does not sanitise and escape a header when processing request to generate analytics data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against a logged in admin viewing the plugin's settings | |||||
| CVE-2022-1937 | 1 Awin | 1 Awin Data Feed | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Awin Data Feed WordPress plugin through 1.6 does not sanitise and escape a parameter before outputting it back via an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-1894 | 1 Sygnoos | 1 Popup Builder | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltred_html is disallowed | |||||
| CVE-2022-32308 | 1 Ublock Origin Project | 1 Ublock Origin | 2022-07-15 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in uBlock Origin extension before 1.41.1 allows remote attackers to run arbitrary code via a spoofed 'MessageSender.url' to the browser renderer process. | |||||
| CVE-2022-22682 | 1 Synology | 1 Calendar | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Event Management in Synology Calendar before 2.4.5-10930 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2022-1546 | 1 Visser | 1 Woocommerce - Product Importer | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce - Product Importer WordPress plugin through 1.5.2 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-1474 | 1 Wp-eventmanager | 1 Wp Event Manager | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Event Manager WordPress plugin before 3.1.28 does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-1220 | 1 Foxy-shop | 1 Foxyshop | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-27168 | 1 Litecart | 1 Litecart | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in LiteCart versions prior to 2.4.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-2365 | 1 Trilium Project | 1 Trilium | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.53.3. | |||||
| CVE-2022-35416 | 1 H3c | 1 Ssl Vpn | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| H3C SSL VPN through 2022-07-10 allows wnm/login/login.json svpnlang cookie XSS. | |||||
| CVE-2022-1910 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-32061 | 1 Snipeitapp | 1 Snipe-it | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2022-32060 | 1 Snipeitapp | 1 Snipe-it | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2022-31029 | 1 Adminite | 1 Adminlte | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert("XSS")</script>` in the field marked with "Domain to look for" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31136 | 1 Joinbookwyrm | 1 Bookwyrm | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Bookwyrm is an open source social reading and reviewing program. Versions of Bookwyrm prior to 0.4.1 did not properly sanitize html being rendered to users. Unprivileged users are able to inject scripts into user profiles, book descriptions, and statuses. These vulnerabilities may be exploited as cross site scripting attacks on users viewing these fields. Users are advised to upgrade to version 0.4.1. There are no known workarounds for this issue. | |||||
| CVE-2022-31063 | 1 Enalean | 1 Tuleap | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.111 the title of a document is not properly escaped in the search result of MyDocmanSearch widget and in the administration page of the locked documents. A malicious user with the capability to create a document could force victim to execute uncontrolled code. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-33098 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2021-44791 | 1 Apache | 1 Druid | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. | |||||
| CVE-2022-35230 | 1 Zabbix | 1 Zabbix | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. | |||||
| CVE-2022-31133 | 1 Humhub | 1 Humhub | 2022-07-14 | 3.5 LOW | 4.8 MEDIUM |
| HumHub is an Open Source Enterprise Social Network. Affected versions of HumHub are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, the attacker would need a permission to administer the Spaces feature. The names of individual "spaces" are not properly escaped and so an attacker with sufficient privilege could insert malicious javascript into a space name and exploit system users who visit that space. It is recommended that the HumHub is upgraded to 1.11.4, 1.10.5. There are no known workarounds for this issue. | |||||
| CVE-2022-23713 | 1 Elastic | 1 Kibana | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. | |||||
| CVE-2022-32567 | 1 Appfire | 1 Jira Misc Custom Fields | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM |
| The Appfire Jira Misc Custom Fields (JMCF) app 2.4.6 for Atlassian Jira allows XSS via a crafted project name to the Add Auto Indexing Rule function. | |||||
| CVE-2022-2342 | 1 Getoutline | 1 Outline | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4. | |||||
| CVE-2022-20815 | 1 Cisco | 2 Unified Communications Manager, Unified Communications Manager Im And Presence Service | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2022-20800 | 1 Cisco | 3 Unified Communications Manager, Unified Communications Manager Im And Presence Service, Unity Connection | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2022-31127 | 1 Nextauth.js | 1 Next-auth | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: `balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven't created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or efficiently sanitize it. | |||||
| CVE-2022-2316 | 1 Devolutions | 1 Devolutions Server | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM |
| HTML injection vulnerability in secure messages of Devolutions Server before 2022.2 allows attackers to alter the rendering of the page or redirect a user to another site. | |||||
| CVE-2015-3172 | 1 Eidogo | 1 Eidogo | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM |
| EidoGo is susceptible to Cross-Site Scripting (XSS) attacks via maliciously crafted SGF input. | |||||
| CVE-2022-31113 | 1 Thinkst | 1 Canarytokens | 2022-07-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens. This permits an attacker who recognised an HTTP-based Canarytoken (a URL) to execute Javascript in the Canarytoken's history page (domain: canarytokens.org) when the history page is later visited by the Canarytoken's creator. This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken's creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place Javascript on the history page that redirect the creator towards an attacker-controlled Canarytoken to show the creator's network location. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. The issue has been patched on Canarytokens.org and in the latest release. No signs of successful exploitation of this vulnerability have been found. Users are advised to upgrade. There are no known workarounds for this issue. | |||||