Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-33043 | 1 Urtracker | 1 Urtracker | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the batch add function of Urtracker Premium v4.0.1.1477 allows attackers to execute arbitrary web scripts or HTML via a crafted excel file. | |||||
| CVE-2022-25238 | 1 Silverstripe | 1 Framework | 2022-07-08 | 3.5 LOW | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code. | |||||
| CVE-2021-39074 | 1 Ibm | 1 Security Guardium | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Security Guardium 11.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2022-31065 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue. | |||||
| CVE-2022-31064 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-07-07 | 2.1 LOW | 5.4 MEDIUM |
| BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue. | |||||
| CVE-2022-31094 | 1 Scratchstatus | 1 Scratchtools | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier. In affected versions anybody who uses the Recently Viewed Projects feature is vulnerable to having their account taken over if they view a project that tries to. The issue is that if a user visits a project that includes Javascript in the title, then when the Recently Viewed Projects feature displays it, it could run the Javascript. This issue has been addressed in the 2.5.2 release. Users having issues scratching should open an issue in the project issue tracker https://github.com/STForScratch/ScratchTools/ | |||||
| CVE-2022-31057 | 1 Shopware | 1 Shopware | 2022-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an authenticated Stored XSS in Administration. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31035 | 1 Linuxfoundation | 1 Argo-cd | 2022-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading. | |||||
| CVE-2022-28172 | 1 Hikvision | 22 Ds-a71024, Ds-a71024 Firmware, Ds-a71048 and 19 more | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device. | |||||
| CVE-2022-1470 | 1 Ultimate Woocommerce Csv Importer Project | 1 Ultimate Woocommerce Csv Importer | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-1327 | 1 Image Gallery - Grid Gallery Project | 1 Image Gallery - Grid Gallery | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Image Gallery - Grid Gallery WordPress plugin through 1.1.1 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2022-1326 | 1 Form - Contact Form Project | 1 Form - Contact Form | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2022-1321 | 1 Miniorange | 1 Google Authenticator | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | |||||
| CVE-2022-1113 | 1 Floristone | 1 Flower Delivery | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Flower Delivery by Florist One WordPress plugin through 3.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setups) | |||||
| CVE-2022-1095 | 1 Mihdan\ | 1 No External Links Project | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Mihdan: No External Links WordPress plugin through 4.8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-1029 | 1 Miniorange | 1 Limit Login Attempts | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | |||||
| CVE-2022-1028 | 1 Miniorange | 1 Wordpress Security | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | |||||
| CVE-2022-1010 | 1 Miniorange | 1 Login Using Wordpress Users | 2022-07-07 | 3.5 LOW | 4.8 MEDIUM |
| The Login using WordPress Users ( WP as SAML IDP ) WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-31085 | 2 Debian, Ldap-account-manager | 2 Debian Linux, Ldap Account Manager | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration. | |||||
| CVE-2022-23896 | 1 Admidio | 1 Admidio | 2022-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Admidio 4.1.2 version is affected by stored cross-site scripting (XSS). | |||||
| CVE-2017-20108 | 1 Easy Table Project | 1 Easy Table | 2022-07-07 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in Easy Table Plugin 1.6. This affects an unknown part of the file /wordpress/wp-admin/options-general.php. The manipulation with the input "><script>alert(1)</script> leads to basic cross site scripting. It is possible to initiate the attack remotely. | |||||
| CVE-2020-19897 | 1 Wuzhicms | 1 Wuzhi Cms | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter. | |||||
| CVE-2020-21161 | 1 Ruckuswireless | 2 Zonedirector, Zonedirector Firmware | 2022-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Ruckus Wireless ZoneDirector 9.8.3.0. | |||||
| CVE-2017-20098 | 1 Weblizar | 1 Admin Custom Login | 2022-07-06 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability was found in Admin Custom Login Plugin 2.4.5.2. It has been classified as problematic. Affected is an unknown function. The manipulation leads to basic cross site scripting (Persistent). It is possible to launch the attack remotely. | |||||
| CVE-2022-2140 | 1 Smartics | 1 Smartics | 2022-07-06 | 6.0 MEDIUM | 9.0 CRITICAL |
| Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters. | |||||
| CVE-2022-33005 | 1 Deltaww | 1 Diaenergie | 2022-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the System Settings/IOT Settings module of Delta Electronics DIAEnergie v1.08.00 allows attackers to execute arbitrary web scripts via a crafted payload injected into the Name text field. | |||||
| CVE-2017-20100 | 1 Air Transfer Project | 1 Air Transfer | 2022-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Air Transfer 1.0.14/1.2.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-2218 | 1 Parse-url Project | 1 Parse-url | 2022-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0. | |||||
| CVE-2022-33009 | 1 Lightcms Project | 1 Lightcms | 2022-07-06 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in LightCMS v1.3.11 allows attackers to execute arbitrary web scripts or HTML via uploading a crafted PDF file. | |||||
| CVE-2022-34133 | 1 Jorani Project | 1 Jorani | 2022-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Benjamin BALET Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php. | |||||
| CVE-2022-22502 | 1 Ibm | 3 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak | 2022-07-06 | 3.5 LOW | 5.4 MEDIUM |
| IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227124. | |||||
| CVE-2022-1776 | 1 Icegram | 1 Popups\, Welcome Bar\, Optins And Lead Generation Plugin | 2022-07-06 | 3.5 LOW | 5.4 MEDIUM |
| The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.1.8 does not sanitize and escape some campaign parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2022-2217 | 1 Parse-url Project | 1 Parse-url | 2022-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0. | |||||
| CVE-2022-1904 | 1 Fatcatapps | 1 Easy Pricing Tables | 2022-07-06 | 2.6 LOW | 6.1 MEDIUM |
| The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape parameter before outputting it back in a page available to any user (both authenticated and unauthenticated) when a specific setting is enabled, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-2041 | 1 Brizy | 1 Brizy-page Builder | 2022-07-06 | 3.5 LOW | 5.4 MEDIUM |
| The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2022-2040 | 1 Brizy | 1 Brizy-page Builder | 2022-07-06 | 3.5 LOW | 5.4 MEDIUM |
| The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2022-1916 | 1 Pluginus | 1 Active Products Tables For Woocommerce | 2022-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store WordPress plugin before 1.0.5 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected cross-Site Scripting | |||||
| CVE-2022-33910 | 1 Mantisbt | 1 Mantisbt | 2022-07-06 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute. | |||||
| CVE-2022-29096 | 1 Dell | 1 Wyse Management Suite | 2022-07-06 | 3.5 LOW | 5.4 MEDIUM |
| Dell Wyse Management Suite 3.6.1 and below contains a Reflected Cross-Site Scripting Vulnerability in saveGroupConfigurations page. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | |||||
| CVE-2022-1971 | 1 Wpgetready | 1 Nextcellent Gallery | 2022-07-06 | 3.5 LOW | 4.8 MEDIUM |
| The NextCellent Gallery WordPress plugin through 1.9.35 does not sanitise and escape some of its image settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-1964 | 1 Easy Svg Support Project | 1 Easy Svg Support | 2022-07-06 | 3.5 LOW | 5.4 MEDIUM |
| The Easy SVG Support WordPress plugin before 3.3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads | |||||
| CVE-2022-1995 | 1 Miniorange | 1 Malware Scanner | 2022-07-06 | 3.5 LOW | 4.8 MEDIUM |
| The Malware Scanner WordPress plugin before 4.5.2 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | |||||
| CVE-2022-1994 | 1 Miniorange | 1 Login With Otp Over Sms\, Email\, Whatsapp And Google Authenticator | 2022-07-06 | 3.5 LOW | 4.8 MEDIUM |
| The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | |||||
| CVE-2022-32209 | 1 Rubyonrails | 1 Rails Html Sanitizers | 2022-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags: ["select", "style"] %>```see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be done with Rails::Html::SafeListSanitizer directly:```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]```or```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])```All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.## CreditsThis vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user). | |||||
| CVE-2022-24851 | 1 Ldap-account-manager | 1 Ldap Account Manager | 2022-07-06 | 3.5 LOW | 4.8 MEDIUM |
| LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitized and an user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like burpsuite. Later when a pdf is exported using the edited profile the pdf icon has the image on that path(if image is present). Both issues require an attacker to be able to login to LAM admin interface. The issue is fixed in version 7.9.1. | |||||
| CVE-2022-27238 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-07-05 | 3.5 LOW | 5.4 MEDIUM |
| BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed. | |||||
| CVE-2022-30120 | 1 Concretecms | 1 Concrete Cms | 2022-07-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting | |||||
| CVE-2022-30119 | 1 Concretecms | 1 Concrete Cms | 2022-07-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting. | |||||
| CVE-2022-30118 | 1 Concretecms | 1 Concrete Cms | 2022-07-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting. | |||||
| CVE-2022-23057 | 1 Frappe | 1 Erpnext | 2022-07-05 | 3.5 LOW | 5.4 MEDIUM |
| In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile. | |||||