Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23058 | 1 Frappe | 1 Erpnext | 2022-07-05 | 3.5 LOW | 5.4 MEDIUM |
| ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover. | |||||
| CVE-2018-15917 | 1 Jorani Project | 1 Jorani | 2022-07-05 | 3.5 LOW | 5.4 MEDIUM |
| Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language. | |||||
| CVE-2021-38344 | 1 Brizy | 1 Brizy-page Builder | 2022-07-05 | 3.5 LOW | 5.4 MEDIUM |
| The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and adding JavaScript to the data parameter, which would be executed in the session of any visitor viewing or previewing the post or page. | |||||
| CVE-2022-0376 | 1 User-meta | 1 User Meta User Profile Builder And User Management | 2022-07-05 | 3.5 LOW | 4.8 MEDIUM |
| The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2021-24485 | 1 Wp-special-textboxes Project | 1 Wp-special-textboxes | 2022-07-04 | 3.5 LOW | 4.8 MEDIUM |
| The Special Text Boxes WordPress plugin before 5.9.110 does not sanitise or escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | |||||
| CVE-2022-29172 | 1 Auth0 | 1 Lock | 2022-07-02 | 2.6 LOW | 6.1 MEDIUM |
| Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields� feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields� feature in your application. Upgrade to version `11.33.0`. | |||||
| CVE-2021-22822 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2022-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| A CWE-79 Improper Neutralization of Input During Web Page Generation (?Cross-site Scripting?) vulnerability exists that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2) | |||||
| CVE-2021-24410 | 1 Telugu Bible Verse Daily Project | 1 Telugu Bible Verse Daily | 2022-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The తెల�గ� బైబిల� వచనమ�ల� WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code in them, leading to Stored XSS issues | |||||
| CVE-2021-32478 | 1 Moodle | 1 Moodle | 2022-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected. | |||||
| CVE-2021-32750 | 1 Muwire Project | 1 Muwire | 2022-07-02 | 3.5 LOW | 5.7 MEDIUM |
| MuWire is a file publishing and networking tool that protects the identity of its users by using I2P technology. Users of MuWire desktop client prior to version 0.8.8 can be de-anonymized by an attacker who knows their full ID. An attacker could send a message with a subject line containing a URL with an HTML image tag and the MuWire client would try to fetch that image via clearnet, thus exposing the IP address of the user. The problem is fixed in MuWire 0.8.8. As a workaround, users can disable messaging functionality to prevent other users from sending them malicious messages. | |||||
| CVE-2021-32827 | 2 Mock-server, Oracle | 2 Mockserver, Communications Cloud Native Core Policy | 2022-07-02 | 6.8 MEDIUM | 9.6 CRITICAL |
| MockServer is open source software which enables easy mocking of any system you integrate with via HTTP or HTTPS. An attacker that can trick a victim into visiting a malicious site while running MockServer locally, will be able to run arbitrary code on the MockServer machine. With an overly broad default CORS configuration MockServer allows any site to send cross-site requests. Additionally, MockServer allows you to create dynamic expectations using Javascript or Velocity templates. Both engines may allow an attacker to execute arbitrary code on-behalf of MockServer. By combining these two issues (Overly broad CORS configuration + Script injection), an attacker could serve a malicious page so that if a developer running MockServer visits it, they will get compromised. For more details including a PoC see the referenced GHSL-2021-059. | |||||
| CVE-2020-6324 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2022-07-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Netweaver AS ABAP(BSP Test Application sbspext_table), version-700,701,720,730,731,740,750,751,752,753,754,755, allows an unauthenticated attacker to send polluted URL to the victim, when the victim clicks on this URL, the attacker can read, modify the information available in the victim?s browser leading to Reflected Cross Site Scripting. | |||||
| CVE-2022-23056 | 1 Frappe | 1 Erpnext | 2022-07-01 | 3.5 LOW | 5.4 MEDIUM |
| In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack. | |||||
| CVE-2020-27509 | 1 Galaxkey | 1 Galaxkey | 2022-07-01 | 3.5 LOW | 5.4 MEDIUM |
| Persistent XSS in Galaxkey Secure Mail Client in Galaxkey up to 5.6.11.5 allows an attacker to perform an account takeover by intercepting the HTTP Post request when sending an email and injecting a specially crafted XSS payload in the 'subject' field. The payload executes when the recipient logs into their mailbox. | |||||
| CVE-2019-11291 | 2 Redhat, Vmware | 2 Openstack, Rabbitmq | 2022-07-01 | 3.5 LOW | 4.8 MEDIUM |
| Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information. | |||||
| CVE-2017-2601 | 1 Jenkins | 1 Jenkins | 2022-06-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions. | |||||
| CVE-2022-33122 | 1 Eyoucms | 1 Eyoucms | 2022-06-30 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in eyoucms v1.5.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL field under the login page. | |||||
| CVE-2021-39408 | 1 Online Student Rate System Project | 1 Online Student Rate System | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in Online Student Rate System 1.0 via the page parameter on the index.php file | |||||
| CVE-2021-38871 | 3 Ibm, Linux, Microsoft | 3 Jazz Team Server, Linux Kernel, Windows | 2022-06-30 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208345. | |||||
| CVE-2022-0663 | 1 Printfriendly | 1 Print\, Pdf\, Email By Printfriendly | 2022-06-30 | 3.5 LOW | 4.8 MEDIUM |
| The Print, PDF, Email by PrintFriendly WordPress plugin before 5.2.3 does not sanitise and escape the Custom Button Text settings, which could allow high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2017-20092 | 1 Yoast | 1 Google Analytics Dashboard | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability classified as problematic was found in Google Analytics Dashboard Plugin 2.1.1. Affected by this vulnerability is an unknown functionality. The manipulation leads to basic cross site scripting. The attack can be launched remotely. | |||||
| CVE-2022-1266 | 1 Wpwax | 1 Post Grid\, Slider \& Carousel Ultimate | 2022-06-30 | 3.5 LOW | 4.8 MEDIUM |
| The Post Grid, Slider & Carousel Ultimate WordPress plugin before 1.5.0 does not sanitise and escape the Header Title, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2017-20094 | 1 Newstatpress Project | 1 Newstatpress | 2022-06-30 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in NewStatPress Plugin 1.2.4. This issue affects some unknown processing. The manipulation leads to basic cross site scripting (Persistent). The attack may be initiated remotely. Upgrading to version 1.2.5 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20097 | 1 Wp-filebase Download Manager Project | 1 Wp-filebase Download Manager | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in WP-Filebase Download Manager Plugin 3.4.4. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting. The attack may be launched remotely. | |||||
| CVE-2020-5298 | 1 Octobercms | 1 October | 2022-06-30 | 3.5 LOW | 4.8 MEDIUM |
| In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466). | |||||
| CVE-2021-25088 | 1 Google Xml Sitemaps Project | 1 Google Xml Sitemaps | 2022-06-30 | 3.5 LOW | 4.8 MEDIUM |
| The XML Sitemaps WordPress plugin before 4.1.3 does not sanitise and escape a settings before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2021-25104 | 1 Oceanwp | 1 Ocean Extra | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used when the OceanWP is active, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2022-34189 | 1 Jenkins | 1 Image Tag Parameter | 2022-06-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Image Tag Parameter Plugin 1.10 and earlier does not escape the name and description of Image Tag parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34188 | 1 Jenkins | 1 Hidden Parameter | 2022-06-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34187 | 1 Jenkins | 1 Filesystem List Parameter | 2022-06-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Filesystem List Parameter Plugin 0.0.7 and earlier does not escape the name and description of File system objects list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34186 | 1 Jenkins | 1 Dynamic Extended Choice Parameter | 2022-06-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape the name and description of Moded Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34185 | 1 Jenkins | 1 Date Parameter | 2022-06-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Date Parameter Plugin 0.0.4 and earlier does not escape the name and description of Date parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34184 | 1 Jenkins | 1 Crx Content Package Deployer | 2022-06-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins CRX Content Package Deployer Plugin 1.9 and earlier does not escape the name and description of CRX Content Package Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34171 | 1 Jenkins | 1 Jenkins | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-34172 | 1 Jenkins | 1 Jenkins | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-34170 | 1 Jenkins | 1 Jenkins | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2022-34173 | 1 Jenkins | 1 Jenkins | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2017-20096 | 1 Wp-spamfree Anti-spam Project | 1 Wp-spamfree Anti-spam | 2022-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in WP-SpamFree Anti-Spam Plugin 2.1.1.4. This affects an unknown part. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely. | |||||
| CVE-2022-32987 | 1 Simple Bakery Shop Management System Project | 1 Simple Bakery Shop Management System | 2022-06-29 | 3.5 LOW | 4.8 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in /bsms/?page=manage_account of Simple Bakery Shop Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username or Full Name fields. | |||||
| CVE-2022-34328 | 1 Pmb Project | 1 Pmb | 2022-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| PMB 7.3.10 allows reflected XSS via the id parameter in an lvl=author_see request to index.php. | |||||
| CVE-2017-20089 | 1 Gwolle Guestbook Project | 1 Gwolle Guestbook | 2022-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Gwolle Guestbook Plugin 1.7.4. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to basic cross site scripting. The attack may be initiated remotely. | |||||
| CVE-2020-13562 | 2 Open-emr, Phpgacl Project | 2 Openemr, Phpgacl | 2022-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnaerability in the phpGACL template action parameter. | |||||
| CVE-2020-27982 | 1 Icewarp | 1 Mail Server | 2022-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| IceWarp 11.4.5.0 allows XSS via the language parameter. | |||||
| CVE-2020-28038 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2022-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.5.2 allows stored XSS via post slugs. | |||||
| CVE-2020-28034 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2022-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.5.2 allows XSS associated with global variables. | |||||
| CVE-2022-34194 | 1 Jenkins | 1 Readonly Parameter | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Readonly Parameter Plugin 1.0.0 and earlier does not escape the name and description of Readonly String and Readonly Text parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34193 | 1 Jenkins | 1 Package Version | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Package Version Plugin 1.0.1 and earlier does not escape the name of Package version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34192 | 1 Jenkins | 1 Ontrack | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ontrack Jenkins Plugin 4.0.0 and earlier does not escape the name of Ontrack: Multi Parameter choice, Ontrack: Parameter choice, and Ontrack: SingleParameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34191 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.77 and earlier does not escape the name of NetStorm Test parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34190 | 1 Jenkins | 1 Maven Metadata | 2022-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.1 and earlier does not escape the name and description of List maven artifact versions parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||