Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-4967 | 3 Debian, Pivotal Software, Vmware | 3 Debian Linux, Rabbitmq, Rabbitmq | 2022-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. | |||||
| CVE-2017-4965 | 3 Debian, Pivotal Software, Vmware | 3 Debian Linux, Rabbitmq, Rabbitmq | 2022-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks. | |||||
| CVE-2008-3023 | 2 Fswiki, Microsoft | 2 Freestyle Wiki, Internet Explorer | 2022-05-14 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in FreeStyle Wiki 3.6.2 and earlier, and 3.6.3 dev3 and earlier development versions, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2005-1799. | |||||
| CVE-2022-28507 | 1 Bdt-121 Project | 2 Bdt-121, Bdt-121 Firmware | 2022-05-14 | 3.5 LOW | 4.8 MEDIUM |
| Dragon Path Technologies Bharti Airtel Routers Hardware BDT-121 version 1.0 is vulnerable to Cross Site Scripting (XSS) via Dragon path router admin page. | |||||
| CVE-2022-27183 | 1 Splunk | 1 Splunk | 2022-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4. The Monitoring Console app is a bundled app included in Splunk Enterprise, not for download on SplunkBase, and not installed on Splunk Cloud Platform instances. Note that the Cloud Monitoring Console is not impacted. | |||||
| CVE-2021-36912 | 1 Google-news-sitemap Project | 1 Google-news-sitemap | 2022-05-14 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross-Site Scripting (XSS) vulnerability in Andrea Pernici News Sitemap for Google plugin <= 1.0.16 on WordPress, attackers must have contributor or higher user role. | |||||
| CVE-2020-10688 | 1 Redhat | 5 Enterprise Linux, Fuse, Jboss Enterprise Application Platform and 2 more | 2022-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. | |||||
| CVE-2021-32604 | 1 Solarwinds | 1 Serv-u | 2022-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Share/IncomingWizard.htm in SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter, aka "Share URL XSS." | |||||
| CVE-2022-24899 | 1 Contao | 1 Contao | 2022-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings. | |||||
| CVE-2022-1464 | 1 Gogs | 1 Gogs | 2022-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account . | |||||
| CVE-2020-19203 | 1 Netgate | 1 Pfsense | 2022-05-13 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS. | |||||
| CVE-2022-30241 | 1 Jquery Json-viewer Project | 1 Jquery Json-viewer | 2022-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element. | |||||
| CVE-2022-27878 | 1 F5 | 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more | 2022-05-13 | 6.0 MEDIUM | 6.8 MEDIUM |
| On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2022-28716 | 1 F5 | 3 Big-ip Advanced Firewall Manager, Big-ip Carrier-grade Nat, Big-ip Policy Enforcement Manager | 2022-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| On 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP AFM, CGNAT, and PEM Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2021-38269 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2022-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command. | |||||
| CVE-2021-38263 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2022-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script. | |||||
| CVE-2022-27230 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Guided Configuration | 2022-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP APM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of F5 BIG-IP Guided Configuration that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2022-1590 | 1 Bludit | 1 Bludit | 2022-05-13 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Bludit 3.13.1. It has been declared as problematic. This vulnerability affects the endpoint /admin/new-content of the New Content module. The manipulation of the argument content with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely but requires an authentication. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-25854 | 1 Tagify Project | 1 Tagify | 2022-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload. | |||||
| CVE-2022-1231 | 2 Fedoraproject, Plantuml | 2 Fedora, Plantuml | 2022-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS via Embedded SVG in SVG Diagram Format in GitHub repository plantuml/plantuml prior to 1.2022.4. Stored XSS in the context of the diagram embedder. Depending on the actual context, this ranges from stealing secrets to account hijacking or even to code execution for example in desktop applications. Web based applications are the ones most affected. Since the SVG format allows clickable links in diagrams, it is commonly used in plugins for web based projects (like the Confluence plugin, etc. see https://plantuml.com/de/running). | |||||
| CVE-2021-25267 | 1 Sophos | 2 Firewall, Firewall Firmware | 2022-05-13 | 8.5 HIGH | 8.4 HIGH |
| Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 19.0 GA. | |||||
| CVE-2021-25268 | 1 Sophos | 2 Firewall, Firewall Firmware | 2022-05-13 | 6.0 MEDIUM | 8.4 HIGH |
| Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from MySophos admin to SFOS admin in Sophos Firewall older than version 19.0 GA. | |||||
| CVE-2021-22260 | 1 Gitlab | 1 Gitlab | 2022-05-12 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf | |||||
| CVE-2021-39885 | 1 Gitlab | 1 Gitlab | 2022-05-12 | 3.5 LOW | 5.4 MEDIUM |
| A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names | |||||
| CVE-2022-27880 | 1 F5 | 1 Traffix Signaling Delivery Controller | 2022-05-12 | 3.5 LOW | 4.8 MEDIUM |
| On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2022-0321 | 1 Ohiowebtech | 1 Wp Voting Contest | 2022-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Voting Contest WordPress plugin before 3.0 does not sanitise and escape the post_id parameter before outputting it back in the response via the wpvc_social_share_icons AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2022-1575 | 1 Diagrams | 1 Drawio | 2022-05-12 | 6.8 MEDIUM | 9.6 CRITICAL |
| Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app. | |||||
| CVE-2022-27854 | 1 Psychological Tests \& Quizzes Project | 1 Psychological Tests \& Quizzes | 2022-05-12 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher role via &wpt_test_page_submit_button_caption parameter. | |||||
| CVE-2022-25344 | 1 Olivetti | 2 D-color Mf3555, D-color Mf3555 Firmware | 2022-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser. | |||||
| CVE-2022-29939 | 1 Librehealth | 1 Librehealth Ehr | 2022-05-12 | 3.5 LOW | 5.4 MEDIUM |
| In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities. | |||||
| CVE-2022-29940 | 1 Librehealth | 1 Librehealth Ehr | 2022-05-12 | 3.5 LOW | 5.4 MEDIUM |
| In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities. | |||||
| CVE-2022-1530 | 1 Livehelperchat | 1 Live Helper Chat | 2022-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. The attacker can execute malicious JavaScript on the application. | |||||
| CVE-2022-26244 | 1 Hospital\'s Patient Records Management System Project | 1 Hospital\'s Patient Records Management System | 2022-05-12 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "special" field. | |||||
| CVE-2022-25493 | 1 Hospital Management System Project | 1 Hospital Management System | 2022-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| HMS v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via treatmentrecord.php. | |||||
| CVE-2022-22853 | 1 Hospital\'s Patient Records Management System Project | 1 Hospital\'s Patient Records Management System | 2022-05-12 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Name field. | |||||
| CVE-2022-28707 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2022-05-12 | 3.5 LOW | 5.4 MEDIUM |
| On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility (also referred to as the BIG-IP TMUI) that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2020-13954 | 3 Apache, Netapp, Oracle | 6 Cxf, Snap Creator Framework, Vasa Provider For Clustered Data Ontap and 3 more | 2022-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573. | |||||
| CVE-2022-28508 | 1 Mantisbt | 1 Mantisbt | 2022-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field. | |||||
| CVE-2022-28081 | 1 Ar-php | 1 Arphp | 2022-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the component Query.php of arPHP v3.6.0 allows attackers to execute arbitrary web scripts. | |||||
| CVE-2021-34590 | 1 Bender | 4 Cc612, Cc612 Firmware, Cc613 and 1 more | 2022-05-12 | 3.5 LOW | 5.4 MEDIUM |
| In Bender/ebee Charge Controllers in multiple versions are prone to Cross-site Scripting. An authenticated attacker could write HTML Code into configuration values. These values are not properly escaped when displayed. | |||||
| CVE-2022-1584 | 1 Microweber | 1 Microweber | 2022-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executing JavaScript as the victim | |||||
| CVE-2022-25784 | 1 Secomea | 18 Sitemanager 1129, Sitemanager 1129 Firmware, Sitemanager 1139 and 15 more | 2022-05-11 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in Web GUI of SiteManager allows logged-in user to inject scripting. This issue affects: Secomea SiteManager all versions prior to 9.7. | |||||
| CVE-2022-25781 | 1 Secomea | 8 Gatemanager 4250, Gatemanager 4250 Firmware, Gatemanager 4260 and 5 more | 2022-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in Web UI of Secomea GateManager allows phishing attacker to inject javascript or html into logged in user session. | |||||
| CVE-2022-1571 | 1 Facturascripts | 1 Facturascripts | 2022-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of `same origin` page, etc ... | |||||
| CVE-2022-1555 | 1 Microweber | 1 Microweber | 2022-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie... | |||||
| CVE-2022-27330 | 1 E-commerce Website Project | 1 E-commerce Website | 2022-05-11 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Title text field. | |||||
| CVE-2022-25349 | 1 Materializecss | 1 Materialize | 2022-05-11 | 4.3 MEDIUM | 5.4 MEDIUM |
| All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component. | |||||
| CVE-2021-31674 | 1 Cyclos | 1 Cyclos | 2022-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefine enum constant. | |||||
| CVE-2022-1536 | 1 Automad | 1 Automad | 2022-05-11 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability has been found in automad up to 1.10.9 and classified as problematic. This vulnerability affects the Dashboard. The manipulation of the argument title with the input Home</title><script>alert("home")</script><title> leads to a cross site scripting. The attack can be initiated remotely but requires an authentication. The exploit details have disclosed to the public and may be used. | |||||
| CVE-2022-21149 | 1 S-cart | 1 S-cart | 2022-05-11 | 3.5 LOW | 3.5 LOW |
| The package s-cart/s-cart before 6.9; the package s-cart/core before 6.9 are vulnerable to Cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL so the attacker can gain unauthorized access to that user's account through the stolen cookie. | |||||