Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29947 | 1 Woodpecker-ci | 1 Woodpecker | 2022-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping. | |||||
| CVE-2022-26325 | 1 Microfocus | 1 Netiq Access Manager | 2022-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.2 | |||||
| CVE-2022-1282 | 1 10web | 1 Photo Gallery | 2022-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action. | |||||
| CVE-2022-1269 | 1 Fastflow | 1 Fastflow | 2022-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Fast Flow WordPress plugin before 1.2.11 does not sanitise and escape the page parameter before outputting back in an attribute in an admin dashboard, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-28588 | 1 Springbootmovie Project | 1 Springbootmovie | 2022-05-10 | 3.5 LOW | 5.4 MEDIUM |
| In SpringBootMovie <=1.2 when adding movie names, malicious code can be stored because there are no filtering parameters, resulting in stored XSS. | |||||
| CVE-2022-28599 | 1 Thedaylightstudio | 1 Fuel Cms | 2022-05-10 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack. | |||||
| CVE-2021-32792 | 3 Apache, Fedoraproject, Zmartzone | 3 Http Server, Fedora, Mod Auth Openidc | 2022-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when using `OIDCPreservePost On`. | |||||
| CVE-2021-41948 | 1 Intelliants | 1 Subrion | 2022-05-10 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects". | |||||
| CVE-2022-1526 | 1 Emlog | 1 Emlog | 2022-05-10 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Emlog Pro up to 1.2.2. This affects the POST parameter handling of articles. The manipulation with the input <script>alert(1);</script> leads to cross site scripting. It is possible to initiate the attack remotely but it requires a signup and login by the attacker. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-23065 | 1 Vendure | 1 Vendure | 2022-05-10 | 3.5 LOW | 5.4 MEDIUM |
| In Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by Stored XSS vulnerability, where an attacker having catalog permission can upload a SVG file that contains malicious JavaScript into the “Assets” tab. The uploaded file will affect administrators as well as regular users. | |||||
| CVE-2022-1175 | 1 Gitlab | 1 Gitlab | 2022-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. | |||||
| CVE-2022-26565 | 1 Totaljs | 1 Content Management System | 2022-05-10 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Totaljs all versions before commit 95f54a5commit, allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Name text field when creating a new page. | |||||
| CVE-2021-41810 | 1 M-files | 1 Server | 2022-05-10 | 3.5 LOW | 4.8 MEDIUM |
| Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable | |||||
| CVE-2021-39390 | 1 Partkeepr | 1 Partkeepr | 2022-05-10 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter. | |||||
| CVE-2021-25102 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2022-05-10 | 2.6 LOW | 4.7 MEDIUM |
| The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk | |||||
| CVE-2022-29444 | 1 Cloudways | 1 Breeze | 2022-05-09 | 3.5 LOW | 5.4 MEDIUM |
| Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Configuration which includes the ability to change any of the plugin's settings including CDN setting which could be further used for XSS attack. | |||||
| CVE-2020-23617 | 1 Totolink | 4 N100re, N100re Firmware, N200re and 1 more | 2022-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability in the error page of Totolink N200RE and N100RE Routers 2.0 allows attackers to execute arbitrary web scripts or HTML via SCRIPT element. | |||||
| CVE-2021-36844 | 1 Mythemeshop | 1 Wp Subscribe | 2022-05-09 | 3.5 LOW | 4.8 MEDIUM |
| Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop WP Subscribe plugin <= 1.2.12 on WordPress. | |||||
| CVE-2022-28589 | 1 Pixelimity | 1 Pixelimity | 2022-05-09 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Pixelimity 1.0 allows attackers to execute arbitrary web scripts or HTML via the Title field in admin/pages.php?action=add_new | |||||
| CVE-2020-23618 | 1 Xtendtech | 1 Voice Logger | 2022-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross site scripting (XSS) vulnerability in Xtend Voice Logger 1.0 allows attackers to execute arbitrary web scripts or HTML, via the path of the error page. | |||||
| CVE-2022-23060 | 1 Shopizer | 1 Shopizer | 2022-05-09 | 3.5 LOW | 4.8 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab | |||||
| CVE-2022-29969 | 1 Mediawiki | 1 Rss For Mediawiki | 2022-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true). | |||||
| CVE-2022-20629 | 1 Cisco | 1 Firepower Management Center | 2022-05-09 | 3.5 LOW | 5.4 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2022-20627 | 1 Cisco | 1 Firepower Management Center | 2022-05-09 | 3.5 LOW | 5.4 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2022-20628 | 1 Cisco | 1 Firepower Management Center | 2022-05-09 | 3.5 LOW | 5.4 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2022-20740 | 1 Cisco | 1 Firepower Management Center | 2022-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack. This vulnerability is due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by convincing a user to click a link designed to pass malicious input to the interface. A successful exploit could allow the attacker to conduct cross-site scripting attacks and gain access to sensitive browser-based information. | |||||
| CVE-2022-1046 | 1 Vfbpro | 1 Visual Form Builder | 2022-05-09 | 3.5 LOW | 4.8 MEDIUM |
| The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-0428 | 1 Keywordrush | 1 Content Egg | 2022-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Content Egg WordPress plugin before 5.3.0 does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin dashboard, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-0418 | 1 Event List Project | 1 Event List | 2022-05-09 | 3.5 LOW | 4.8 MEDIUM |
| The Event List WordPress plugin before 0.8.8 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfiltered_html is disallowed | |||||
| CVE-2021-43932 | 1 Smartptt | 1 Smartptt Scada | 2022-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Elcomplus SmartPTT is vulnerable when an attacker injects JavaScript code into a specific parameter that can executed upon accessing the dashboard or the main page. | |||||
| CVE-2022-0662 | 1 Ajdg | 1 Adrotate | 2022-05-09 | 3.5 LOW | 4.8 MEDIUM |
| The AdRotate WordPress plugin before 5.8.23 does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-0649 | 1 Ajdg | 1 Adrotate | 2022-05-09 | 3.5 LOW | 4.8 MEDIUM |
| The AdRotate WordPress plugin before 5.8.23 does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-1250 | 1 Lifterlms | 1 Lifterlms | 2022-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The LifterLMS PayPal WordPress plugin before 1.4.0 does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2022-1255 | 1 Codection | 1 Import And Export Users And Customers | 2022-05-09 | 3.5 LOW | 4.8 MEDIUM |
| The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues | |||||
| CVE-2022-21702 | 3 Fedoraproject, Grafana, Netapp | 3 Fedora, Grafana, E-series Performance Analyzer | 2022-05-07 | 2.1 LOW | 5.4 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-29907 | 1 Mediawiki | 1 Mediawiki | 2022-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages. | |||||
| CVE-2022-24873 | 1 Shopware | 1 Shopware | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. | |||||
| CVE-2022-29152 | 1 Ericom | 1 Powerterm Webconnect | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an XSS payload from the AppPortal cookie into the page. | |||||
| CVE-2022-29584 | 1 Mahara | 1 Mahara | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action. | |||||
| CVE-2022-28477 | 1 Wbce | 1 Wbce Cms | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2022-28454 | 1 Limbas | 1 Limbas | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2021-38952 | 1 Ibm | 1 Infosphere Information Server | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211408. | |||||
| CVE-2022-22427 | 1 Ibm | 1 Infosphere Information Server | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 223720. | |||||
| CVE-2022-1514 | 1 Facturascripts | 1 Facturascripts | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS via upload plugin functionality in zip format in GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account. | |||||
| CVE-2022-22322 | 1 Ibm | 1 Infosphere Information Server | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 218370. | |||||
| CVE-2022-22443 | 1 Ibm | 1 Infosphere Information Server | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 224440. | |||||
| CVE-2022-27860 | 1 Footer-text Project | 1 Footer-text | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) in Shea Bunge's Footer Text plugin <= 2.0.3 on WordPress. | |||||
| CVE-2022-28101 | 1 Lyonbros | 1 Turtl | 2022-05-06 | 6.0 MEDIUM | 9.0 CRITICAL |
| Turtlapp Turtle Note v0.7.2.6 does not filter the <meta> tag during markdown parsing, allowing attackers to execute HTML injection. | |||||
| CVE-2022-28102 | 1 Php Mysql Admin Panel Generator Project | 1 Php Mysql Admin Panel Generator | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php. | |||||
| CVE-2021-36867 | 1 Psychological Tests \& Quizzes Project | 1 Psychological Tests \& Quizzes | 2022-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher user rights. | |||||