Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-9752 | 2 Opensuse, Otrs | 3 Backports Sle, Leap, Otrs | 2022-05-03 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm. | |||||
| CVE-2022-24868 | 1 Glpi-project | 1 Glpi | 2022-05-03 | 3.5 LOW | 5.4 MEDIUM |
| GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a result any user viewing the avatar will be subject to a cross site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars. | |||||
| CVE-2021-46782 | 1 Supsystic | 1 Price Table | 2022-05-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Pricing Table by Supsystic WordPress plugin before 1.9.5 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-0248 | 1 Contact Form Submissions Project | 1 Contact Form Submissions | 2022-05-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form Submissions WordPress plugin before 1.7.3 does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, unauthenticated attacker could perform Cross-Site Scripting attacks against admins viewing the malicious submission | |||||
| CVE-2020-14014 | 1 Naviwebs | 1 Navigate Cms | 2022-05-01 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS. | |||||
| CVE-2013-4341 | 1 Moodle | 1 Moodle | 2022-05-01 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed. | |||||
| CVE-2021-42063 | 1 Sap | 1 Knowledge Warehouse | 2022-04-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to disclose sensitive data. | |||||
| CVE-2022-23993 | 1 Pfsense | 2 Pfsense, Pfsense Plus | 2022-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| /usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS. | |||||
| CVE-2021-37195 | 1 Siemens | 1 Comos | 2022-04-29 | 2.6 LOW | 6.1 MEDIUM |
| A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS accepts arbitrary code as attachment to tasks. This could allow an attacker to inject malicious code that is executed when loading the attachment. | |||||
| CVE-2021-30119 | 1 Kaseya | 1 Vsa | 2022-04-29 | 3.5 LOW | 5.4 MEDIUM |
| Authenticated reflective XSS in HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078` | |||||
| CVE-2020-19204 | 1 Ipfire | 1 Ipfire | 2022-04-29 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated Stored Cross-Site Scripting (XSS) vulnerability exists in Lightning Wire Labs IPFire 2.21 (x86_64) - Core Update 130 in the "routing.cgi" Routing Table Entries via the "Remark" text box or "remark" parameter. It allows an authenticated WebGUI user to execute Stored Cross-site Scripting in the Routing Table Entries. | |||||
| CVE-2017-5003 | 2 Emc, Rsa | 3 Rsa Identity Governance And Lifecycle, Rsa Identity Management And Governance, Rsa Via Lifecycle And Governance | 2022-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all patch levels); RSA Via Lifecycle and Governance version 7.0 (all patch levels); and RSA Identity Management and Governance (IMG) version 6.9.1 (all patch levels) have Reflected Cross Site Scripting vulnerabilities that could potentially be exploited by malicious users to compromise an affected system. | |||||
| CVE-2017-5004 | 2 Emc, Rsa | 3 Rsa Identity Governance And Lifecycle, Rsa Identity Management And Governance, Rsa Via Lifecycle And Governance | 2022-04-29 | 3.5 LOW | 5.4 MEDIUM |
| EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all patch levels); RSA Via Lifecycle and Governance version 7.0 (all patch levels); and RSA Identity Management and Governance (IMG) version 6.9.1 (all patch levels) have Stored Cross Site Scripting vulnerabilities that could potentially be exploited by malicious users to compromise an affected system. | |||||
| CVE-2022-1439 | 1 Microweber | 1 Microweber | 2022-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a payload that runs without user interaction. | |||||
| CVE-2022-29589 | 1 Crypt-server Project | 1 Crypt-server | 2022-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Crypt Server before 3.3.0 allows XSS in the index view. This is related to serial, computername, and username. | |||||
| CVE-2022-24870 | 1 Combodo | 1 Itop | 2022-04-29 | 3.5 LOW | 5.4 MEDIUM |
| Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2020-9410 | 2 Oracle, Tibco | 3 Retail Order Broker, Jasperreports Library, Jasperreports Server | 2022-04-28 | 6.8 MEDIUM | 8.8 HIGH |
| The report generator component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an attacker to exploit HTML injection to gain full control of a web interface containing the output of the report generator component with the privileges of any user that views the affected report(s). The attacker can theoretically exploit this vulnerability when other users view a maliciously generated report, where those reports use Fusion Charts and a data source with contents controlled by the attacker. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions 7.1.1 and below, versions 7.2.0 and 7.2.1, version 7.3.0, version 7.5.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions 7.1.1 and below, TIBCO JasperReports Server: versions 7.1.1 and below, version 7.2.0, version 7.5.0, TIBCO JasperReports Server for AWS Marketplace: versions 7.5.0 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below. | |||||
| CVE-2021-41162 | 1 Combodo | 1 Itop | 2022-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-22435 | 1 Ibm | 1 Maximo Asset Management | 2022-04-28 | 3.5 LOW | 5.4 MEDIUM |
| IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2022-22436 | 1 Ibm | 1 Maximo Asset Management | 2022-04-28 | 3.5 LOW | 5.4 MEDIUM |
| IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 224164. | |||||
| CVE-2020-6558 | 4 Apple, Debian, Google and 1 more | 5 Iphone Os, Debian Linux, Chrome and 2 more | 2022-04-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in iOSWeb in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||||
| CVE-2022-1022 | 1 Chatwoot | 1 Chatwoot | 2022-04-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0. | |||||
| CVE-2021-21800 | 1 Advantech | 1 R-seenet | 2022-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerabilities exist in the ssh_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a crafted URL to trigger this vulnerability. | |||||
| CVE-2021-21799 | 1 Advantech | 1 R-seenet | 2022-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerabilities exist in the telnet_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a crafted URL to trigger this vulnerability. | |||||
| CVE-2021-21802 | 1 Advantech | 1 R-seenet | 2022-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. | |||||
| CVE-2021-21803 | 1 Advantech | 1 R-seenet | 2022-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. | |||||
| CVE-2021-21801 | 1 Advantech | 1 R-seenet | 2022-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. | |||||
| CVE-2022-24864 | 1 Originprotocol | 1 Origin Website | 2022-04-28 | 3.5 LOW | 5.4 MEDIUM |
| Origin Protocol is a blockchain based project. The Origin Protocol project website allows for malicious users to inject malicious Javascript via a POST request to `/presale/join`. User-controlled data is passed with no sanitization to SendGrid and injected into an email that is delivered to the founders@originprotocol.com. If the email recipient is using an email program that is susceptible to XSS, then that email recipient will receive an email that may contain malicious XSS. Regardless if the email recipient’s mail program has vulnerabilities or not, the hacker can at the very least inject malicious HTML that modifies the body content of the email. There are currently no known workarounds. | |||||
| CVE-2022-28222 | 1 Cleantalk | 1 Antispam | 2022-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php` | |||||
| CVE-2022-28221 | 1 Cleantalk | 1 Antispam | 2022-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Comments.php` | |||||
| CVE-2020-26870 | 4 Cure53, Debian, Microsoft and 1 more | 5 Dompurify, Debian Linux, Visual Studio 2017 and 2 more | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. | |||||
| CVE-2022-23350 | 1 Bigantsoft | 1 Bigant Server | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| BigAnt Software BigAnt Server v5.6.06 was discovered to contain a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2021-23283 | 1 Eaton | 1 Intelligent Power Protector | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software. | |||||
| CVE-2022-26593 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of an asset category. | |||||
| CVE-2022-27436 | 1 Ecommerce-website Project | 1 Ecommerce-website | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_user at Ecommerce-Website v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username text field. | |||||
| CVE-2022-1187 | 1 Wp Youtube Live Project | 1 Wp Youtube Live | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WordPress WP YouTube Live Plugin is vulnerable to Reflected Cross-Site Scripting via POST data found in the ~/inc/admin.php file which allows unauthenticated attackers to inject arbitrary web scripts in versions up to, and including, 1.7.21. | |||||
| CVE-2021-41570 | 1 Veritas | 1 Netbackup | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| Veritas NetBackup OpsCenter Analytics 9.1 allows XSS via the NetBackup Master Server Name, Display Name, NetBackup User Name, or NetBackup Password field during a Settings/Configuration Add operation. | |||||
| CVE-2021-43295 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module. | |||||
| CVE-2021-43294 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module. | |||||
| CVE-2022-1112 | 1 Autolinks Project | 1 Autolinks | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| The Autolinks WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, and does not sanitise as well as escape them, which could allow attackers to perform Stored Cross-Site scripting against a logged in admin via a CSRF attack | |||||
| CVE-2022-1091 | 1 10up | 1 Safe Svg | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks). | |||||
| CVE-2022-1090 | 1 Good-bad-comments Project | 1 Good-bad-comments | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The Good & Bad Comments WordPress plugin through 1.0.0 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-29529 | 1 Misp | 1 Misp | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. | |||||
| CVE-2022-29532 | 1 Misp | 1 Misp | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. | |||||
| CVE-2020-25163 | 1 Osisoft | 1 Pi Vision | 2022-04-27 | 4.9 MEDIUM | 7.3 HIGH |
| A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim’s user permissions. | |||||
| CVE-2022-1088 | 1 Contextureintl | 1 Page Security & Membership | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The Page Security & Membership WordPress plugin through 1.5.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-1063 | 1 Thank Me Later Project | 1 Thank Me Later | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The Thank Me Later WordPress plugin through 3.3.4 does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-23285 | 1 Eaton | 1 Intelligent Power Manager | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to a reflected Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure), all versions 1.5.0plus205 and prior. | |||||
| CVE-2021-23284 | 1 Eaton | 1 Intelligent Power Manager Infrastructure | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to a Stored Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure), all versions 1.5.0plus205 and prior. | |||||
| CVE-2022-0737 | 1 Text Hover Project | 1 Text Hover | 2022-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The Text Hover WordPress plugin before 4.2 does not sanitize and escape the text to hover, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
