Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44911 | 1 Xpressengine | 1 Xpressengine | 2022-02-16 | 3.5 LOW | 5.4 MEDIUM |
| XE before 1.11.6 is vulnerable to Unrestricted file upload via modules/menu/menu.admin.controller.php. When uploading the Mouse over button and When selected button, there is no restriction on the file suffix, which leads to any file uploading to the files directory. Since .htaccess only restricts the PHP type, uploading HTML-type files leads to stored XSS vulnerabilities. | |||||
| CVE-2022-22534 | 1 Sap | 1 Netweaver | 2022-02-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application. | |||||
| CVE-2021-44969 | 1 Taogogo | 1 Taocms | 2022-02-16 | 3.5 LOW | 4.8 MEDIUM |
| Taocms v3.0.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Management Column component. | |||||
| CVE-2021-44970 | 1 1234n | 1 Minicms | 2022-02-16 | 3.5 LOW | 5.4 MEDIUM |
| MiniCMS v1.11 was discovered to contain a cross-site scripting (XSS) vulnerability via /mc-admin/page-edit.php. | |||||
| CVE-2022-23047 | 1 Exponentcms | 1 Exponent Cms | 2022-02-16 | 3.5 LOW | 4.8 MEDIUM |
| Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site" | |||||
| CVE-2022-22812 | 1 Schneider-electric | 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more | 2022-02-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a web session compromise when an attacker injects and then executes arbitrary malicious JavaScript code inside the target browser. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior) | |||||
| CVE-2022-22546 | 1 Sap | 1 Businessobjects Web Intelligence | 2022-02-16 | 3.5 LOW | 5.4 MEDIUM |
| Due to improper HTML encoding in input control summary, an authorized attacker can execute XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) - version 420. | |||||
| CVE-2022-23622 | 1 Xwiki | 1 Xwiki | 2022-02-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is a cross site scripting (XSS) vector in the `registerinline.vm` template related to the `xredirect` hidden field. This template is only used in the following conditions: 1. The wiki must be open to registration for anyone. 2. The wiki must be closed to view for Guest users or more specifically the XWiki.Registration page must be forbidden in View for guest user. A way to obtain the second condition is when administrators checked the "Prevent unregistered users from viewing pages, regardless of the page rights" box in the administration rights. This issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. There are two main ways for protecting against this vulnerability, the easiest and the best one is by applying a patch in the `registerinline.vm` template, the patch consists in checking the value of the xredirect field to ensure it matches: `<input type="hidden" name="xredirect" value="$escapetool.xml($!request.xredirect)" />`. If for some reason it's not possible to patch this file, another workaround is to ensure "Prevent unregistered users from viewing pages, regardless of the page rights" is not checked in the rights and apply a better right scheme using groups and rights on spaces. | |||||
| CVE-2021-45357 | 1 Piwigo | 1 Piwigo | 2022-02-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php. | |||||
| CVE-2021-20877 | 1 Canon | 34 2204f, 2204n, 2206if and 31 more | 2022-02-14 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in Canon laser printers and small office multifunctional printers (LBP162L/LBP162, MF4890dw, MF269dw/MF265dw/MF264dw/MF262dw, MF249dw/MF245dw/MF244dw/MF242dw/MF232w, and MF229dw/MF224dw/MF222dw sold in Japan, imageCLASS MF Series (MF113W/MF212W/MF217W/MF227DW/MF229DW, MF232W/MF244DW/MF247DW/MF249DW, MF264DW/MF267DW/MF269DW/MF269DW VP, and MF4570DN/MF4570DW/MF4770N/MF4880DW/MF4890DW) and imageCLASS LBP Series (LBP113W/LBP151DW/LBP162DW ) sold in the US, and iSENSYS (LBP162DW, LBP113W, LBP151DW, MF269dw, MF267dw, MF264dw, MF113w, MF249dw, MF247dw, MF244dw, MF237w, MF232w, MF229dw, MF217w, MF212w, MF4780w, and MF4890dw) and imageRUNNER (2206IF, 2204N, and 2204F) sold in Europe) allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-0473 | 1 Otrs | 1 Otrs | 2022-02-14 | 3.5 LOW | 4.8 MEDIUM |
| OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions. | |||||
| CVE-2022-21241 | 1 Csv\+ Project | 1 Csv\+ | 2022-02-14 | 6.8 MEDIUM | 9.6 CRITICAL |
| Cross-site scripting vulnerability in CSV+ prior to 0.8.1 allows a remote unauthenticated attacker to inject an arbitrary script or an arbitrary OS command via a specially crafted CSV file that contains HTML a tag. | |||||
| CVE-2022-0395 | 1 Livehelperchat | 1 Live Helper Chat | 2022-02-14 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v. | |||||
| CVE-2022-0394 | 1 Livehelperchat | 1 Live Helper Chat | 2022-02-14 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v. | |||||
| CVE-2022-0352 | 1 Calibre-web Project | 1 Calibre-web | 2022-02-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16. | |||||
| CVE-2022-23378 | 1 Tastyigniter | 1 Tastyigniter | 2022-02-11 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The "items%5B0%5D%5Bpath%5D" parameter of a request made to /admin/allergens/edit/1 is vulnerable. | |||||
| CVE-2022-0539 | 1 Beanstalk Console Project | 1 Beanstalk Console | 2022-02-11 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist ptrofimov/beanstalk_console prior to 1.7.14. | |||||
| CVE-2021-45919 | 1 Std42 | 1 Elfinder | 2022-02-11 | 3.5 LOW | 5.4 MEDIUM |
| Studio 42 elFinder through 2.1.31 allows XSS via an SVG document. | |||||
| CVE-2022-0526 | 1 Chatwoot | 1 Chatwoot | 2022-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0. | |||||
| CVE-2021-45329 | 1 Gitea | 1 Gitea | 2022-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field. | |||||
| CVE-2022-0527 | 1 Chatwoot | 1 Chatwoot | 2022-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0. | |||||
| CVE-2022-0506 | 1 Microweber | 1 Microweber | 2022-02-11 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2022-0510 | 1 Pimcore | 1 Pimcore | 2022-02-11 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore prior to 10.3.1. | |||||
| CVE-2022-21799 | 1 Elecom | 2 Wrc-300febk-r, Wrc-300febk-r Firmware | 2022-02-11 | 2.9 LOW | 5.2 MEDIUM |
| Cross-site scripting vulnerability in ELECOM LAN router WRC-300FEBK-R firmware v1.13 and earlier allows an attacker on the adjacent network to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-0509 | 1 Pimcore | 1 Pimcore | 2022-02-11 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.3.1. | |||||
| CVE-2022-22146 | 1 Dounokouno | 1 Transmitmail | 2022-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in TransmitMail 2.5.0 to 2.6.1 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-45281 | 1 Quickbox | 1 Quickbox | 2022-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| QuickBox Pro v2.4.8 contains a cross-site scripting (XSS) vulnerability at "adminuseredit.php?usertoedit=XSS", as the user supplied input for the value of this parameter is not properly sanitized. | |||||
| CVE-2022-22142 | 1 Econosys-system | 1 Php Mailform | 2022-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability in the checkbox of php_mailform versions prior to Version 1.40 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-21805 | 1 Econosys-system | 1 Php Mailform | 2022-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability in the attached file name of php_mailform versions prior to Version 1.40 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-25077 | 1 Visser | 1 Store Toolkit For Woocommerce | 2022-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Store Toolkit for WooCommerce WordPress plugin before 2.3.2 does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-25029 | 1 Cluevo | 1 Learning Management System | 2022-02-11 | 3.5 LOW | 4.8 MEDIUM |
| The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2022-0502 | 1 Livehelperchat | 1 Live Helper Chat | 2022-02-11 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v. | |||||
| CVE-2022-0501 | 1 Beanstalk Console Project | 1 Beanstalk Console | 2022-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/beanstalk_console prior to 1.7.12. | |||||
| CVE-2021-25103 | 1 Gtranslate | 1 Translate Wordpress With Gtranslate | 2022-02-10 | 2.6 LOW | 4.7 MEDIUM |
| The Translate WordPress with GTranslate WordPress plugin before 2.9.7 does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCE_SALT and NONCE_KEY | |||||
| CVE-2021-25106 | 1 Wpeka | 1 Wplegalpages | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting | |||||
| CVE-2021-24880 | 1 Supportcandy | 1 Supportcandy | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-25105 | 1 Ivorysearch | 1 Ivory Search | 2022-02-10 | 3.5 LOW | 4.8 MEDIUM |
| The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-0148 | 1 Premio | 1 Mystickyelements | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2.0.4 was vulnerable to reflected XSS on the my-sticky-elements-leads admin page. | |||||
| CVE-2022-0149 | 1 Visser | 1 Store Exporter For Woocommerce | 2022-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin page. | |||||
| CVE-2021-37402 | 1 Open-xchange | 1 Open-xchange Appsuite | 2022-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled. | |||||
| CVE-2021-26698 | 1 Open-xchange | 1 Open-xchange Appsuite | 2022-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used. | |||||
| CVE-2021-24878 | 1 Supportcandy | 1 Supportcandy | 2022-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-35479 | 1 Nagios | 1 Log Server | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter. This affects users who open a crafted link or third-party web page. | |||||
| CVE-2021-35478 | 1 Nagios | 1 Log Server | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| Nagios Log Server before 2.1.9 contains Reflected XSS in the dropdown box for the alert history and audit log function. All parameters used for filtering are affected. This affects users who open a crafted link or third-party web page. | |||||
| CVE-2009-3856 | 1 Twilightcms | 1 Twilight Cms | 2022-02-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the default URI in news/ in Twilight CMS before 4.1 allows remote attackers to inject arbitrary web script or HTML via the calendar parameter. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2022-21662 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | |||||
| CVE-2022-0437 | 1 Karma Project | 1 Karma | 2022-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14. | |||||
| CVE-2022-23980 | 1 Yet Another Stars Rating Project | 1 Yet Another Stars Rating | 2022-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability discovered in Yasr – Yet Another Stars Rating WordPress plugin (versions <= 2.9.9), vulnerable at parameter 'source'. | |||||
| CVE-2022-23133 | 2 Fedoraproject, Zabbix | 2 Fedora, Zabbix | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts. | |||||
| CVE-2021-36787 | 1 In2code | 1 Femanager | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| The femanager extension before 5.5.1 and 6.x before 6.3.1 for TYPO3 allows XSS via a crafted SVG document. | |||||