Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-28210 | 1 Schneider-electric | 1 Ecostruxure Building Operation | 2022-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in EcoStruxure Building Operation WebStation V2.0 - V3.1 that could cause an attacker to inject HTML and JavaScript code into the user's browser. | |||||
| CVE-2021-41929 | 1 The Electric Billing Management System Project | 1 The Electric Billing Management System | 2022-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Sourcecodester The Electric Billing Management System 1.0 by oretnom23, allows attackers to execute arbitrary code via the about page. | |||||
| CVE-2021-41930 | 1 Online Covid Vaccination Scheduler System Project | 1 Online Covid Vaccination Scheduler System | 2022-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in Sourcecodester Online Covid Vaccination Scheduler System v1 by oretnom23, allows attackers to execute arbitrary code via the lid parameter to /scheduler/addSchedule.php. | |||||
| CVE-2021-42168 | 1 Try My Recipe Project | 1 Try My Recipe | 2022-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Sourcecodester Try My Recipe (Recipe Sharing Website - CMS) by oretnom23, allows attackers to gain the PHPSESID or other unspecified impacts via the fullname parameter to the login_registration page. | |||||
| CVE-2021-24965 | 1 Fivestarplugins | 1 Five Star Restaurant Reservations | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in admins | |||||
| CVE-2021-46083 | 1 Uscat Project | 1 Uscat | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via the input box of the statistical code. | |||||
| CVE-2021-46084 | 1 Uscat Project | 1 Uscat | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via "close registration information" input box. | |||||
| CVE-2021-46087 | 1 Jflyfox | 1 Jfinal Cms | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| In jfinal_cms >= 5.1 0, there is a storage XSS vulnerability in the background system of CMS. Because developers do not filter the parameters submitted by the user input form, any user with background permission can affect the system security by entering malicious code. | |||||
| CVE-2022-0268 | 1 Getgrav | 1 Grav | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28. | |||||
| CVE-2021-46034 | 1 Forestblog Project | 1 Forestblog | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A problem was found in ForestBlog, as of 2021-12-29, there is a XSS vulnerability that can be injected through the nickname input box. | |||||
| CVE-2022-21710 | 1 Mediawiki | 1 Shortdescription | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4. | |||||
| CVE-2022-21715 | 1 Codeigniter | 1 Codeigniter | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only. | |||||
| CVE-2021-45225 | 1 Coins-global | 1 Construction Cloud | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in COINS Construction Cloud 11.12. Due to improper input neutralization, it is vulnerable to reflected cross-site scripting (XSS) via malicious links (affecting the search window and activity view window). | |||||
| CVE-2021-25080 | 1 Crmperks | 1 Contact Form Entries | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry | |||||
| CVE-2021-25079 | 1 Crmperks | 1 Contact Form Entries | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page | |||||
| CVE-2021-45224 | 1 Coins-global | 1 Construction Cloud | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in COINS Construction Cloud 11.12. In several locations throughout the application, JavaScript code is passed as a URL parameter. Attackers can trivially alter this code to cause malicious behaviour. The application is therefore vulnerable to reflected XSS via malicious URLs. | |||||
| CVE-2021-25078 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests. | |||||
| CVE-2021-25049 | 1 Mobile Events Manager Project | 1 Mobile Events Manager | 2022-01-28 | 3.5 LOW | 4.8 MEDIUM |
| The Mobile Events Manager WordPress plugin before 1.4.4 does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-25035 | 1 Revmakx | 1 Backup And Staging By Wp Time Capsule | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-25031 | 1 Oxilab | 1 Image Hover Effects Ultimate | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-41658 | 1 Student Quarterly Grading System Project | 1 Student Quarterly Grading System | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Sourcecodester Student Quarterly Grading System by oretnom23, allows attackers to execute arbitrary code via the fullname and username parameters to the users page. | |||||
| CVE-2021-25015 | 1 Mycred | 1 Mycred | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-40909 | 1 Php Crud Without Refresh\/reload Using Ajax And Datatables Tutorial Project | 1 Php Crud Without Refresh\/reload Using Ajax And Datatables Tutorial | 2022-01-28 | 6.8 MEDIUM | 9.6 CRITICAL |
| Cross site scripting (XSS) vulnerability in sourcecodester PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial v1 by oretnom23, allows remote attackers to execute arbitrary code via the first_name, last_name, and email parameters to /ajax_crud. | |||||
| CVE-2021-33848 | 1 Fresenius-kabi | 8 Agilia Connect, Agilia Connect Firmware, Agilia Partner Maintenance Software and 5 more | 2022-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 is vulnerable to reflected cross-site scripting attacks. An attacker could inject JavaScript in a GET parameter of HTTP requests and perform unauthorized actions such as stealing internal information and performing actions in context of an authenticated user. | |||||
| CVE-2021-24976 | 1 Wbolt | 1 Smart Seo Tool | 2022-01-28 | 2.6 LOW | 6.1 MEDIUM |
| The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24974 | 1 Adtribes | 1 Product Feed Pro For Woocommerce | 2022-01-28 | 3.5 LOW | 5.4 MEDIUM |
| The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping. | |||||
| CVE-2021-24923 | 1 Sendinblue | 1 Newsletter\, Smtp\, Email Marketing And Subscribe | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-25017 | 1 Themeum | 1 Tutor Lms | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-25083 | 1 Roundupwp | 1 Registrations For The Events Calendar | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24985 | 1 Yikesinc | 1 Easy Forms For Mailchimp | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2022-23127 | 2 Iconics, Mitsubishielectric | 2 Mobilehmi, Mc Works64 | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL. | |||||
| CVE-2021-25062 | 1 Villatheme | 1 Orders Tracking For Woocommerce | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-25008 | 1 Codesnippets | 1 Code Snippets | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24694 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2022-01-27 | 3.5 LOW | 5.4 MEDIUM |
| The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode. | |||||
| CVE-2021-24423 | 1 Updraftplus | 1 Updraftplus | 2022-01-27 | 3.5 LOW | 4.8 MEDIUM |
| The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-45380 | 1 Appcms | 1 Appcms | 2022-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| AppCMS 2.0.101 has a XSS injection vulnerability in \templates\m\inc_head.php | |||||
| CVE-2021-4103 | 1 B3log | 1 Vditor | 2022-01-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 1.0.34. | |||||
| CVE-2021-4172 | 1 Showdoc | 1 Showdoc | 2022-01-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2. | |||||
| CVE-2021-33966 | 1 Spotweb Project | 1 Spotweb | 2022-01-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross site scripting (XSS) vulnerability in spotweb 1.4.9, allows authenticated attackers to execute arbitrary code via crafted GET request to the login page. | |||||
| CVE-2022-0285 | 1 Pimcore | 1 Pimcore | 2022-01-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.9. | |||||
| CVE-2022-22769 | 1 Tibco | 3 Ebx, Ebx Add-ons, Product And Service Catalog Powered By Tibco Ebx | 2022-01-26 | 6.0 MEDIUM | 9.0 CRITICAL |
| The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, TIBCO EBX Add-ons, TIBCO EBX Add-ons, TIBCO EBX Add-ons, and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.124 and below, TIBCO EBX: versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.13, 5.9.14, and 5.9.15, TIBCO EBX: versions 6.0.0, 6.0.1, 6.0.2, and 6.0.3, TIBCO EBX Add-ons: versions 3.20.18 and below, TIBCO EBX Add-ons: versions 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, and 4.5.6, TIBCO EBX Add-ons: versions 5.0.0, 5.0.1, 5.1.0, 5.1.1, and 5.2.0, and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 1.1.0 and below. | |||||
| CVE-2022-23083 | 1 Broadcom | 2 Netmaster File Transfer Management, Netmaster Network Management For Tcp\/ip | 2022-01-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| NetMaster 12.2 Network Management for TCP/IP and NetMaster File Transfer Management contain a XSS (Cross-Site Scripting) vulnerability in ReportCenter UI due to insufficient input validation that could potentially allow an attacker to execute code on the affected machine. | |||||
| CVE-2022-0278 | 1 Microweber | 1 Microweber | 2022-01-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2021-26247 | 1 Cacti | 1 Cacti | 2022-01-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter. | |||||
| CVE-2022-0210 | 1 Buffercode | 1 Random Banner | 2022-01-25 | 3.5 LOW | 4.8 MEDIUM |
| The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39946 | 1 Gitlab | 1 Gitlab | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis | |||||
| CVE-2021-3816 | 1 Cacti | 1 Cacti | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php. | |||||
| CVE-2021-44091 | 1 Multi Restaurant Table Reservation System Project | 1 Multi Restaurant Table Reservation System | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in Courcecodester Multi Restaurant Table Reservation System 1.0 in register.php via the (1) fullname, (2) phone, and (3) address parameters. | |||||
| CVE-2021-46030 | 1 Javaquarkbbs Project | 1 Javaquarkbbs | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| There is a Cross Site Scripting attack (XSS) vulnerability in JavaQuarkBBS <= v2. By entering specific statements into the background tag management module, the attack statement will be stored in the database, and the next victim will be attacked when he accesses the tag module. | |||||
| CVE-2022-23045 | 1 Phpipam | 1 Phpipam | 2022-01-25 | 3.5 LOW | 4.8 MEDIUM |
| PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS. | |||||