Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44299 | 1 Naviwebs | 1 Navigate Cms | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2022-0243 | 1 Orchardcore | 1 Orchardcore | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2. | |||||
| CVE-2022-0274 | 1 Orchardcore | 1 Orchardcore | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2. | |||||
| CVE-2021-46025 | 1 Oneblog Project | 1 Oneblog | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in OneBlog <= 2.2.8 via the add function in the operation tab list in the background. | |||||
| CVE-2021-46026 | 1 Mysiteforme | 1 Mysiteforme | 2022-01-25 | 3.5 LOW | 5.4 MEDIUM |
| mysiteforme, as of 19-12-2022, is vulnerable to Cross Site Scripting (XSS) via the add blog tag function in the blog tag in the background blog management. | |||||
| CVE-2021-4143 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-01-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0. | |||||
| CVE-2022-21690 | 1 Onionshare | 1 Onionshare | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions, the path parameter of the requested URL is not sanitized before being passed to the QT frontend. This path is used in all components for displaying the server access history. This leads to a rendered HTML4 Subset (QT RichText editor) in the Onionshare frontend. | |||||
| CVE-2021-4074 | 1 I-plugins | 1 Whmcs Bridge | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1. Due to missing authorization checks on the cc_whmcs_bridge_add_admin function, low-level authenticated users such as subscribers can exploit this vulnerability. | |||||
| CVE-2022-0181 | 1 Expresstech | 1 Quiz And Survey Master | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-0182 | 1 Expresstech | 1 Quiz And Survey Master | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote authenticated attacker to inject an arbitrary script via a website that uses Quiz And Survey Master. | |||||
| CVE-2022-0256 | 1 Pimcore | 1 Pimcore | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2022-0253 | 1 Livehelperchat | 1 Livehelperchat | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-3853 | 1 Chaskiq | 1 Chaskiq | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2022-0257 | 1 Pimcore | 1 Pimcore | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-42357 | 1 Apache | 1 Knox | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign. | |||||
| CVE-2021-44217 | 1 Ericsson | 1 Codechecker | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API. | |||||
| CVE-2022-0260 | 1 Pimcore | 1 Pimcore | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7. | |||||
| CVE-2022-0262 | 1 Pimcore | 1 Pimcore | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.7. | |||||
| CVE-2022-0232 | 1 Metagauss | 1 Leadmagic | 2022-01-24 | 3.5 LOW | 4.8 MEDIUM |
| The User Registration, Login & Landing Pages WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the loader_text parameter found in the ~/includes/templates/landing-page.php file which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.2.7. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2022-0233 | 1 Metagauss | 1 Profilegrid | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The ProfileGrid – User Profiles, Memberships, Groups and Communities WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the pm_user_avatar and pm_cover_image parameters found in the ~/admin/class-profile-magic-admin.php file which allows attackers with authenticated user access, such as subscribers, to inject arbitrary web scripts into their profile, in versions up to and including 1.2.7. | |||||
| CVE-2018-6511 | 1 Puppet | 1 Puppet Enterprise | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. | |||||
| CVE-2015-6502 | 1 Puppet | 1 Puppet Enterprise | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the console in Puppet Enterprise before 2015.2.1 allows remote attackers to inject arbitrary web script or HTML via the string parameter, related to Login Redirect. | |||||
| CVE-2018-6510 | 1 Puppet | 1 Puppet Enterprise | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Enterprise: 2017.3.x versions prior to 2017.3.6. | |||||
| CVE-2021-3857 | 1 Chaskiq | 1 Chaskiq | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-25024 | 1 Theeventscalendar | 1 Eventcalendar | 2022-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. | |||||
| CVE-2021-25005 | 1 Seur Oficial Project | 1 Seur Oficial | 2022-01-24 | 3.5 LOW | 4.8 MEDIUM |
| The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-25061 | 1 Wpbookingsystem | 1 Wp Booking System | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page. | |||||
| CVE-2021-25046 | 1 Webnus | 1 Modern Events Calendar Lite | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The Modern Events Calendar Lite WordPress plugin before 6.2.0 allowed any logged-in user, even a subscriber user, to add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS. | |||||
| CVE-2021-3862 | 1 Icecoder | 1 Icecoder | 2022-01-24 | 3.5 LOW | 4.8 MEDIUM |
| icecoder is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-25065 | 1 Smashballoon | 1 Smash Balloon Social Post Feed | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in custom-facebook-feed in cff-top admin page. | |||||
| CVE-2021-25067 | 1 Pluginops | 1 Landing Page | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page. | |||||
| CVE-2021-46005 | 1 Car Rental Management System Project | 1 Car Rental Management System | 2022-01-24 | 3.5 LOW | 5.4 MEDIUM |
| Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter. | |||||
| CVE-2021-33040 | 1 Futurepress | 1 Epub.js | 2022-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS. | |||||
| CVE-2021-4170 | 1 Calibre-web Project | 1 Calibre-web | 2022-01-22 | 3.5 LOW | 5.4 MEDIUM |
| calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-40813 | 1 Element-it | 1 Http Commander | 2022-01-22 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the "Zip content" feature in Element-IT HTTP Commander 3.1.9 allows remote authenticated users to inject arbitrary web script or HTML via filenames. | |||||
| CVE-2020-28919 | 1 Tribe29 | 1 Checkmk | 2022-01-21 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in Checkmk 1.6.0x prior to 1.6.0p19 allows an authenticated remote attacker to inject arbitrary JavaScript via a javascript: URL in a view title. | |||||
| CVE-2020-8436 | 1 Metagauss | 1 Registrationmagic | 2022-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPress via the rm_form_id, rm_tr, or form_name parameter. | |||||
| CVE-2022-22529 | 1 Sap | 1 Enterprise Threat Detection | 2022-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Enterprise Threat Detection (ETD) - version 2.0, does not sufficiently encode user-controlled inputs, which may allow an unauthorized attacker to exploit an XSS vulnerability. The UIs in ETD are using SAP UI5 standard controls; the UI5 framework provides automated output encoding for its standard controls. This output encoding prevents stored malicious user input from being executed when it is reflected in the UI. | |||||
| CVE-2021-36920 | 1 Wpchill | 1 Download Monitor | 2022-01-21 | 3.5 LOW | 5.4 MEDIUM |
| Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress plugin Download Monitor (versions <= 4.4.6). | |||||
| CVE-2021-38127 | 1 Microfocus | 1 Arcsight Enterprise Security Manager | 2022-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS). | |||||
| CVE-2021-38126 | 1 Microfocus | 1 Arcsight Enterprise Security Manager | 2022-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS). | |||||
| CVE-2021-45088 | 2 Debian, Gnome | 2 Debian Linux, Epiphany | 2022-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page. | |||||
| CVE-2021-45085 | 2 Debian, Gnome | 2 Debian Linux, Epiphany | 2022-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list. | |||||
| CVE-2021-45087 | 2 Debian, Gnome | 2 Debian Linux, Epiphany | 2022-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used, as demonstrated by a page title. | |||||
| CVE-2021-45086 | 2 Debian, Gnome | 2 Debian Linux, Epiphany | 2022-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js. | |||||
| CVE-2021-25955 | 1 Dolibarr | 1 Dolibarr | 2022-01-21 | 3.5 LOW | 9.0 CRITICAL |
| In "Dolibarr ERP CRM", WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the "Private Note" field at the "/adherents/note.php?id=1" endpoint. These scripts are executed in a victim's browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin, and due to another vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes, which could lead to privilege escalation. | |||||
| CVE-2020-13169 | 1 Solarwinds | 1 Orion Platform | 2022-01-21 | 3.5 LOW | 9.0 CRITICAL |
| Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before 2020.2.1 on multiple forms and pages. This vulnerability may lead to Information Disclosure and Escalation of Privileges (takeover of administrator account). | |||||
| CVE-2022-22114 | 1 Sismics | 1 Teedy | 2022-01-21 | 4.3 MEDIUM | 9.6 CRITICAL |
| In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The "search term" search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are executed in a victim's browser when they enter the crafted URL. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, by an unauthenticated attacker. | |||||
| CVE-2022-22115 | 1 Sismics | 1 Teedy | 2022-01-21 | 3.5 LOW | 9.0 CRITICAL |
| In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag. Since the Tag name is not being sanitized properly in the edit tag page, a low privileged attacker can store malicious scripts in the name of the Tag. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, and privilege escalation. | |||||
| CVE-2021-42551 | 1 Alcoda | 1 Netbiblio | 2022-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in the search functionality of AlCoda NetBiblio WebOPAC allows an unauthenticated user to craft a reflected Cross-Site Scripting attack. This issue affects: AlCoda NetBiblio WebOPAC versions prior to 4.0.0.320; versions later than 4.0.0.328. This issue does not affect: AlCoda NetBiblio WebOPAC version 4.0.0.335 and later versions. | |||||
