Total: 21765 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-43321 | 1 Shopwind | 1 Shopwind | 2022-11-10 | N/A | 6.1 MEDIUM | Shopwind v3.4.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the component /common/library/Page.php.
CVE-2019-20436 | 1 Wso2 | 2 Api Manager, Identity Server | 2022-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects.
CVE-2019-20439 | 1 Wso2 | 1 Api Manager | 2022-11-09 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in defining a scope in the "manage the API" page of the API Publisher.
CVE-2019-20437 | 1 Wso2 | 2 Api Manager, Identity Server | 2022-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed if a user picks up that dialect's URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker also needs to have privileges to log in to the management console, and to add and update identity provider configurations.
CVE-2019-20435 | 1 Wso2 | 1 Api Manager | 2022-11-09 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful docName request parameter.
CVE-2019-20434 | 1 Wso2 | 1 Api Manager | 2022-11-09 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console.
CVE-2022-39800 | 1 Sap | 1 Businessobjects Business Intelligence | 2022-11-09 | N/A | 6.1 MEDIUM | SAP BusinessObjects BI LaunchPad, versions 420 and 430, is susceptible to a script execution attack by an unauthenticated attacker due to improper sanitization of user inputs while interacting on the network. On successful exploitation, an attacker can view or modify information, causing a limited impact on the confidentiality and integrity of the application.
CVE-2020-15500 | 1 Tileserver | 1 Tileservergl | 2022-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.
CVE-2022-3002 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2022-11-09 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
CVE-2022-39270 | 1 Discourse | 1 Discotoc | 2022-11-09 | N/A | 5.4 MEDIUM | DiscoTOC is a Discourse theme component that generates a table of contents for topics. Users that can create topics in TOC-enabled categories (and have a sufficient trust level, configured in the component's settings) are able to inject arbitrary HTML on that topic's page. The issue has been fixed on the `main` branch. Admins can update the theme component through the admin UI (Customize -> Themes -> Components -> DiscoTOC -> Check for Updates). Alternatively, admins can temporarily disable the DiscoTOC theme component.
CVE-2021-24822 | 1 Stylishcostcalculator | 1 Stylish Cost Calculator | 2022-11-09 | 3.5 LOW | 5.4 MEDIUM | The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated user, such as a subscriber, to call them and perform Stored Cross-Site Scripting attacks against a logged in admin, as well as frontend users, due to the lack of sanitisation and escaping in some parameters.
CVE-2021-24642 | 1 Scroll Banner Project | 1 Scroll Banner | 2022-11-09 | 4.3 MEDIUM | 6.5 MEDIUM | The Scroll Banner WordPress plugin through 1.0 does not have a CSRF check in place when saving its settings, nor does it perform any sanitisation, escaping or validation on them. This could allow attackers to make a logged in admin change them and could lead to RCE (via a file upload) as well as XSS.
CVE-2021-24615 | 1 Wechat Reward Project | 1 Wechat Reward | 2022-11-09 | 4.3 MEDIUM | 5.4 MEDIUM | The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks.
CVE-2021-24683 | 1 Awplife | 1 Weather Effect | 2022-11-09 | 4.3 MEDIUM | 5.4 MEDIUM | The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and does not validate or escape them, which could lead to a Stored Cross-Site Scripting issue.
CVE-2021-24595 | 1 Wp Cookie Choice Project | 1 Wp Cookie Choice | 2022-11-09 | 4.3 MEDIUM | 6.5 MEDIUM | The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and does not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values, including XSS payloads, via a CSRF attack.
CVE-2021-40369 | 1 Apache | 1 Jspwiki | 2022-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute JavaScript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later.
CVE-2021-24685 | 1 Flat Preloader Project | 1 Flat Preloader | 2022-11-09 | 5.0 MEDIUM | 5.4 MEDIUM | The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, and does not sanitise and escape them, which could allow attackers to make a logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload).
CVE-2021-24570 | 1 Wpplugin | 1 Accept Donations With Paypal | 2022-11-09 | 4.3 MEDIUM | 4.3 MEDIUM | The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button fields is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well.
CVE-2021-24543 | 1 Jquery-reply-to-comment Project | 1 Jquery-reply-to-comment | 2022-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor does it sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue.
CVE-2022-43121 | 1 Intelliants | 1 Subrion Cms | 2022-11-09 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the CMS Field Add page of Intelliants Subrion CMS v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tooltip text field.