Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-27913 | 1 Joomla | 1 Joomla! | 2022-10-27 | N/A | 6.1 MEDIUM | An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.
CVE-2020-15339 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 6.1 MEDIUM | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows XSS via live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name=.
CVE-2022-29046 | 2 Apple, Jenkins | 2 Macos, Subversion | 2022-10-27 | 3.5 LOW | 5.4 MEDIUM | Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-34911 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2022-10-27 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when the page title is set to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().
CVE-2022-38195 | 1 Esri | 1 Arcgis Server | 2022-10-27 | N/A | 6.1 MEDIUM | There is a reflected cross-site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote, unauthorized attacker who can convince a user to click on a crafted link to execute arbitrary JavaScript code in the victim's browser.
CVE-2022-36783 | 1 Algosec | 1 Fireflow | 2022-10-27 | N/A | 5.4 MEDIUM | AlgoSec FireFlow reflected cross-site scripting (RXSS): a malicious user injects JavaScript code into a parameter called IntersectudRule on the search/result.html page, changes the request from POST to GET and sends the URL to another user (the victim); the JavaScript code is executed in the victim's browser.
CVE-2022-1269 | 1 Fastflow | 1 Fastflow | 2022-10-27 | 4.3 MEDIUM | 6.1 MEDIUM | The Fast Flow WordPress plugin before 1.2.12 does not sanitise and escape the page parameter before outputting it back in an attribute in an admin dashboard, leading to a reflected cross-site scripting issue.
CVE-2022-22534 | 1 Sap | 1 Netweaver | 2022-10-26 | 4.3 MEDIUM | 6.1 MEDIUM | Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data such as user ID and password. These endpoints are normally exposed over the network, and successful exploitation can partially impact the confidentiality of the application.
CVE-2022-34305 | 1 Apache | 1 Tomcat | 2022-10-26 | 4.3 MEDIUM | 6.1 MEDIUM | In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81, the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.
CVE-2022-34007 | 1 Eqs | 1 Integrity Line | 2022-10-26 | 4.3 MEDIUM | 6.1 MEDIUM | EQS Integrity Line Professional through 2022-07-01 allows a stored XSS via a crafted whistleblower entry.
CVE-2022-1327 | 1 Rich-web | 1 Image Gallery | 2022-10-26 | 3.5 LOW | 4.8 MEDIUM | The Image Gallery WordPress plugin before 1.1.6 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform cross-site scripting attacks even when unfiltered_html is disallowed.
CVE-2022-36266 | 1 Airspan | 2 Airspot 5410, Airspot 5410 Firmware | 2022-10-26 | N/A | 6.1 MEDIUM | In Airspan AirSpot 5410 version 0.3.4.1-4 and earlier there is a stored XSS vulnerability. Because the binary /home/www/cgi-bin/login.cgi does not check whether the user is authenticated, a malicious actor can craft a request to the login.cgi endpoint containing a base32-encoded XSS payload, which is accepted and stored. A successful attack results in the injection of malicious scripts into the user settings page.
CVE-2022-37063 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2022-10-26 | N/A | 5.4 MEDIUM | All FLIR AX8 thermal sensor cameras up to and including version 1.46.16 are vulnerable to cross-site scripting (XSS) due to improper input sanitization. An authenticated remote attacker can insert and execute arbitrary JavaScript code in the web management interface.
CVE-2022-2152 | 1 Duplicate Page And Post Project | 1 Duplicate Page And Post | 2022-10-26 | N/A | 4.8 MEDIUM | The Duplicate Page and Post WordPress plugin before 2.8 does not sanitise and escape its settings, allowing high-privilege users such as admin to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-34870 | 1 Apache | 1 Geode | 2022-10-25 | N/A | 5.4 MEDIUM | Apache Geode versions up to 1.15.0 are vulnerable to cross-site scripting (XSS) via data injection when the Pulse web application is used to view Region entries.
CVE-2022-24654 | 1 Intelbras | 2 Ata 200, Ata 200 Firmware | 2022-10-25 | N/A | 5.4 MEDIUM | Authenticated stored cross-site scripting (XSS) vulnerability in the "Field Server Address" field in INTELBRAS ATA 200 Firmware 74.19.10.21 allows attackers to inject JavaScript code through a crafted payload.
CVE-2022-1757 | 1 Pagebar Project | 1 Pagebar | 2022-10-25 | 3.5 LOW | 5.4 MEDIUM | The pagebar WordPress plugin before 2.70 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to stored XSS issues.
CVE-2022-34140 | 1 Feehi | 1 Feehi Cms | 2022-10-25 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
CVE-2022-0598 | 1 Login With Phone Number Project | 1 Login With Phone Number | 2022-10-25 | N/A | 4.8 MEDIUM | The Login with phone number WordPress plugin before 1.3.8 does not sanitise and escape plugin settings, which could allow high-privilege users to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-3392 | 1 Wp Humans.txt Project | 1 Wp Humans.txt | 2022-10-25 | N/A | 4.8 MEDIUM | The WP Humans.txt WordPress plugin through 1.0.6 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
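The entries above repeat a small number of mechanisms: a request parameter or stored field echoed into the page body or into an HTML attribute without escaping (CVE-2022-1269, CVE-2022-34305, CVE-2022-34140), a reflected parameter delivered to the victim as a GET link (CVE-2022-36783), and a payload accepted because the check runs on an encoded form and the decoded value is stored raw (CVE-2022-36266). The Python below is an added example written for this page, not code from any of the listed vendors or plugins. It shows a vulnerable renderer beside a hardened one, the canary check a tester runs against a captured response to see which metacharacters survive unencoded, and the decode-then-validate fix. The payloads, the `zq7x` marker and the `page`/`username` fields are constructed for the example.

```python
"""Added example for the XSS entries above; not code from any listed product.
All inputs are constructed inline; nothing here touches a network."""
import base64
import html
import re

# ---- 1. Output escaping per context (body echo as in CVE-2022-34305,
#         attribute echo as in CVE-2022-1269)

def render_vulnerable(page: str, username: str) -> str:
    """Echoes a request parameter into an attribute and a stored name into
    the body verbatim: the pattern behind the reflected and stored entries."""
    return (f'<input type="hidden" name="page" value="{page}">\n'
            f'<h1>Welcome {username}</h1>')

def render_hardened(page: str, username: str) -> str:
    """html.escape(quote=True) encodes & < > " and ', so the value can
    neither close the attribute it sits in nor open a tag in the body."""
    return (f'<input type="hidden" name="page" value="{html.escape(page, quote=True)}">\n'
            f'<h1>Welcome {html.escape(username, quote=True)}</h1>')

# ---- 2. Canary check: which HTML metacharacters come back unencoded?

CANARY_TAG = "zq7x"          # hypothetical marker, chosen to be unique in a page
META = '<>"\'&'              # characters that matter in HTML/attribute context
_ENTITY = re.compile(r"&(?:#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);")

def canary() -> str:
    """Value to submit in the parameter under test (for a reflected case,
    the same value placed in a GET URL is the link sent to the victim)."""
    return CANARY_TAG + META + CANARY_TAG

def surviving_metachars(response: str) -> str:
    """Metacharacters reflected raw between the markers, in META order.
    Returns '' if the canary is absent or fully encoded. Encoded entities
    are stripped first so the '&' of '&lt;' is not counted as raw."""
    m = re.search(re.escape(CANARY_TAG) + r"(.*?)" + re.escape(CANARY_TAG), response, re.S)
    if not m:
        return ""
    raw = _ENTITY.sub("", m.group(1))
    return "".join(c for c in META if c in raw)

# ---- 3. Filtering before decoding (the base32 case of CVE-2022-36266)

# Constructed sample: a payload wrapped in base32 as a transport encoding.
SAMPLE_B32 = base64.b32encode(b"<img src=x onerror=alert(1)>").decode()

def store_vulnerable(encoded_b32: str) -> str:
    """The check runs on the encoded text, whose alphabet (A-Z, 2-7, '=')
    can never contain '<', and the decoded payload is stored as-is."""
    if "<" in encoded_b32:
        raise ValueError("rejected")
    return base64.b32decode(encoded_b32).decode()

def store_hardened(encoded_b32: str) -> str:
    """Decode first, then sanitize the decoded value before it is stored
    or rendered (escaping here; a real settings field would also enforce
    an allow-list and a length limit)."""
    value = base64.b32decode(encoded_b32).decode()
    return html.escape(value, quote=True)

if __name__ == "__main__":
    attr_payload = '" autofocus onfocus="alert(1)'   # attribute break-out
    print(render_vulnerable(attr_payload, "<script>alert(1)</script>"))
    print(render_hardened(attr_payload, "<script>alert(1)</script>"))
    print("vulnerable, raw chars:", surviving_metachars(render_vulnerable(canary(), "x")))
    print("hardened,   raw chars:", repr(surviving_metachars(render_hardened(canary(), "x"))))
    print("stored raw     :", store_vulnerable(SAMPLE_B32))
    print("stored escaped :", store_hardened(SAMPLE_B32))
```

Submit `canary()` in the parameter under test and call `surviving_metachars` on the captured response: each character it returns is one the page does not encode in that context, and `"` or `'` surviving inside an attribute value is exactly the CVE-2022-1269 condition. The third part is the general lesson of the base32 entry: any validation applied to a transport encoding (base32, base64, URL encoding) says nothing about the decoded value, so validate after decoding.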