Total: 21765 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-3391 | 1 Retain | 1 Retain Live Chat | 2022-10-25 | N/A | 4.8 MEDIUM | The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2022-3350 | 1 Tech-banker | 1 Contact Bank | 2022-10-25 | N/A | 4.8 MEDIUM | The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2022-38198 | 1 Esri | 1 Arcgis Server | 2022-10-25 | N/A | 6.1 MEDIUM | There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim's browser.
CVE-2020-25864 | 1 Hashicorp | 1 Consul | 2022-10-25 | 4.3 MEDIUM | 6.1 MEDIUM | HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
CVE-2022-22546 | 1 Sap | 1 Businessobjects Web Intelligence | 2022-10-25 | 3.5 LOW | 5.4 MEDIUM | Due to improper HTML encoding in input control summary, an authorized attacker can exploit an XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) - version 420.
CVE-2021-39175 | 1 Hedgedoc | 1 Hedgedoc | 2022-10-25 | 4.3 MEDIUM | 6.1 MEDIUM | HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading.
CVE-2019-7671 | 1 Primasystems | 1 Flexair | 2022-10-25 | 3.5 LOW | 9.0 CRITICAL | Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user's browser session in the context of an affected site.
CVE-2022-36368 | 1 Ipfire | 1 Ipfire | 2022-10-25 | N/A | 4.8 MEDIUM | Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allow a remote authenticated attacker with administrative privilege to inject an arbitrary script.
CVE-2021-21313 | 1 Glpi-project | 1 Glpi | 2022-10-24 | 4.3 MEDIUM | 6.1 MEDIUM | GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before version 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint; at least two parameters, _target and id, are not properly sanitized. Here are two payloads (due to two different exploitations depending on which parameter you act on) to exploit the vulnerability: /ajax/common.tabs.php?_target=javascript:alert(document.cookie)&_itemtype=DisplayPreference&_glpi_tab=DisplayPreference$2&id=258&displaytype=Ticket (Payload triggered if you click on the button). /ajax/common.tabs.php?_target=/front/ticket.form.php&_itemtype=Ticket&_glpi_tab=Ticket$1&id=(){};(function%20(){alert(document.cookie);})();function%20a&#.
CVE-2022-40690 | 1 Bookstackapp | 1 Bookstack | 2022-10-24 | N/A | 5.4 MEDIUM | Cross-site scripting vulnerability in BookStack versions prior to v22.09 allows a remote authenticated attacker to inject an arbitrary script.
CVE-2021-30071 | 1 Hestiacp | 1 Control Panel | 2022-10-24 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2022-3139 | 1 Designextreme | 1 We're Open | 2022-10-22 | N/A | 4.8 MEDIUM | The We're Open! WordPress plugin before 1.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2022-43425 | 1 Jenkins | 1 Custom Checkbox Parameter | 2022-10-21 | N/A | 5.4 MEDIUM | Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2021-33231 | 1 Easyvista | 1 Service Manager | 2022-10-21 | N/A | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in the New equipment page in EasyVista Service Manager 2018.1.181.1 allows remote attackers to run arbitrary code via the notes field.
CVE-2021-21333 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2022-10-21 | 2.6 LOW | 6.1 MEDIUM | Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.
CVE-2022-40311 | 1 Fatcatapps | 1 Analytics Cat | 2022-10-21 | N/A | 4.8 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress.
CVE-2022-41638 | 1 Chop-chop | 1 Pop-up Chop Chop | 2022-10-21 | N/A | 5.4 MEDIUM | Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress.
CVE-2022-27494 | 1 Aethon | 1 Tug Home Base Server | 2022-10-21 | N/A | 5.4 MEDIUM | Aethon TUG Home Base Server versions prior to version 24 are affected by an unauthenticated attacker who can freely access hashed user credentials.
CVE-2022-42206 | 1 Hospital Management System Project | 1 Hospital Management System | 2022-10-21 | N/A | 5.4 MEDIUM | PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php.
CVE-2022-1059 | 1 Aethon | 1 Tug Home Base Server | 2022-10-21 | N/A | 6.1 MEDIUM | Aethon TUG Home Base Server versions prior to version 24 are affected by an unauthenticated attacker who can freely access hashed user credentials.