Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25044 | 1 Premium-themes | 1 Cryptocurrency Pricing List And Ticker | 2022-10-11 | N/A | 6.1 MEDIUM |
| The Cryptocurrency Pricing list and Ticker WordPress plugin through 1.5 does not sanitise and escape the ccpw_setpage parameter before outputting it back in pages where its shortcode is embed, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2022-2448 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2022-10-11 | N/A | 4.8 MEDIUM |
| The reSmush.it WordPress plugin before 0.4.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2022-2823 | 1 Metaslider | 1 Slider\, Gallery\, And Carousel | 2022-10-11 | N/A | 4.8 MEDIUM |
| The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.27.9 does not sanitise and escape some of its Gallery Image parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-2629 | 1 Wpdarko | 1 Top Bar | 2022-10-11 | N/A | 4.8 MEDIUM |
| The Top Bar WordPress plugin before 3.0.4 does not sanitise and escape some of its settings before outputting them in frontend pages, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-3442 | 1 Crealogix | 1 Ebics Server | 2022-10-11 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Crealogix EBICS 7.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /ebics-server/ebics.aspx. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-210374 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-3434 | 1 Web-based Student Clearance System Project | 1 Web-based Student Clearance System | 2022-10-11 | N/A | 5.4 MEDIUM |
| A vulnerability was found in SourceCodester Web-Based Student Clearance System. It has been rated as problematic. Affected by this issue is the function prepare of the file /Admin/add-student.php. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-210356. | |||||
| CVE-2022-41442 | 1 Picuploader Project | 1 Picuploader | 2022-10-11 | N/A | 6.1 MEDIUM |
| PicUploader v2.6.3 was discovered to contain cross-site scripting (XSS) vulnerability via the setStorageParams function in SettingController.php. | |||||
| CVE-2020-25834 | 1 Microfocus | 1 Arcsight Logger | 2022-10-11 | 3.5 LOW | 5.4 MEDIUM |
| Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting version 7.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS). | |||||
| CVE-2022-39279 | 1 Discourse | 1 Discourse-chat | 2022-10-11 | N/A | 5.4 MEDIUM |
| discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9 some places render a chat channel's name and description in an unsafe way, allowing staff members to cause an cross site scripting (XSS) attack by inserting unsafe HTML into them. Version 0.9 has addressed this issue. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-39285 | 1 Zoneminder | 1 Zoneminder | 2022-10-11 | N/A | 5.4 MEDIUM |
| ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging. | |||||
| CVE-2020-24445 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-10-07 | 3.5 LOW | 9.0 CRITICAL |
| AEM's Cloud Service offering, as well as version 6.5.6.0 (and below), are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2020-7017 | 2 Elasticsearch, Oracle | 4 Kibana, Communications Billing And Revenue Management, Communications Cloud Native Core Network Function Cloud Native Environment and 1 more | 2022-10-07 | 4.6 MEDIUM | 6.7 MEDIUM |
| In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization. | |||||
| CVE-2022-24851 | 2 Debian, Ldap-account-manager | 2 Debian Linux, Ldap Account Manager | 2022-10-07 | 3.5 LOW | 4.8 MEDIUM |
| LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitized and an user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like burpsuite. Later when a pdf is exported using the edited profile the pdf icon has the image on that path(if image is present). Both issues require an attacker to be able to login to LAM admin interface. The issue is fixed in version 7.9.1. | |||||
| CVE-2019-9593 | 1 Mitel | 1 Connect Onsite | 2022-10-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 18.82.2000.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter. | |||||
| CVE-2022-25373 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2022-10-07 | 3.5 LOW | 5.4 MEDIUM |
| Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. | |||||
| CVE-2020-2152 | 1 Jenkins | 1 Subversion Release Manager | 2022-10-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation, resulting in a reflected cross-site scripting vulnerability. | |||||
| CVE-2022-30578 | 1 Tibco | 1 Ebx Add-ons | 2022-10-07 | N/A | 9.0 CRITICAL |
| The Web Server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 5.4.1 and below. | |||||
| CVE-2019-9592 | 1 Mitel | 1 Connect Onsite | 2022-10-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 19.45.1602.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter. | |||||
| CVE-2019-9591 | 1 Mitel | 1 Connect Onsite | 2022-10-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE before 19.49.1500.0 allows remote attackers to inject arbitrary web script or HTML via the brandUrl parameter. | |||||
| CVE-2021-31583 | 1 Sipwise | 1 Next Generation Communication Platform | 2022-10-06 | 3.5 LOW | 5.4 MEDIUM |
| Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang). | |||||