Total: 21765 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-40408 | 1 Feehi | 1 Feehicms | 2022-10-04 | N/A | 5.4 MEDIUM | FeehiCMS v2.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted payload injected into the Comment box under the Single Page module.
CVE-2022-36965 | 1 Solarwinds | 1 Solarwinds Platform | 2022-10-04 | N/A | 6.1 MEDIUM | Insufficient sanitization of inputs in a QoE application input field could lead to stored and DOM-based XSS attacks. This issue is fixed and released in SolarWinds Platform (2022.3.0).
CVE-2021-36855 | 1 Bookingultrapro | 1 Booking Ultra Pro Appointments Booking Calendar | 2022-10-04 | N/A | 6.1 MEDIUM | Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro plugin <= 1.1.4 at WordPress.
CVE-2021-36839 | 1 Spacexchimp | 1 Social Media Follow Buttons Bar | 2022-10-04 | N/A | 4.8 MEDIUM | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Social Media Follow Buttons Bar plugin <= 4.73 at WordPress.
CVE-2022-40931 | 1 Dutchcoders | 1 Transfer.sh | 2022-10-03 | N/A | 6.1 MEDIUM | dutchcoders Transfer.sh 1.4.0 is vulnerable to Cross Site Scripting (XSS).
CVE-2022-2404 | 1 Themehunk | 1 Wp Popup Builder | 2022-10-03 | N/A | 6.1 MEDIUM | The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
CVE-2021-42045 | 1 Mediawiki | 1 Mediawiki | 2022-10-03 | N/A | 5.4 MEDIUM | An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote.
CVE-2022-36747 | 1 Cobub | 1 Razor | 2022-09-30 | N/A | 6.1 MEDIUM | Razor v0.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the function uploadchannel().
CVE-2022-35298 | 1 Sap | 1 Netweaver Enterprise Portal | 2022-09-30 | N/A | 6.1 MEDIUM | SAP NetWeaver Enterprise Portal (KMC), version 7.50, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting vulnerability. The KMC servlet is vulnerable to XSS attack. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of the victim's web browser session.
CVE-2022-39207 | 1 Onedev Project | 1 Onedev | 2022-09-30 | N/A | 5.4 MEDIUM | Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the webserver in the same context as the UI without any further restrictions. This leads to Cross-Site Scripting (XSS) when a user creates a build artifact that contains HTML. When accessing the artifact, the content is rendered by the browser, including any JavaScript that it contains. Since all cookies (except for the rememberMe one) do not set the HttpOnly flag, an attacker could steal the session of a victim and use it to impersonate them. To exploit this issue, attackers need to be able to modify the content of artifacts, which usually means they need to be able to modify a project's build spec. The exploitation requires the victim to click on an attacker's link. It can be used to elevate privileges by targeting admins of a OneDev instance. In the worst case, this can lead to arbitrary code execution on the server, because admins can create Server Shell Executors and use them to run any command on the server. This issue has been patched in version 7.3.0. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-2941 | 1 Wp-useronline Project | 1 Wp-useronline | 2022-09-30 | N/A | 4.8 MEDIUM | The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including, 2.88.0. This is due to the fact that all fields in the "Naming Conventions" section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2022-3355 | 1 Inventree Project | 1 Inventree | 2022-09-30 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3.
CVE-2020-5346 | 1 Emc | 1 Rsa Authentication Manager | 2022-09-30 | 3.5 LOW | 4.8 MEDIUM | RSA Authentication Manager versions prior to 8.4 P11 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected page, the injected scripts could potentially be executed in their browser.
CVE-2020-5339 | 1 Emc | 1 Rsa Authentication Manager | 2022-09-30 | 3.5 LOW | 4.8 MEDIUM | RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected report page, the injected scripts could potentially be executed in their browser.
CVE-2020-5340 | 1 Emc | 1 Rsa Authentication Manager | 2022-09-30 | 3.5 LOW | 4.8 MEDIUM | RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators attempt to change the default security domain mapping, the injected scripts could potentially be executed in their browser.
CVE-2021-45843 | 1 Glfusion | 1 Glfusion | 2022-09-30 | N/A | 6.1 MEDIUM | glFusion CMS v1.7.9 is affected by a reflected Cross Site Scripting (XSS) vulnerability. The value of the title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. This input was echoed unmodified in the application's response.
CVE-2022-40626 | 2 Fedoraproject, Zabbix | 2 Fedora, Zabbix | 2022-09-30 | N/A | 6.1 MEDIUM | An unauthenticated user can create a link with reflected JavaScript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend.
CVE-2021-36568 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2022-09-30 | N/A | 5.4 MEDIUM | In certain Moodle products, after creating a course, it is possible to add in an arbitrary "Topic" a resource, in this case a "Database" with the type "Text", where its values "Field name" and "Field description" are vulnerable to Stored Cross Site Scripting (XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.
CVE-2022-1719 | 1 Trudesk Project | 1 Trudesk | 2022-09-30 | N/A | 5.4 MEDIUM | Reflected XSS on the ticket filter function in GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability is capable of executing malicious JavaScript code in the web page.
CVE-2022-40912 | 1 Etaplighting | 1 Etap Safety Manager | 2022-09-30 | N/A | 6.1 MEDIUM | ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 is vulnerable to Cross Site Scripting (XSS). Input passed to the GET parameter 'action' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in the context of an affected site.