Total: 21765 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-0890 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 3.5 LOW | 5.4 MEDIUM |
Nextcloud Server before 11.0.3 is vulnerable to inadequate escaping leading to an XSS vulnerability in the search module. To be exploitable, a user has to write or paste malicious content into the search dialogue. | |||||
CVE-2022-39239 | 1 Nuxtjs | 1 Netlify-ipx | 2022-09-27 | N/A | 5.4 MEDIUM |
netlify-ipx is an on-Demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this image will then be served to visitors without requiring those headers to be set. XSS can be achieved by requesting a malicious SVG with embedded scripts, which would then be served from the site domain. Note that this does not apply to images loaded in `<img>` tags, as scripts do not execute in this context. The image URL can be set in the header independently of the request URL, meaning any site images that have not previously been cached can have their cache poisoned. This problem has been fixed in version 1.2.3. As a workaround, cached content can be cleared by re-deploying the site. | |||||
CVE-2022-40359 | 1 Kfm Project | 1 Kfm | 2022-09-27 | N/A | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in kfm through 1.4.7 via a crafted GET request to /kfm/index.php. | |||||
CVE-2022-35721 | 3 Ibm, Linux, Microsoft | 4 Aix, Jazz For Service Management, Linux Kernel and 1 more | 2022-09-27 | N/A | 5.4 MEDIUM |
IBM Jazz for Service Management 1.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 231380. | |||||
CVE-2022-37342 | 1 Add Shortcodes Actions And Filters Project | 1 Add Shortcodes Actions And Filters | 2022-09-27 | N/A | 4.8 MEDIUM |
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in the Add Shortcodes Actions And Filters plugin <= 2.0.9 at WordPress. | |||||
CVE-2022-3070 | 1 Zealousweb | 1 Generate Pdf Using Contact Form 7 | 2022-09-26 | N/A | 4.8 MEDIUM |
The Generate PDF WordPress plugin before 3.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
CVE-2022-3135 | 1 Seo Smart Links Project | 1 Seo Smart Links | 2022-09-26 | N/A | 4.8 MEDIUM |
The SEO Smart Links WordPress plugin through 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
CVE-2022-3062 | 1 Simplefilelist | 1 Simple-file-list | 2022-09-26 | N/A | 6.1 MEDIUM |
The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting. | |||||
CVE-2022-3074 | 1 Quantumcloud | 1 Slider Hero | 2022-09-26 | N/A | 4.8 MEDIUM |
The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. | |||||
CVE-2022-3069 | 1 Wordlift | 1 Wordlift | 2022-09-26 | N/A | 4.8 MEDIUM |
The WordLift WordPress plugin before 3.37.2 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
CVE-2022-40358 | 1 Ajaxplorer | 1 Ajaxplorer | 2022-09-26 | N/A | 5.4 MEDIUM |
An issue was discovered in AjaXplorer 4.2.3 that allows attackers to perform cross-site scripting via a crafted SVG file upload. | |||||
CVE-2022-40748 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2022-09-26 | N/A | 5.4 MEDIUM |
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 236586. | |||||
CVE-2022-38438 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-09-26 | N/A | 5.4 MEDIUM |
Adobe Experience Manager versions 6.5.13.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM. | |||||
CVE-2022-38439 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-09-26 | N/A | 5.4 MEDIUM |
Adobe Experience Manager versions 6.5.13.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM. | |||||
CVE-2022-35251 | 1 Rocket.chat | 1 Rocket.chat | 2022-09-26 | N/A | 5.4 MEDIUM |
A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window. An adversary is able to manipulate not only the style of the window but can also block functionality and hijack the content shown to targeted users. Since the payloads are stored in messages, this is a persistent attack vector that triggers as soon as the message is viewed. | |||||
CVE-2022-38460 | 1 Notice Board Project | 1 Notice Board | 2022-09-26 | N/A | 5.4 MEDIUM |
Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in NOTICE BOARD plugin <= 1.1 at WordPress. | |||||
CVE-2022-39240 | 1 Mygraph Project | 1 Mygraph | 2022-09-26 | N/A | 5.4 MEDIUM |
MyGraph is a permission management system. Versions prior to 1.0.4 are vulnerable to a stored XSS vulnerability leading to Remote Code Execution. This issue is patched in version 1.0.4. There is no known workaround. | |||||
CVE-2022-2937 | 1 Oxilab | 1 Image Hover Effects Ultimate | 2022-09-26 | N/A | 5.4 MEDIUM |
The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users. | |||||
CVE-2022-40672 | 1 Wpchill | 1 Cpo Shortcodes | 2022-09-26 | N/A | 4.8 MEDIUM |
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CPO Shortcodes plugin <= 1.5.0 at WordPress. | |||||
CVE-2022-37339 | 1 Fullworksplugins | 1 Meet My Team | 2022-09-26 | N/A | 5.4 MEDIUM |
Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Meet My Team plugin <= 2.0.5 at WordPress. |
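The netlify-ipx entry (CVE-2022-39239) describes three ingredients that together turn an allowlist bypass into a site-wide cache poisoning: the source image URL is taken from a request header, the allowlist check is bypassable, and the response is cached under the request path so later visitors get the poisoned body without sending any header. The following is an added example, not netlify-ipx's own code, that reproduces that shape in a minimal in-memory proxy and puts a hardened variant beside it. The header name x-image-src, the hostnames, the substring-style weak check, and the upstream bodies are constructed for the illustration; the "fetch" is a table lookup so the example runs offline.

```javascript
// Added example, not netlify-ipx's own code: a minimal image proxy written
// the vulnerable way (source URL taken from a request header, allowlist
// checked by substring, response cached under the request path) next to a
// hardened variant. Hostnames, the header name x-image-src and the upstream
// bodies are constructed for the example; the "fetch" is a table lookup.

const ALLOWED_HOSTS = new Set(['images.example.com']);

// Stand-in for the upstream fetch, keyed by origin+path so that a query
// string appended by the attacker is ignored, as a real origin server would.
const UPSTREAM = new Map([
  ['https://images.example.com/logo.png', { type: 'image/png', body: 'PNG bytes' }],
  ['https://evil.example.net/x.svg', {
    type: 'image/svg+xml',
    body: '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>',
  }],
]);

function fetchUpstream(src) {
  const u = new URL(src);
  const hit = UPSTREAM.get(u.origin + u.pathname);
  if (!hit) throw new Error('upstream 404: ' + src);
  return hit;
}

// Crafted source: the allowed hostname appears in the string, but not as the host.
const CRAFTED_SRC = 'https://evil.example.net/x.svg?u=images.example.com';

// Weak check (constructed): substring match on the raw string; CRAFTED_SRC passes.
function weakIsAllowed(src) {
  for (const host of ALLOWED_HOSTS) if (src.includes(host)) return true;
  return false;
}

// Hardened check: parse the URL, require https, compare the hostname exactly.
function strictIsAllowed(src) {
  let u;
  try { u = new URL(src); } catch { return false; }
  return u.protocol === 'https:' && ALLOWED_HOSTS.has(u.hostname);
}

// Build a handler. Requests are plain objects: { path, query, headers }.
//   sourceFromHeader: whether x-image-src may override the query parameter
//   keyBySource:      whether the cache key includes the resolved source URL
function makeHandler({ allow, sourceFromHeader, keyBySource }) {
  const cache = new Map();
  return function handle(req) {
    const src = (sourceFromHeader && req.headers['x-image-src']) || req.query.src;
    const key = keyBySource ? `${req.path}|${src}` : req.path;
    if (cache.has(key)) return { ...cache.get(key), cached: true };
    if (!src || !allow(src)) return { status: 403, cached: false };
    const up = fetchUpstream(src);
    const res = { status: 200, type: up.type, body: up.body, headers: {} };
    if (up.type === 'image/svg+xml') {
      // An SVG does not run script inside <img>, but it does when the browser
      // navigates to it directly, so never serve it as an inline document.
      res.headers['content-disposition'] = 'attachment';
      res.headers['content-security-policy'] = "default-src 'none'";
    }
    cache.set(key, res);
    return { ...res, cached: false };
  };
}

// Walk through both handlers and return what each request would receive.
function demo() {
  const logo = { path: '/logo.png', query: { src: 'https://images.example.com/logo.png' } };
  const vulnerable = makeHandler({ allow: weakIsAllowed, sourceFromHeader: true, keyBySource: false });
  // 1. Attacker requests the site's own image path with the crafted header.
  const poison = vulnerable({ ...logo, headers: { 'x-image-src': CRAFTED_SRC } });
  // 2. An ordinary visitor with no header now receives the cached SVG.
  const victim = vulnerable({ ...logo, headers: {} });

  const hardened = makeHandler({ allow: strictIsAllowed, sourceFromHeader: false, keyBySource: true });
  const ignoredHeader = hardened({ ...logo, headers: { 'x-image-src': CRAFTED_SRC } });
  const directAttempt = hardened({ path: '/x.svg', query: { src: CRAFTED_SRC }, headers: {} });
  return { poison, victim, ignoredHeader, directAttempt };
}
```

In `demo()` the vulnerable handler returns the attacker's SVG for `/logo.png` on the first request and then, from cache, for the headerless visitor; the hardened handler ignores the header, keys the cache by the resolved source so one entry cannot shadow another path, and rejects the crafted URL outright. Note that a fix like this does not evict entries that were poisoned before it shipped, which is why the advisory's workaround is to clear the cache by redeploying.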
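Several WordPress entries above (Simple File List, CVE-2022-3062; Slider Hero, CVE-2022-3074; and the settings-based ones such as CVE-2022-3070, CVE-2022-3135 and CVE-2022-3069) come down to one defect: a user-controlled string is written into an attribute or into element text without output escaping. The following is an added example, not code from any of those plugins, that renders the same value both ways and shows what an attribute breakout looks like in the resulting markup. The markup, the payloads and the helper names are constructed for the illustration.

```javascript
// Added example, not code from any plugin listed on this page: the same
// user-controlled string (a stored slider name, or a reflected query
// parameter) rendered into an attribute and into element text, first by
// plain concatenation and then with output escaping. Markup and payloads
// are constructed for the example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure. This is enough
// for element text and for quoted attribute values; it is not enough for
// unquoted attributes, URL attributes, or script/style contexts, which need
// their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: concatenates the raw value into both contexts.
function renderUnescaped(name) {
  return `<div class="slide" data-name="${name}"><h2>${name}</h2></div>`;
}

// Fixed: escapes at the point of output, once per context.
function renderEscaped(name) {
  const safe = escapeHtml(name);
  return `<div class="slide" data-name="${safe}"><h2>${safe}</h2></div>`;
}

// Constructed payloads: one closes the quoted attribute and adds an event
// handler, the other injects a script element into the text context.
const ATTR_PAYLOAD = '" onmouseover="alert(document.domain)';
const TEXT_PAYLOAD = '<script>alert(document.domain)</script>';

// Check used below: the attribute names carried by the first tag in the
// output. An attribute breakout shows up as an extra name.
function attributeNames(html) {
  const tag = html.match(/^<[a-z][a-z0-9]*\s+([^>]*)>/i);
  if (!tag) return [];
  const names = [];
  const attr = /([a-z][a-z0-9-]*)\s*=\s*"[^"]*"/gi;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Check used below: does a literal <script ...> element appear in the output?
function hasScriptElement(html) {
  return /<script[\s>]/i.test(html);
}
```

With the attribute payload, `attributeNames(renderUnescaped(ATTR_PAYLOAD))` yields `class`, `data-name` and `onmouseover`, while the escaped rendering keeps only the first two because the quote becomes `&quot;` and stays inside the value. In a WordPress plugin the same two steps are `sanitize_text_field()` when the option is saved and `esc_attr()` / `esc_html()` when it is printed; the `unfiltered_html` capability only controls whether a user's post content is run through the kses filter, so it does nothing for values a plugin stores through its own settings code, which is why the advisories above single out the "even when unfiltered_html is disallowed" case.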
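The Rocket.Chat entry (CVE-2022-35251) is a reminder that a stored message does not need to run script to do damage: CSS that reaches the page can hide controls and overlay attacker-chosen text on every viewer's window. The following is an added example, not Rocket.Chat's own code, contrasting a renderer that trusts message HTML with one that escapes first and only then applies a tiny markup subset, so that no `<style>` element or `style` attribute can reach the output. The message body, the CSS selectors and the markup subset are constructed for the illustration.

```javascript
// Added example, not Rocket.Chat's own code: two chat message renderers.
// The first passes stored message HTML through, so one message can carry a
// <style> block that restyles, hides or overlays the chat window for every
// viewer. The second escapes the message and only then applies a two-token
// markup subset, so the only tags in the output are the ones it emits itself.
// Message text, selectors and the markup subset are constructed for the example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: trusts the stored message body as HTML.
function renderRaw(message) {
  return `<div class="message">${message}</div>`;
}

// Hardened: escape first, then turn *text* and _text_ into <strong>/<em>.
// Because the conversion runs on already-escaped text, user input can never
// open a tag or an attribute of its own.
function renderSafe(message) {
  const marked = escapeHtml(message)
    .replace(/\*([^*\n]+)\*/g, '<strong>$1</strong>')
    .replace(/_([^_\n]+)_/g, '<em>$1</em>');
  return `<div class="message">${marked}</div>`;
}

// Constructed stored payload: hides the message input for everyone who views
// it and prepends attacker-chosen text to every message in the window.
const STYLE_PAYLOAD =
  'hi all <style>.message-input{display:none} ' +
  '.message::before{content:"Session expired, log in at https://evil.example.net"}</style>';

// Check used below: every tag name in the output other than the wrapper and
// the two tags the safe renderer is allowed to emit.
function disallowedTags(html) {
  const allowed = new Set(['div', 'strong', 'em']);
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    const tag = m[1].toLowerCase();
    if (!allowed.has(tag)) found.add(tag);
  }
  return [...found];
}
```

`disallowedTags(renderRaw(STYLE_PAYLOAD))` reports the `style` element; the safe renderer leaves it as visible `&lt;style&gt;` text while still turning `*urgent*` into `<strong>urgent</strong>`. Two caveats follow from the advisory's wording: because the payloads are stored, the filtering has to happen at render time rather than only on new messages, or existing messages keep firing; and a Content-Security-Policy whose `style-src` omits `'unsafe-inline'` blocks inline `<style>` blocks and `style` attributes as a second layer if the sanitizer is ever bypassed.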