Vulnerabilities (CVE)


Filtered by CWE-79
Total 21765 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-37796 1 Simple Online Book Store System Project 1 Simple Online Book Store System 2022-09-14 N/A 5.4 MEDIUM
In Simple Online Book Store System 1.0, the Title, Author, and Description parameters in /admin_book.php are vulnerable to Cross-Site Scripting (XSS).
CVE-2022-40325 1 Sysaid 1 Help Desk 2022-09-14 N/A 6.1 MEDIUM
SysAid Help Desk before 22.1.65 allows XSS via the Asset Dashboard, aka FR# 67262.
CVE-2022-40322 1 Sysaid 1 Help Desk 2022-09-14 N/A 6.1 MEDIUM
SysAid Help Desk before 22.1.65 allows XSS, aka FR# 66542 and 65579.
CVE-2022-40324 1 Sysaid 1 Help Desk 2022-09-14 N/A 6.1 MEDIUM
SysAid Help Desk before 22.1.65 allows XSS via the Linked SRs field, aka FR# 67258.
CVE-2022-36094 1 Xwiki 1 Xwiki 2022-09-14 N/A 9.0 CRITICAL
XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing JavaScript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, with a patched version from the patch without updating XWiki.
CVE-2022-40323 1 Sysaid 1 Help Desk 2022-09-14 N/A 6.1 MEDIUM
SysAid Help Desk before 22.1.65 allows XSS in the Password Services module, aka FR# 67241.
CVE-2022-40317 1 Openkm 1 Openkm 2022-09-14 N/A 5.4 MEDIUM
OpenKM 6.3.11 allows stored XSS related to the javascript: substring in an A element.
CVE-2022-39810 1 Wso2 1 Enterprise Integrator 2022-09-14 N/A 6.1 MEDIUM
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible.
CVE-2022-39809 1 Wso2 1 Enterprise Integrator 2022-09-14 N/A 6.1 MEDIUM
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible.
CVE-2022-38256 1 Tastyigniter 1 Tastyigniter 2022-09-14 N/A 5.4 MEDIUM
TastyIgniter v3.5.0 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2022-30874 1 Nukeviet 1 Nukeviet 2022-09-13 3.5 LOW 5.4 MEDIUM
There is a Stored Cross-Site Scripting (XSS) vulnerability in NukeViet CMS before 4.5.02.
CVE-2022-2925 1 Appwrite 1 Appwrite 2022-09-13 N/A 5.4 MEDIUM
Cross-site Scripting (XSS) - Stored in GitHub repository appwrite/appwrite prior to 1.0.0-RC1.
CVE-2022-38639 1 Inkdrop 1 Markdown Nice 2022-09-13 N/A 5.4 MEDIUM
A cross-site scripting (XSS) vulnerability in Markdown-Nice v1.8.22 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Community Posting field.
CVE-2022-36097 1 Xwiki 1 Xwiki 2022-09-13 N/A 6.1 MEDIUM
XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch.
CVE-2022-36098 1 Xwiki 1 Xwiki 2022-09-13 N/A 9.0 CRITICAL
XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store JavaScript or Groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched in XWiki 14.4 and 13.10.6. As a workaround, one may update `XWiki.Mentions.MentionsMacro` and edit the `Macro code` field of the `XWiki.WikiMacroClass` XObject.
CVE-2022-36096 1 Xwiki 1 Xwiki 2022-09-13 N/A 9.0 CRITICAL
The XWiki Platform Index UI is an index of all pages, attachments, orphans, and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing JavaScript in its name. This issue has been patched in XWiki 13.10.6 and 14.3. As a workaround, fix the vulnerability by editing the wiki page `XWiki.DeletedAttachments` with the object editor: open the `JavaScriptExtension` object and apply to its content the changes found in the fix commit.
CVE-2022-2695 1 Fastlinemedia 1 Beaver Builder 2022-09-13 N/A 5.4 MEDIUM
The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' parameter added to images via the media uploader in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor and the ability to upload media files to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2022-2936 1 Oxilab 1 Image Hover Effects Ultimate 2022-09-13 N/A 5.4 MEDIUM
The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Video Link values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers; however, if a site admin makes the plugin's features available to lower-privileged users through the 'Who Can Edit?' setting, then this can be exploited by those users.
CVE-2022-2716 1 Fastlinemedia 1 Beaver Builder 2022-09-13 N/A 5.4 MEDIUM
The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Text Editor' block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2022-2934 1 Fastlinemedia 1 Beaver Builder 2022-09-13 N/A 5.4 MEDIUM
The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image URL' value found in the Media block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.