Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-1220 | 1 Foxy-shop | 1 Foxyshop | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM | The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. |
CVE-2022-27168 | 1 Litecart | 1 Litecart | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in LiteCart versions prior to 2.4.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. |
CVE-2022-2365 | 1 Trilium Project | 1 Trilium | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.53.3. |
CVE-2022-35416 | 1 H3c | 1 Ssl Vpn | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM | H3C SSL VPN through 2022-07-10 allows wnm/login/login.json svpnlang cookie XSS. |
CVE-2022-1910 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM | The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting. |
CVE-2022-32061 | 1 Snipeitapp | 1 Snipe-it | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM | An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file. |
CVE-2022-31136 | 1 Joinbookwyrm | 1 Bookwyrm | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM | Bookwyrm is an open source social reading and reviewing program. Versions of Bookwyrm prior to 0.4.1 did not properly sanitize HTML being rendered to users. Unprivileged users are able to inject scripts into user profiles, book descriptions, and statuses. These vulnerabilities may be exploited as cross-site scripting attacks on users viewing these fields. Users are advised to upgrade to version 0.4.1. There are no known workarounds for this issue. |
CVE-2022-31063 | 1 Enalean | 1 Tuleap | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM | Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.111 the title of a document is not properly escaped in the search result of the MyDocmanSearch widget and in the administration page of the locked documents. A malicious user with the capability to create a document could force a victim to execute uncontrolled code. Users are advised to upgrade. There are no known workarounds for this issue. |
CVE-2022-33098 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM | Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
CVE-2021-44791 | 1 Apache | 1 Druid | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM | In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. |
CVE-2022-35229 | 1 Zabbix | 1 Zabbix | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM | An authenticated user can create a link with reflected JavaScript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. |
CVE-2022-35230 | 1 Zabbix | 1 Zabbix | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM | An authenticated user can create a link with reflected JavaScript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. |
CVE-2022-31133 | 1 Humhub | 1 Humhub | 2022-07-14 | 3.5 LOW | 4.8 MEDIUM | HumHub is an Open Source Enterprise Social Network. Affected versions of HumHub are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, the attacker would need permission to administer the Spaces feature. The names of individual "spaces" are not properly escaped, so an attacker with sufficient privilege could insert malicious JavaScript into a space name and exploit system users who visit that space. It is recommended that HumHub is upgraded to 1.11.4 or 1.10.5. There are no known workarounds for this issue. |
CVE-2022-23713 | 1 Elastic | 1 Kibana | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim's browser. |
CVE-2022-32567 | 1 Appfire | 1 Jira Misc Custom Fields | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM | The Appfire Jira Misc Custom Fields (JMCF) app 2.4.6 for Atlassian Jira allows XSS via a crafted project name to the Add Auto Indexing Rule function. |
CVE-2022-2342 | 1 Getoutline | 1 Outline | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4. |
CVE-2022-20815 | 1 Cisco | 2 Unified Communications Manager, Unified Communications Manager Im And Presence Service | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. |
CVE-2022-20800 | 1 Cisco | 3 Unified Communications Manager, Unified Communications Manager Im And Presence Service, Unity Connection | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. |
CVE-2022-31127 | 1 Nextauth.js | 1 Next-auth | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM | NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server into sending it to the user, so they can perform a phishing attack. E.g.: `balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted (we recommend upgrading to v4, as v3 is considered unmaintained); next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven't created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or properly sanitize it. |
CVE-2022-2316 | 1 Devolutions | 1 Devolutions Server | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM | HTML injection vulnerability in secure messages of Devolutions Server before 2022.2 allows attackers to alter the rendering of the page or redirect a user to another site. |