Total: 21765 CVE
CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-1267 | 1 Bmi Bmr Calculator Project | 1 Bmi Bmr Calculator | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
The BMI BMR Calculator WordPress plugin through 1.3 does not sanitise and escape arbitrary POST data before outputting it back in the response, leading to Reflected Cross-Site Scripting. | |||||
CVE-2022-1334 | 1 Wp Youtube Live Project | 1 Wp Youtube Live | 2022-05-24 | 3.5 LOW | 4.8 MEDIUM |
The WP YouTube Live WordPress plugin before 1.8.3 does not validate, sanitise and escape several of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
CVE-2022-1051 | 1 2code | 1 Wpqa Builder | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not sanitise and escape the city, phone or profile credentials fields when outputting them in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks. | |||||
CVE-2022-30776 | 1 Atmail | 1 Atmail | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
atmail 6.5.0 allows XSS via the index.php/admin/index/ error parameter. | |||||
CVE-2022-30013 | 1 Totaljs | 1 Total.js | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a PDF file with embedded JavaScript. | |||||
CVE-2022-1393 | 1 Wp Subtitle Project | 1 Wp Subtitle | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle field and provides a shortcode to display it via [wp_subtitle]. The subtitle is stored as a custom post meta with the key "wps_subtitle", which is sanitized on post save/update but not when it is updated directly via the post meta update button (AJAX); this makes the XSS exploitable by authenticated users with a role as low as contributor. | |||||
CVE-2020-9467 | 1 Piwigo | 1 Piwigo | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function. | |||||
CVE-2020-9440 | 3 Ckeditor, Fedoraproject, Webspellchecker | 3 Ckeditor, Fedora, Webspellchecker | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor. | |||||
CVE-2020-8778 | 1 Alfresco | 1 Alfresco | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project. | |||||
CVE-2020-8776 | 1 Alfresco | 1 Alfresco | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file. | |||||
CVE-2020-8777 | 1 Alfresco | 1 Alfresco | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document. | |||||
CVE-2022-1089 | 1 Wpsheeteditor | 1 Bulk Edit And Create User Profiles - Wp Sheet Editor | 2022-05-24 | 3.5 LOW | 4.8 MEDIUM |
The Bulk Edit and Create User Profiles WordPress plugin before 1.5.14 does not sanitise and escape the Users Login, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
CVE-2022-1408 | 1 Vikwp | 1 Hotel Booking Engine & PMS | 2022-05-24 | 3.5 LOW | 4.8 MEDIUM |
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not escape various settings before outputting them in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
CVE-2022-1418 | 1 Pluginmirror | 1 Social Stickers | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
The Social Stickers WordPress plugin through 2.2.9 does not have CSRF checks in place when updating its Social Network settings, and does not escape some of these fields, which could allow attackers to make a logged-in admin change them and lead to Stored Cross-Site Scripting issues. | |||||
CVE-2022-1435 | 1 Wptaskforce | 1 Track & Trace | 2022-05-24 | 3.5 LOW | 4.8 MEDIUM |
The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
CVE-2022-1436 | 1 Wptaskforce | 1 Track & Trace | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow attackers to perform reflected Cross-Site Scripting attacks. | |||||
CVE-2022-1455 | 1 Callnowbutton | 1 Call Now Button | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
The Call Now Button WordPress plugin before 1.1.2 does not escape a parameter before outputting it back in an attribute of a hidden input, leading to Reflected Cross-Site Scripting when the premium option is enabled. | |||||
CVE-2020-7106 | 5 Cacti, Debian, Fedoraproject and 2 more | 8 Cacti, Debian Linux, Extra Packages For Enterprise Linux and 5 more | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string read from the database and displayed via $header, which triggers the XSS). | |||||
CVE-2022-1465 | 1 Wpclever | 1 Wpc Smart Wishlist For Woocommerce | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.9 does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue. | |||||
CVE-2021-23225 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php. | |||||
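Most of the WordPress entries above share one root cause: a request parameter or a stored setting is written into HTML without input sanitisation and without escaping for the output context (an attribute value in CVE-2022-1436, CVE-2022-1455 and CVE-2022-1465; a settings value in CVE-2022-1334, CVE-2022-1408 and CVE-2022-1435), and in CVE-2022-1418 the settings update also lacks a CSRF check, so a logged-in admin can be made to store the payload. The fragment below is an added example, not code from any plugin listed here: a hypothetical plugin showing each defect beside its fix. The function names, the `tracking` request parameter and the `example_button_label` option are assumed for illustration; the WordPress API calls (`sanitize_text_field`, `esc_attr`, `esc_html`, `check_admin_referer`, `wp_nonce_field`) are real.

```php
<?php
// Added example of a hypothetical WordPress plugin; not code from any plugin listed above.
// Parameter and option names are assumed for illustration.

// --- 1. Reflected XSS: a request parameter echoed into an attribute -----------------

// Vulnerable: $_GET['tracking'] lands inside value="..." untouched, so a request like
// ?tracking=x"+onfocus=alert(1)+autofocus+" closes the attribute and adds a handler.
function example_tracking_form_vulnerable() {
    $tracking = isset($_GET['tracking']) ? $_GET['tracking'] : '';
    echo '<input type="text" name="tracking" value="' . $tracking . '">';
}

// Hardened: sanitise on input (sanitize_text_field strips tags, NUL bytes and stray
// whitespace) and escape for the exact output context (esc_attr inside an attribute,
// esc_html in element text). Both steps are needed: sanitising alone does not encode
// quotes, and escaping alone still lets junk through to wherever else the value goes.
function example_tracking_form_hardened() {
    $tracking = isset($_GET['tracking']) ? sanitize_text_field(wp_unslash($_GET['tracking'])) : '';
    echo '<input type="text" name="tracking" value="' . esc_attr($tracking) . '">';
    echo '<p>' . esc_html__('Last search: ', 'example') . esc_html($tracking) . '</p>';
}

// --- 2 + 3. Stored XSS via a setting, and CSRF on the update that stores it ---------

// Vulnerable: any POST reaching this handler, including one triggered from an attacker's
// page while an admin is logged in, overwrites the option with raw input. The value is
// then printed unescaped on every page, so even a site that disallows unfiltered_html
// (define('DISALLOW_UNFILTERED_HTML', true)) ends up serving the stored script: that
// capability only governs WordPress's own content filters, not a plugin's option.
function example_save_settings_vulnerable() {
    if (isset($_POST['example_button_label'])) {
        update_option('example_button_label', $_POST['example_button_label']);
    }
}
function example_render_button_vulnerable() {
    $label = get_option('example_button_label');
    echo '<a class="btn" title="' . $label . '">' . $label . '</a>';
}

// Hardened: capability check, nonce check, sanitise before storing, escape on output.
// The sanitiser runs for every role, so an admin cannot store markup either. Use
// wp_kses_post() instead of sanitize_text_field() only when limited HTML is a feature.
function example_save_settings_hardened() {
    if (!isset($_POST['example_button_label'])) {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'example'), '', 403);
    }
    // Dies with a 403 unless the request carries the nonce emitted by the form below.
    check_admin_referer('example_save_settings', 'example_nonce');
    $label = sanitize_text_field(wp_unslash($_POST['example_button_label']));
    update_option('example_button_label', $label);
}
function example_render_button_hardened() {
    $label = get_option('example_button_label', '');
    echo '<a class="btn" title="' . esc_attr($label) . '">' . esc_html($label) . '</a>';
}
// The settings form must emit the matching nonce, and it escapes the current value too.
function example_settings_form_hardened() {
    echo '<form method="post">';
    wp_nonce_field('example_save_settings', 'example_nonce');
    echo '<input type="text" name="example_button_label" value="'
        . esc_attr(get_option('example_button_label', '')) . '">';
    submit_button();
    echo '</form>';
}
```

When the option is registered through the Settings API, the same sanitisation belongs in the `sanitize_callback` argument of `register_setting()` so it cannot be skipped by a second code path (the WP Subtitle entry, CVE-2022-1393, is exactly that failure mode: sanitised on one save path, not on the AJAX one). Output escaping still has to happen at every echo, because the stored value may predate the fix.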
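CVE-2020-8777 (a SCRIPT element inside an SVG profile photo) and CVE-2022-30013 (a PDF with embedded JavaScript) are stored XSS through uploaded files rather than form fields: the browser treats the served file as active content running in the site's origin. The checks below are an added example, not code from Alfresco, totaljs or any other project listed here; the sample files are constructed inline and the function names are assumed. It goes beyond the two entries in catching event-handler attributes, `javascript:` hrefs (including ones split by control characters) and SMIL animations that rewrite `href` in SVG, and hex-escaped or auto-run action names in PDF.

```php
<?php
// Added example: upload-time checks for active content in SVG and PDF files.
// Not code from any project listed above; samples are constructed, names assumed.

/** Returns the reasons an SVG is unsafe to serve from the site's origin; empty means clean. */
function svg_active_content(string $svg): array
{
    $reasons = [];
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external DTDs or entities while parsing untrusted XML.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return ['not well-formed XML'];
    }
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//*') as $el) {
        // Compare local names so a prefix (svg:script) or an odd default namespace
        // does not hide the element from the check.
        $name = strtolower($el->localName);
        if (in_array($name, ['script', 'foreignobject', 'iframe', 'embed', 'object'], true)) {
            $reasons[] = "element <$name>";
        }
        foreach ($el->attributes as $attr) {
            $aname = strtolower($attr->localName);            // xlink:href -> href
            // Browsers ignore control characters inside a URL scheme, so strip them
            // before matching; "java&#10;script:" must still read as javascript:.
            $value = preg_replace('/[\x00-\x20]+/', '', strtolower($attr->value));
            if (strpos($aname, 'on') === 0) {
                $reasons[] = "event handler $aname on <$name>";
            } elseif ($aname === 'href'
                && preg_match('#^(javascript:|data:(?!image/(?:png|jpe?g|gif|webp)[;,]))#', $value)) {
                // data: raster images are allowed; data:text/html or a nested SVG is not.
                $reasons[] = "$aname=\"$value\" on <$name>";
            } elseif ($aname === 'attributename' && substr($value, -4) === 'href') {
                // <set>/<animate attributeName="href"> can rewrite a link to javascript: at runtime.
                $reasons[] = "SMIL animation of href on <$name>";
            }
        }
    }
    return $reasons;
}

/** Returns the reasons a PDF may run code or actions when opened; empty means none found. */
function pdf_active_content(string $pdf): array
{
    // PDF name tokens may hide behind #xx escapes (/J#53 is /JS), so decode them first.
    $raw = preg_replace_callback('/#([0-9A-Fa-f]{2})/', fn ($m) => chr(hexdec($m[1])), $pdf);
    $reasons = [];
    $names = [
        '/JavaScript' => 'JavaScript action',
        '/JS'         => 'JavaScript code',
        '/OpenAction' => 'action that runs on open',
        '/AA'         => 'additional (event) actions',
        '/Launch'     => 'launch action',
    ];
    foreach ($names as $name => $why) {
        // Names are case-sensitive and end at a delimiter; the lookahead keeps /JS from matching /JSX.
        if (preg_match('#' . preg_quote($name, '#') . '(?![A-Za-z0-9_])#', $raw)) {
            $reasons[] = "$why ($name)";
        }
    }
    // Object streams hold dictionaries in compressed form, where a byte scan cannot see
    // them; such files need a full PDF parser rather than being passed on a clean scan.
    if (preg_match('#/ObjStm(?![A-Za-z0-9_])#', $raw)) {
        $reasons[] = 'compressed object streams present; needs a full parser';
    }
    return $reasons;
}

// Constructed samples, not real uploads.
$samples = [
    'clean svg'  => ['svg', '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'],
    'script svg' => ['svg', '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
        . '<script>alert(1)</script><a xlink:href="java&#10;script:alert(2)">'
        . '<text onload="alert(3)">x</text></a></svg>'],
    'clean pdf'  => ['pdf', "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"],
    'js pdf'     => ['pdf', "%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /J#61vaScript"
        . " /JS (app.alert(1)) >> >> endobj\n%%EOF\n"],
];
foreach ($samples as $label => [$kind, $bytes]) {
    $reasons = $kind === 'svg' ? svg_active_content($bytes) : pdf_active_content($bytes);
    printf("%-10s %s\n", $label, $reasons ? 'REJECT: ' . implode('; ', $reasons) : 'accept');
}
```

Rejecting at upload time is the first layer, not the only one: whatever passes should still be served with `Content-Disposition: attachment` and `Content-Security-Policy: sandbox`, or from a separate origin, so a miss in the scanner cannot execute with the application's cookies. The PDF scan is deliberately a byte-level triage; it flags files that need a real parser rather than claiming to have parsed them.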