Total: 21765 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2021-32927 | 1 Uffizio | 1 Gps Tracker | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | An attacker may be able to inject client-side JavaScript code on multiple instances within all versions of Uffizio GPS Tracker. |
CVE-2022-0876 | 1 Wpdevart | 1 Social Comments | 2022-05-03 | 3.5 LOW | 4.8 MEDIUM | The Social Comments by WpDevArt WordPress plugin before 2.5.0 does not sanitise and escape its settings, allowing high-privilege users such as admin to perform cross-site scripting attacks even when unfiltered_html is disallowed. |
CVE-2021-36895 | 1 Tripetto | 1 Tripetto | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | Unauthenticated cross-site scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload. |
CVE-2022-28586 | 1 Hoosk | 1 Hoosk | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | XSS in the edit page of Hoosk 1.8.0 allows an attacker to execute JavaScript code in the user's browser via the edit page, using an XSS payload that bypasses the filter for some special characters. |
CVE-2022-28820 | 1 Adobe | 1 Acs Aem Commons | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | ACS Commons version 5.1.x (and earlier) suffers from a reflected cross-site scripting (XSS) vulnerability in the /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. Exploitation of this issue requires user interaction in order to be successful. |
CVE-2022-1445 | 1 Snipeitapp | 1 Snipe-it | 2022-05-03 | 3.5 LOW | 5.4 MEDIUM | Stored cross-site scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stealing the user's cookie. |
CVE-2022-0953 | 1 Download Anti-malware Security And Brute-force Firewall Project | 1 Download Anti-malware Security And Brute-force Firewall | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.96 does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a reflected cross-site scripting in browsers which do not encode characters. |
CVE-2022-1027 | 1 Minioragne | 1 Page Restriction | 2022-05-03 | 3.5 LOW | 4.8 MEDIUM | The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges (access to the settings page) to inject JavaScript code into its settings, leading to stored cross-site scripting that will only affect administrator users. |
CVE-2022-1153 | 1 Layslider | 1 Layslider | 2022-05-03 | 3.5 LOW | 4.8 MEDIUM | The LayerSlider WordPress plugin before 7.1.2 does not sanitise and escape the project's slug before outputting it back in various places, which could allow high-privilege users such as admin to perform cross-site scripting attacks even when unfiltered_html is disallowed. |
CVE-2022-1156 | 1 Books & Papers Project | 1 Books & Papers | 2022-05-03 | 3.5 LOW | 4.8 MEDIUM | The Books & Papers WordPress plugin through 0.20210223 does not escape its Custom DB prefix settings, allowing high-privilege users to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed. |
CVE-2022-1228 | 1 Opensea Project | 1 Opeansea | 2022-05-03 | 3.5 LOW | 4.8 MEDIUM | The Opensea WordPress plugin before 1.0.3 does not sanitise and escape some of its settings, like its "Referer address" field, which could allow high-privilege users to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed. |
CVE-2022-1152 | 1 Menubar | 1 Menubar | 2022-05-03 | 3.5 LOW | 5.4 MEDIUM | The Menubar WordPress plugin before 5.8 does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action (available to any authenticated user), leading to a reflected cross-site scripting. |
CVE-2021-46780 | 1 Supsystic | 1 Easy Google Maps | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a reflected cross-site scripting. |
CVE-2021-46781 | 1 Subsystic | 1 Coming Soon | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | The Coming Soon by Supsystic WordPress plugin before 1.7.6 does not sanitise and escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a reflected cross-site scripting. |
CVE-2022-24799 | 1 Wire | 1 Wire-webapp | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | wire-webapp is the web application interface for the Wire messaging service. Insufficient escaping in markdown "code highlighting" in wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious message, arbitrary code is injected and executed in the context of the victim. This allows the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. Patches: the issue has been fixed in wire-webapp 2022-03-30-production.0 and is already deployed on all Wire managed services; on-premise instances of wire-webapp need to be updated to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0), so that their applications are no longer affected. Workarounds: none known. For more information, questions or comments about this advisory can be emailed to vulnerability-report@wire.com. Credits: Posix (https://twitter.com/po6ix) for reporting this vulnerability. |
CVE-2021-41825 | 1 Verint | 1 Workforce Optimization | 2022-05-03 | 5.0 MEDIUM | 5.3 MEDIUM | Verint Workforce Optimization (WFO) 15.2.5.1033 allows HTML injection via the /wfo/control/signin username parameter. |
CVE-2022-27237 | 1 Ni | 5 Flexlogger, G Web Development Software, Labview and 2 more | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | There is a cross-site scripting (XSS) vulnerability in an NI Web Server component installed with several NI products. Depending on the product(s) in use, remediation guidance includes: install SystemLink version 2021 R3 or later, install FlexLogger 2022 Q2 or later, install LabVIEW 2021 SP1, install G Web Development 2022 R1 or later, or install Static Test Software Suite version 1.2 or later. |
CVE-2021-35229 | 1 Solarwinds | 2 Database Performance Analyzer, Database Performance Monitor | 2022-05-03 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting vulnerability is present in Database Performance Monitor 2022.1.7779 and previous versions when using a complex SQL query. |
CVE-2022-24869 | 1 Glpi-project | 1 Glpi | 2022-05-03 | 3.5 LOW | 5.4 MEDIUM | GLPI is a free asset and IT management software package that provides ITIL service desk features, licence tracking and software auditing. In versions prior to 10.0.0, one can use a ticket's followups or set up login messages with a stylesheet link. This may allow for a cross-site scripting attack vector. This issue is partially mitigated by the CORS security of browsers, though users are still advised to upgrade. |
CVE-2019-9752 | 2 Opensuse, Otrs | 3 Backports Sle, Leap, Otrs | 2022-05-03 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-Type mishandling in Kernel/Modules/PictureUpload.pm. |