Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28153 | 1 Jenkins | 1 Sitemonitor | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-28159 | 1 Jenkins | 1 Tests Selector | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-0818 | 1 Yithemes | 1 Woocommerce Affiliate | 2022-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin. | |||||
| CVE-2022-24957 | 1 Dhc-vision | 1 Eqms | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| DHC Vision eQMS through 5.4.8.322 has Persistent XSS due to insufficient encoding of untrusted input/output. To exploit the vulnerability, the attacker has to create or edit a new information object and use the XSS payload as the name. Any user that opens the object's version or history tab will be attacked. | |||||
| CVE-2022-0450 | 1 Freshlightlab | 1 Menu Image\, Icons Made Easy | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| The Menu Image, Icons made easy WordPress plugin before 3.0.8 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggered in the related menu in the frontend | |||||
| CVE-2022-26980 | 1 Teampass | 1 Teampass | 2022-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO. | |||||
| CVE-2022-28133 | 1 Jenkins | 1 Bitbucket Server Integration | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers. | |||||
| CVE-2021-25012 | 1 Popozure | 1 Pz-linkcard | 2022-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Pz-LinkCard WordPress plugin through 2.4.4.4 does not sanitise and escape multiple parameters before outputting them back in admin dashboard pages, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2021-24746 | 1 Heateor | 1 Sassy Social Share | 2022-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-40906 | 1 Tribe29 | 1 Checkmk | 2022-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication. | |||||
| CVE-2022-1081 | 1 Microfinance Management System Project | 1 Microfinance Management System | 2022-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in SourceCodester Microfinance Management System 1.0. It has been declared as problematic. This vulnerability affects the file /mims/app/addcustomerHandler.php. The manipulation of the argument first_name, middle_name, and surname leads to cross site scripting. The attack can be initiated remotely. | |||||
| CVE-2021-45866 | 1 Student Attendance Management System Project | 1 Student Attendance Management System | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Student Attendance Management System 1.0 via the couse filed in index.php. | |||||
| CVE-2022-23903 | 1 Pearadmin | 1 Pear Admin Think | 2022-04-04 | 3.5 LOW | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in pearadmin pear-admin-think <=5.0.6, which allows a login account to access arbitrary functions and cause stored XSS through a fake User-Agent. | |||||
| CVE-2021-27418 | 1 Ge | 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more | 2022-04-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| GE UR firmware versions prior to version 8.1x supports web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, UR Firmware web server does not perform HTML encoding of user-supplied strings. | |||||
| CVE-2021-46144 | 2 Debian, Roundcube | 2 Debian Linux, Roundcube | 2022-04-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences. | |||||
| CVE-2019-11454 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2022-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation. | |||||
| CVE-2022-0647 | 1 Bulk Creator Project | 1 Bulk Creator | 2022-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Bulk Creator WordPress plugin through 1.0.1 does not sanitize and escape the post_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-0643 | 1 Bank Mellat Project | 1 Bank Mellat | 2022-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Bank Mellat WordPress plugin through 1.3.7 does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-0641 | 1 Ays-pro | 1 Popup Like Box | 2022-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-0621 | 1 Dtabs Project | 1 Dtabs | 2022-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| The dTabs WordPress plugin through 1.4 does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | |||||