Total: 21765 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-24177 | 1 Exlibrisgroup | 1 Aleph 500 | 2022-03-16 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the component cgi-bin/ej.cgi of Ex libris ALEPH 500 v18.1 and v20 allows attackers to execute arbitrary web scripts or HTML. |
CVE-2022-23397 | 1 Cedargate | 1 Ez-net Portal | 2022-03-15 | 4.3 MEDIUM | 6.1 MEDIUM | The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. |
CVE-2022-21158 | 1 Marktext | 1 Marktext | 2022-03-15 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting vulnerability in marktext versions prior to v0.17.0 due to improper handling of the link (with javascript: scheme) inside the document may allow an attacker to execute an arbitrary script on the PC of the user using marktext. |
CVE-2022-21146 | 1 Ipcomm | 2 Ipdio, Ipdio Firmware | 2022-03-15 | 4.3 MEDIUM | 6.1 MEDIUM | Persistent cross-site scripting in the web interface of ipDIO allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into a specific parameter. The XSS payload will be executed when a legitimate user attempts to review history. |
CVE-2021-42856 | 1 Riverbed | 1 Steelcentral Appinternals Dynamic Sampling Agent | 2022-03-15 | 4.3 MEDIUM | 6.1 MEDIUM | It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack. It was noted that the Metric parameter does not have any input checks on the user input that allows an attacker to craft its own malicious payload to trigger an XSS vulnerability. |
CVE-2022-0352 | 1 Calibre-web Project | 1 Calibre-web | 2022-03-15 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16. |
CVE-2022-25395 | 1 Cosmetics And Beauty Product Online Store Project | 1 Cosmetics And Beauty Product Online Store | 2022-03-14 | 4.3 MEDIUM | 9.6 CRITICAL | Cosmetics and Beauty Product Online Store v1.0 was discovered to contain multiple reflected cross-site scripting (XSS) attacks via the search parameter under the /cbpos/ app. |
CVE-2021-33852 | 1 Metaphorcreations | 1 Post Duplicator | 2022-03-11 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts. |
CVE-2021-33851 | 1 Apasionados | 1 Customize Login Image | 2022-03-11 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin. |
CVE-2021-32005 | 1 Secomea | 18 Sitemanager 1129, Sitemanager 1129 Firmware, Sitemanager 1139 and 15 more | 2022-03-11 | 3.5 LOW | 5.4 MEDIUM | Cross-site Scripting (XSS) vulnerability in log view of Secomea SiteManager allows a logged in user to store javascript for later execution. This issue affects: Secomea SiteManager Version 9.6.621421014 and all prior versions. |
CVE-2022-26483 | 1 Veritas | 1 Infoscale Operations Manager | 2022-03-11 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Veritas InfoScale Operations Manager (VIOM) before 7.4.2 Patch 600 and 8.x before 8.0.0 Patch 100. A reflected cross-site scripting (XSS) vulnerability in admin/cgi-bin/listdir.pl allows authenticated remote administrators to inject arbitrary web script or HTML into an HTTP GET parameter (which reflects the user input without sanitization). |
CVE-2022-0389 | 1 Codepeople | 1 Wp Time Slots Booking Form | 2022-03-11 | 3.5 LOW | 4.8 MEDIUM | The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
CVE-2022-0347 | 1 Wpbrigade | 1 Loginpress | 2022-03-11 | 4.3 MEDIUM | 6.1 MEDIUM | The LoginPress \| Custom Login Page Customizer WordPress plugin before 1.5.12 does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. |
CVE-2022-0205 | 1 Yop-poll | 1 Yop-poll | 2022-03-11 | 3.5 LOW | 5.4 MEDIUM | The YOP Poll WordPress plugin before 6.3.5 does not sanitise and escape some of the settings (available to users with a role as low as author) before outputting them, leading to a Stored Cross-Site Scripting issue. |
CVE-2021-25039 | 1 Obtaininfotech | 1 Multisite Content Copier/Updater | 2022-03-11 | 4.3 MEDIUM | 6.1 MEDIUM | The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.0 does not sanitise and escape the wmcc_content_type, wmcc_source_blog and wmcc_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. |
CVE-2021-25038 | 1 Obtaininfotech | 1 Multisite User Sync/Unsync | 2022-03-11 | 4.3 MEDIUM | 6.1 MEDIUM | The WordPress Multisite User Sync/Unsync WordPress plugin before 2.1.2 does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. |
CVE-2021-24961 | 1 Iptanus | 2 Wordpress File Upload, Wordpress File Upload Pro | 2022-03-11 | 3.5 LOW | 5.4 MEDIUM | The WordPress File Upload WordPress plugin before 4.16.3 and wordpress-file-upload-pro WordPress plugin before 4.16.3 do not escape some of their shortcode arguments, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
CVE-2021-24953 | 1 Tinywebgallery | 1 Advanced Iframe | 2022-03-11 | 4.3 MEDIUM | 6.1 MEDIUM | The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. |
CVE-2021-24826 | 1 Custom Content Shortcode Project | 1 Custom Content Shortcode | 2022-03-11 | 3.5 LOW | 5.4 MEDIUM | The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Please note that such an attack is still possible by admin+ in single site blogs by default (but won't be when unfiltered_html is disallowed). |
CVE-2021-41542 | 1 Siemens | 2 Climatix Pol909, Climatix Pol909 Firmware | 2022-03-11 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). The User Management page of affected devices is vulnerable to cross-site scripting (XSS). The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions. |