Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4342 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2023-02-22 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 161421. | |||||
| CVE-2019-5467 | 1 Gitlab | 1 Gitlab | 2023-02-22 | 3.5 LOW | 5.4 MEDIUM |
| An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6. | |||||
| CVE-2019-10410 | 1 Jenkins | 1 Log Parser | 2023-02-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules. | |||||
| CVE-2019-10406 | 1 Jenkins | 1 Jenkins | 2023-02-22 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission. | |||||
| CVE-2019-10405 | 1 Jenkins | 1 Jenkins | 2023-02-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. | |||||
| CVE-2019-10404 | 1 Jenkins | 1 Jenkins | 2023-02-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. | |||||
| CVE-2019-10403 | 1 Jenkins | 1 Jenkins | 2023-02-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions. | |||||
| CVE-2019-10402 | 1 Jenkins | 1 Jenkins | 2023-02-22 | 3.5 LOW | 5.4 MEDIUM |
| In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents. | |||||
| CVE-2018-21012 | 1 Vsourz | 1 Cf7 Invisible Recaptcha | 2023-02-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| The cf7-invisible-recaptcha plugin before 1.3.2 for WordPress has XSS. | |||||
| CVE-2019-16118 | 1 10web | 1 Photo Gallery | 2023-02-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php. | |||||
| CVE-2019-16117 | 1 10web | 1 Photo Gallery | 2023-02-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php. | |||||
| CVE-2020-9390 | 1 Squaredup | 1 Squaredup | 2023-02-22 | 3.5 LOW | 5.4 MEDIUM |
| SquaredUp allowed Stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in iframe or by uploading an SVG that contained a script. | |||||
| CVE-2023-23553 | 1 Controlbyweb | 2 X-400, X-400 Firmware | 2023-02-22 | N/A | 6.1 MEDIUM |
| Control By Web X-400 devices are vulnerable to a cross-site scripting attack, which could result in private and session information being transferred to the attacker. | |||||
| CVE-2022-45285 | 1 Vsourz | 1 Advanced Cf7 Db | 2023-02-22 | N/A | 6.1 MEDIUM |
| Vsourz Digital Advanced Contact form 7 DB Versions 1.7.2 and 1.9.1 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2023-23077 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2023-02-22 | N/A | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment. | |||||
| CVE-2023-23078 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2023-02-22 | N/A | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets. | |||||
| CVE-2023-24648 | 1 Zippy | 1 Zstore | 2023-02-22 | N/A | 6.1 MEDIUM |
| Zstore v6.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php. | |||||
| CVE-2023-22370 | 1 Planex | 1 Cs-wmv02g | 2023-02-22 | N/A | 5.2 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Stored cross-site scripting vulnerability in Wired/Wireless LAN Pan/Tilt Network Camera CS-WMV02G all versions allows a network-adjacent authenticated attacker to inject an arbitrary script. NOTE: This vulnerability only affects products that are no longer supported by the developer. | |||||
| CVE-2015-10079 | 1 Walrusirc Project | 1 Walrusirc | 2023-02-22 | N/A | 6.1 MEDIUM |
| A vulnerability was found in juju2143 WalrusIRC 0.0.2. It has been rated as problematic. This issue affects the function parseLinks of the file public/parser.js. The manipulation of the argument text leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 0.0.3 is able to address this issue. The name of the patch is 45fd885895ae13e8d9b3a71e89d59768914f60af. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220751. | |||||
| CVE-2023-25572 | 1 Marmelab | 2 Ra-ui-materialui, React-admin | 2023-02-22 | N/A | 5.4 MEDIUM |
| react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `<RichTextField>` by a custom field doing sanitization by hand. | |||||