Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-47413 | 1 Openkm | 1 Openkm | 2023-02-15 | N/A | 5.4 MEDIUM |
| Given a malicious document provided by an attacker, the OpenKM DMS is vulnerable to a stored (persistent, or "Type II") XSS condition. | |||||
| CVE-2022-47414 | 1 Openkm | 1 Openkm | 2023-02-15 | N/A | 5.4 MEDIUM |
| If an attacker has access to the console for OpenKM (and is authenticated), a stored XSS vulnerability is reachable in the document "note" functionality. | |||||
| CVE-2023-0732 | 1 Online Eyewear Shop Project | 1 Online Eyewear Shop | 2023-02-15 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in SourceCodester Online Eyewear Shop 1.0 and classified as problematic. Affected by this vulnerability is the function registration of the file oews/classes/Users.php of the component POST Request Handler. The manipulation of the argument firstname/middlename/lastname/email/contact leads to cross site scripting. The attack can be launched remotely. The identifier VDB-220369 was assigned to this vulnerability. | |||||
| CVE-2023-0333 | 1 Templatesnext | 1 Templatesnext Toolkit | 2023-02-15 | N/A | 5.4 MEDIUM |
| The TemplatesNext ToolKit WordPress plugin before 3.2.9 does not validate some of its shortcode attributes before using them to generate an HTML tag, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2023-0360 | 1 Shapedplugin | 1 Location Weather | 2023-02-15 | N/A | 5.4 MEDIUM |
| The Location Weather WordPress plugin before 1.3.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-0275 | 1 Tipsandtricks-hq | 1 Easy Accept Payments For Paypal | 2023-02-15 | N/A | 5.4 MEDIUM |
| The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-0373 | 1 Smartwp | 1 Lightweight Accordion | 2023-02-15 | N/A | 5.4 MEDIUM |
| The Lightweight Accordion WordPress plugin before 1.5.15 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2023-0362 | 1 Themify | 1 Portfolio Post | 2023-02-15 | N/A | 5.4 MEDIUM |
| Themify Portfolio Post WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-0169 | 1 Zohocorp | 1 Zoho Forms | 2023-02-15 | N/A | 5.4 MEDIUM |
| The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-0166 | 1 Pickplugins | 1 Product Slider For Woocommerce | 2023-02-15 | N/A | 5.4 MEDIUM |
| The Product Slider for WooCommerce by PickPlugins WordPress plugin before 1.13.42 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-0379 | 1 Rebelcode | 1 Spotlight Social Feeds | 2023-02-15 | N/A | 5.4 MEDIUM |
| The Spotlight Social Feeds WordPress plugin before 1.4.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2023-0270 | 1 Yamaps Project | 1 Yamaps | 2023-02-15 | N/A | 5.4 MEDIUM |
| The YaMaps for WordPress Plugin WordPress plugin before 0.6.26 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-0177 | 1 Wpdevart | 1 Social Like Box And Page | 2023-02-15 | N/A | 5.4 MEDIUM |
| The Social Like Box and Page by WpDevArt WordPress plugin before 0.8.41 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2019-11281 | 4 Debian, Fedoraproject, Pivotal Software and 1 more | 5 Debian Linux, Fedora, Rabbitmq and 2 more | 2023-02-14 | 3.5 LOW | 4.8 MEDIUM |
| Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information. | |||||
| CVE-2021-24388 | 1 E4j | 1 Vikrentcar Car Rental Management System | 2023-02-14 | 3.5 LOW | 5.4 MEDIUM |
| In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it. | |||||
| CVE-2021-24487 | 1 Sanskruti | 1 St-daily-tip | 2023-02-14 | 6.8 MEDIUM | 8.8 HIGH |
| The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24434 | 1 Codeblab | 1 Glass | 2023-02-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2023-23942 | 1 Nextcloud | 1 Desktop | 2023-02-14 | N/A | 6.1 MEDIUM |
| The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue. | |||||
| CVE-2022-45441 | 1 Zyxel | 2 Nbg-418n, Nbg-418n Firmware | 2023-02-14 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.13)C0, which could allow an attacker to store malicious scripts in the Logs page of the GUI on a vulnerable device. A successful XSS attack could force an authenticated user to execute the stored malicious scripts and then result in a denial-of-service (DoS) condition when the user visits the Logs page of the GUI on the device. | |||||
| CVE-2023-23849 | 1 Synopsys | 1 Coverity | 2023-02-14 | N/A | 6.1 MEDIUM |
| Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability. Any web service hosted on the same sub domain can set a cookie for the whole subdomain which can be used to bypass other mitigations in place for malicious purposes. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C | |||||