Total: 21765 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-47131 | 1 Creativeitem | 1 Academy Lms | 2023-02-09 | N/A | 4.8 MEDIUM | A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page. |
| CVE-2023-0599 | 1 Rapid7 | 1 Metasploit | 2023-02-09 | N/A | 4.8 MEDIUM | Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross-site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator. |
| CVE-2022-48140 | 1 Dedecms | 1 Dedecms | 2023-02-08 | N/A | 5.4 MEDIUM | DedeCMS v5.7.97 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /file_manage_view.php?fmdo=edit&filename. |
| CVE-2017-18539 | 1 Deepsoft | 1 Weblibrarian | 2023-02-08 | 4.3 MEDIUM | 6.1 MEDIUM | The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front-end shortcodes. |
| CVE-2017-18538 | 1 Deepsoft | 1 Weblibrarian | 2023-02-08 | 4.3 MEDIUM | 6.1 MEDIUM | The weblibrarian plugin before 3.4.8.5 for WordPress has XSS via front-end shortcodes. |
| CVE-2017-18540 | 1 Deepsoft | 1 Weblibrarian | 2023-02-08 | 4.3 MEDIUM | 6.1 MEDIUM | The weblibrarian plugin before 3.4.8.7 for WordPress has XSS via front-end shortcodes. |
| CVE-2019-15112 | 1 Wp-slimstat | 1 Slimstat Analytics | 2023-02-08 | 4.3 MEDIUM | 6.1 MEDIUM | The wp-slimstat plugin before 4.8.1 for WordPress has XSS. |
| CVE-2023-24508 | 1 Baicells | 6 Nova227, Nova233, Nova243 and 3 more | 2023-02-08 | N/A | 9.6 CRITICAL | Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injection. Commands are executed using pre-login execution and run with root permissions. The following methods have been tested and validated by a third-party analyst and confirmed exploitable; special thanks to Rustam Amin for providing the steps to reproduce. |
| CVE-2022-47983 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-02-08 | N/A | 5.4 MEDIUM | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 243161. |
| CVE-2022-46934 | 1 Keking | 1 Kkfileview | 2023-02-08 | N/A | 6.1 MEDIUM | kkFileView v4.1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java. |
| CVE-2023-23075 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2023-02-08 | N/A | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation. |
| CVE-2023-0607 | 1 Projectsend | 1 Projectsend | 2023-02-08 | N/A | 4.8 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository projectsend/projectsend prior to r1606. |
| CVE-2023-0608 | 1 Microweber | 1 Microweber | 2023-02-08 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2. |
| CVE-2022-47701 | 1 Comfast Project | 2 Cf-wr623n, Cf-wr623n Firmware | 2023-02-07 | N/A | 6.1 MEDIUM | COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross-Site Scripting (XSS). |
| CVE-2022-47698 | 1 Comfast Project | 2 Cf-wr623n, Cf-wr623n Firmware | 2023-02-07 | N/A | 6.1 MEDIUM | COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross-Site Scripting (XSS) via the URL filtering feature in the router. |
| CVE-2023-23630 | 1 Eta.js | 1 Eta | 2023-02-07 | N/A | 6.1 MEDIUM | Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user-supplied values directly to `res.render`. |
| CVE-2023-0606 | 1 Ampache | 1 Ampache | 2023-02-07 | N/A | 6.1 MEDIUM | Cross-site Scripting (XSS) - Reflected in GitHub repository ampache/ampache prior to 5.5.7. |
| CVE-2022-4763 | 1 Wpzoom | 1 Icon Widget | 2023-02-07 | N/A | 5.4 MEDIUM | The Icon Widget WordPress plugin before 1.3.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins. |
| CVE-2022-39324 | 1 Grafana | 1 Grafana | 2023-02-07 | N/A | 3.5 LOW | Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query with a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the real original dashboard but to the attacker's injected URL. This issue is fixed in versions 8.5.16 and 9.2.8. |
| CVE-2022-23552 | 1 Grafana | 1 Grafana | 2023-02-07 | N/A | 5.4 MEDIUM | Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to an SVG file containing JavaScript, or use the `data:` scheme to load an inline SVG file containing JavaScript. This means that vertical privilege escalation is possible, where a user with the Editor role can change the password of a user with the Admin role to a known value if the Admin user executes the malicious JavaScript while viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix. |