Total: 21765 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-47195 | 1 Ghost | 1 Ghost | 2023-01-27 | N/A | 5.4 MEDIUM | An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject JavaScript in a post to trick an administrator into visiting the post. A stored XSS vulnerability exists in the `facebook` field for a user.
CVE-2022-40844 | 1 Tenda | 2 Ac1200 V-w15ev2, W15e Firmware | 2023-01-27 | N/A | 5.4 MEDIUM | In Tenda (Shenzhen Tenda Technology Co., Ltd) AC1200 Router model W15Ev2 V15.11.0.10(1576), a Stored Cross Site Scripting (XSS) issue exists allowing an attacker to execute JavaScript code via the application's website filtering tab, specifically the URL body.
CVE-2022-40846 | 1 Tenda | 2 Ac1200 V-w15ev2, W15e Firmware | 2023-01-27 | N/A | 4.8 MEDIUM | In Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576), a Stored Cross Site Scripting (XSS) vulnerability exists allowing an attacker to execute JavaScript code via the application's stored hostname.
CVE-2023-24026 | 1 Misp-project | 1 Misp | 2023-01-27 | N/A | 6.1 MEDIUM | In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
CVE-2023-22594 | 3 Ibm, Microsoft, Redhat | 5 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak and 2 more | 2023-01-27 | N/A | 5.4 MEDIUM | IBM Robotic Process Automation for Cloud Pak 20.12.0 through 21.0.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 244075.
CVE-2023-24027 | 1 Misp | 1 Misp | 2023-01-27 | N/A | 6.1 MEDIUM | In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.
CVE-2022-41441 | 1 Reqlogic | 1 Reqlogic | 2023-01-27 | N/A | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in ReQlogic v11.3 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the POBatch and WaitDuration parameters.
CVE-2022-42747 | 1 Auieo | 1 Candidats | 2023-01-26 | N/A | 6.1 MEDIUM | CandidATS version 3.0.0, on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
CVE-2022-42748 | 1 Auieo | 1 Candidats | 2023-01-26 | N/A | 6.1 MEDIUM | CandidATS version 3.0.0, on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
CVE-2022-42746 | 1 Auieo | 1 Candidats | 2023-01-26 | N/A | 6.1 MEDIUM | CandidATS version 3.0.0, on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
CVE-2022-42749 | 1 Auieo | 1 Candidats | 2023-01-26 | N/A | 6.1 MEDIUM | CandidATS version 3.0.0, on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
CVE-2023-23491 | 1 Fullworksplugins | 1 Quick Event Manager | 2023-01-26 | N/A | 6.1 MEDIUM | The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected by a reflected cross-site scripting vulnerability in the 'category' parameter of its 'qem_ajax_calendar' action.
CVE-2023-22373 | 1 Contec | 1 Conprosys Hmi System | 2023-01-26 | N/A | 5.4 MEDIUM | Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain sensitive information.
CVE-2023-22910 | 1 Mediawiki | 1 Mediawiki | 2023-01-26 | N/A | 5.4 MEDIUM | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.
CVE-2023-23024 | 1 Book Store Management System Project | 1 Book Store Management System | 2023-01-26 | N/A | 6.1 MEDIUM | Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the writer parameter.
CVE-2023-23015 | 1 Kalkun Project | 1 Kalkun | 2023-01-26 | N/A | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php.
CVE-2022-20967 | 1 Cisco | 1 Identity Services Engine | 2023-01-26 | N/A | 5.4 MEDIUM | A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application's web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML or script code. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks. Cisco has not yet released software updates that address this vulnerability.
CVE-2022-20966 | 1 Cisco | 1 Identity Services Engine | 2023-01-26 | N/A | 5.4 MEDIUM | A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application's web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML or script code. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks. Cisco has not yet released software updates that address this vulnerability.
CVE-2022-4544 | 1 Wpchill | 1 Mashshare | 2023-01-26 | N/A | 5.4 MEDIUM | The MashShare WordPress plugin before 3.8.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks that could be used against high-privilege users such as admins.
CVE-2022-40697 | 1 3commarketing | 1 3com-asesor-de-cookies | 2023-01-26 | N/A | 4.8 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in the 3com – Asesor de Cookies para normativa española plugin, versions <= 3.4.3.