Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-40435 | 1 Employee Performance Evaluation System Project | 1 Employee Performance Evaluation System | 2022-12-27 | N/A | 4.8 MEDIUM | Employee Performance Evaluation System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via adding new entries under the Departments and Designations module. |
CVE-2022-23543 | 1 Silverwaregames | 1 Silverwaregames | 2022-12-27 | N/A | 5.4 MEDIUM | Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, and the site will generate the related `<iframe>` when the post is published. The handler has some sort of protection so that non-YouTube links can't be posted, and HTML tags are stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert("xss")`) to the `<iframe>`. This issue was fixed in version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time. |
CVE-2022-4647 | 1 Microweber | 1 Microweber | 2022-12-24 | N/A | 6.1 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2. |
CVE-2022-4617 | 1 Microweber | 1 Microweber | 2022-12-24 | N/A | 6.1 MEDIUM | Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2. |
CVE-2022-4614 | 1 Znote | 1 Znote | 2022-12-23 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository alagrede/znote-app prior to 1.7.11. |
CVE-2022-4615 | 1 Open-emr | 1 Openemr | 2022-12-23 | N/A | 6.1 MEDIUM | Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2. |
CVE-2022-39160 | 1 Ibm | 1 Cognos Analytics | 2022-12-23 | N/A | 6.1 MEDIUM | IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 235064. |
CVE-2022-4609 | 1 Usememos | 1 Memos | 2022-12-23 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0. |
CVE-2022-4112 | 1 Vms-studio | 1 Quizlord | 2022-12-23 | N/A | 4.8 MEDIUM | The Quizlord WordPress plugin through 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). |
CVE-2022-38653 | 1 Hcltech | 1 Digital Experience | 2022-12-23 | N/A | 5.4 MEDIUM | In HCL Digital Experience, a customized XSS payload can be constructed such that it is served in the application unencoded. |
CVE-2022-31029 | 1 Pi-hole | 1 Adminlte | 2022-12-23 | 3.5 LOW | 4.8 MEDIUM | AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions, inserting code like `<script>alert("XSS")</script>` in the field marked "Domain to look for" and pressing Enter (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to Pi-hole, minimizing the risk. Users are advised to upgrade. There are no known workarounds for this issue. |
CVE-2022-3832 | 1 External Media Project | 1 External Media | 2022-12-22 | N/A | 4.8 MEDIUM | The External Media WordPress plugin before 1.0.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). |
CVE-2022-3937 | 1 Noorsplugin | 1 Easy Video Player | 2022-12-22 | N/A | 5.4 MEDIUM | The Easy Video Player WordPress plugin before 1.2.2.3 does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
CVE-2022-4058 | 1 10web | 1 Photo Gallery | 2022-12-22 | N/A | 5.4 MEDIUM | The Photo Gallery by 10Web WordPress plugin before 1.8.3 does not validate and escape some parameters before outputting them back in JS code later on in another page, which could lead to a Stored XSS issue when an attacker makes a logged-in admin open a malicious URL or page under their control. |
CVE-2022-3985 | 1 Wphowto | 1 Videojs Html5 Player | 2022-12-22 | N/A | 5.4 MEDIUM | The Videojs HTML5 Player WordPress plugin before 1.1.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
CVE-2022-3983 | 1 Noorsplugin | 1 Checkout For Paypal | 2022-12-22 | N/A | 5.4 MEDIUM | The Checkout for PayPal WordPress plugin before 1.0.14 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
CVE-2022-3984 | 1 Wphowto | 1 Flowplayer Video Player | 2022-12-22 | N/A | 5.4 MEDIUM | The Flowplayer Video Player WordPress plugin before 1.0.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
CVE-2022-3987 | 1 Noorsplugin | 1 Responsive Lightbox2 | 2022-12-22 | N/A | 5.4 MEDIUM | The Responsive Lightbox2 WordPress plugin before 1.0.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
CVE-2022-3986 | 1 Noorsplugin | 1 Wp Stripe Checkout | 2022-12-22 | N/A | 5.4 MEDIUM | The WP Stripe Checkout WordPress plugin before 1.2.2.21 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
CVE-2022-24399 | 1 Sap | 1 Focused Run | 2022-12-22 | 4.3 MEDIUM | 6.1 MEDIUM | The SAP Focused Run (Real User Monitoring) REST service, versions 200 and 300, does not sufficiently sanitize the input name of the file uploaded using multipart/form-data, resulting in a Cross-Site Scripting (XSS) vulnerability. |