Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4456 | 1 Fallingfruit | 1 Falling-fruit | 2022-12-19 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in falling-fruit and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 15adb8e1ea1f1c3e3d152fc266071f621ef0c621. It is recommended to apply a patch to fix this issue. VDB-215446 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-28703 | 1 Lansweeper | 1 Lansweeper | 2022-12-19 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-32763 | 1 Lansweeper | 1 Lansweeper | 2022-12-19 | N/A | 6.1 MEDIUM |
| A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-36572 | 1 Feehi | 1 Feehicms | 2022-12-19 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Feehi CMS thru 2.1.1 allows attackers to run arbitrary code via the user name field of the login page. | |||||
| CVE-2020-36607 | 1 Feehi | 1 Feehicms | 2022-12-16 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via tha lang attribute of an html tag. | |||||
| CVE-2021-36573 | 1 Feehi | 1 Feehicms | 2022-12-16 | N/A | 5.4 MEDIUM |
| File Upload vulnerability in Feehi CMS thru 2.1.1 allows attackers to run arbitrary code via crafted image upload. | |||||
| CVE-2020-20589 | 1 Feehi | 1 Feehicms | 2022-12-16 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via tha lang attribute of an html tag. | |||||
| CVE-2022-4410 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2022-12-16 | N/A | 5.4 MEDIUM |
| The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including 2.2.20.3 due to improper output escaping on post/page/media titles. This makes it possible for attackers to inject arbitrary web scripts on the permalink-manager page if another plugin or theme is installed on the site that allows lower privileged users with unfiltered_html the ability to modify post/page titles with malicious web scripts. | |||||
| CVE-2022-23519 | 1 Rails Html Sanitizer Project | 1 Rails Html Sanitizer | 2022-12-16 | N/A | 6.1 MEDIUM |
| rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both "math" and "style" elements, or allow both "svg" and "style" elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version 1.4.4. All users overriding the allowed tags to include "math" or "svg" and "style" should either upgrade or use the following workaround immediately: Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags. | |||||
| CVE-2022-23520 | 1 Rails Html Sanitizer Project | 1 Rails Html Sanitizer | 2022-12-16 | N/A | 6.1 MEDIUM |
| rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version 1.4.4. All users overriding the allowed tags to include both "select" and "style" should either upgrade or use this workaround: Remove either "select" or "style" from the overridden allowed tags. NOTE: Code is _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize. | |||||
| CVE-2022-31358 | 1 Proxmox | 1 Virtual Environment | 2022-12-16 | N/A | 9.0 CRITICAL |
| A reflected cross-site scripting (XSS) vulnerability in Proxmox Virtual Environment prior to v7.2-3 allows remote attackers to execute arbitrary web scripts or HTML via non-existent endpoints under path /api2/html/. | |||||
| CVE-2022-23518 | 2 Loofah Project, Rails Html Sanitizer Project | 2 Loofah, Rails Html Sanitizer | 2022-12-16 | N/A | 6.1 MEDIUM |
| rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4. | |||||
| CVE-2022-38628 | 1 Niceforyou | 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware | 2022-12-16 | N/A | 6.1 MEDIUM |
| Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors. | |||||
| CVE-2022-4207 | 1 Oxilab | 1 Image Hover Effects Ultimate | 2022-12-16 | N/A | 5.4 MEDIUM |
| The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several values that can be added to an Image Hover in versions 9.8.1 to 9.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users. | |||||
| CVE-2022-3073 | 1 Weidmueller | 18 19 Iot Md01 Lan H4 S0011, 19 Iot Md01 Lan H4 S0011 Firmware, Fp Iot Md01 4eu S2 00000 and 15 more | 2022-12-16 | N/A | 6.1 MEDIUM |
| Quanos "SCHEMA ST4" example web templates in version Bootstrap 2019 v2/2021 v1/2022 v1/2022 SP1 v1 or below are prone to JavaScript injection allowing a remote attacker to hijack existing sessions to e.g. other web services in the same environment or execute scripts in the users browser environment. The affected script is '*-schema.js'. | |||||
| CVE-2020-9419 | 1 Arcadyan | 2 Vrv9506jac23, Vrv9506jac23 Firmware | 2022-12-16 | N/A | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in Arcadyan Wifi routers VRV9506JAC23 allow remote attackers to inject arbitrary web script or HTML via the hostName and domain_name parameters present in the LAN configuration section of the administrative dashboard. | |||||
| CVE-2022-23499 | 1 Typo3 | 1 Html Sanitizer | 2022-12-16 | N/A | 6.1 MEDIUM |
| HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 or 2.1.1, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized due to a parsing issue in the upstream package masterminds/html5. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. The upstream package masterminds/html5 provides HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting. This issue has been fixed in versions 1.5.0 and 2.1.1. | |||||
| CVE-2022-42141 | 1 Deltaww | 2 Dx-2100-l1-cn, Dx-2100-l1-cn Firmware | 2022-12-16 | N/A | 5.4 MEDIUM |
| Delta Electronics DX-2100-L1-CN 2.42 is vulnerable to Cross Site Scripting (XSS) via lform/urlfilter. | |||||
| CVE-2022-43996 | 1 Csaf Provider Project | 1 Csaf Provider | 2022-12-16 | N/A | 5.4 MEDIUM |
| The csaf_provider package before 0.8.2 allows XSS via a crafted CSAF document uploaded as text/html. The endpoint upload allows valid CSAF advisories (JSON format) to be uploaded with Content-Type text/html and filenames ending in .html. When subsequently accessed via web browser, these advisories are served and interpreted as HTML pages. Such uploaded advisories can contain JavaScript code that will execute within the browser context of users inspecting the advisory. | |||||
| CVE-2022-46381 | 1 Niceforyou | 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware | 2022-12-16 | N/A | 6.1 MEDIUM |
| Certain Linear eMerge E3-Series devices are vulnerable to XSS via the type parameter (e.g., to the badging/badge_template_v0.php component). This affects 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e. | |||||