Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26955 | 1 Onekeyadmin Project | 1 Onekeyadmin | 2023-03-13 | N/A | 5.4 MEDIUM |
| onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Admin Group module. | |||||
| CVE-2021-44197 | 1 Ubit | 1 Student Information Management System | 2023-03-13 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System.This issue affects Student Information Management System: before 20211126. | |||||
| CVE-2023-0068 | 1 Product Gtin \(ean\, Upc\, Isbn\) For Woocommerce Project | 1 Product Gtin \(ean\, Upc\, Isbn\) For Woocommerce | 2023-03-13 | N/A | 5.4 MEDIUM |
| The Product GTIN (EAN, UPC, ISBN) for WooCommerce WordPress plugin through 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-27474 | 1 Rangerstudio | 1 Directus | 2023-03-13 | N/A | 5.4 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to the servers domain but which may contain malicious code. The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset url from the configured allow list. Users are advised to upgrade. Users unable to upgrade may disable the custom reset URL allow list as a workaround. | |||||
| CVE-2022-42248 | 1 Qlik | 1 Qlikview | 2023-03-13 | N/A | 5.4 MEDIUM |
| QlikView 12.60.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the QvsViewClient functionality. | |||||
| CVE-2023-22438 | 1 Ec-cube | 1 Ec-cube | 2023-03-13 | N/A | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script. | |||||
| CVE-2023-22838 | 1 Ec-cube | 1 Ec-cube | 2023-03-13 | N/A | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script. | |||||
| CVE-2023-25077 | 1 Ec-cube | 1 Ec-cube | 2023-03-13 | N/A | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script. | |||||
| CVE-2022-4042 | 1 Paytium | 1 Paytium | 2023-03-13 | N/A | 4.8 MEDIUM |
| The Paytium: Mollie payment forms & donations WordPress plugin before 4.3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-4330 | 1 Wp Attachments Project | 1 Wp Attachments | 2023-03-13 | N/A | 4.8 MEDIUM |
| The WP Attachments WordPress plugin before 5.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-4928 | 1 Learnetic | 1 Icplayer | 2023-03-13 | N/A | 6.1 MEDIUM |
| A vulnerability was found in icplayer up to 0.819. It has been declared as problematic. Affected by this vulnerability is the function AddonText_Selection_create of the file addons/Text_Selection/src/presenter.js. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.820 is able to address this issue. The name of the patch is 2223628e6db1df73f6d633d2c0422d995990f0a3. It is recommended to upgrade the affected component. The identifier VDB-222289 was assigned to this vulnerability. | |||||
| CVE-2022-4929 | 1 Learnetic | 1 Icplayer | 2023-03-13 | N/A | 6.1 MEDIUM |
| A vulnerability was found in icplayer up to 0.818. It has been rated as problematic. Affected by this issue is some unknown functionality of the file addons/Commons/src/tts-utils.js. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 0.819 is able to address this issue. The name of the patch is fa785969f213c76384f1fe67d47b17d57fcc60c8. It is recommended to upgrade the affected component. VDB-222290 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-44875 | 1 Kioware | 1 Kiowave | 2023-03-13 | N/A | 5.4 MEDIUM |
| KioWare through 8.33 on Windows sets KioScriptingUrlACL.AclActions.AllowHigh for the about:blank origin, which allows attackers to obtain SYSTEM access via KioUtils.Execute in JavaScript code. | |||||
| CVE-2023-26491 | 1 Rsshub | 1 Rsshub | 2023-03-13 | N/A | 6.1 MEDIUM |
| RSSHub is an open source and extensible RSS feed generator. When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. This vulnerability was fixed in version c910c4d28717fb860fbe064736641f379fab2c91. Please upgrade to this or a later version, there are no known workarounds. | |||||
| CVE-2015-10089 | 1 Flame.js Project | 1 Flame.js | 2023-03-13 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in flame.js. This affects an unknown part. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The name of the patch is e6c49b5f6179e31a534b7c3264e1d36aa99728ac. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222291. | |||||
| CVE-2006-10001 | 1 Pluginmirror | 1 Subscribe To Comments | 2023-03-13 | N/A | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Subscribe to Comments Plugin up to 2.0.7. This affects an unknown part of the file subscribe-to-comments.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.0.8 is able to address this issue. The name of the patch is 9683bdf462fcac2f32b33be98f0b96497fbd1bb6. It is recommended to upgrade the affected component. The identifier VDB-222321 was assigned to this vulnerability. | |||||
| CVE-2023-27641 | 1 Lsoft | 1 Listserv | 2023-03-13 | N/A | 6.1 MEDIUM |
| The REPORT (after z but before a) parameter in wa.exe in L-Soft LISTSERV 16.5 before 17 allows an attacker to conduct XSS attacks via a crafted URL. | |||||
| CVE-2021-36401 | 1 Moodle | 1 Moodle | 2023-03-13 | N/A | 4.8 MEDIUM |
| In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk. | |||||
| CVE-2021-36713 | 1 Sprymedia | 1 Datatables | 2023-03-13 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the DataTables plug-in 1.9.2 for jQuery allows attackers to run arbitrary code via the sBaseName parameter to function _fnCreateCookie. NOTE: 1.9.2 is a version from 2012. | |||||
| CVE-2021-36399 | 1 Moodle | 1 Moodle | 2023-03-13 | N/A | 5.4 MEDIUM |
| In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk. | |||||