Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-31740 | 1 Seppmail | 1 Seppmail | 2022-12-02 | N/A | 6.1 MEDIUM | In SEPPMail's web frontend, user input is not embedded correctly in the web page and therefore leads to cross-site scripting (XSS) vulnerabilities.
CVE-2022-40849 | 1 Thinkcmf | 1 Thinkcmf | 2022-12-02 | N/A | 5.4 MEDIUM | ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a persistent XSS payload in the Slideshow Management section that executes arbitrary JavaScript code on the client side, e.g., to steal the administrator's PHP session token (PHPSESSID).
CVE-2022-38803 | 1 Zkteco | 1 Biotime | 2022-12-02 | N/A | 6.8 MEDIUM | Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, Overtime and Manual Log. An authenticated employee can read local files by exploiting XSS in the PDF generator when exporting data as a PDF.
CVE-2022-38802 | 1 Zkteco | 1 Biotime | 2022-12-02 | N/A | 6.2 MEDIUM | Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Resign, Private Message, Manual Log, Time Interval, Attshift and Holiday. An authenticated administrator can read local files by exploiting XSS in the PDF generator when exporting data as a PDF.
CVE-2022-4234 | 1 Canteen Management System Project | 1 Canteen Management System | 2022-12-02 | N/A | 6.1 MEDIUM | A vulnerability was found in SourceCodester Canteen Management System. It has been rated as problematic. This issue affects the function builtin_echo of the file youthappam/brand.php. The manipulation of the argument brand_name leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214595.
CVE-2022-38801 | 1 Zkteco | 1 Biotime | 2022-12-02 | N/A | 5.4 MEDIUM | In Zkteco BioTime < 8.5.3 Build:20200816.447, an employee can hijack an administrator's session and cookies using blind cross-site scripting.
CVE-2022-4233 | 1 Event Registration System Project | 1 Event Registration System | 2022-12-02 | N/A | 6.1 MEDIUM | A vulnerability has been found in SourceCodester Event Registration System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /event/admin/?page=user/list. The manipulation of the argument First Name/Last Name leads to cross-site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-214591.
CVE-2022-46147 | 1 Openedx | 1 Xblock-drag-and-drop-v2 | 2022-12-01 | N/A | 6.1 MEDIUM | Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds.
CVE-2022-44284 | 1 Dinstar | 2 Dag2000-16o, Dag2000-16o Firmware | 2022-12-01 | N/A | 5.4 MEDIUM | Dinstar FXO Analog VoIP Gateway DAG2000-16O is vulnerable to Cross-Site Scripting (XSS).
CVE-2022-4032 | 1 Expresstech | 1 Quiz And Survey Master | 2022-12-01 | N/A | 6.1 MEDIUM | The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allows iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames into pages that will execute whenever a user accesses an injected page.
CVE-2022-4035 | 1 Dwbooster | 1 Appointment Hour Booking | 2022-12-01 | N/A | 6.1 MEDIUM | The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the 'email' or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible. This makes it possible for unauthenticated attackers to inject iFrames when submitting a booking that will execute whenever a user accesses the injected booking details page.
CVE-2022-46148 | 1 Discourse | 1 Discourse | 2022-12-01 | N/A | 5.4 MEDIUM | Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the `stable` branch and versions 2.9.0.beta11 and prior on the `beta` and `tests-passed` branches, users composing malicious messages and navigating to the drafts page could self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
CVE-2022-36433 | 1 Amasty | 1 Amasty Blog Pro | 2022-12-01 | N/A | 6.1 MEDIUM | The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the short_content and full_content fields, leading to XSS attacks against admin panel users via posts/preview or posts/save.
CVE-2022-39338 | 1 Nextcloud | 1 Openid Connect User Backend | 2022-12-01 | N/A | 5.4 MEDIUM | user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery URLs, which may lead to a stored cross-site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally, this vulnerability has only been shown to be exploitable in the Safari web browser. This issue has been addressed in version 1.2.1. Users are advised to upgrade. Users unable to upgrade should urge their users to avoid using the Safari web browser.
CVE-2022-44355 | 2 Contec, Contect | 2 Solarview Compact, Solarview Compact Firmware | 2022-12-01 | N/A | 6.1 MEDIUM | SolarView Compact 7.0 is vulnerable to Cross-Site Scripting (XSS) via /network_test.php.
CVE-2022-44279 | 1 Garage Management System Project | 1 Garage Management System | 2022-12-01 | N/A | 6.1 MEDIUM | Garage Management System v1.0 is vulnerable to Cross-Site Scripting (XSS) via /garage/php_action/createBrand.php.
CVE-2022-4027 | 1 Simple-press | 1 Simple:press | 2022-12-01 | N/A | 5.4 MEDIUM | The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during a forum response in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages when responding to forum threads that will execute whenever a user accesses an injected page.
CVE-2022-3896 | 1 Wp Affiliate Platform Project | 1 Wp Affiliate Platform | 2022-12-01 | N/A | 6.1 MEDIUM | The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is unlikely to work in modern browsers.
CVE-2022-3897 | 1 Wp Affiliate Platform Project | 1 Wp Affiliate Platform | 2022-12-01 | N/A | 4.8 MEDIUM | The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
CVE-2022-3991 | 1 Photospace Gallery Project | 1 Photospace Gallery | 2022-12-01 | N/A | 5.4 MEDIUM | The Photospace Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters saved via the update() function in versions up to, and including, 2.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.