Total: 210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2021-41542 | 1 Siemens | 2 Climatix Pol909, Climatix Pol909 Firmware | 2022-03-11 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). The User Management page of affected devices is vulnerable to cross-site scripting (XSS). The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions. |
CVE-2021-41541 | 1 Siemens | 2 Climatix Pol909, Climatix Pol909 Firmware | 2022-03-11 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). The Group Management page of affected devices is vulnerable to cross-site scripting (XSS). The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions. |
CVE-2022-26317 | 1 Mendix | 1 Mendix | 2022-03-11 | 4.0 MEDIUM | 6.5 MEDIUM | A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29). When returning the result of a completed Microflow execution call, the affected framework does not correctly verify whether the request was initially made by the user requesting the result. Together with predictable identifiers for Microflow execution calls, this could allow a malicious attacker to retrieve information about arbitrary Microflow execution calls made by users within the affected system. |
CVE-2021-24821 | 1 Nicdark | 1 Cost Calculator | 2022-03-11 | 3.5 LOW | 5.4 MEDIUM | The Cost Calculator WordPress plugin before 1.6 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator > Price Settings (which gets injected on the edit page as well as any page that embeds the calculator using the shortcode), as well as the Text Preview field of a Project (injected on the edit project page). |
CVE-2022-0877 | 1 Bookstackapp | 1 Bookstack | 2022-03-11 | 3.5 LOW | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository bookstackapp/bookstack prior to v22.02.3. |
CVE-2021-24810 | 1 Wp-eventmanager | 1 Wp Event Manager | 2022-03-11 | 3.5 LOW | 4.8 MEDIUM | The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
CVE-2022-0756 | 1 Salesagility | 1 Suitecrm | 2022-03-11 | 4.0 MEDIUM | 6.5 MEDIUM | Improper Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5. |
CVE-2021-24778 | 1 Wpaffiliatefeed | 1 Tradetracker-store | 2022-03-11 | 6.5 MEDIUM | 7.2 HIGH | The test parameter of the xmlfeed in the Tradetracker-Store WordPress plugin before 4.6.60 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. |
CVE-2022-0755 | 1 Salesagility | 1 Suitecrm | 2022-03-11 | 4.0 MEDIUM | 4.3 MEDIUM | Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.12.5. |
CVE-2021-24777 | 1 Hotscot | 1 Contact Form | 2022-03-11 | 6.5 MEDIUM | 7.2 HIGH | The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a GET request with the sub_id parameter, which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to an SQL injection. |
CVE-2022-0754 | 1 Salesagility | 1 Suitecrm | 2022-03-11 | 4.0 MEDIUM | 6.5 MEDIUM | SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5. |
CVE-2022-0535 | 1 E2pdf | 1 E2pdf | 2022-03-11 | 3.5 LOW | 4.8 MEDIUM | The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
CVE-2021-24216 | 1 Servmask | 1 One-stop Wp Migration | 2022-03-11 | 6.5 MEDIUM | 7.2 HIGH | The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations. |
CVE-2022-0533 | 1 Metaphorcreations | 1 Ditty | 2022-03-11 | 4.3 MEDIUM | 6.1 MEDIUM | The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability. |
CVE-2022-0448 | 1 Dwbooster | 1 Cp Blocks | 2022-03-11 | 3.5 LOW | 4.8 MEDIUM | The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
CVE-2022-0445 | 1 Devowl | 1 Wordpress Real Cookie Banner | 2022-03-11 | 4.3 MEDIUM | 6.5 MEDIUM | The WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent WordPress plugin before 2.14.2 does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack. |
CVE-2022-0442 | 1 Ayecode | 1 Userswp | 2022-03-11 | 4.0 MEDIUM | 4.3 MEDIUM | The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another user's avatar. |
CVE-2021-44749 | 1 F-secure | 1 Safe | 2022-03-11 | 4.3 MEDIUM | 9.6 CRITICAL | A vulnerability affecting F-Secure SAFE browser protection was discovered: improper URL handling can be triggered to cause universal cross-site scripting through browsing protection in a SAFE web browser. User interaction is required prior to exploitation. A successful exploitation may lead to arbitrary code execution. |
CVE-2022-0441 | 1 Stylemixthemes | 1 Masterstudy Lms | 2022-03-11 | 7.5 HIGH | 9.8 CRITICAL | The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin. |
CVE-2022-0439 | 1 Icegram | 1 Email Subscribers & Newsletters | 2022-03-11 | 6.5 MEDIUM | 8.8 HIGH | The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged in user into performing the action by clicking a link. |