Export limit exceeded: 47137 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (47137 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-3128 | 1 Donation Thermometer Project | 1 Donation Thermometer | 2024-11-21 | 4.8 Medium |
| The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2022-3127 | 1 Diagrams | 1 Drawio | 2024-11-21 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8. | ||||
| CVE-2022-3123 | 2 Dokuwiki, Fedoraproject | 2 Dokuwiki, Fedora | 2024-11-21 | 6.1 Medium |
| Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a. | ||||
| CVE-2022-3072 | 1 Rosariosis | 1 Rosariosis | 2024-11-21 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 8.9.3. | ||||
| CVE-2022-3036 | 1 Gettext Override Translations Project | 1 Gettext Override Translations | 2024-11-21 | 4.8 Medium |
| The Gettext override translations WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2022-3035 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 4.8 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.0.11. | ||||
| CVE-2022-3021 | 1 Diywebmastery | 1 Slickr Flickr | 2024-11-21 | 4.8 Medium |
| The Slickr Flickr WordPress plugin through 2.8.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2022-3002 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2024-11-21 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | ||||
| CVE-2022-39988 | 1 Centreon | 1 Centreon | 2024-11-21 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in Centreon 22.04.0 allows attackers to execute arbitrary web script or HTML via a crafted payload injected into the Service>Templates service_alias parameter. | ||||
| CVE-2022-39950 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-11-21 | 8 High |
| An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAnalyzer 6.0.0 all versions, 6.2.0 all versions, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.4. Report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281. | ||||
| CVE-2022-39840 | 1 Cotonti | 1 Cotonti Siena | 2024-11-21 | 4.8 Medium |
| Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a direct message (DM). | ||||
| CVE-2022-39839 | 1 Cotonti | 1 Cotonti Siena | 2024-11-21 | 4.8 Medium |
| Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a forum post. | ||||
| CVE-2022-39824 | 1 Appsmith | 1 Appsmith | 2024-11-21 | 8.9 High |
| Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak. | ||||
| CVE-2022-39810 | 1 Wso2 | 1 Enterprise Integrator | 2024-11-21 | 6.1 Medium |
| An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible. | ||||
| CVE-2022-39809 | 1 Wso2 | 1 Enterprise Integrator | 2024-11-21 | 6.1 Medium |
| An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible. | ||||
| CVE-2022-39800 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-21 | 6.1 Medium |
| SAP BusinessObjects BI LaunchPad - versions 420, 430, is susceptible to script execution attack by an unauthenticated attacker due to improper sanitization of the user inputs while interacting on the network. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | ||||
| CVE-2022-39172 | 1 Viva-project | 1 Openviva | 2024-11-21 | 5.4 Medium |
| A stored XSS in the process overview (bersicht zugewiesener Vorgaenge) in mbsupport openVIVA c2 20220101 allows a remote, authenticated, low-privileged attacker to execute arbitrary code in the victim's browser via name field of a process. | ||||
| CVE-2022-39050 | 1 Otrs | 1 Otrs | 2024-11-21 | 4.6 Medium |
| An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap | ||||
| CVE-2022-39049 | 1 Otrs | 1 Otrs | 2024-11-21 | 3.5 Low |
| An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. | ||||
| CVE-2022-38972 | 1 Ark-web | 1 A-form | 2024-11-21 | 6.1 Medium |
| Cross-site scripting vulnerability in Movable Type plugin A-Form versions prior to 4.1.1 (for Movable Type 7 Series) and versions prior to 3.9.1 (for Movable Type 6 Series) allows a remote unauthenticated attacker to inject an arbitrary script. | ||||