Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-27425 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php. |
| CVE-2022-27422 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL. |
| CVE-2022-27348 | 1 Socialcodia | 1 Social Codia Sms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Social Codia SMS v1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field. |
| CVE-2022-27330 | 1 E-commerce Website Project | 1 E-commerce Website | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Title text field. |
| CVE-2022-27308 | 1 Phprojekt Phpsimplygest Project | 1 Phprojekt Phpsimplygest | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 allows attackers to execute arbitrary web scripts or HTML via a project title. |
| CVE-2022-27280 | 1 Inhandnetworks | 2 Inrouter 900, Inrouter 900 Firmware | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the web_exec parameter at /apply.cgi. |
| CVE-2022-27258 | 1 Hubzilla | 1 Hubzilla | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Hubzilla 7.0.3 and earlier allow a remote attacker to include arbitrary web script or HTML via the rpath parameter. |
| CVE-2022-27246 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. |
| CVE-2022-27244 | 1 Misp | 1 Misp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. |
| CVE-2022-27238 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored cross-site scripting (XSS) in the private chat functionality. A threat actor could inject a JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when the notification about the attacker leaving the room is displayed. |
| CVE-2022-27237 | 1 Ni | 5 Flexlogger, G Web Development Software, Labview and 2 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | There is a cross-site scripting (XSS) vulnerability in an NI Web Server component installed with several NI products. Depending on the product(s) in use, remediation guidance includes: install SystemLink version 2021 R3 or later, install FlexLogger 2022 Q2 or later, install LabVIEW 2021 SP1, install G Web Development 2022 R1 or later, or install Static Test Software Suite version 1.2 or later. |
| CVE-2022-27231 | 1 Veronalabs | 1 Wp Statistics | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed in the web browser of the user who is logging in to the website using the product. |
| CVE-2022-27230 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Guided Configuration | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH | On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP APM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of F5 BIG-IP Guided Configuration that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2022-27213 | 1 Jenkins | 1 Environment Dashboard | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins Environment Dashboard Plugin 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. |
| CVE-2022-27212 | 1 Jenkins | 1 List Git Branches Parameter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins List Git Branches Parameter Plugin 0.0.9 and earlier does not escape the name of the 'List Git branches (and more)' parameter, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2022-27207 | 1 Jenkins | 1 Global-build-stats | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Jenkins global-build-stats Plugin 1.5 and earlier does not escape multiple fields in the chart configuration on the 'Global Build Stats' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. |
| CVE-2022-27202 | 1 Jenkins | 1 Extended Choice Parameter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the value and description of extended choice parameters of radio buttons or check boxes type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2022-27200 | 1 Jenkins | 1 Folder-based Authorization Strategy | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Jenkins Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. |
| CVE-2022-27197 | 1 Jenkins | 1 Dashboard View | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views. |
| CVE-2022-27196 | 1 Jenkins | 1 Favorite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins Favorite Plugin 2.4.0 and earlier does not escape the names of jobs in the favorite column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure or Item/Create permissions. |
| CVE-2022-27183 | 1 Splunk | 1 Splunk | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH | The Monitoring Console app configured in Distributed mode allows for a reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4. The Monitoring Console app is a bundled app included in Splunk Enterprise, not for download on SplunkBase, and not installed on Splunk Cloud Platform instances. Note that the Cloud Monitoring Console is not impacted. |
| CVE-2022-27168 | 1 Litecart | 1 Litecart | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting vulnerability in LiteCart versions prior to 2.4.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. |
| CVE-2022-27166 | 1 Apache | 1 Jspwiki | 2024-11-21 | N/A | 6.1 MEDIUM | A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute JavaScript in the victim's browser and obtain some sensitive information about the victim. |
| CVE-2022-27156 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Daylight Studio Fuel CMS 1.5.1 is vulnerable to HTML injection. |
| CVE-2022-27125 | 1 Zbzcms | 1 Zbzcms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | zbzcms v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the neirong parameter at /php/ajax.php. |
| CVE-2022-27111 | 1 Jflyfox | 1 Jfinal Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend and execute it. |
| CVE-2022-27107 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | OrangeHRM 4.10 is vulnerable to stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter. |
| CVE-2022-27105 | 1 Digitus | 1 Inmailx | 2024-11-21 | N/A | 5.4 MEDIUM | InMailX Outlook Plugin < 3.22.0101 is vulnerable to cross-site scripting (XSS). InMailX Connection names are not sanitized in the Outlook tab, which allows a local user or network administrator to execute HTML / JavaScript in the Outlook of users. |
| CVE-2022-27103 | 1 Element-plus | 1 Element-plus | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | element-plus 2.0.5 is vulnerable to cross-site scripting (XSS) via el-table-column. |
| CVE-2022-27063 | 1 Aerocms Project | 1 Aerocms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via view_all_comments.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field. |
| CVE-2022-27062 | 1 Aerocms Project | 1 Aerocms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field. |
| CVE-2022-26980 | 1 Teampass | 1 Teampass | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO. |
| CVE-2022-26978 | 1 Barco | 1 Control Room Management Suite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, exposes a URL /checklogin.jsp endpoint. The os_username parameter is not correctly sanitized, leading to reflected XSS. |
| CVE-2022-26977 | 1 Barco | 1 Control Room Management Suite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, exposes a license file upload mechanism. Lack of input sanitization in the upload mechanism leads to stored XSS. |
| CVE-2022-26976 | 1 Barco | 1 Control Room Management Suite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, exposes a license file upload mechanism. Lack of input sanitization in the upload mechanism leads to reflected XSS. |
| CVE-2022-26974 | 1 Barco | 1 Control Room Management Suite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, exposes a file upload mechanism. Lack of input sanitization in the upload mechanism leads to reflected XSS. |
| CVE-2022-26972 | 1 Barco | 1 Control Room Management Suite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, exposes a URL /cgi-bin endpoint. The URL parameters are not correctly sanitized, leading to reflected XSS. |
| CVE-2022-26951 | 1 Rsa | 1 Archer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Archer 6.x through 6.10 (6.10.0.0) contains a reflected XSS vulnerability. A remote SAML-unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and gets executed by the web browser in the context of the vulnerable web application. |
| CVE-2022-26947 | 1 Rsa | 1 Archer | 2024-11-21 | 3.5 LOW | 6.3 MEDIUM | Archer 6.x through 6.9 SP3 (6.9.3.0) contains a reflected XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and gets executed by the web browser in the context of the vulnerable web application. |
| CVE-2022-26888 | 1 Intel | 1 Quartus Prime | 2024-11-21 | N/A | 2.8 LOW | Cross-site scripting in the Intel(R) Quartus Prime Pro and Standard edition software may allow an authenticated user to potentially enable information disclosure via local access. |