Total: 42233 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-23068 | 1 Tooljet | 1 Tooljet | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection: an attacker can inject malicious code into the first name and last name fields while inviting a new user, and the injected content is reflected in the invitation e-mail. |
| CVE-2022-23065 | 1 Vendure | 1 Vendure | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by a stored XSS vulnerability: an attacker with catalog permission can upload an SVG file containing malicious JavaScript via the "Assets" tab. The uploaded file affects administrators as well as regular users. |
| CVE-2022-23060 | 1 Shopizer | 1 Shopizer | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the "Manage files" tab. |
| CVE-2022-23059 | 1 Shopizer | 1 Shopizer | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the "Manage Images" tab, which allows an attacker to upload an SVG file containing malicious JavaScript code. |
| CVE-2022-23058 | 1 Frappe | 1 Erpnext | 2024-11-21 | 3.5 LOW | N/A | ERPNext versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low-privileged users to store malicious scripts in the 'username' field in 'my settings', which can lead to full account takeover. |
| CVE-2022-23057 | 1 Frappe | 1 Erpnext | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | ERPNext versions v12.0.9-v13.0.3 are vulnerable to stored cross-site scripting (XSS) because user input is not validated properly. A low-privileged attacker could inject arbitrary code into input fields when editing their profile. |
| CVE-2022-23056 | 1 Frappe | 1 Erpnext | 2024-11-21 | 3.5 LOW | N/A | ERPNext versions v13.0.0-beta.13 through v13.30.0 are vulnerable to stored XSS on the Patient History page, which allows a low-privileged user to conduct an account takeover attack. |
| CVE-2022-23054 | 1 Nasa | 1 Openmct | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Openmct versions 1.3.0 to 1.7.7 are vulnerable to stored XSS via the "Summary Widget" element, which allows the injection of malicious JavaScript into the 'URL' field. This issue affects nasa openmct version 1.7.7 and prior versions, and version 1.3.0 and later versions. |
| CVE-2022-23053 | 1 Nasa | 1 Openmct | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Openmct versions 1.3.0 to 1.7.7 are vulnerable to stored XSS via the "Condition Widget" element, which allows the injection of malicious JavaScript into the 'URL' field. This issue affects nasa openmct version 1.7.7 and prior versions, and version 1.3.0 and later versions. |
| CVE-2022-23051 | 1 Petereport Project | 1 Petereport | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | PeteReport version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an 'Attack Tree' by modifying the 'svg_file' parameter. |
| CVE-2022-23049 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code via the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript is triggered, allowing an attacker to compromise the administrator session. |
| CVE-2022-23047 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code into the "Site/Organization Name", "Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site". |
| CVE-2022-23045 | 1 Phpipam | 1 Phpipam | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code into the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations, which triggers the XSS. |
| CVE-2022-23013 | 1 F5 | 2 Big-ip Domain Name System, Big-ip Global Traffic Manager | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH | On BIG-IP DNS & GTM version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2022-23008 | 1 F5 | 1 Nginx Controller Api Management | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2022-22999 | 1 Westerndigital | 16 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 13 more | 2024-11-21 | N/A | 8.2 HIGH | Western Digital My Cloud devices are vulnerable to a cross-site scripting vulnerability that can allow a malicious user with elevated privileges and access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components. |
| CVE-2022-22944 | 1 Vmware | 1 Workspace One Boxer | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | VMware Workspace ONE Boxer contains a stored cross-site scripting (XSS) vulnerability. Due to insufficient sanitization and validation of calendar event descriptions in VMware Workspace ONE Boxer, a malicious actor can inject script tags to execute arbitrary script within a user's window. |
| CVE-2022-22868 | 1 Gibbonedu | 1 Gibbon | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Gibbon CMS v22.0.01 was discovered to contain a cross-site scripting (XSS) vulnerability that allows attackers to inject arbitrary script via name parameters. |
| CVE-2022-22853 | 1 Hospital's Patient Records Management System Project | 1 Hospital's Patient Records Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Name field. |
| CVE-2022-22852 | 1 Hospital's Patient Records Management System Project | 1 Hospital's Patient Records Management System | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Hospital's Patient Records Management System 1.0 via the description parameter in room_list. |
| CVE-2022-22851 | 1 Hospital's Patient Records Management System Project | 1 Hospital's Patient Records Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Hospital's Patient Records Management System 1.0 via the specialization parameter in doctors.php. |
| CVE-2022-22850 | 1 Hospital's Patient Records Management System Project | 1 Hospital's Patient Records Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Hospital's Patient Records Management System 1.0 via the description parameter in room_types. |
| CVE-2022-22818 | 3 Debian, Djangoproject, Fedoraproject | 3 Debian Linux, Django, Fedora | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. |
| CVE-2022-22812 | 1 Schneider-electric | 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a web session compromise when an attacker injects and then executes arbitrary malicious JavaScript code inside the target browser. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior). |
| CVE-2022-22804 | 1 Schneider-electric | 1 Ecostruxure Power Monitoring Expert | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior). |
| CVE-2022-22791 | 1 Synel | 1 Eharmony | 2024-11-21 | 3.5 LOW | 6.6 MEDIUM | SYNEL eharmony: authenticated blind and stored XSS. Injecting JS code into the "comments" field could lead to theft of cookies and loading of HTML tags and JS code onto the system. |
| CVE-2022-22777 | 1 Tibco | 1 Businessconnect Trading Community Management | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable reflected cross-site scripting (XSS) vulnerabilities that allow an unauthenticated attacker with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below. |
| CVE-2022-22776 | 1 Tibco | 1 Businessconnect Trading Community Management | 2024-11-21 | 3.5 LOW | 8.0 HIGH | The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable vulnerabilities that allow a low-privileged attacker with network access to execute stored cross-site scripting (XSS) on the affected system. A successful attack using these vulnerabilities requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and ... |
| CVE-2022-22775 | 1 Tibco | 2 Bpm Enterprise, Bpm Enterprise Distribution For Silver Fabric | 2024-11-21 | 3.5 LOW | 8.1 HIGH | The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult-to-exploit reflected cross-site scripting (XSS) vulnerabilities that allow low-privileged attackers with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.1 and below and TIBCO BPM Enterprise Distribution for TIBCO Silv ... |
| CVE-2022-22773 | 1 Tibco | 1 Jasperreports Server | 2024-11-21 | 3.5 LOW | 7.7 HIGH | The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains difficult-to-exploit reflected cross-site scripting (XSS) vulnerabilities that allow a low-privileged attacker with network access to execute scripts targeting the affecte ... |
| CVE-2022-22769 | 1 Tibco | 3 Ebx, Ebx Add-ons, Product And Service Catalog Powered By Tibco Ebx | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH | The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX Add-ons, and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low-privileged attacker with network access to execute stored cross-site scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases ... |
| CVE-2022-22682 | 1 Synology | 1 Calendar | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM | Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Event Management in Synology Calendar before 2.4.5-10930 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2022-22577 | 2 Debian, Rubyonrails | 2 Debian Linux, Actionpack | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non-HTML-like responses. |
| CVE-2022-22571 | 1 Ivanti | 1 Incapptic Connect | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An authenticated high-privileged user can perform a stored XSS attack due to incorrect output encoding in Incapptic Connect; this affects all current versions. |
| CVE-2022-22546 | 1 Sap | 1 Businessobjects Web Intelligence | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Due to improper HTML encoding in the input control summary, an authorized attacker can exploit an XSS vulnerability in SAP BusinessObjects Web Intelligence (BI Launchpad) - version 420. |
| CVE-2022-22534 | 1 Sap | 1 Netweaver | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. These endpoints are normally exposed over the network, and successful exploitation can partially impact the confidentiality of the application. |
| CVE-2022-22511 | 1 Wago | 49 750-8100, 750-8100 Firmware, 750-8101 and 46 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Various configuration pages of the device are vulnerable to reflected XSS (cross-site scripting) attacks. An authorized attacker with user privileges may use this to gain access to confidential information on a PC that connects to the WBM after it has been compromised. |
| CVE-2022-22502 | 1 Ibm | 3 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227124. |
| CVE-2022-22477 | 5 Hp, Ibm, Linux and 2 more | 8 Hp-ux, Aix, I and 5 more | 2024-11-21 | N/A | 6.1 MEDIUM | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 225605. |
| CVE-2022-22456 | 2 Ibm, Linux | 2 Security Verify Governance, Linux Kernel | 2024-11-21 | N/A | 4.2 MEDIUM | IBM Security Verify Governance, Identity Manager 10.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 225004. |