Vulnerabilities (CVE)

Filtered by CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Total: 38459 CVEs
CVE | Vendors (count: names) | Products (count: names) | Updated | CVSS v2 | CVSS v3
CVE-2022-4249 | 1: Movie Ticket Booking System Project | 1: Movie Ticket Booking System | 2024-11-21 | N/A | 3.5 LOW
A vulnerability, which was classified as problematic, was found in Movie Ticket Booking System. Affected is an unknown function of the component POST Request Handler. The manipulation of the argument ORDER_ID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-214626 is the identifier assigned to this vulnerability.
CVE-2022-4233 | 1: Rinvizle | 1: Event Registration System | 2024-11-21 | N/A | 2.4 LOW
A vulnerability has been found in SourceCodester Event Registration System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /event/admin/?page=user/list. The manipulation of the argument First Name/Last Name leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-214591.
CVE-2022-4214 | 1: Kibokolabs | 1: Chained Quiz | 2024-11-21 | N/A | 6.1 MEDIUM
The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ip' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2022-4137 | 1: Redhat | 3: Enterprise Linux, Keycloak, Single Sign-on | 2024-11-21 | N/A | 8.1 HIGH
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing them to be changed or collected by an attacker.
CVE-2022-4105 | 1: Kiwitcms | 1: Kiwi Tcms | 2024-11-21 | N/A | 5.4 MEDIUM
A stored XSS in a Kiwi TCMS Test Plan can run malicious JavaScript, which could be chained with an HTML injection to perform a UI redressing attack (clickjacking) and with an HTML injection that disables the use of the history page.
CVE-2022-4089 | 1: Stock Management System Project | 1: Stock Management System | 2024-11-21 | N/A | 4.3 MEDIUM
A vulnerability was found in rickxy Stock Management System. It has been declared as problematic. This vulnerability affects unknown code of the file /pages/processlogin.php. The manipulation of the argument user leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214324.
CVE-2022-4069 | 1: Librenms | 1: Librenms | 2024-11-21 | N/A | 4.8 MEDIUM
Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 22.10.0.
CVE-2022-4068 | 1: Librenms | 1: Librenms | 2024-11-21 | N/A | 5.4 MEDIUM
A user is able to re-enable their own account after an admin has disabled it, as long as the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that allows an attacker with a low-privilege user account to execute arbitrary JavaScript in the context of an admin's account.
CVE-2022-4067 | 1: Librenms | 1: Librenms | 2024-11-21 | N/A | 5.4 MEDIUM
Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0.
CVE-2022-4053 | 1: Student Attendance Management System Project | 1: Student Attendance Management System | 2024-11-21 | N/A | 2.4 LOW
A vulnerability was found in Student Attendance Management System. It has been classified as problematic. Affected is an unknown function of the file createClass.php. The manipulation of the argument className leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-213846 is the identifier assigned to this vulnerability.
CVE-2022-4035 | 1: Dwbooster | 1: Appointment Hour Booking | 2024-11-21 | N/A | 7.2 HIGH
The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the 'email' or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible. This makes it possible for unauthenticated attackers to inject iFrames when submitting a booking, which will execute whenever a user accesses the injected booking details page.
CVE-2022-4032 | 1: Expresstech | 1: Quiz And Survey Master | 2024-11-21 | N/A | 7.2 HIGH
The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page.
CVE-2022-4029 | 1: Simple-press | 1: Simple\ | 2024-11-21 | N/A | 4.7 MEDIUM
The Simple:Press plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sforum_[md5 hash of the WordPress URL]' cookie value in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This would be highly complex to exploit, as it would require the attacker to set a cookie for the targeted user.
CVE-2022-4028 | 1: Simple-press | 1: Simple\ | 2024-11-21 | N/A | 6.4 MEDIUM
The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during the profile-save action when modifying a profile signature in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to inject arbitrary web scripts in pages when modifying a profile signature, which will execute whenever a user accesses an injected page.
CVE-2022-4027 | 1: Simple-press | 1: Simple\ | 2024-11-21 | N/A | 7.2 HIGH
The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during a forum response in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when responding to forum threads, which will execute whenever a user accesses an injected page.
CVE-2022-4022 | 1: Benbodhi | 1: Svg Support | 2024-11-21 | N/A | 6.4 MEDIUM
The SVG Support plugin for WordPress defaults to insecure settings in versions 2.5 and 2.5.1. SVG files containing malicious JavaScript are not sanitized. While version 2.5 adds the ability to sanitize images as they are uploaded, the plugin disables sanitization by default and does not restrict SVG upload to administrators only. This allows authenticated attackers with author-level privileges and higher to upload malicious SVG files that can be embedded in posts and pages by higher-privileged users. Additionally, the embedded JavaScript is also triggered on visiting the image URL, which allows an attacker to execute malicious code in browsers visiting that URL.
CVE-2022-4007 | 1: Gitlab | 1: Gitlab | 2024-11-21 | N/A | 5.4 MEDIUM
An issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2. A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims on the client side.
CVE-2022-48614 | 1: Semantic-mediawiki | 1: Semantic Mediawiki | 2024-11-21 | N/A | 6.1 MEDIUM
Special:Ask in Semantic MediaWiki before 4.0.2 allows Reflected XSS.
CVE-2022-48612 | 1: Classlink | 1: Oneclick | 2024-11-21 | N/A | 6.1 MEDIUM
A Universal Cross Site Scripting (UXSS) vulnerability in ClassLink OneClick Extension through 10.7 allows remote attackers to inject JavaScript into any webpage, because a regular expression (validating whether a URL is controlled by ClassLink) is not present in all applicable places.
CVE-2022-48547 | 1: Cacti | 1: Cacti | 2024-11-21 | N/A | 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php.