Total
38456 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3014 | 1 Simple Task Managing System Project | 1 Simple Task Managing System | 2024-11-21 | N/A | 3.5 LOW |
| A vulnerability classified as problematic was found in SourceCodester Simple Task Managing System. This vulnerability affects unknown code. The manipulation of the argument student_add leads to cross site scripting. The attack can be initiated remotely. The identifier of this vulnerability is VDB-207424. | |||||
| CVE-2022-3005 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | |||||
| CVE-2022-3004 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | |||||
| CVE-2022-3002 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | |||||
| CVE-2022-3000 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | |||||
| CVE-2022-39988 | 1 Centreon | 1 Centreon | 2024-11-21 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Centreon 22.04.0 allows attackers to execute arbitrary web script or HTML via a crafted payload injected into the Service>Templates service_alias parameter. | |||||
| CVE-2022-39950 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-11-21 | N/A | 8.0 HIGH |
| An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAnalyzer 6.0.0 all versions, 6.2.0 all versions, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.4. Report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281. | |||||
| CVE-2022-39840 | 1 Cotonti | 1 Cotonti Siena | 2024-11-21 | N/A | 4.8 MEDIUM |
| Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a direct message (DM). | |||||
| CVE-2022-39839 | 1 Cotonti | 1 Cotonti Siena | 2024-11-21 | N/A | 4.8 MEDIUM |
| Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a forum post. | |||||
| CVE-2022-39824 | 1 Appsmith | 1 Appsmith | 2024-11-21 | N/A | 8.9 HIGH |
| Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak. | |||||
| CVE-2022-39810 | 1 Wso2 | 1 Enterprise Integrator | 2024-11-21 | N/A | 6.1 MEDIUM |
| An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible. | |||||
| CVE-2022-39809 | 1 Wso2 | 1 Enterprise Integrator | 2024-11-21 | N/A | 6.1 MEDIUM |
| An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible. | |||||
| CVE-2022-39800 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-21 | N/A | 6.1 MEDIUM |
| SAP BusinessObjects BI LaunchPad - versions 420, 430, is susceptible to script execution attack by an unauthenticated attacker due to improper sanitization of the user inputs while interacting on the network. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-39398 | 1 Infotel | 1 Tasklists | 2024-11-21 | N/A | 8.8 HIGH |
| tasklists is a tasklists plugin for GLPI (Kanban). Versions prior to 2.0.3 are vulnerable to Cross-site Scripting. Cross-site Scripting (XSS) - Create XSS in task content (when add it). This issue is patched in version 2.0.3. There are no known workarounds. | |||||
| CVE-2022-39375 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 4.5 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to create a public RSS feed to inject malicious code in dashboards of other users. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
| CVE-2022-39373 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 4.9 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Administrator may store malicious code in entity name. This issue has been patched, please upgrade to version 10.0.4. | |||||
| CVE-2022-39372 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 3.5 LOW |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Authenticated users may store malicious code in their account information. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
| CVE-2022-39371 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 7.5 HIGH |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script related HTML tags in assets inventory information are not properly neutralized. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
| CVE-2022-39350 | 1 Owasp | 1 Dependency-track Frontend | 2024-11-21 | N/A | 5.4 MEDIUM |
| @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend. Actors with the `VULNERABILITY_MANAGEMENT` permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields: Description, Details, Recommendation, or References. The payload will be executed for users with the `VIEW_PORTFOLIO` permission when browsing to the modified vulnerability's page. Alternatively, malicious JavaScript could be introduced via any of the vulnerability databases mirrored by Dependency-Track. However, this attack vector is highly unlikely, and the maintainers of Dependency-Track are not aware of any occurrence of this happening. Note that the `Vulnerability Details` element of the `Audit Vulnerabilities` tab in the project view is not affected. The issue has been fixed in frontend version 4.6.1. | |||||
| CVE-2022-39338 | 1 Nextcloud | 1 Openid Connect User Backend | 2024-11-21 | N/A | 3.5 LOW |
| user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery urls which may lead to a stored cross site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally this vulnerability has only been shown to be exploitable in the Safari web browser. This issue has been addressed in version 1.2.1. Users are advised to upgrade. Users unable to upgrade should urge their users to avoid using the Safari web browser. | |||||