Total: 38440 CVEs
CVE | Vendors (count) | Products (count) | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-39181 | 1 Glpi-project | 1 Reports | 2024-11-21 | N/A | 6.1 MEDIUM | GLPI Reports plugin for GLPI: reflected cross-site scripting (RXSS). Type 1, reflected XSS (or non-persistent): the server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common delivery mechanism is to include the payload as a parameter in a URL that is posted publicly or emailed directly to the victim. URLs constructed in this manner are the core of many phishing schemes, in which an attacker convinces a victim to visit a URL that refers to a vulnerable site; after the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.
CVE-2022-39172 | 1 Viva-project | 1 Openviva | 2024-11-21 | N/A | 5.4 MEDIUM | A stored XSS in the process overview (Übersicht zugewiesener Vorgänge, "overview of assigned processes") in mbsupport openVIVA c2 20220101 allows a remote, authenticated, low-privileged attacker to execute arbitrary script in the victim's browser via the name field of a process.
CVE-2022-39160 | 1 Ibm | 1 Cognos Analytics | 2024-11-21 | N/A | 6.1 MEDIUM | IBM Cognos Analytics 11.2.1, 11.2.0 and 11.1.7 are vulnerable to cross-site scripting. The vulnerability allows users to embed arbitrary JavaScript code in the web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 235064.
CVE-2022-39054 | 1 Cowell Enterprise Travel Management System Project | 1 Cowell Enterprise Travel Management System | 2024-11-21 | N/A | 6.1 MEDIUM | Cowell enterprise travel management system has insufficient filtering of special characters within the web URL. An unauthenticated remote attacker can inject JavaScript and perform a reflected cross-site scripting (XSS) attack.
CVE-2022-39053 | 1 Heimavista | 1 Dark Horse Rpage | 2024-11-21 | N/A | 6.1 MEDIUM | Heimavista Rpage has insufficient filtering of the platform web URL. An unauthenticated remote attacker can inject JavaScript and perform a reflected cross-site scripting (XSS) attack.
CVE-2022-39050 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 4.6 MEDIUM | An attacker who is logged into OTRS as an admin user may manipulate the customer URL field to store JavaScript code that is run later by any other agent who clicks the customer URL link; the stored JavaScript then executes in the context of OTRS. The same issue applies to the use of external data sources (e.g., database or LDAP).
CVE-2022-39049 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 3.5 LOW | An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
CVE-2022-39035 | 1 Lcnet | 1 Smart Evision | 2024-11-21 | N/A | 6.1 MEDIUM | Smart eVision has insufficient filtering of special characters in the POST data parameter of a specific function. An unauthenticated remote attacker can inject JavaScript to perform a stored cross-site scripting (XSS) attack.
CVE-2022-39027 | 1 Edetw | 1 U-office Force | 2024-11-21 | N/A | 5.4 MEDIUM | The U-Office Force Forum function has insufficient filtering of special characters. A remote attacker with general user privileges can inject JavaScript and perform a stored cross-site scripting (XSS) attack.
CVE-2022-39026 | 1 Edetw | 1 U-office Force | 2024-11-21 | N/A | 5.4 MEDIUM | The U-Office Force UserDefault page has insufficient filtering of special characters in the HTTP header fields. A remote attacker with general user privileges can exploit this vulnerability to inject JavaScript and perform a stored cross-site scripting (XSS) attack.
CVE-2022-39025 | 1 Edetw | 1 U-office Force | 2024-11-21 | N/A | 6.1 MEDIUM | The U-Office Force PrintMessage function has insufficient filtering of special characters. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript and perform a reflected cross-site scripting (XSS) attack.
CVE-2022-39024 | 1 Edetw | 1 U-office Force | 2024-11-21 | N/A | 6.1 MEDIUM | The U-Office Force Bulletin function has insufficient filtering of special characters. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript and perform a reflected cross-site scripting (XSS) attack.
CVE-2022-39020 | 1 Schoolbox | 1 Schoolbox | 2024-11-21 | N/A | 7.6 HIGH | Multiple instances of XSS (stored and reflected) were found in the application. For example, student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.
CVE-2022-39017 | 1 M-files | 1 Hubshare | 2024-11-21 | N/A | 8.2 HIGH | Improper input validation and output encoding in all comment fields in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to mount cross-site scripting attacks via specially crafted comments.
CVE-2022-39016 | 1 M-files | 1 Hubshare | 2024-11-21 | N/A | 8.2 HIGH | JavaScript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload.
CVE-2022-38972 | 1 Ark-web | 1 A-form | 2024-11-21 | N/A | 6.1 MEDIUM | Cross-site scripting vulnerability in the Movable Type plugin A-Form, versions prior to 4.1.1 (for the Movable Type 7 series) and versions prior to 3.9.1 (for the Movable Type 6 series), allows a remote unauthenticated attacker to inject an arbitrary script.
CVE-2022-38971 | 1 Themekraft | 1 Post Form Registration Form Profile Form For User Profiles And Content Forms | 2024-11-21 | N/A | 4.7 MEDIUM | Stored cross-site scripting (XSS) vulnerability in the ThemeKraft Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions plugin, versions <= 2.7.5.
CVE-2022-38845 | 1 Espocrm | 1 Espocrm | 2024-11-21 | N/A | 6.1 MEDIUM | Cross-site scripting in the Import feature of EspoCRM 7.1.8 allows remote users to run malicious JavaScript in the victim's browser by sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScript in the browser.
CVE-2022-38814 | 1 Fiberhome | 2 An5506-02-b, An5506-02-b Firmware | 2024-11-21 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the auth_settings component of FiberHome AN5506-02-B vRP2521 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the sncfg_loid text field.
CVE-2022-38790 | 1 Weave.works | 1 Gitops | 2024-11-21 | N/A | 5.4 MEDIUM | Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug that allows a malicious user to inject a javascript: link in the UI. When a victim user clicks it, the script executes with the victim's permissions. The exposure appears in the Weave GitOps Enterprise UI via a GitopsCluster dashboard link; an annotation can be added to a GitopsCluster custom resource.