Total
38351 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28919 | 2 Dokuwiki, Fedoraproject | 2 Dokuwiki, Fedora | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename. | |||||
| CVE-2022-28867 | 1 Nokia | 1 Netact | 2024-11-21 | N/A | 5.4 MEDIUM |
| An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used. | |||||
| CVE-2022-28865 | 1 Nokia | 1 Netact | 2024-11-21 | N/A | 5.4 MEDIUM |
| An issue was discovered in Nokia NetAct 22 through the Site Configuration Tool website section. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used. | |||||
| CVE-2022-28851 | 1 Adobe | 1 Experience Manager | 2024-11-21 | N/A | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM. | |||||
| CVE-2022-28820 | 1 Adobe | 1 Acs Aem Commons | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. The exploitation of this issue requires user interaction in order to be successful. | |||||
| CVE-2022-28818 | 1 Adobe | 1 Coldfusion | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ColdFusion versions CF2021U3 (and earlier) and CF2018U13 are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. | |||||
| CVE-2022-28816 | 1 Gavazziautomation | 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware | 2024-11-21 | N/A | 6.1 MEDIUM |
| In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service. | |||||
| CVE-2022-28803 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR). | |||||
| CVE-2022-28770 | 1 Sap | 1 Sapui5 Library | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Due to insufficient input validation, SAPUI5 library(vbm) - versions 750, 753, 754, 755, 75, allows an unauthenticated attacker to inject a script into the URL and execute code. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2022-28732 | 1 Apache | 1 Jspwiki | 2024-11-21 | N/A | 6.1 MEDIUM |
| A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later. | |||||
| CVE-2022-28730 | 1 Apache | 1 Jspwiki | 2024-11-21 | N/A | 6.1 MEDIUM |
| A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later. | |||||
| CVE-2022-28717 | 1 Meikyo | 30 Poe Boot Nino Poe8m2, Poe Boot Nino Poe8m2 Firmware, Pose Se10-8a7b1 and 27 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker with the administrative privilege to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-28716 | 1 F5 | 3 Big-ip Advanced Firewall Manager, Big-ip Carrier-grade Nat, Big-ip Policy Enforcement Manager | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
| On 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP AFM, CGNAT, and PEM Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2022-28715 | 1 Cybozu | 1 Office | 2024-11-21 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in the specific parameters of Cybozu Office 10.0.0 to 10.8.5 allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-28712 | 1 Wwbn | 1 Avideo | 2024-11-21 | N/A | 9.0 CRITICAL |
| A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. | |||||
| CVE-2022-28707 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2024-11-21 | 3.5 LOW | 8.0 HIGH |
| On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility (also referred to as the BIG-IP TMUI) that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2022-28703 | 1 Lansweeper | 1 Lansweeper | 2024-11-21 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-28650 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 7.3 HIGH |
| In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI | |||||
| CVE-2022-28648 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
| In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered | |||||
| CVE-2022-28624 | 1 Hpe | 4 Flexfabric 5945, Flexfabric 5945 Firmware, Flexnetwork 5130 Ei and 1 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A potential security vulnerability has been identified in certain HPE FlexNetwork and FlexFabric switch products. The vulnerability could be remotely exploited to allow cross site scripting (XSS). HPE has made the following software updates to resolve the vulnerability. HPE FlexNetwork 5130EL_7.10.R3507P02 and HPE FlexFabric 5945_7.10.R6635. | |||||