Total: 38256 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-25307 | 1 Veronalabs | 1 Wp Statistics | 2024-11-21 | 4.3 MEDIUM | 7.2 HIGH | The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5.
CVE-2022-25306 | 1 Veronalabs | 1 Wp Statistics | 2024-11-21 | 4.3 MEDIUM | 7.2 HIGH | The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5.
CVE-2022-25305 | 1 Veronalabs | 1 Wp Statistics | 2024-11-21 | 4.3 MEDIUM | 7.2 HIGH | The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5.
CVE-2022-25303 | 1 Whoogle-search Project | 1 Whoogle-search | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM | The package whoogle-search before 0.7.2 is vulnerable to Cross-site Scripting (XSS) via the query string parameter q. When it does not contain the string http, it is used to build the error_message that is then rendered in the error.html template using the [flask.render_template](https://flask.palletsprojects.com/en/2.1.x/api/flask.render_template) function. However, the error_message is rendered using the [\| safe filter](https://jinja.palletsprojects.com/en/3.1.x/templates/working-with-automatic-escaping), meaning the user input is not escaped.
CVE-2022-25269 | 1 Passwork | 1 Passwork | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Passwork On-Premise Edition before 4.6.13 has multiple XSS issues.
CVE-2022-25261 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | JetBrains TeamCity before 2021.2.2 was vulnerable to reflected XSS.
CVE-2022-25259 | 1 Jetbrains | 1 Hub | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.
CVE-2022-25256 | 6 Hpe, Ibm, Linux and 3 more | 6 Hp-ux Ipfilter, Aix, Linux Kernel and 3 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfs_request_backlabel_list and saspfs_request_backurl_list. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing the button, e.g., a malicious web page. In addition, the second parameter executes JavaScript, which means XSS is possible by adding a javascript: URL.
CVE-2022-25238 | 1 Silverstripe | 1 Framework | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Silverstripe silverstripe/framework through 4.10.0 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code.
CVE-2022-25229 | 1 Popcorn Time Project | 1 Popcorn Time | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. The 'nodeIntegration' configuration is set to on, which allows the 'webpage' to use 'NodeJs' features; an attacker can leverage this to run OS commands.
CVE-2022-25224 | 1 Proton Project | 1 Proton | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame, allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on, which allows the 'webpage' to use 'NodeJs' features; an attacker can leverage this to run OS commands.
CVE-2022-25221 | 1 Money Transfer Management System Project | 1 Money Transfer Management System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Money Transfer Management System Version 1.0 allows an attacker to inject JavaScript code in the URL and then trick a user into visiting the link in order to execute JavaScript code.
CVE-2022-25220 | 1 Petereport Project | 1 Petereport | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code inside the markdown descriptions while creating a product, report or finding.
CVE-2022-25203 | 1 Jenkins | 1 Team Views | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins Team Views Plugin 0.9.0 and earlier does not escape team names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Read permission.
CVE-2022-25202 | 1 Jenkins | 1 Promoted Builds (Simple) | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name of custom promotion levels, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.
CVE-2022-25191 | 1 Jenkins | 1 Agent Server Parameter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape parameter names of agent server parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-25189 | 1 Jenkins | 1 Custom Checkbox Parameter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins Custom Checkbox Parameter Plugin 1.1 and earlier does not escape parameter names of custom checkbox parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-25185 | 1 Jenkins | 1 Generic Webhook Trigger | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins Generic Webhook Trigger Plugin 1.81 and earlier does not escape the build cause when using the webhook, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-25138 | 1 Axelor | 1 Open Suite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Axelor Open Suite v5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Name parameter.
CVE-2022-25114 | 1 Event Management Project | 1 Event Management | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Event Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the full_name parameter under register.php.