Total
38114 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22293 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter. | |||||
| CVE-2022-22242 | 1 Juniper | 1 Junos | 2024-11-21 | N/A | 6.1 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web. This issue affects Juniper Networks Junos OS all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2. | |||||
| CVE-2022-22229 | 1 Juniper | 1 Paragon Active Assurance Control Center | 2024-11-21 | N/A | 8.4 HIGH |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability, a stored XSS (or persistent), in the Control Center Controller web pages of Juniper Networks Paragon Active Assurance (Formerly Netrounds) allows a high-privilege attacker with 'WRITE' permissions to store one or more malicious scripts that will infect any other authorized user's account when they accidentally trigger the malicious script(s) while managing the device. Triggering these attacks enables the attacker to execute commands with the permissions up to that of the superuser account. This issue affects: Juniper Networks Paragon Active Assurance (Formerly Netrounds) All versions prior to 3.1.1; 3.2 versions prior to 3.2.1. | |||||
| CVE-2022-22182 | 1 Juniper | 1 Junos | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
| A Cross-site Scripting (XSS) vulnerability in Juniper Networks Junos OS J-Web allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S19; 15.1 versions prior to 15.1R7-S10; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S10, 18.4R3-S9; 19.1 versions prior to 19.1R2-S3, 19.1R3-S6; 19.2 versions prior to 19.2R1-S8, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2; 21.2 versions prior to 21.2R1-S1, 21.2R2. | |||||
| CVE-2022-22181 | 1 Juniper | 1 Junos | 2024-11-21 | 3.5 LOW | 8.0 HIGH |
| A reflected Cross-site Scripting (XSS) vulnerability in J-Web of Juniper Networks Junos OS allows a network-based authenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web. This may allow the attacker to gain control of the device or attack other authenticated user sessions. This issue affects: Juniper Networks Junos OS All versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S6; 19.2 versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S4; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. | |||||
| CVE-2022-22146 | 1 Dounokouno | 1 Transmitmail | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in TransmitMail 2.5.0 to 2.6.1 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-22142 | 1 Econosys-system | 1 Php Mailform | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability in the checkbox of php_mailform versions prior to Version 1.40 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-22126 | 1 Nasa | 1 Openmct | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Web Page” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions. | |||||
| CVE-2022-22125 | 1 Halo | 1 Halo | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary javascript code that will execute on a victim’s server. | |||||
| CVE-2022-22124 | 1 Fit2cloud | 1 Halo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s browser. | |||||
| CVE-2022-22123 | 1 Fit2cloud | 1 Halo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim’s server. | |||||
| CVE-2022-22117 | 1 Rangerstudio | 1 Directus | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered. | |||||
| CVE-2022-22116 | 1 Rangerstudio | 1 Directus | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. A low privileged attacker can inject arbitrary javascript code which will be executed in a victim’s browser when they open the image URL. | |||||
| CVE-2022-22115 | 1 Sismics | 1 Teedy | 2024-11-21 | 3.5 LOW | 9.0 CRITICAL |
| In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag. Since the Tag name is not being sanitized properly in the edit tag page, a low privileged attacker can store malicious scripts in the name of the Tag. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, and privileges escalation. | |||||
| CVE-2022-22114 | 1 Sismics | 1 Teedy | 2024-11-21 | 4.3 MEDIUM | 9.6 CRITICAL |
| In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “search term" search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are executed in a victim’s browser when they enter the crafted URL. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, by an unauthenticated attacker. | |||||
| CVE-2022-22112 | 1 Daybydaycrm | 1 Daybyday | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In DayByDay CRM, versions 1.1 through 2.2.1 (latest) suffer from an application-wide Client-Side Template Injection (CSTI). A low privileged attacker can input template injection payloads in the application at various locations to execute JavaScript on the client browser. | |||||
| CVE-2022-22109 | 1 Daybydaycrm | 1 Daybyday Crm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks. | |||||
| CVE-2022-21948 | 1 Opensuse | 1 Paste | 2024-11-21 | N/A | 4.3 MEDIUM |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in paste allows remote attackers to place Javascript into SVG files. This issue affects: openSUSE paste paste version b57b9f87e303a3db9465776e657378e96845493b and prior versions. | |||||
| CVE-2022-21938 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-11-21 | 3.5 LOW | 8.1 HIGH |
| Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. | |||||
| CVE-2022-21937 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-11-21 | 2.1 LOW | 8.7 HIGH |
| Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. | |||||