Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-24722 | 1 Github | 1 Viewcomponent | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
| VIewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that has the potential to impact anyone using translations with the view_component gem. Data received via user input and passed as an interpolation argument to the `translate` method is not properly sanitized before display. Versions 2.31.2 and 2.49.1 have been released and fully mitigate the vulnerability. As a workaround, avoid passing user input to the `translate` function, or sanitize the inputs before passing them. | |||||
| CVE-2022-24717 | 1 Finastra | 1 Ssr-pages | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). In versions prior to 0.1.5, a cross site scripting (XSS) issue can occur when providing untrusted input to the `redirect.link` property as an argument to the `build(MessagePageOptions)` function. While there is no known workaround at this time, there is a patch in version 0.1.5. | |||||
| CVE-2022-24710 | 1 Weblate | 1 Weblate | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic. | |||||
| CVE-2022-24709 | 1 Amazon | 1 Awsui\/components-react | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
| @awsui/components-react is the main AWS UI package which contains React components, with TypeScript definitions designed for user interface development. Multiple components in versions before 3.0.367 have been found to not properly neutralize user input and may allow for javascript injection. Users are advised to upgrade to version 3.0.367 or later. There are no known workarounds for this issue. | |||||
| CVE-2022-24708 | 1 Anuko | 1 Time Tracker | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
| Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with elements of JavaScript. Such script could then be executed in user browser on subsequent requests on pages where primary group name was displayed. This is vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing group name. | |||||
| CVE-2022-24692 | 1 Dsk | 1 Dsknet | 2024-11-21 | N/A | 5.4 MEDIUM |
| An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The new menu option within the general Parameters page is vulnerable to stored XSS. The attacker can create a menu option, make it visible to every application user, and conduct session hijacking, account takeover, or malicious code delivery, with the final goal of achieving client-side code execution. | |||||
| CVE-2022-24681 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. | |||||
| CVE-2022-24656 | 1 Hexoeditor Project | 1 Hexoeditor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| HexoEditor 1.1.8 is affected by Cross Site Scripting (XSS). By putting a common XSS payload in a markdown file, if opened with the app, will execute several times. | |||||
| CVE-2022-24654 | 1 Intelbras | 2 Ata 200, Ata 200 Firmware | 2024-11-21 | N/A | 5.4 MEDIUM |
| Authenticated stored cross-site scripting (XSS) vulnerability in "Field Server Address" field in INTELBRAS ATA 200 Firmware 74.19.10.21 allows attackers to inject JavaScript code through a crafted payload. | |||||
| CVE-2022-24643 | 1 Open-emr | 1 Openemr | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) issue was discovered in the OpenEMR Hospital Information Management System version 6.0.0. | |||||
| CVE-2022-24631 | 1 Audiocodes | 1 Device Manager Express | 2024-11-21 | N/A | 5.4 MEDIUM |
| An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is stored XSS via the ajaxTenants.php desc parameter. | |||||
| CVE-2022-24620 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster's cookies to get the webmaster's access. | |||||
| CVE-2022-24612 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS. | |||||
| CVE-2022-24608 | 1 Luocms Project | 1 Luocms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Luocms v2.0 is affected by Cross Site Scripting (XSS) in /admin/news/sort_add.php and /inc/function.php. | |||||
| CVE-2022-24590 | 1 Backdropcms | 1 Backdrop | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2022-24589 | 1 Burden Project | 1 Burden | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Burden v3.0 was discovered to contain a stored cross-site scripting (XSS) in the Add Category function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the task parameter. | |||||
| CVE-2022-24588 | 1 Flatpress | 1 Flatpress | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function. | |||||
| CVE-2022-24587 | 1 Pluxml | 1 Pluxml | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2022-24586 | 1 Pluxml | 1 Pluxml | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters. | |||||
| CVE-2022-24585 | 1 Pluxml | 1 Pluxml | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter. | |||||