Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23544 | 1 Metersphere | 1 Metersphere | 2024-11-21 | N/A | 7.2 HIGH |
| MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side request forgery in `IssueProxyResourceService::getMdImageByUrl` allows an attacker to access internal resources, as well as executing JavaScript code in the context of Metersphere's origin by a victim of a reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds. | |||||
| CVE-2022-23543 | 1 Silverwaregames | 1 Silverwaregames | 2024-11-21 | N/A | 6.3 MEDIUM |
| Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related `<iframe>` when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert("xss")`) to the `<iframe>'. This issue was fixed in the version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time. | |||||
| CVE-2022-23499 | 1 Typo3 | 1 Html Sanitizer | 2024-11-21 | N/A | 6.1 MEDIUM |
| HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 or 2.1.1, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized due to a parsing issue in the upstream package masterminds/html5. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. The upstream package masterminds/html5 provides HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting. This issue has been fixed in versions 1.5.0 and 2.1.1. | |||||
| CVE-2022-23494 | 1 Tiny | 1 Tinymce | 2024-11-21 | N/A | 5.4 MEDIUM |
| tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `image` plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the `images_upload_handler` returns a valid value as per the images_upload_handler documentation. | |||||
| CVE-2022-23475 | 1 Daloradius | 1 Daloradius | 2024-11-21 | N/A | 8.8 HIGH |
| daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy. | |||||
| CVE-2022-23474 | 1 Codex | 1 Editor.js | 2024-11-21 | N/A | 6.1 MEDIUM |
| Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0. | |||||
| CVE-2022-23466 | 1 Teler Project | 1 Teler | 2024-11-21 | N/A | 5.4 MEDIUM |
| teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-23461 | 1 Xdsoft | 1 Jodit Editor | 2024-11-21 | N/A | 5.4 MEDIUM |
| Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds. | |||||
| CVE-2022-23458 | 1 Nhn | 1 Toast Ui Grid | 2024-11-21 | N/A | 6.1 MEDIUM |
| Toast UI Grid is a component to display and edit data. Versions prior to 4.21.3 are vulnerable to cross-site scripting attacks when pasting specially crafted content into editable cells. This issue was fixed in version 4.21.3. There are no known workarounds. | |||||
| CVE-2022-23438 | 1 Fortinet | 1 Fortios | 2024-11-21 | N/A | 4.7 MEDIUM |
| An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in FortiOS version 7.0.5 and prior and 6.4.9 and prior may allow an unauthenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the captive portal authentication replacement page. | |||||
| CVE-2022-23397 | 1 Cedargate | 1 Ez-net Portal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. NOTE: the vendor disputes this because the ado.im reference has "no clear steps of reproduction." | |||||
| CVE-2022-23391 | 1 Pybbs Project | 1 Pybbs | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Pybbs v6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Search box. | |||||
| CVE-2022-23378 | 1 Tastyigniter | 1 Tastyigniter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The "items%5B0%5D%5Bpath%5D" parameter of a request made to /admin/allergens/edit/1 is vulnerable. | |||||
| CVE-2022-23376 | 1 Wikidocs | 1 Wikidocs | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| WikiDocs version 0.1.18 has multiple reflected XSS vulnerabilities on different pages. | |||||
| CVE-2022-23367 | 1 Fulusso Project | 1 Fulusso | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fulusso v1.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in /BindAccount/SuccessTips.js. This vulnerability allows attackers to inject malicious code into a victim user's device via open redirection. | |||||
| CVE-2022-23350 | 1 Bigantsoft | 1 Bigant Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| BigAnt Software BigAnt Server v5.6.06 was discovered to contain a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-23321 | 1 Xerox | 1 Xmpie Ustore | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A persistent cross-site scripting (XSS) vulnerability exists on two input fields within the administrative panel when editing users in the XMPie UStore application on version 12.3.7244.0. | |||||
| CVE-2022-23312 | 1 Siemens | 1 Spectrum Power 4 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP9 Security Patch 1). The integrated web application "Online Help" in affected product contains a Cross-Site Scripting (XSS) vulnerability that could be exploited if unsuspecting users are tricked into accessing a malicious link. | |||||
| CVE-2022-23239 | 1 Netapp | 1 Active Iq Unified Manager | 2024-11-21 | N/A | 4.8 MEDIUM |
| Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows administrative users to perform a Stored Cross-Site Scripting (XSS) attack. | |||||
| CVE-2022-23201 | 1 Adobe | 1 Robohelp | 2024-11-21 | N/A | 6.1 MEDIUM |
| Adobe RoboHelp versions 2020.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. | |||||