U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 21,161 matching records.
Displaying matches 501 through 520.
Vuln ID Summary CVSS Severity
CVE-2022-45049

A reflected XSS vulnerability has been found in Axiell Iguana CMS, allowing an attacker to execute code in a victim's browser. The url parameter on the novelist.php endpoint does not properly neutralise user input, resulting in the vulnerability.

Published: January 04, 2023; 2:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-22461

The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>`-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds

Published: January 04, 2023; 10:15:09 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-42710

Nice (formerly Nortek) Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e devices are vulnerable to Stored Cross-Site Scripting (XSS).

Published: January 03, 2023; 6:15:10 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-41336

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiPortal versions 6.0.0 through 6.0.11 and all versions of 5.3, 5.2, 5.1, 5.0 management interface may allow a remote authenticated attacker to perform a stored cross site scripting (XSS) attack via sending request with specially crafted columnindex parameter.

Published: January 03, 2023; 12:15:10 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-0801

Inappropriate implementation in HTML parser in Google Chrome prior to 99.0.4844.51 allowed a remote attacker to bypass XSS preventions via a crafted HTML page. (Chrome security severity: Medium)

Published: January 02, 2023; 6:15:10 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-48197

** UNSUPPORTED WHEN ASSIGNED ** Reflected cross-site scripting (XSS) exists in the TreeView of YUI2 through 2800: up.php sam.php renderhidden.php removechildren.php removeall.php readd.php overflow.php newnode2.php newnode.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Published: January 02, 2023; 11:15:10 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-40711

PrimeKey EJBCA 7.9.0.2 Community allows stored XSS in the End Entity section. A user with the RA Administrator role can inject an XSS payload to target higher-privilege users.

Published: January 01, 2023; 3:15:10 AM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-37787

An issue was discovered in WeCube platform 3.2.2. A DOM XSS vulnerability has been found on the plugin database execution page.

Published: January 01, 2023; 3:15:10 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-34323

Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to execute JavaScript code in the context of other users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Filters and Display model features (OnlineBanking > Web Monitoring > Settings > Filters / Display models). The name of a filter or a display model is interpreted as HTML and can thus embed JavaScript code, which is executed when displayed. This is a stored XSS. Another issue is present in the Notification feature (OnlineBanking > Configuration > Notifications and alerts > Alerts *). The name of an alert is interpreted as HTML, and can thus embed JavaScript code, which is executed when displayed. This is a stored XSS. (Also, an issue is present in the File download feature, accessible via /OnlineBanking/cgi/isapi.dll/DOWNLOADFRS. When requesting to show the list of downloadable files, the contents of three form fields are embedded in the JavaScript code without prior sanitization. This is essentially a self-XSS.)

Published: January 01, 2023; 3:15:10 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-34322

Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Notify Users About Modification menu and the Notifications feature. A user can send malicious notifications and execute JavaScript code in the browser of every user who has enabled notifications. This is a stored XSS, and can lead to privilege escalation in the context of the application. (Another issue is present in the Favorites tab. The name of a favorite or a folder of favorites is interpreted as HTML, and can thus embed JavaScript code, which is executed when displayed. This is a self-XSS.)

Published: January 01, 2023; 3:15:10 AM -0500
V3.1: 9.0 CRITICAL
V2.0:(not available)
CVE-2021-41823

The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to bypass an XSS protection mechanism.

Published: January 01, 2023; 1:15:09 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-0028

Cross-site Scripting (XSS) - Stored in GitHub repository linagora/twake prior to 2023.Q1.1200+.

Published: December 31, 2022; 8:15:12 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-4866

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Published: December 31, 2022; 4:15:11 AM -0500
V3.1: 9.0 CRITICAL
V2.0:(not available)
CVE-2022-4865

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Published: December 31, 2022; 4:15:08 AM -0500
V3.1: 9.0 CRITICAL
V2.0:(not available)
CVE-2022-30519

XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field.

Published: December 29, 2022; 6:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-38209

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.

Published: December 29, 2022; 3:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-38207

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote remote, unauthenticated attacker to create a crafted link which when clicked which could execute arbitrary JavaScript code in the victim’s browser.

Published: December 29, 2022; 3:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-38206

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.

Published: December 29, 2022; 3:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-38204

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

Published: December 29, 2022; 3:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-46181

Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts **if** another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non image files via a reverse proxy in the `./image` directory.

Published: December 29, 2022; 2:15:08 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)