U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 20,807 matching records.
Displaying matches 601 through 620.
Vuln ID Summary CVSS Severity
CVE-2021-37781

Employee Record Management System v 1.2 is vulnerable to Cross Site Scripting (XSS) via editempprofile.php.

Published: October 28, 2022; 11:15:13 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2021-35388

Hospital Management System v 4.0 is vulnerable to Cross Site Scripting (XSS) via /hospital/hms/admin/patient-search.php.

Published: October 28, 2022; 11:15:13 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-32407

Softr v2.0 was discovered to contain a Cross-Site Scripting (XSS) vulnerability via the First Name parameter under the Create A New Account module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Published: October 27, 2022; 3:15:17 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-42054

Multiple stored cross-site scripting (XSS) vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Company Name and Description text fields.

Published: October 27, 2022; 2:15:11 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-40183

An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user.

Published: October 27, 2022; 1:15:10 PM -0400
V3.1: 4.7 MEDIUM
V2.0:(not available)
CVE-2022-42993

Password Storage Application v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Setup page.

Published: October 27, 2022; 10:15:13 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-42991

A stored cross-site scripting (XSS) vulnerability in Simple Online Public Access Catalog v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Account Full Name field.

Published: October 27, 2022; 10:15:13 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-42992

Multiple stored cross-site scripting (XSS) vulnerabilities in Train Scheduler App v1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Train Code, Train Name, and Destination text fields.

Published: October 27, 2022; 8:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2021-45476

Yordam Library Information Document Automation product before version 19.02 has an unauthenticated reflected XSS vulnerability.

Published: October 27, 2022; 6:15:10 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-20959

A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by persuading an authenticated administrator of the web-based management interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Published: October 26, 2022; 11:15:15 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-25849

The package joyqi/hyper-down from 0.0.0 are vulnerable to Cross-site Scripting (XSS) because the module of parse markdown does not filter the href attribute very well.

Published: October 26, 2022; 1:15:08 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-38162

Reflected cross-site scripting (XSS) vulnerabilities in WithSecure through 2022-08-10) exists within the F-Secure Policy Manager due to an unvalidated parameter in the endpoint, which allows remote attackers to provide a malicious input.

Published: October 25, 2022; 3:15:11 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-31468

OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter.

Published: October 25, 2022; 3:15:10 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-27913

An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.

Published: October 25, 2022; 3:15:10 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-39350

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend. Actors with the `VULNERABILITY_MANAGEMENT` permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields: Description, Details, Recommendation, or References. The payload will be executed for users with the `VIEW_PORTFOLIO` permission when browsing to the modified vulnerability's page. Alternatively, malicious JavaScript could be introduced via any of the vulnerability databases mirrored by Dependency-Track. However, this attack vector is highly unlikely, and the maintainers of Dependency-Track are not aware of any occurrence of this happening. Note that the `Vulnerability Details` element of the `Audit Vulnerabilities` tab in the project view is not affected. The issue has been fixed in frontend version 4.6.1.

Published: October 25, 2022; 1:15:56 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-36783

AlgoSec – FireFlow Reflected Cross-Site-Scripting (RXSS) A malicious user injects JavaScript code into a parameter called IntersectudRule on the search/result.html page. The malicious user changes the request from POST to GET and sends the URL to another user (victim). JavaScript code is executed on the browser of the other user.

Published: October 25, 2022; 1:15:55 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-34870

Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries.

Published: October 25, 2022; 1:15:53 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-41638

Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress.

Published: October 21, 2022; 12:15:11 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-40311

Auth. (admin+) Stored Cross-Site Scripting (XSS) in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress.

Published: October 21, 2022; 12:15:11 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-42206

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php.

Published: October 21, 2022; 9:15:09 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)