U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 20,822 matching records.
Displaying matches 701 through 720.
Vuln ID Summary CVSS Severity
CVE-2022-3442

A vulnerability was found in Crealogix EBICS 7.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /ebics-server/ebics.aspx. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-210374 is the identifier assigned to this vulnerability.

Published: October 10, 2022; 10:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-41442

PicUploader v2.6.3 was discovered to contain cross-site scripting (XSS) vulnerability via the setStorageParams function in SettingController.php.

Published: October 07, 2022; 6:15:18 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-39285

ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging.

Published: October 07, 2022; 5:15:11 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-41392

A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website name text field under Main Settings.

Published: October 07, 2022; 3:15:13 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-37896

A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below; Aruba has released upgrades for Aruba InstantOS that address this security vulnerability.

Published: October 07, 2022; 3:15:13 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-37892

A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below; Aruba has released upgrades for Aruba InnstantOS that address this security vulnerability.

Published: October 07, 2022; 2:15:21 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-39279

discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9 some places render a chat channel's name and description in an unsafe way, allowing staff members to cause an cross site scripting (XSS) attack by inserting unsafe HTML into them. Version 0.9 has addressed this issue. Users are advised to upgrade. There are no known workarounds for this issue.

Published: October 06, 2022; 4:15:34 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-3002

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

Published: October 06, 2022; 2:16:19 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-39988

A cross-site scripting (XSS) vulnerability in Centreon 22.04.0 allows attackers to execute arbitrary web script or HTML via a crafted payload injected into the Service>Templates service_alias parameter.

Published: October 06, 2022; 2:16:19 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-32172

In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete template functionality. When an authenticated user deletes a template with a XSS payload in the name field, the Javascript payload will be executed and allow an attacker to access the user’s credentials.

Published: October 06, 2022; 2:16:03 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-32171

In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete user functionality. When an authenticated user deletes a user having a XSS payload in the user id field, the javascript payload will be executed and allow an attacker to access the user’s credentials.

Published: October 06, 2022; 2:16:02 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-42247

pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.

Published: October 03, 2022; 12:15:14 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-35155

Bus Pass Management System v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the searchdata parameter.

Published: September 30, 2022; 3:15:15 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-40313

Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.

Published: September 30, 2022; 1:15:13 PM -0400
V3.1: 7.1 HIGH
V2.0:(not available)
CVE-2022-36965

Insufficient sanitization of inputs in QoE application input field could lead to stored and Dom based XSS attack. This issue is fixed and released in SolarWinds Platform (2022.3.0).

Published: September 30, 2022; 1:15:13 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-28851

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM.

Published: September 30, 2022; 1:15:12 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-21826

Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS.

Published: September 30, 2022; 1:15:12 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2021-36855

Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro plugin <= 1.1.4 at WordPress.

Published: September 30, 2022; 1:15:11 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2021-36839

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Social Media Follow Buttons Bar plugin <= 4.73 at WordPress.

Published: September 30, 2022; 1:15:11 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2021-36830

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Comment Guestbook plugin <= 0.8.0 at WordPress.

Published: September 30, 2022; 1:15:11 PM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)