Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): xss
  • Search Type: Search All
There are 20,820 matching records.
Displaying matches 721 through 740.
Columns: Vuln ID | Summary | CVSS Severity
CVE-2022-40879

kkFileView v4.1.0 is vulnerable to Cross Site Scripting (XSS) via the 'errorMsg' parameter.

Published: September 29, 2022; 1:15:54 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-40931

dutchcoders Transfer.sh 1.4.0 is vulnerable to Cross Site Scripting (XSS).

Published: September 29, 2022; 12:15:10 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-40408

FeehiCMS v2.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted payload injected into the Comment box under the Single Page module.

Published: September 29, 2022; 10:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-3355

Stored cross-site scripting (XSS) in GitHub repository inventree/inventree prior to 0.8.3.

Published: September 29, 2022; 6:15:09 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-1719

Reflected XSS in the ticket filter function in GitHub repository polonel/trudesk prior to 1.2.2. The vulnerability allows malicious JavaScript to execute in the web page.

Published: September 28, 2022; 11:15:15 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2021-45843

glFusion CMS v1.7.9 is affected by a reflected Cross Site Scripting (XSS) vulnerability. The value of the title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. This input was echoed unmodified in the application's response.

Published: September 28, 2022; 11:15:15 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
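The glFusion record above describes the textbook attribute-context reflection: a request parameter is copied unmodified into an HTML attribute value wrapped in double quotes. What follows is an added example written for this page, not code from glFusion or from any project listed here. It renders a constructed template three ways (unmodified, escaping only angle brackets, full attribute escaping) and uses the standard-library HTMLParser to check what a browser's tokenizer would actually see. The template, the 'title' parameter handling and the payload are assumptions for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed template (an assumption for this example): a form that reflects the
# 'title' request parameter into a double-quoted attribute value, the pattern the
# glFusion record describes.
TEMPLATE = '<input type="text" name="title" value="{title}">'

# Constructed attacker input: closes the value attribute, adds an event handler,
# and re-opens a quote so the markup stays well-formed. No '<' or '>' is needed.
PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_unmodified(title: str) -> str:
    """Vulnerable: the parameter is echoed into the attribute as-is."""
    return TEMPLATE.format(title=title)


def render_angle_brackets_only(title: str) -> str:
    """Still vulnerable: escaping only < and > protects text nodes, not attributes."""
    return TEMPLATE.format(title=title.replace("<", "&lt;").replace(">", "&gt;"))


def render_attribute_escaped(title: str) -> str:
    """Fixed for this context: html.escape(quote=True) also encodes " and '."""
    return TEMPLATE.format(title=html.escape(title, quote=True))


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser-side parser would see on the <input>."""

    def __init__(self):
        # convert_charrefs=True (the default) unescapes attribute values, so the
        # collected 'value' is what the page would actually hold.
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update({name: (value or "") for name, value in attrs})


def parsed_input_attributes(rendered: str) -> dict:
    parser = _InputAttrs()
    parser.feed(rendered)
    parser.close()
    return parser.attrs


def reflected_value_broke_out(rendered: str) -> bool:
    """True if the reflected value created attributes the template never declared
    (for this payload: an onfocus event handler and autofocus)."""
    attrs = parsed_input_attributes(rendered)
    return bool(set(attrs) - {"type", "name", "value"})


if __name__ == "__main__":
    for renderer in (render_unmodified, render_angle_brackets_only,
                     render_attribute_escaped):
        out = renderer(PAYLOAD)
        print(f"{renderer.__name__:28s} broke out: {reflected_value_broke_out(out)}")
        print("    ", out)
```

The point the parser check makes is that the escaping rule depends on the output context: `&lt;`/`&gt;` encoding is enough for a text node but does nothing for a quoted attribute, where the closing quote is the delimiter an attacker needs. Unquoted attributes are worse still (whitespace alone terminates them), so the safe rule is to always quote and always encode the quote character.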
CVE-2021-42047

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. On any Wiki with the Mentor Dashboard feature enabled, users can log in with a mentor account and trigger an XSS payload (such as alert) via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback.

Published: September 28, 2022; 11:15:14 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2020-15339

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name= XSS.

Published: September 28, 2022; 11:15:13 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-3215

NIOHTTP1 and projects using it for generating HTTP responses can be subject to an HTTP Response Injection attack. This occurs when an HTTP/1.1 server accepts user generated input from an incoming request and reflects it into an HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and "inject" those newlines into the returned HTTP response. This capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely false responses or other new headers. The injected false responses may also be treated as the response to subsequent requests, which can lead to XSS, cache poisoning, and a number of other flaws. This issue was resolved by adding validation to the HTTPHeaders type, ensuring that there's no whitespace incorrectly present in the HTTP headers provided by users. As the existing API surface is non-failable, all invalid characters are replaced by linear whitespace.

Published: September 28, 2022; 4:15:17 PM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
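The NIOHTTP1 record describes the general response-injection mechanism rather than one endpoint, so it is worth seeing end to end. The following Python is an added example for this page, not SwiftNIO's code: it builds a raw HTTP/1.1 redirect that reflects a URL-decoded query value into Location, parses the bytes the way a client or cache would, and shows both a failable validator and a non-failable sanitizer that replaces CR/LF with a single space (modelled on the fix the record describes, not its actual implementation). The encoded payload, the response template and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed attacker input, URL-encoded the way it would arrive in a query
# string: a redirect target followed by encoded CRLFs (%0d%0a) that smuggle a
# Set-Cookie header, a fake Content-Length, a blank line and a script body.
ENCODED_TARGET = (
    "/home%0d%0aSet-Cookie:%20session=attacker%0d%0aContent-Length:%2025"
    "%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E"
)
CLEAN_TARGET = "/home"

# CR, LF and NUL can end a header line or confuse a parser; anything else
# printable is left alone in this example.
_FORBIDDEN_RUN = re.compile(r"[\r\n\x00]+")


def is_valid_header_value(value: str) -> bool:
    """Failable API: reject any value that could terminate a header line."""
    return _FORBIDDEN_RUN.search(value) is None


def sanitize_header_value(value: str) -> str:
    """Non-failable API, in the spirit of the fix the record describes (not
    SwiftNIO's code): each run of CR/LF/NUL becomes one linear space, so the
    value can never start a new header line or a second response."""
    return _FORBIDDEN_RUN.sub(" ", value)


def _serialize(headers) -> bytes:
    """Constructed minimal HTTP/1.1 302 response with the given extra headers."""
    lines = ["HTTP/1.1 302 Found"]
    lines += [f"{name}: {value}" for name, value in headers]
    lines.append("Content-Length: 0")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_redirect_unsafe(encoded_target: str) -> bytes:
    """Vulnerable: the decoded query value is reflected straight into Location."""
    return _serialize([("Location", unquote(encoded_target))])


def build_redirect_safe(encoded_target: str) -> bytes:
    """Fixed: the value is sanitized before it is serialized into a header."""
    return _serialize([("Location", sanitize_header_value(unquote(encoded_target)))])


def parse_response(raw: bytes):
    """Splits a raw response the way a client or cache would: the first blank
    line ends the header block, everything after it is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


if __name__ == "__main__":
    for builder in (build_redirect_unsafe, build_redirect_safe):
        status, headers, body = parse_response(builder(ENCODED_TARGET))
        print(builder.__name__, status)
        for name, value in headers.items():
            print(f"  {name}: {value}")
        print("  body:", body)
```

Run against the unsafe builder, the parsed response carries an attacker-chosen Set-Cookie, an attacker-chosen Content-Length and a body that begins with a script tag, while the server's own Content-Length: 0 ends up as junk after the injected body; with the sanitizer in place the whole payload is inert inside the single Location header. The parser is deliberately the simple one, because a downstream proxy or cache that frames on the first blank line is exactly the consumer the record says gets confused.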
CVE-2022-3193

An HTML injection/reflected cross-site scripting (XSS) vulnerability was found in the ovirt-engine. The "error_description" parameter is not sanitized, allowing the vulnerability to trigger on the Windows Service Accounts home pages.

Published: September 28, 2022; 3:15:09 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2021-41434

A stored Cross-Site Scripting (XSS) vulnerability exists in version 1.0 of the Expense Management System application that allows arbitrary JavaScript execution through index.php.

Published: September 28, 2022; 1:15:09 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-40912

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 is vulnerable to Cross Site Scripting (XSS). Input passed to the GET parameter 'action' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Published: September 28, 2022; 10:15:11 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-28816

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.

Published: September 28, 2022; 10:15:10 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-39054

Cowell enterprise travel management system has insufficient filtering for special characters within the web URL. An unauthenticated remote attacker can inject JavaScript and perform a reflected cross-site scripting (XSS) attack.

Published: September 28, 2022; 12:15:15 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-39053

Heimavista Rpage has insufficient filtering for the platform web URL. An unauthenticated remote attacker can inject JavaScript and perform a reflected cross-site scripting (XSS) attack.

Published: September 28, 2022; 12:15:15 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-39035

Smart eVision has insufficient filtering for special characters in the POST Data parameter in the specific function. An unauthenticated remote attacker can inject JavaScript to perform a stored cross-site scripting (XSS) attack.

Published: September 28, 2022; 12:15:15 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-38335

Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.

Published: September 27, 2022; 7:15:15 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-37028

ISAMS 22.2.3.2 is prone to a stored cross-site scripting (XSS) attack via the title field for groups, allowing an attacker to store a JavaScript payload that will be executed when another user uses the application.

Published: September 27, 2022; 7:15:14 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-30003

Sourcecodester Online Market Place Site 1.0 is vulnerable to Cross Site Scripting (XSS), allowing attackers to register as a Seller then create new products containing XSS payloads in the 'Product Title' and 'Short Description' fields.

Published: September 26, 2022; 3:15:09 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-40044

Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. This vulnerability allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.

Published: September 26, 2022; 12:15:14 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)