Search Results (Refine Search)
- Keyword (text search): xss
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2022-0930 |
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. Published: March 12, 2022; 9:15:07 AM -0500 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2022-0929 |
XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11. Published: March 12, 2022; 6:15:08 AM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-0926 |
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. Published: March 12, 2022; 5:15:08 AM -0500 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2021-32478 |
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected. Published: March 11, 2022; 1:15:19 PM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-32475 |
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. Published: March 11, 2022; 1:15:16 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-26874 |
lib/Horde/Mime/Viewer/Ooo.php in Horde Mime_Viewer before 2.2.4 allows XSS via an OpenOffice document, leading to account takeover in Horde Groupware Webmail Edition. This occurs after XSLT rendering. Published: March 11, 2022; 2:15:08 AM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-24432 |
Persistent cross-site scripting (XSS) in the web interface of ipDIO allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into specific fields. The XSS payload will be executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services). Published: March 10, 2022; 12:46:13 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-21146 |
Persistent cross-site scripting in the web interface of ipDIO allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into a specific parameter. The XSS payload will be executed when a legitimate user attempts to review history. Published: March 10, 2022; 12:45:09 PM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-42856 |
It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack. It was noted that the Metric parameter does not have any input checks on the user input that allows an attacker to craft its own malicious payload to trigger a XSS vulnerability. Published: March 10, 2022; 12:44:07 PM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-33852 |
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts. Published: March 10, 2022; 12:42:36 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2021-33851 |
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin. Published: March 10, 2022; 12:42:36 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-0906 |
Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12. Published: March 10, 2022; 10:15:10 AM -0500 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2022-24349 |
An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel. Published: March 09, 2022; 3:15:08 PM -0500 |
V4.0:(not available) V3.1: 4.4 MEDIUM V2.0: 2.1 LOW |
CVE-2022-22511 |
Various configuration pages of the device are vulnerable to reflected XSS (Cross-Site Scripting) attacks. An authorized attacker with user privileges may use this to gain access to confidential information on a PC that connects to the WBM after it has been compromised. Published: March 09, 2022; 3:15:08 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-26332 |
Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field. Published: February 28, 2022; 8:15:08 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-26155 |
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. XSS can occur via a payload in the SAMLResponse parameter of the HTTP request body. Published: February 28, 2022; 11:15:08 AM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-25642 |
Obyte (formerly Byteball) Wallet before 3.4.1 allows XSS. A crafted chat message can lead to remote code execution. Published: February 28, 2022; 10:15:08 AM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-23988 |
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission Published: February 28, 2022; 4:15:09 AM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-24977 |
The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues Published: February 28, 2022; 4:15:08 AM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 5.8 MEDIUM |
CVE-2022-26146 |
Tricentis qTest before 10.4 allows stored XSS by an authenticated attacker. Published: February 26, 2022; 3:15:07 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |