Vulnerabilities (CVE)

Filtered by CWE-79
Total 18572 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-2601 1 Jenkins 1 Jenkins 2022-05-17 3.5 LOW 5.4 MEDIUM
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
CVE-2022-1104 1 Code-atlantic 1 Popup Maker 2022-05-17 3.5 LOW 4.8 MEDIUM
The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2022-29413 1 Hermit Project 1 Hermit 2022-05-16 4.3 MEDIUM 6.1 MEDIUM
Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit ????? plugin <= 3.1.6 on WordPress via &title parameter.
CVE-2022-29172 1 Auth0 1 Lock 2022-05-16 2.6 LOW 6.1 MEDIUM
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields� feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields� feature in your application. Upgrade to version `11.33.0`.
CVE-2021-22822 1 Schneider-electric 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more 2022-05-16 4.3 MEDIUM 6.1 MEDIUM
A CWE-79 Improper Neutralization of Input During Web Page Generation (?Cross-site Scripting?) vulnerability exists that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)
CVE-2021-24410 1 Telugu Bible Verse Daily Project 1 Telugu Bible Verse Daily 2022-05-16 4.3 MEDIUM 6.1 MEDIUM
The తెల�గ� బైబిల� వచనమ�ల� WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code in them, leading to Stored XSS issues
CVE-2020-6324 1 Sap 1 Netweaver As Abap Business Server Pages 2022-05-16 4.3 MEDIUM 6.1 MEDIUM
SAP Netweaver AS ABAP(BSP Test Application sbspext_table), version-700,701,720,730,731,740,750,751,752,753,754,755, allows an unauthenticated attacker to send polluted URL to the victim, when the victim clicks on this URL, the attacker can read, modify the information available in the victim?s browser leading to Reflected Cross Site Scripting.
CVE-2018-19615 1 Rockwellautomation 2 Powermonitor 1000, Powermonitor 1000 Firmware 2022-05-16 4.3 MEDIUM 6.1 MEDIUM
Rockwell Automation Allen-Bradley PowerMonitor 1000 all versions. A remote attacker could inject arbitrary code into a targeted userâ??s web browser to gain access to the affected device.
CVE-2021-27442 2022-05-16 N/A N/A
The Weintek cMT product line is vulnerable to a cross-site scripting vulnerability, which could allow an unauthenticated remote attacker to inject malicious JavaScript code.
CVE-2021-33021 2022-05-16 N/A N/A
xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘edate’ of the resource xhisalarm.htm, which may allow an unauthorized attacker to execute arbitrary code.
CVE-2021-33025 2022-05-16 N/A N/A
xArrow SCADA versions 7.2 and prior permits unvalidated registry keys to be run with application-level privileges.
CVE-2021-33001 2022-05-16 N/A N/A
xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘bdate’ of the resource xhisvalue.htm, which may allow an unauthorized attacker to execute arbitrary code.
CVE-2019-8331 4 F5, Getbootstrap, Redhat and 1 more 16 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 13 more 2022-05-16 4.3 MEDIUM 6.1 MEDIUM
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
CVE-2022-0625 1 Admin Menu Editor Project 1 Admin Menu Editor 2022-05-16 4.3 MEDIUM 6.1 MEDIUM
The Admin Menu Editor WordPress plugin through 1.0.4 does not sanitize and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-29420 1 Edmonsoft 1 Countdown Builder 2022-05-16 3.5 LOW 4.8 MEDIUM
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-circle-countdown-before-countdown and &ycd-circle-countdown-after-countdown vulnerable parameters.
CVE-2022-29422 1 Edmonsoft 1 Countdown Builder 2022-05-16 3.5 LOW 4.8 MEDIUM
Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, &ycd-circle-countdown-after-countdown vulnerable parameters.
CVE-2022-29421 1 Edmonsoft 1 Countdown Builder 2022-05-16 4.3 MEDIUM 6.1 MEDIUM
Reflected Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin on WordPress via &ycd_type vulnerable parameter.
CVE-2021-39024 1 Ibm 1 Guardium Data Encryption 2022-05-16 4.3 MEDIUM 6.1 MEDIUM
IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 213862.
CVE-2022-28545 1 Fudforum 1 Fudforum 2022-05-16 3.5 LOW 5.4 MEDIUM
FUDforum 3.1.1 is vulnerable to Stored XSS.
CVE-2022-1303 1 Slide Anything Project 1 Slide Anything 2022-05-16 3.5 LOW 4.8 MEDIUM
The Slide Anything WordPress plugin before 2.3.44 does not sanitize and escape sliders' description, which could allow high privilege users such as editor and above to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed