Vulnerabilities (CVE)

Filtered by CWE-79
Total 18948 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-29894 1 Strapi 1 Strapi 2022-06-22 3.5 LOW 4.8 MEDIUM
Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.
CVE-2022-24399 1 Sap 1 Focused Run 2022-06-21 4.3 MEDIUM 6.1 MEDIUM
The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability.
CVE-2022-26101 1 Sap 1 Fiori Launchpad 2022-06-21 4.3 MEDIUM 6.1 MEDIUM
Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
CVE-2022-0209 1 Facebook-wall-and-social-integration Project 1 Facebook-wall-and-social-integration 2022-06-21 3.5 LOW 4.8 MEDIUM
The Mitsol Social Post Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.10 due to insufficient input sanitization and output escaping on the application id parameters. This makes it possible for authenticated (admin+) attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html is disabled.
CVE-2022-1750 1 Sticky Popup Project 1 Sticky Popup 2022-06-21 3.5 LOW 4.8 MEDIUM
The Sticky Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ popup_title' parameter in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin level capabilities and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue mostly affects sites where unfiltered_html has been disabled for administrators and on multi-site installations where unfiltered_html is disabled for administrators.
CVE-2022-1961 1 Gtm4wp 1 Gtm4wp 2022-06-21 3.5 LOW 4.8 MEDIUM
The Google Tag Manager for WordPress (GTM4WP) plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the `gtm4wp-options[scroller-contentid]` parameter found in the `~/public/frontend.php` file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
CVE-2022-1820 1 Androidbubbles 1 Keep Backup Daily 2022-06-21 4.3 MEDIUM 6.1 MEDIUM
The Keep Backup Daily plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘t’ parameter in versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2022-1773 1 Wp Athletics Project 1 Wp Athletics 2022-06-21 4.3 MEDIUM 6.1 MEDIUM
The WP Athletics WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting
CVE-2022-1772 1 Google Places Reviews Project 1 Google Places Reviews 2022-06-21 2.1 LOW 4.8 MEDIUM
The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their account.
CVE-2022-1814 1 Wp Admin Style Project 1 Wp Admin Style 2022-06-21 3.5 LOW 4.8 MEDIUM
The WP Admin Style WordPress plugin through 0.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
CVE-2022-1822 1 Zephyrproject 1 Zephyr 2022-06-21 4.3 MEDIUM 6.1 MEDIUM
The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘project’ parameter in versions up to, and including, 3.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2018-25039 1 Technicolor 2 Thomson Tcw710, Thomson Tcw710 Firmware 2022-06-21 3.5 LOW 5.4 MEDIUM
A vulnerability was found in Thomson TCW710 ST5D.10.05. It has been declared as problematic. This vulnerability affects unknown code of the file /goform/RgUrlBlock.asp. The manipulation of the argument BasicParentalNewKeyword with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2018-25038 1 Technicolor 2 Thomson Tcw710, Thomson Tcw710 Firmware 2022-06-21 3.5 LOW 5.4 MEDIUM
A vulnerability was found in Thomson TCW710 ST5D.10.05. It has been classified as problematic. This affects an unknown part of the file /goform/RgDhcp. The manipulation of the argument PppUserName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2018-25037 1 Technicolor 2 Thomson Tcw710, Thomson Tcw710 Firmware 2022-06-21 3.5 LOW 5.4 MEDIUM
A vulnerability was found in Thomson TCW710 ST5D.10.05 and classified as problematic. Affected by this issue is some unknown functionality of the file /goform/RgDdns. The manipulation of the argument DdnsHostName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2018-25036 1 Technicolor 2 Thomson Tcw710, Thomson Tcw710 Firmware 2022-06-21 3.5 LOW 5.4 MEDIUM
A vulnerability has been found in Thomson TCW710 ST5D.10.05 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /goform/RgTime. The manipulation of the argument TimeServer1/TimeServer2/TimeServer3 with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2018-25035 1 Technicolor 2 Thomson Tcw710, Thomson Tcw710 Firmware 2022-06-21 3.5 LOW 5.4 MEDIUM
A vulnerability, which was classified as problematic, was found in Thomson TCW710 ST5D.10.05. Affected is an unknown function of the file /goform/RGFirewallEL. The manipulation of the argument EmailAddress/SmtpServerName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2018-25034 1 Technicolor 2 Thomson Tcw710, Thomson Tcw710 Firmware 2022-06-21 3.5 LOW 5.4 MEDIUM
A vulnerability, which was classified as problematic, has been found in Thomson TCW710 ST5D.10.05. This issue affects some unknown processing of the file /goform/wlanPrimaryNetwork. The manipulation of the argument ServiceSetIdentifier with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2022-1896 2022-06-21 N/A N/A
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.
CVE-2022-23072 2022-06-21 N/A 5.4 MEDIUM
In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.
CVE-2021-25088 2022-06-21 N/A N/A
The XML Sitemaps WordPress plugin before 4.1.3 does not sanitise and escape a settings before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)