Total
251 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26047 | 1 Kitabisa | 1 Teler-waf | 2023-03-10 | N/A | 6.1 MEDIUM |
| teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and horizontal tab is used. This vulnerability allows an attacker to execute arbitrary JavaScript code on the victim's browser and compromise the security of the web application. An attacker can exploit this vulnerability to bypass common web attack threat rules in teler-waf and launch cross-site scripting (XSS) attacks. The attacker can execute arbitrary JavaScript code on the victim's browser and steal sensitive information, such as login credentials and session tokens, or take control of the victim's browser and perform malicious actions. This issue has been patched in version 0.2.0. | |||||
| CVE-2022-39348 | 2 Debian, Twistedmatrix | 2 Debian Linux, Twisted | 2023-03-08 | N/A | 5.4 MEDIUM |
| Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds. | |||||
| CVE-2022-23543 | 1 Silverwaregames | 1 Silverwaregames | 2022-12-27 | N/A | 5.4 MEDIUM |
| Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related `<iframe>` when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert("xss")`) to the `<iframe>'. This issue was fixed in the version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time. | |||||
| CVE-2022-28703 | 1 Lansweeper | 1 Lansweeper | 2022-12-19 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-46350 | 1 Siemens | 10 6gk5204-0ba00-2kb2, 6gk5204-0ba00-2kb2 Firmware, 6gk5204-0ba00-2mb2 and 7 more | 2022-12-15 | N/A | 6.1 MEDIUM |
| A vulnerability has been identified in SCALANCE X204RNA (HSR) (All versions < V3.2.7), SCALANCE X204RNA (PRP) (All versions < V3.2.7), SCALANCE X204RNA EEC (HSR) (All versions < V3.2.7), SCALANCE X204RNA EEC (PRP) (All versions < V3.2.7), SCALANCE X204RNA EEC (PRP/HSR) (All versions < V3.2.7). The integrated web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. This can be used by an attacker to trigger a malicious request on the affected device. | |||||
| CVE-2018-4848 | 1 Siemens | 6 Scalance X-200, Scalance X-200 Firmware, Scalance X-200 Irt and 3 more | 2022-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.3), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3). The integrated configuration web server of the affected devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. The vendor has confirmed the vulnerability and provides mitigations to resolve it. | |||||
| CVE-2022-35278 | 2 Apache, Netapp | 3 Activemq Artemis, Active Iq Unified Manager, Oncommand Workflow Automation | 2022-12-13 | N/A | 6.1 MEDIUM |
| In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue. | |||||
| CVE-2018-19956 | 1 Qnap | 1 Photo Station | 2022-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10. | |||||
| CVE-2018-19955 | 1 Qnap | 1 Photo Station | 2022-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10. | |||||
| CVE-2018-19954 | 1 Qnap | 1 Photo Station | 2022-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10. | |||||
| CVE-2018-19951 | 1 Qnap | 2 Music Station, Qts | 2022-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11. | |||||
| CVE-2022-39372 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 5.4 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Authenticated users may store malicious code in their account information. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
| CVE-2022-39371 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 5.4 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script related HTML tags in assets inventory information are not properly neutralized. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
| CVE-2022-39277 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 4.8 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. External links are not properly sanitized and can therefore be used for a Cross-Site Scripting (XSS) attack. This issue has been patched, please upgrade to GLPI 10.0.4. There are currently no known workarounds. | |||||
| CVE-2017-20043 | 1 Vendavo | 1 Pricepoint | 2022-10-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Navetti PricePoint 4.6.0.0 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting (Persistent). The attack may be launched remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20044 | 1 Vendavo | 1 Pricepoint | 2022-10-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Navetti PricePoint 4.6.0.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to basic cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2022-39240 | 1 Mygraph Project | 1 Mygraph | 2022-09-26 | N/A | 5.4 MEDIUM |
| MyGraph is a permission management system. Versions prior to 1.0.4 are vulnerable to a storage XSS vulnerability leading to Remote Code Execution. This issue is patched in version 1.0.4. There is no known workaround. | |||||
| CVE-2022-36094 | 1 Xwiki | 1 Xwiki | 2022-09-14 | N/A | 9.0 CRITICAL |
| XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki. | |||||
| CVE-2022-36097 | 1 Xwiki | 1 Xwiki | 2022-09-13 | N/A | 6.1 MEDIUM |
| XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch. | |||||
| CVE-2022-36096 | 1 Xwiki | 1 Xwiki | 2022-09-13 | N/A | 9.0 CRITICAL |
| The XWiki Platform Index UI is an Index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3. As a workaround, modify fix the vulnerability by editing the wiki page `XWiki.DeletedAttachments` with the object editor, open the `JavaScriptExtension` object and apply on the content the changes that can be found on the fix commit. | |||||