Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-1990

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-27 Jun, 2022 | 08:59
Updated At-20 Nov, 2024 | 15:45
Rejected At-
Credits

Nested Pages < 3.1.21 - Admin+ Stored Cross Site Scripting

The Nested Pages WordPress plugin before 3.1.21 does not escape and sanitize the some of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html is disallowed

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:27 Jun, 2022 | 08:59
Updated At:20 Nov, 2024 | 15:45
Rejected At:
▼CVE Numbering Authority (CNA)
Nested Pages < 3.1.21 - Admin+ Stored Cross Site Scripting

The Nested Pages WordPress plugin before 3.1.21 does not escape and sanitize the some of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html is disallowed

Affected Products
Vendor
Unknown
Product
Nested Pages
Versions
Affected
  • From 3.1.21 before 3.1.21 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Sachin Bahl from eSec Forte Technologies Pvt Ltd
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpscan.com/vulnerability/42f1bf1f-95a8-41ee-a637-88deb80ab870
x_refsource_MISC
Hyperlink: https://wpscan.com/vulnerability/42f1bf1f-95a8-41ee-a637-88deb80ab870
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpscan.com/vulnerability/42f1bf1f-95a8-41ee-a637-88deb80ab870
x_refsource_MISC
x_transferred
Hyperlink: https://wpscan.com/vulnerability/42f1bf1f-95a8-41ee-a637-88deb80ab870
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:27 Jun, 2022 | 09:15
Updated At:18 Dec, 2023 | 15:32

The Nested Pages WordPress plugin before 3.1.21 does not escape and sanitize the some of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html is disallowed

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches

kylephillips
kylephillips
>>nested_pages>>Versions before 3.1.21(exclusive)
cpe:2.3:a:kylephillips:nested_pages:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarycontact@wpscan.com
CWE ID: CWE-79
Type: Primary
Source: contact@wpscan.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://wpscan.com/vulnerability/42f1bf1f-95a8-41ee-a637-88deb80ab870contact@wpscan.com
Exploit
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/42f1bf1f-95a8-41ee-a637-88deb80ab870
Source: contact@wpscan.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

8385Records found

CVE-2021-33682
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.22%
||
7 Day CHG~0.00%
Published-14 Jul, 2021 | 11:08
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Lumira Server version 2.4 does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with basic level privileges to store a malicious script on SAP Lumira Server. The execution of the script content, by a victim registered on SAP Lumira Server, could compromise the confidentiality and integrity of SAP Lumira content.

Action-Not Available
Vendor-SAP SE
Product-lumira_serverSAP Lumira Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12814
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.50% / 65.04%
||
7 Day CHG~0.00%
Published-02 Nov, 2021 | 17:56
Updated-25 Oct, 2024 | 13:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerFortinet FortiAnalyzer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33562
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.33% / 54.84%
||
7 Day CHG~0.00%
Published-24 May, 2021 | 22:33
Updated-03 Aug, 2024 | 23:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.

Action-Not Available
Vendor-shopizern/a
Product-shopizern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-1289
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.68% / 70.54%
||
7 Day CHG~0.00%
Published-09 Jun, 2020 | 19:43
Updated-04 Aug, 2024 | 06:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Spoofing Vulnerability'. This CVE ID is unique from CVE-2020-1148.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_foundationMicrosoft SharePoint Foundation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-3255
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.8||MEDIUM
EPSS-0.00% / 0.07%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 12:00
Updated-28 May, 2025 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Reflected in pimcore/pimcore

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

Action-Not Available
Vendor-Pimcore
Product-pimcorepimcore/pimcore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12849
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.63% / 69.38%
||
7 Day CHG~0.00%
Published-05 Jun, 2020 | 12:52
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pydio Cells 2.0.4 allows any user to upload a profile image to the web application, including standard and shared user roles. These profile pictures can later be accessed directly with the generated URL by any unauthenticated or authenticated user.

Action-Not Available
Vendor-pydion/a
Product-cellsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29532
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.29% / 51.73%
||
7 Day CHG~0.00%
Published-20 Apr, 2022 | 00:00
Updated-03 Aug, 2024 | 06:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.

Action-Not Available
Vendor-mispn/a
Product-mispn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-1227
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.43% / 61.71%
||
7 Day CHG~0.00%
Published-11 Sep, 2020 | 17:09
Updated-04 Aug, 2024 | 06:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Office SharePoint XSS Vulnerability

<p>A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.</p> <p>The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.</p> <p>The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests.</p>

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serversharepoint_foundationsharepoint_enterprise_serverMicrosoft SharePoint Server 2019Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Enterprise Server 2013 Service Pack 1
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11768
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.25% / 48.46%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 13:44
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by Stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rbk20r8900_firmwarerbr40_firmwarerbs20_firmwared7800rbk40r7500_firmwarerbr20xr500_firmwarerbk40_firmwarexr700_firmwarerax120xr500rbs40d7800_firmwarer8900r9000_firmwarerbs40_firmwarerbs20rbs50_firmwarerbr40rbs50r9000r7500rbr50_firmwarerbr50r7800rax120_firmwarerbr20_firmwarerbk50r7800_firmwarerbk50_firmwarerbk20_firmwarexr700n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11775
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.43% / 61.43%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 13:53
Updated-04 Aug, 2024 | 11:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rbk20r8900_firmwarerbr40_firmwarerbs20_firmwared7800rbk40r7500_firmwarerbr20xr500_firmwarerbk40_firmwarexr700_firmwarerax120xr500rbs40d7800_firmwarer8900r9000_firmwarerbs40_firmwarerbs20rbs50_firmwarerbr40rbs50r9000r7500rbr50_firmwarerbr50r7800rax120_firmwarerbr20_firmwarerbk50r7800_firmwarerbk50_firmwarerbk20_firmwarexr700n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17868
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.24% / 46.32%
||
7 Day CHG~0.00%
Published-01 Oct, 2018 | 23:00
Updated-05 Aug, 2024 | 11:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DASAN H660GW devices have Stored XSS in the Port Forwarding functionality.

Action-Not Available
Vendor-dasann/a
Product-h660gwh660gw_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12438
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 51.09%
||
7 Day CHG~0.00%
Published-28 Apr, 2020 | 20:51
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.

Action-Not Available
Vendor-php-fusionn/a
Product-php-fusionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12706
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.45% / 79.97%
||
7 Day CHG~0.00%
Published-07 May, 2020 | 19:09
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php

Action-Not Available
Vendor-php-fusionn/a
Product-php-fusionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-1688
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 50.08%
||
7 Day CHG~0.00%
Published-27 Nov, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134063.

Action-Not Available
Vendor-IBM Corporation
Product-rational_doors_next_generationRational DOORS Next Generation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29424
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.06% / 18.09%
||
7 Day CHG~0.00%
Published-26 Jun, 2023 | 07:17
Updated-10 Oct, 2024 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ShiftController Employee Shift Scheduling Plugin <= 4.9.23 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Plainware ShiftController Employee Shift Scheduling plugin <= 4.9.23 versions.

Action-Not Available
Vendor-plainwarePlainware
Product-shiftcontrollerShiftController Employee Shift Scheduling
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28612
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 34.10%
||
7 Day CHG~0.00%
Published-15 Jun, 2022 | 19:34
Updated-20 Feb, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Custom Popup Builder plugin <= 1.3.1 - Improper Access Control vulnerability leading to multiple Authenticated Stored XSS

Improper Access Control vulnerability leading to multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Muneeb's Custom Popup Builder plugin <= 1.3.1 at WordPress.

Action-Not Available
Vendor-custom_popup_builder_projectMuneeb
Product-custom_popup_builderCustom Popup Builder (WordPress plugin)
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-1183
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.05% / 76.64%
||
7 Day CHG~0.00%
Published-09 Jun, 2020 | 19:43
Updated-28 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1177, CVE-2020-1297, CVE-2020-1298, CVE-2020-1318, CVE-2020-1320.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_enterprise_serversharepoint_foundationsharepoint_serverMicrosoft SharePoint Enterprise ServerMicrosoft SharePoint FoundationMicrosoft SharePoint Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11838
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 42.98%
||
7 Day CHG~0.00%
Published-16 Jun, 2020 | 13:13
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Management Center product, Affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS) or information disclosure.

Action-Not Available
Vendor-n/aMicro Focus International Limited
Product-arcsight_management_centerArcSight Management Center.
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-1177
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-1.05% / 76.64%
||
7 Day CHG~0.00%
Published-09 Jun, 2020 | 19:43
Updated-28 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1183, CVE-2020-1297, CVE-2020-1298, CVE-2020-1318, CVE-2020-1320.

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_enterprise_serversharepoint_foundationsharepoint_serverMicrosoft SharePoint Enterprise ServerMicrosoft SharePoint FoundationMicrosoft SharePoint Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28717
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-4.8||MEDIUM
EPSS-0.19% / 40.95%
||
7 Day CHG~0.00%
Published-18 May, 2022 | 09:50
Updated-03 Aug, 2024 | 06:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker with the administrative privilege to inject an arbitrary script via unspecified vectors.

Action-Not Available
Vendor-meikyoMEIKYO ELECTRIC CO.,LTD.
Product-watch_boot_nino_rpc-m2c_firmwarewatch_boot_light_rpc-m5cs_firmwaretime_boot_mini_rsc-mt4hspoe_boot_nino_poe8m2_firmwarewatch_boot_nino_rpc-m2cs_firmwaretime_boot_mini_rsc-mt4h_firmwarewatch_boot_mini_rpc-m4htime_boot_rsc-mt8fs_firmwarewatch_boot_light_rpc-m5c_firmwarewatch_boot_l-zero_rpc-m4l_firmwarewatch_boot_nino_rpc-m2cssignage_rebooter_rpc-m4hsipoe_boot_nino_poe8m2watch_boot_l-zero_rpc-m4lstime_boot_mini_rsc-mt4hpose_se10-8a7b1signage_rebooter_rpc-m4hsi_firmwaretime_boot_mini_rsc-mt4hs_firmwaretime_boot_rsc-mt8fspose_se10-8a7b1_firmwarewatch_boot_light_rpc-m5cswatch_boot_l-zero_rpc-m4ltime_boot_rsc-mt8ftime_boot_rsc-mt8fp_firmwarewatch_boot_light_rpc-m5ctime_boot_rsc-mt8fpwatch_boot_mini_rpc-m4h_firmwaretime_boot_rsc-mt8f_firmwarewatch_boot_l-zero_rpc-m4ls_firmwarewatch_boot_nino_rpc-m2cRebooter, PoE Rebooter, Scheduler, and Contact Converter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11786
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.36% / 57.39%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 17:01
Updated-04 Aug, 2024 | 11:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwarer8900r9000_firmwarer8900_firmwarexr700d7800rbs50_firmwarerbs50r9000r7500rbr50_firmwarer7500_firmwarerbr50r7800rax120_firmwarexr500_firmwarerbk50r7800_firmwarexr700_firmwarerbk50_firmwarerax120xr500n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35587
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.11% / 29.69%
||
7 Day CHG+0.04%
Published-12 Aug, 2022 | 15:54
Updated-03 Aug, 2024 | 09:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_date" Parameter

Action-Not Available
Vendor-fork-cmsn/a
Product-fork_cmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11773
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.21% / 43.88%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 13:51
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwarer8900r9000_firmwarer8900_firmwared7800r9000r7500r7500_firmwarer7800rax120_firmwarexr500xr500_firmwarer7800_firmwarexr700_firmwarerax120xr700n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11784
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.23% / 45.84%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 16:06
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwarer8900r9000_firmwarer8900_firmwarexr700d7800rbs50_firmwarerbs50r9000r7500rbr50_firmwarer7500_firmwarerbr50r7800rax120_firmwarexr500_firmwarerbk50r7800_firmwarexr700_firmwarerbk50_firmwarerax120xr500n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11776
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.43% / 61.43%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 13:54
Updated-04 Aug, 2024 | 11:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwarer8900r9000_firmwarer8900_firmwared7800r9000r7500r7500_firmwarer7800rax120_firmwarexr500xr500_firmwarer7800_firmwarexr700_firmwarerax120xr700n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29848
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 38.21%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bang Resto 1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the itemName parameter in the admin/menu.php Add New Menu function.

Action-Not Available
Vendor-hockeycomputindon/a
Product-bang_reston/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12512
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-7.5||HIGH
EPSS-0.72% / 71.58%
||
7 Day CHG~0.00%
Published-22 Jan, 2021 | 19:01
Updated-17 Sep, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pepper+Fuchs Comtrol IO-Link Master Cross-Site Scripting

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting

Action-Not Available
Vendor-pepperl-fuchsPepper+Fuchs
Product-io-link_master_dr-8-eip_firmwareio-link_master_dr-8-pnio-p_firmwareio-link_master_dr-8-pnio-tio-link_master_dr-8-eipio-link_master_dr-8-eip-t_firmwareio-link_master_4-eip_firmwareio-link_master_dr-8-eip-p_firmwareio-link_master_4-pnioio-link_master_8-pnio-lio-link_master_8-pnio-l_firmwareio-link_master_4-pnio_firmwareio-link_master_dr-8-pnio-t_firmwareio-link_master_4-eipio-link_master_8-eip-lio-link_master_8-pnio_firmwareio-link_master_8-eip_firmwareio-link_master_8-eip-l_firmwareio-link_master_dr-8-pnio-pio-link_master_dr-8-eip-pio-link_master_8-pnioio-link_master_8-eipio-link_master_dr-8-pnio_firmwareio-link_master_dr-8-eip-tio-link_master_dr-8-pnioComtrol IO-Link Master
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29037
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-25.85% / 96.06%
||
7 Day CHG~0.00%
Published-12 Apr, 2022 | 19:50
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Action-Not Available
Vendor-Jenkins
Product-cvsJenkins CVS Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-4355
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.20% / 42.35%
||
7 Day CHG~0.00%
Published-01 Dec, 2010 | 16:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in DaDaBIK before 4.3 beta2, when the insert or edit feature is enabled, allows remote authenticated users to inject arbitrary web script or HTML via the select_single parameter.

Action-Not Available
Vendor-dadabikn/a
Product-dadabikn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2947
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.7||MEDIUM
EPSS-20.40% / 95.32%
||
7 Day CHG~0.00%
Published-27 May, 2023 | 00:00
Updated-14 Jan, 2025 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in openemr/openemr

Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12262
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-2.98% / 86.01%
||
7 Day CHG~0.00%
Published-26 Nov, 2020 | 23:41
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 devices allow /cgi-bin/cgiServer.exx?page= XSS.

Action-Not Available
Vendor-intelbrasn/a
Product-tip300_firmwaretip200_firmwaretip200litetip300tip200tip200lite_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11769
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.25% / 48.46%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 13:45
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBK50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rbk20r8900_firmwarerbr40_firmwarerbs20_firmwared7800rbk40r7500_firmwarerbr20xr500_firmwarerbk40_firmwarexr700_firmwarerax120xr500rbs40d7800_firmwarer8900r9000_firmwarerbs40_firmwarerbs20rbs50_firmwarerbr40rbs50r9000r7500r7800rax120_firmwarerbr20_firmwarerbk50r7800_firmwarerbk50_firmwarerbk20_firmwarexr700n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-17556
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 41.24%
||
7 Day CHG~0.00%
Published-26 Sep, 2018 | 20:00
Updated-17 Sep, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MODX Revolution v2.6.5-pl allows stored XSS via a Create New Media Source action.

Action-Not Available
Vendor-modxn/a
Product-modx_revolutionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10643
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 33.22%
||
7 Day CHG~0.00%
Published-27 Jul, 2020 | 21:20
Updated-16 Sep, 2024 | 23:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OSIsoft PI System

An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component.

Action-Not Available
Vendor-osisoftOSIsoft
Product-pi_visionPI Vision
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12259
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-65.81% / 98.44%
||
7 Day CHG~0.00%
Published-18 May, 2020 | 13:00
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29707
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.07% / 21.38%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 00:00
Updated-06 Dec, 2024 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in GBCOM LAC WEB Control Center version lac-1.3.x, allows attackers to create an arbitrary device.

Action-Not Available
Vendor-gbcomn/a
Product-lac_web_control_centern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12082
Matching Score-4
Assigner-Flexera Software LLC
ShareView Details
Matching Score-4
Assigner-Flexera Software LLC
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 42.98%
||
7 Day CHG~0.00%
Published-17 Sep, 2021 | 17:45
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting issue impacts certain areas of the Web UI for Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).

Action-Not Available
Vendor-flexeran/a
Product-flexnet_code_insightn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12718
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.31% / 53.52%
||
7 Day CHG~0.00%
Published-07 May, 2020 | 23:29
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.

Action-Not Available
Vendor-php-fusionn/a
Product-php-fusionn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11783
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.36% / 57.39%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 15:11
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwarer8900r9000_firmwarer8900_firmwared7800r9000r7500r7500_firmwarer7800rax120_firmwarexr500xr500_firmwarer7800_firmwarexr700_firmwarerax120xr700n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11813
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 51.09%
||
7 Day CHG~0.00%
Published-16 Apr, 2020 | 16:30
Updated-04 Aug, 2024 | 11:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page so this attack vector can be very dangerous.

Action-Not Available
Vendor-rukovoditeln/a
Product-rukovoditeln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12629
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 44.70%
||
7 Day CHG~0.00%
Published-04 May, 2020 | 12:28
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name.

Action-Not Available
Vendor-enhancesoftn/a
Product-osticketn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3351
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 40.54%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 05:22
Updated-03 Aug, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenPLC runtime V3 through 2016-03-14 allows stored XSS via the Device Name to the web server's Add New Device page.

Action-Not Available
Vendor-openplcprojectn/a
Product-openplcn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-36057
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 21.13%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 19:30
Updated-23 Apr, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse-Chat Cross-Site Scripting issue for channel names and descriptions

Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a patch for this issue.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discourse-chatdiscourse-chat
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2020-11780
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.36% / 57.39%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 15:08
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwarer8900r9000_firmwarer8900_firmwared7800r9000r7500r7500_firmwarer7800rax120_firmwarexr500xr500_firmwarer7800_firmwarexr700_firmwarerax120xr700n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28650
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-7.3||HIGH
EPSS-0.01% / 0.64%
||
7 Day CHG~0.00%
Published-05 Apr, 2022 | 17:55
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI

Action-Not Available
Vendor-JetBrains s.r.o.
Product-youtrackYouTrack
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29426
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 38.71%
||
7 Day CHG~0.00%
Published-20 May, 2022 | 20:03
Updated-20 Feb, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Slideshow, Image Slider by 2J plugin <= 1.3.54 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability

Authenticated (contributor or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in 2J Slideshow Team's Slideshow, Image Slider by 2J plugin <= 1.3.54 at WordPress.

Action-Not Available
Vendor-2joomla2J Slideshow Team
Product-2j_slideshowSlideshow, Image Slider by 2J (WordPress plugin)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-3546
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-2.4||LOW
EPSS-0.76% / 72.30%
||
7 Day CHG~0.00%
Published-17 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 01:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Simple Cold Storage Management System Create User cross site scripting

A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /csms/admin/?page=user/list of the component Create User Handler. The manipulation of the argument First Name/Last Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-211046 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-simple_cold_storage_management_systemSimple Cold Storage Management System
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11782
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6||MEDIUM
EPSS-0.36% / 57.39%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 15:10
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwarer8900r9000_firmwarer8900_firmwared7800r9000r7500r7500_firmwarer7800rax120_firmwarexr500xr500_firmwarer7800_firmwarexr700_firmwarerax120xr700n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29043
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.4||MEDIUM
EPSS-31.60% / 96.64%
||
7 Day CHG~0.00%
Published-12 Apr, 2022 | 19:50
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Mask Passwords Plugin 3.0 and earlier does not escape the name and description of Non-Stored Password parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Action-Not Available
Vendor-Jenkins
Product-mask_passwordsJenkins Mask Passwords Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-16551
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 42.98%
||
7 Day CHG~0.00%
Published-05 Sep, 2018 | 22:00
Updated-05 Aug, 2024 | 10:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit.

Action-Not Available
Vendor-lavaliten/a
Product-lavaliten/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • ...
  • 5
  • 6
  • 7
  • ...
  • 167
  • 168
  • Next
Details not found