Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-34768

Summary
Assigner-INCD
Assigner Org ID-a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f
Published At-05 Aug, 2022 | 15:24
Updated At-16 Sep, 2024 | 17:48
Rejected At-
Credits

Synel - eHarmony Stored XSS

insert HTML / js code inside input how to get to the vulnerable input : Workers > worker nickname > inject in this input the code.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:INCD
Assigner Org ID:a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f
Published At:05 Aug, 2022 | 15:24
Updated At:16 Sep, 2024 | 17:48
Rejected At:
▼CVE Numbering Authority (CNA)
Synel - eHarmony Stored XSS

insert HTML / js code inside input how to get to the vulnerable input : Workers > worker nickname > inject in this input the code.

Affected Products
Vendor
Synel
Product
eHarmony
Versions
Affected
  • From v11 before v11* (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update to eHarmony v11.

Configurations
Workarounds
Exploits
Credits
Moriel Harush - Sophtix Security LTD
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.gov.il/en/departments/faq/cve_advisories
x_refsource_MISC
Hyperlink: https://www.gov.il/en/departments/faq/cve_advisories
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.gov.il/en/departments/faq/cve_advisories
x_refsource_MISC
x_transferred
Hyperlink: https://www.gov.il/en/departments/faq/cve_advisories
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@cyber.gov.il
Published At:05 Aug, 2022 | 16:15
Updated At:01 Sep, 2022 | 17:15

insert HTML / js code inside input how to get to the vulnerable input : Workers > worker nickname > inject in this input the code.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Secondary3.16.5MEDIUM
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CPE Matches
supersmart
supersmart
>>supersmart.me_-_walk_through>>-
cpe:2.3:a:supersmart:supersmart.me_-_walk_through:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE-79Secondarycna@cyber.gov.il
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-79
Type: Secondary
Source: cna@cyber.gov.il
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.gov.il/en/departments/faq/cve_advisoriescna@cyber.gov.il
N/A
Hyperlink: https://www.gov.il/en/departments/faq/cve_advisories
Source: cna@cyber.gov.il
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

13Records found
CVE-2022-36778
Matching Score-10
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-10
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 23.16%
||
7 Day CHG~0.00%
Published-13 Sep, 2022 | 14:58
Updated-17 Sep, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Synel - eHarmony Stored XSS

insert HTML / js code inside input how to get to the vulnerable input : Workers > worker nickname > inject in this input the code.

Action-Not Available
Vendor-synelSynel
Product-eharmonyeHarmony
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-44471
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.44% / 62.24%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-16 Sep, 2024 | 23:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Delta Electronics DIAEnergie (Update A)

DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “name” of the script “DIAE_HandlerAlarmGroup.ashx”.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-diaenergieDIAEnergie
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-44544
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.31%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-17 Sep, 2024 | 01:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Delta Electronics DIAEnergie (Update A)

DIAEnergie Version 1.7.5 and prior is vulnerable to multiple cross-site scripting vulnerabilities when arbitrary code is injected into the parameter “name” of the script “HandlerEnergyType.ashx”.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-diaenergieDIAEnergie
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-44080
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.19%
||
7 Day CHG+0.03%
Published-29 Oct, 2024 | 00:00
Updated-10 Jul, 2025 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Jitsi Meet before 2.0.9779, the functionality to share an image using giphy was implemented in an insecure way, resulting in clients loading GIFs from any arbitrary URL if a message from another participant contains a URL encoded in the expected format.

Action-Not Available
Vendor-8x8n/ajitsi
Product-jitsi_meetn/ameet
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20209
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.99% / 75.98%
||
7 Day CHG~0.00%
Published-13 Jan, 2020 | 17:05
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing.

Action-Not Available
Vendor-cththemesn/a
Product-easybooktownhubcitybookn/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-18857
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.34% / 56.29%
||
7 Day CHG~0.00%
Published-11 Nov, 2019 | 14:34
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript	:alert substring.

Action-Not Available
Vendor-svg-sanitizer_projectn/a
Product-svg-sanitizern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-17214
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.44% / 62.10%
||
7 Day CHG~0.00%
Published-06 Oct, 2019 | 13:21
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WebARX plugin 1.3.0 for WordPress allows firewall bypass by appending &cc=1 to a URI.

Action-Not Available
Vendor-webarxsecurityn/a
Product-webarxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-49952
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.11% / 29.78%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 00:00
Updated-07 May, 2025 | 13:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.

Action-Not Available
Vendor-joinmastodonn/ajoinmastodon
Product-mastodonn/amastodon
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28648
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.77% / 72.64%
||
7 Day CHG~0.00%
Published-28 Mar, 2023 | 20:06
Updated-16 Jan, 2025 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2023-28648

Osprey Pump Controller version 1.01 inputs passed to a GET parameter are not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Action-Not Available
Vendor-propumpserviceProPump and Controls, Inc.
Product-osprey_pump_controller_firmwareosprey_pump_controllerOsprey Pump Controller
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23228
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.16% / 36.98%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-17 Sep, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Delta Electronics DIAEnergie (Update A)

DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross-site scripting attack through error pages that are returned by “.NET Request.QueryString”.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-diaenergieDIAEnergie
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-36783
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 21.08%
||
7 Day CHG~0.00%
Published-25 Oct, 2022 | 00:50
Updated-07 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AlgoSec – FireFlow Reflected Cross-Site-Scripting (RXSS)

AlgoSec – FireFlow Reflected Cross-Site-Scripting (RXSS) A malicious user injects JavaScript code into a parameter called IntersectudRule on the search/result.html page. The malicious user changes the request from POST to GET and sends the URL to another user (victim). JavaScript code is executed on the browser of the other user.

Action-Not Available
Vendor-AlgoSec Inc.
Product-fireflowFireFlow A32.0FireFlow A32.20FireFlow A32.10
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-24853
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.30% / 52.78%
||
7 Day CHG~0.00%
Published-31 Jul, 2025 | 08:42
Updated-04 Aug, 2025 | 13:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing

A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later.

Action-Not Available
Vendor-The Apache Software Foundation
Product-jspwikiApache JSPWiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0282
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.68% / 70.52%
||
7 Day CHG~0.00%
Published-20 Jan, 2022 | 11:15
Updated-02 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting in microweber/microweber

Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.

Action-Not Available
Vendor-Microweber (‘Microweber Academy’ Foundation)
Product-microwebermicroweber/microweber
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Details not found