Security Vulnerabilities (CVSS score between 1 and 3.99)

Entries 1 to 50. Each entry gives: CVE ID | CWE ID | vulnerability type | publish date | update date | CVSS v2 base score | gained access level | access vector | access complexity | authentication | confidentiality/integrity/availability impact, followed by the description. No entry on this page has an exploit count listed.
1. CVE-2022-30970 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
2. CVE-2022-30968 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins vboxwrapper Plugin 1.3 and earlier does not escape the name and description of VBox node parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
3. CVE-2022-30967 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
4. CVE-2022-30966 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
5. CVE-2022-30965 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name and description of Promotion Level parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
6. CVE-2022-30964 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Multiselect parameter Plugin 1.3 and earlier does not escape the name and description of Multiselect parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
7. CVE-2022-30963 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
8. CVE-2022-30962 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Global Variable String Parameter Plugin 1.2 and earlier does not escape the name and description of Global Variable String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
9. CVE-2022-30961 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Autocomplete Parameter Plugin 1.1 and earlier does not escape the name of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
10. CVE-2022-30960 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Application Detector Plugin 1.0.8 and earlier does not escape the name of Chois Application Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
11. CVE-2022-30072 | CWE-79 | XSS | Published 2022-05-17 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
WBCE CMS 1.5.2 is vulnerable to cross-site scripting (XSS) via the namesection2 parameter of \admin\pages\sections_save.php.
12. CVE-2022-30057 | CWE-79 | XSS | Published 2022-05-11 | Updated 2022-05-20 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Shopwind <=v3.4.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability.
13. CVE-2022-30013 | CWE-79 | XSS | Published 2022-05-16 | Updated 2022-05-24 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a JavaScript embedded PDF file.
14. CVE-2022-29976 | CWE-79 | XSS | Published 2022-05-11 | Updated 2022-05-17 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
An authenticated reflected cross-site scripting (XSS) vulnerability in the BCC parameter was discovered in MDaemon before 22.0.0.
15. CVE-2022-29975 | CWE-79 | XSS | Published 2022-05-11 | Updated 2022-05-17 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
An authenticated reflected cross-site scripting (XSS) vulnerability in the CC parameter was discovered in MDaemon before 22.0.0.
16. CVE-2022-29973 | CWE-770 | +Info | Published 2022-05-02 | Updated 2022-05-11 | CVSS v2 1.9 | Gained access: None | Access: Local | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/None/None
relan exFAT 1.3.0 allows local users to obtain sensitive information (data from deleted files in the filesystem) in certain situations involving offsets beyond ValidDataLength.
17. CVE-2022-29940 | CWE-79 | XSS | Published 2022-05-05 | Updated 2022-05-12 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.
18. CVE-2022-29939 | CWE-79 | XSS | Published 2022-05-05 | Updated 2022-05-12 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities.
19. CVE-2022-29868 | CWE-312 | Bypass | Published 2022-05-09 | Updated 2022-05-18 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
1Password for Mac 7.2.4 through 7.9.x before 7.9.3 is vulnerable to a process validation bypass. Malicious software running on the same computer can exfiltrate secrets from 1Password provided that 1Password is running and is unlocked. Affected secrets include vault items and derived values used for signing in to 1Password.
20. CVE-2022-29820 | CWE-668 | Type: not listed | Published 2022-04-28 | Updated 2022-05-05 | CVSS v2 3.3 | Gained access: None | Access: Local Network | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible
21. CVE-2022-29818 | CWE-346 | Type: not listed | Published 2022-04-28 | Updated 2022-05-05 | CVSS v2 3.6 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/Partial/None
In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed
22. CVE-2022-29816 | CWE-74 | Type: not listed | Published 2022-04-28 | Updated 2022-05-05 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: None/Partial/None
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible
23. CVE-2022-29812 | CWE: none assigned | Type: not listed | Published 2022-04-28 | Updated 2022-05-05 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: None/Partial/None
In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient
24. CVE-2022-29811 | CWE-79 | XSS | Published 2022-04-28 | Updated 2022-05-05 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.
25. CVE-2022-29810 | CWE-532 | Type: not listed | Published 2022-04-27 | Updated 2022-05-10 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
26. CVE-2022-29727 | CWE-79 | XSS | Published 2022-05-11 | Updated 2022-05-23 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Survey Sparrow Enterprise Survey Software 2022 has a Stored cross-site scripting (XSS) vulnerability in the Signup parameter.
27. CVE-2022-29610 | CWE-79 | XSS | Published 2022-05-11 | Updated 2022-05-19 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.
28. CVE-2022-29584 | CWE-79 | XSS | Published 2022-04-28 | Updated 2022-05-06 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action.
29. CVE-2022-29532 | CWE-79 | XSS | Published 2022-04-20 | Updated 2022-04-27 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.
30. CVE-2022-29531 | CWE-79 | XSS | Published 2022-04-20 | Updated 2022-04-27 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
31. CVE-2022-29530 | CWE-79 | XSS | Published 2022-04-20 | Updated 2022-04-27 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.
32. CVE-2022-29529 | CWE-79 | XSS | Published 2022-04-20 | Updated 2022-04-27 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.
33. CVE-2022-29449 | CWE-79 | XSS | Published 2022-05-19 | Updated 2022-05-25 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Opal Hotel Room Booking plugin <= 1.2.7 at WordPress.
34. CVE-2022-29444 | CWE-264 | XSS | Published 2022-05-02 | Updated 2022-05-09 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Plugin settings change leading to cross-site scripting (XSS) in the Cloudways Breeze plugin <= 2.0.2 on WordPress: users with a subscriber or higher user role can execute any of the wp_ajax_* actions in the class Breeze_Configuration, which includes the ability to change any of the plugin's settings, including the CDN setting, which could then be used for an XSS attack.
35. CVE-2022-29433 | CWE-79 | XSS | Published 2022-05-13 | Updated 2022-05-23 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Authenticated (contributor or higher role) Cross-Site Scripting (XSS) vulnerability in Donations plugin <= 1.8 on WordPress.
36. CVE-2022-29422 | CWE-79 | XSS | Published 2022-05-06 | Updated 2022-05-16 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, &ycd-circle-countdown-after-countdown vulnerable parameters.
37. CVE-2022-29420 | CWE-79 | XSS | Published 2022-05-06 | Updated 2022-05-16 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-circle-countdown-before-countdown and &ycd-circle-countdown-after-countdown vulnerable parameters.
38. CVE-2022-29418 | CWE-79 | XSS | Published 2022-04-25 | Updated 2022-05-05 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin <= 1.0.0 on WordPress via vulnerable parameters: &ntmode_page_setting[enable-me], &ntmode_page_setting[bg-color], &ntmode_page_setting[txt-color], &ntmode_page_setting[anc_color].
39. CVE-2022-29302 | CWE-552 | Type: not listed | Published 2022-05-12 | Updated 2022-05-20 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
SolarView Compact ver.6.00 was discovered to contain a local file disclosure via /html/Solar_Ftp.php.
40. CVE-2022-29172 | CWE-79 | XSS | Published 2022-05-05 | Updated 2022-05-16 | CVSS v2 2.6 | Gained access: None | Access: Remote | Complexity: High | Auth: Not required | Conf/Integ/Avail: None/Partial/None
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the "additional signup fields" feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject unvalidated HTML into these additional fields, which is then stored in the service `user_metadata` payload (using the `name` property). Verification emails, when applicable, are generated from this metadata. It is therefore possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the "additional signup fields" feature in your application. Upgrade to version `11.33.0`.
41. CVE-2022-29140 | CWE: none assigned | Type: not listed | Published 2022-05-10 | Updated 2022-05-23 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Windows Print Spooler Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29114.
42. CVE-2022-29134 | CWE: none assigned | Type: not listed | Published 2022-05-10 | Updated 2022-05-23 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29122, CVE-2022-29123.
43. CVE-2022-29127 | CWE: none assigned | Bypass | Published 2022-05-10 | Updated 2022-05-23 | CVSS v2 1.9 | Gained access: None | Access: Local | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/None/None
BitLocker Security Feature Bypass Vulnerability.
44. CVE-2022-29123 | CWE-668 | Type: not listed | Published 2022-05-10 | Updated 2022-05-23 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29122, CVE-2022-29134.
45. CVE-2022-29122 | CWE-668 | Type: not listed | Published 2022-05-10 | Updated 2022-05-23 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29123, CVE-2022-29134.
46. CVE-2022-29121 | CWE-400 | DoS | Published 2022-05-10 | Updated 2022-05-25 | CVSS v2 3.3 | Gained access: None | Access: Local Network | Complexity: Low | Auth: Not required | Conf/Integ/Avail: None/None/Partial
Windows WLAN AutoConfig Service Denial of Service Vulnerability.
47. CVE-2022-29114 | CWE-863 | Type: not listed | Published 2022-05-10 | Updated 2022-05-23 | CVSS v2 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Windows Print Spooler Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29140.
48. CVE-2022-29046 | CWE-79 | XSS | Published 2022-04-12 | Updated 2022-04-20 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
49. CVE-2022-29045 | CWE-79 | XSS | Published 2022-04-12 | Updated 2022-04-20 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
50. CVE-2022-29044 | CWE-79 | XSS | Published 2022-04-12 | Updated 2022-04-20 | CVSS v2 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Single system | Conf/Integ/Avail: None/Partial/None
Jenkins Node and Label parameter Plugin 1.10.3 and earlier does not escape the name and description of Node and Label parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
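The Score column on this page is the CVSS v2 base score, and it is fully determined by the access vector, access complexity, authentication and impact columns. The script below is an added example (not cvedetails.com code) that recomputes the score from those columns using the published CVSS v2.0 weights and checks a sample of rows transcribed from this listing. It also shows why the 3.5 XSS rows must require single authentication: the same vector with no authentication scores 4.3, outside this page's 1 to 3.99 range. The sample rows and the entry numbers in the comments are the only input.

```python
"""CVSS v2.0 base score recomputed from the metric columns of this listing.

Added example, not cvedetails.com code. The weights are the published
CVSS v2.0 constants; SAMPLE_ROWS is transcribed from the entries above
(entry numbers in the comments) and is the only input the script uses.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights, keyed by the column labels used on this page.
ACCESS_VECTOR = {"Local": 0.395, "Local Network": 0.646, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single system": 0.56, "Not required": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# Vector-string codes for the same labels.
VECTOR_CODES = {
    "Local": "L", "Local Network": "A", "Remote": "N",
    "High": "H", "Medium": "M", "Low": "L",
    "Multiple": "M", "Single system": "S", "Not required": "N",
    "None": "N", "Partial": "P", "Complete": "C",
}


def cvss2_base(av, ac, au, conf, integ, avail):
    """CVSS v2.0 base score equation, rounded to one decimal place."""
    impact = 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # The specification rounds half up; Python's round() is half-to-even.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_vector(av, ac, au, conf, integ, avail):
    """Vector string in the form NVD publishes for CVSS v2."""
    c = VECTOR_CODES
    return f"AV:{c[av]}/AC:{c[ac]}/Au:{c[au]}/C:{c[conf]}/I:{c[integ]}/A:{c[avail]}"


# Transcribed from the listing: (CVE, listed score, AV, AC, Au, C, I, A).
SAMPLE_ROWS = [
    ("CVE-2022-30970", 3.5, "Remote", "Medium", "Single system", "None", "Partial", "None"),  # entry 1
    ("CVE-2022-29973", 1.9, "Local", "Medium", "Not required", "Partial", "None", "None"),    # entry 16
    ("CVE-2022-29868", 2.1, "Local", "Low", "Not required", "Partial", "None", "None"),       # entry 19
    ("CVE-2022-29820", 3.3, "Local Network", "Low", "Not required", "Partial", "None", "None"),  # entry 20
    ("CVE-2022-29818", 3.6, "Local", "Low", "Not required", "Partial", "Partial", "None"),    # entry 21
    ("CVE-2022-29172", 2.6, "Remote", "High", "Not required", "None", "Partial", "None"),     # entry 40
    ("CVE-2022-29121", 3.3, "Local Network", "Low", "Not required", "None", "None", "Partial"),  # entry 46
]


def check_listing(rows=SAMPLE_ROWS):
    """Recompute each row; return (cve, listed, computed) for rows that disagree."""
    mismatches = []
    for cve, listed, *metrics in rows:
        computed = cvss2_base(*metrics)
        if computed != listed:
            mismatches.append((cve, listed, computed))
    return mismatches


if __name__ == "__main__":
    for cve, listed, *metrics in SAMPLE_ROWS:
        print(cve, cvss2_vector(*metrics), "computed", cvss2_base(*metrics), "listed", listed)
    print("mismatches:", check_listing())
```

Running the check over a full feed export is a cheap sanity test for a vulnerability-management pipeline: a row whose listed score and metric columns disagree is either a transcription error or a record that was updated in one place and not the other.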
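Most entries on this page are the same bug class: a user-supplied parameter name or description is written into a view without escaping (entries 2 to 10 and 48 to 50 for Jenkins parameter plugins, plus the CMS and WordPress rows), and entry 1 (CVE-2022-30970) is the variant where the name is referenced from JavaScript embedded in the view. The script below is an added example, not code from Jenkins or any project listed above: it models the bug with a hypothetical page template that has an HTML sink and a `<script>` sink, renders constructed payloads through a vulnerable and a fixed version, and shows that each output context needs its own encoder. The template, function names and payloads are all invented for the example.

```python
"""Context-aware output encoding for a stored parameter name and description.

Added example, not code from Jenkins or any project listed above. The page
template, the parameter names and the payloads are all constructed here.
"""
import html
import json


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal safe inside a <script> block.

    json.dumps escapes quotes, backslashes and control characters. The extra
    replacements keep "</script>" and "<!--" from appearing in the script body,
    because the HTML parser acts on those before the JavaScript engine runs.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_unsafe(name: str, description: str) -> str:
    """Vulnerable pattern: raw concatenation into an HTML and a script context."""
    return (f'<div class="param"><b>{name}</b><p>{description}</p></div>\n'
            f'<script>var paramName = "{name}";</script>')


def render_safe(name: str, description: str) -> str:
    """Fixed pattern: one encoder per output context.

    HTML context: entity-escape (quote=True also covers attribute values).
    Script context: a JavaScript string literal; HTML escaping is the wrong
    tool there, since entities are not decoded inside <script>.
    """
    return (f'<div class="param"><b>{html.escape(name, quote=True)}</b>'
            f'<p>{html.escape(description, quote=True)}</p></div>\n'
            f'<script>var paramName = {js_string_literal(name)};</script>')


def script_string_value(rendered: str) -> str:
    """Return the paramName string a JavaScript engine would see.

    A minimal model of the tokenizer: scan from the opening quote to the first
    unescaped closing quote. If user data terminated the literal early, what
    follows it is executed as code.
    """
    marker = 'var paramName = "'
    i = rendered.index(marker) + len(marker)
    chars = []
    while i < len(rendered) and rendered[i] != '"':
        if rendered[i] == "\\":
            chars.append(rendered[i:i + 2])
            i += 2
        else:
            chars.append(rendered[i])
            i += 1
    return json.loads('"' + "".join(chars) + '"')


# Constructed payloads: one aimed at the HTML context, one at the script context.
HTML_PAYLOAD = '<img src=x onerror=alert(1)>'
JS_PAYLOAD = '"; alert(1); //'

if __name__ == "__main__":
    print(render_unsafe(JS_PAYLOAD, HTML_PAYLOAD))
    print(render_safe(JS_PAYLOAD, HTML_PAYLOAD))
    # Unsafe: the literal ends at the payload's first quote and alert(1) runs.
    print(repr(script_string_value(render_unsafe(JS_PAYLOAD, ""))))
    # Safe: the whole payload is the string's value and nothing executes.
    print(repr(script_string_value(render_safe(JS_PAYLOAD, ""))))
```

The permission noted in the Jenkins entries (Item/Configure) is why these rows score 3.5 rather than higher: the attacker must already be allowed to edit a job's parameters, and the payload then fires for every user who views the job.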
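Entry 25 (CVE-2022-29810, CWE-532) is a different class from the XSS rows: a secret that travels in a URL is copied into logs or error output verbatim. go-getter's git getter accepts the private key in a base64-encoded `sshkey` query parameter, and its `type::url` syntax forces a particular getter, so a redaction routine has to cope with both. The following Python function is an added example (not go-getter code) of URL redaction before logging; the set of sensitive parameter names and the sample URLs are constructed for the example.

```python
"""Redact secrets from URLs before they reach logs or error messages.

Added example, not go-getter code. The list of parameter names to redact and
the sample URLs are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names whose values must never be logged (illustrative set;
# extend it for the tools in your own pipeline).
SENSITIVE_PARAMS = frozenset({"sshkey", "token", "access_token", "password", "secret", "key"})
REDACTED = "REDACTED"

# A go-getter style forced getter, e.g. "git::ssh://...". The pattern requires
# "::" directly after the getter name, so "https://[::1]/" is not mistaken for one.
FORCED_GETTER = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)::(.*)$", re.DOTALL)


def redact_url(url: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Return url with sensitive query values and any userinfo password replaced.

    The result is for logging only: query values are re-encoded, so it is not
    guaranteed to be byte-identical to the input even where nothing was redacted.
    """
    prefix = ""
    forced = FORCED_GETTER.match(url)
    if forced:
        prefix, url = forced.group(1) + "::", forced.group(2)

    parts = urlsplit(url)

    # Userinfo: keep the user name (it identifies the failing credential) and
    # drop the password; take host:port verbatim so IPv6 literals survive.
    netloc = parts.netloc
    if parts.password is not None:
        hostport = netloc.rpartition("@")[2]
        netloc = f"{parts.username or ''}:{REDACTED}@{hostport}"

    # Query: case-insensitive match on the name, value replaced, order preserved.
    pairs = [(k, REDACTED if k.lower() in sensitive else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    query = urlencode(pairs)

    return prefix + urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: a forced git getter with an embedded (fake) key.
    print(redact_url("git::ssh://git@example.com/org/repo.git?sshkey=QUJDRA%3D%3D&ref=main"))
    print(redact_url("https://user:s3cret@example.com:8443/api?Token=abc&page=2"))
```

Redact at the logging boundary rather than at each call site: a single wrapper around the logger that runs every URL-shaped argument through a function like this one is far easier to audit than remembering to strip the key everywhere an error message is built.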
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.