CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-29976 79 XSS 2022-05-11 2022-05-17
3.5
None Remote Medium ??? None Partial None
An Authenticated Reflected Cross-site scripting at BCC Parameter was discovered in MDaemon before 22.0.0 .
2 CVE-2022-29975 79 XSS 2022-05-11 2022-05-17
3.5
None Remote Medium ??? None Partial None
An Authenticated Reflected Cross-site scripting at CC Parameter was discovered in MDaemon before 22.0.0 .
3 CVE-2022-29940 79 XSS 2022-05-05 2022-05-12
3.5
None Remote Medium ??? None Partial None
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.
4 CVE-2022-29939 79 XSS 2022-05-05 2022-05-12
3.5
None Remote Medium ??? None Partial None
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities.
5 CVE-2022-29820 668 2022-04-28 2022-05-05
3.3
None Local Network Low Not required Partial None None
In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible
6 CVE-2022-29818 346 2022-04-28 2022-05-05
3.6
None Local Low Not required Partial Partial None
In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed
7 CVE-2022-29816 74 2022-04-28 2022-05-05
2.1
None Local Low Not required None Partial None
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible
8 CVE-2022-29812 2022-04-28 2022-05-05
2.1
None Local Low Not required None Partial None
In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient
9 CVE-2022-29811 79 XSS 2022-04-28 2022-05-05
3.5
None Remote Medium ??? None Partial None
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.
10 CVE-2022-29810 532 2022-04-27 2022-05-10
2.1
None Local Low Not required Partial None None
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
11 CVE-2022-29584 79 XSS 2022-04-28 2022-05-06
3.5
None Remote Medium ??? None Partial None
Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action.
12 CVE-2022-29532 79 XSS 2022-04-20 2022-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.
13 CVE-2022-29531 79 XSS 2022-04-20 2022-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
14 CVE-2022-29530 79 XSS 2022-04-20 2022-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.
15 CVE-2022-29529 79 XSS 2022-04-20 2022-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.
16 CVE-2022-29444 264 XSS 2022-05-02 2022-05-09
3.5
None Remote Medium ??? None Partial None
Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Configuration which includes the ability to change any of the plugin's settings including CDN setting which could be further used for XSS attack.
17 CVE-2022-29422 79 XSS 2022-05-06 2022-05-16
3.5
None Remote Medium ??? None Partial None
Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, &ycd-circle-countdown-after-countdown vulnerable parameters.
18 CVE-2022-29420 79 XSS 2022-05-06 2022-05-16
3.5
None Remote Medium ??? None Partial None
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-circle-countdown-before-countdown and &ycd-circle-countdown-after-countdown vulnerable parameters.
19 CVE-2022-29418 79 XSS 2022-04-25 2022-05-05
3.5
None Remote Medium ??? None Partial None
Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin <= 1.0.0 on WordPress via vulnerable parameters: &ntmode_page_setting[enable-me], &ntmode_page_setting[bg-color], &ntmode_page_setting[txt-color], &ntmode_page_setting[anc_color].
20 CVE-2022-29172 79 XSS 2022-05-05 2022-05-16
2.6
None Remote High Not required None Partial None
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields� feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields� feature in your application. Upgrade to version `11.33.0`.
21 CVE-2022-29046 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
22 CVE-2022-29045 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
23 CVE-2022-29044 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Node and Label parameter Plugin 1.10.3 and earlier does not escape the name and description of Node and Label parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
24 CVE-2022-29043 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Mask Passwords Plugin 3.0 and earlier does not escape the name and description of Non-Stored Password parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
25 CVE-2022-29042 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Job Generator Plugin 1.22 and earlier does not escape the name and description of Generator Parameter and Generator Choice parameters on Job Generator jobs' Build With Parameters views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
26 CVE-2022-29041 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Jira Plugin 3.7 and earlier, except 3.6.1, does not escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
27 CVE-2022-29040 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Git Parameter Plugin 0.9.15 and earlier does not escape the name and description of Git parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
28 CVE-2022-29039 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Gerrit Trigger Plugin 2.35.2 and earlier does not escape the name and description of Base64 Encoded String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
29 CVE-2022-29038 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the name and description of Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
30 CVE-2022-29037 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
31 CVE-2022-29036 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
32 CVE-2022-28793 754 2022-05-03 2022-05-11
2.1
None Local Low Not required None Partial None
Given the TEE is compromised and controlled by the attacker, improper state maintenance in StrongBox allows attackers to change Android ROT during device boot cycle after compromising TEE. The patch is applied in Galaxy S22 to prevent change of Android ROT after first initialization at boot time.
33 CVE-2022-28791 20 2022-05-03 2022-05-11
2.1
None Local Low Not required None Partial None
Improper input validation vulnerability in InstallAgent in Galaxy Store prior to version 4.5.41.8 allows attacker to overwrite files stored in a specific path. The patch adds proper protection to prevent overwrite to existing files.
34 CVE-2022-28790 287 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper authentication in Link to Windows Service prior to version 2.3.04.1 allows attacker to lock the device. The patch adds proper caller signature check logic.
35 CVE-2022-28789 862 2022-05-03 2022-05-11
2.1
None Local Low Not required Partial None None
Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction. The patch adds proper permission for vulnerable activities.
36 CVE-2022-28788 125 DoS 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic.
37 CVE-2022-28787 125 DoS 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper buffer size check logic in wmfextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic.
38 CVE-2022-28786 125 DoS 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic.
39 CVE-2022-28785 125 DoS 2022-05-03 2022-05-11
2.1
None Local Low Not required None None Partial
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic.
40 CVE-2022-28784 22 Dir. Trav. 2022-05-03 2022-05-11
2.1
None Local Low Not required Partial None None
Path traversal vulnerability in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to list file names in arbitrary directory as system user. The patch addresses incorrect implementation of file path validation check logic.
41 CVE-2022-28783 20 2022-05-03 2022-05-11
3.6
None Local Low Not required None Partial Partial
Improper validation of removing package name in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to uninstall arbitrary packages without permission. The patch adds proper validation logic for removing package name.
42 CVE-2022-28782 863 2022-05-03 2022-05-11
2.1
None Local Low Not required None Partial None
Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package before completion of Setup wizard. The patch blocks entry point of the vulnerability.
43 CVE-2022-28780 2022-05-03 2022-05-11
2.1
None Local Low Not required Partial None None
Improper access control vulnerability in Weather prior to SMR May-2022 Release 1 allows that attackers can access location information that set in Weather without permission. The patch adds proper protection to prevent access to location information.
44 CVE-2022-28778 863 2022-04-11 2022-04-19
2.1
None Local Low Not required None Partial None
Improper access control vulnerability in Samsung Security Supporter prior to version 1.2.40.0 allows attacker to set the arbitrary folder as Secret Folder without Samsung Security Supporter permission
45 CVE-2022-28777 863 2022-04-11 2022-04-19
2.1
None Local Low Not required None Partial None
Improper access control vulnerability in Samsung Members prior to version 13.6.08.5 allows local attacker to execute call function without CALL_PHONE permission.
46 CVE-2022-28775 863 2022-04-11 2022-04-21
2.1
None Local Low Not required None Partial None
Improper access control vulnerability in Samsung Flow prior to version 4.8.06.5 allows attacker to write the file without Samsung Flow permission.
47 CVE-2022-28707 79 XSS 2022-05-05 2022-05-12
3.5
None Remote Medium ??? None Partial None
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility (also referred to as the BIG-IP TMUI) that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
48 CVE-2022-28651 522 2022-04-05 2022-04-18
2.1
None Local Low Not required Partial None None
In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields
49 CVE-2022-28650 79 XSS 2022-04-05 2022-04-18
3.5
None Remote Medium ??? None Partial None
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
50 CVE-2022-28649 1021 2022-04-05 2022-04-18
3.5
None Remote Medium ??? None Partial None
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.