CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-30970 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
2 CVE-2022-30968 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins vboxwrapper Plugin 1.3 and earlier does not escape the name and description of VBox node parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
3 CVE-2022-30967 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
4 CVE-2022-30966 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
5 CVE-2022-30965 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name and description of Promotion Level parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
6 CVE-2022-30964 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins Multiselect parameter Plugin 1.3 and earlier does not escape the name and description of Multiselect parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
7 CVE-2022-30963 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
8 CVE-2022-30962 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins Global Variable String Parameter Plugin 1.2 and earlier does not escape the name and description of Global Variable String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
9 CVE-2022-30961 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins Autocomplete Parameter Plugin 1.1 and earlier does not escape the name of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
10 CVE-2022-30960 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
Jenkins Application Detector Plugin 1.0.8 and earlier does not escape the name of Chois Application Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
11 CVE-2022-30072 79 XSS 2022-05-17 2022-05-25
3.5
None Remote Medium ??? None Partial None
WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via \admin\pages\sections_save.php namesection2 parameters.
12 CVE-2022-30057 79 XSS 2022-05-11 2022-05-20
3.5
None Remote Medium ??? None Partial None
Shopwind <=v3.4.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability.
13 CVE-2022-30013 79 XSS 2022-05-16 2022-05-24
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a JavaScript embedded PDF file.
14 CVE-2022-29976 79 XSS 2022-05-11 2022-05-17
3.5
None Remote Medium ??? None Partial None
An Authenticated Reflected Cross-site scripting at BCC Parameter was discovered in MDaemon before 22.0.0 .
15 CVE-2022-29975 79 XSS 2022-05-11 2022-05-17
3.5
None Remote Medium ??? None Partial None
An Authenticated Reflected Cross-site scripting at CC Parameter was discovered in MDaemon before 22.0.0 .
16 CVE-2022-29940 79 XSS 2022-05-05 2022-05-12
3.5
None Remote Medium ??? None Partial None
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.
17 CVE-2022-29939 79 XSS 2022-05-05 2022-05-12
3.5
None Remote Medium ??? None Partial None
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities.
18 CVE-2022-29820 668 2022-04-28 2022-05-05
3.3
None Local Network Low Not required Partial None None
In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible
19 CVE-2022-29818 346 2022-04-28 2022-05-05
3.6
None Local Low Not required Partial Partial None
In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed
20 CVE-2022-29811 79 XSS 2022-04-28 2022-05-05
3.5
None Remote Medium ??? None Partial None
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.
21 CVE-2022-29727 79 XSS 2022-05-11 2022-05-23
3.5
None Remote Medium ??? None Partial None
Survey Sparrow Enterprise Survey Software 2022 has a Stored cross-site scripting (XSS) vulnerability in the Signup parameter.
22 CVE-2022-29610 79 XSS 2022-05-11 2022-05-19
3.5
None Remote Medium ??? None Partial None
SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.
23 CVE-2022-29584 79 XSS 2022-04-28 2022-05-06
3.5
None Remote Medium ??? None Partial None
Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action.
24 CVE-2022-29532 79 XSS 2022-04-20 2022-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.
25 CVE-2022-29531 79 XSS 2022-04-20 2022-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
26 CVE-2022-29530 79 XSS 2022-04-20 2022-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.
27 CVE-2022-29529 79 XSS 2022-04-20 2022-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.
28 CVE-2022-29449 79 XSS 2022-05-19 2022-05-25
3.5
None Remote Medium ??? None Partial None
Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Opal Hotel Room Booking plugin <= 1.2.7 at WordPress.
29 CVE-2022-29444 264 XSS 2022-05-02 2022-05-09
3.5
None Remote Medium ??? None Partial None
Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Configuration which includes the ability to change any of the plugin's settings including CDN setting which could be further used for XSS attack.
30 CVE-2022-29433 79 XSS 2022-05-13 2022-05-23
3.5
None Remote Medium ??? None Partial None
Authenticated (contributor or higher role) Cross-Site Scripting (XSS) vulnerability in Donations plugin <= 1.8 on WordPress.
31 CVE-2022-29422 79 XSS 2022-05-06 2022-05-16
3.5
None Remote Medium ??? None Partial None
Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, &ycd-circle-countdown-after-countdown vulnerable parameters.
32 CVE-2022-29420 79 XSS 2022-05-06 2022-05-16
3.5
None Remote Medium ??? None Partial None
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-circle-countdown-before-countdown and &ycd-circle-countdown-after-countdown vulnerable parameters.
33 CVE-2022-29418 79 XSS 2022-04-25 2022-05-05
3.5
None Remote Medium ??? None Partial None
Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin <= 1.0.0 on WordPress via vulnerable parameters: &ntmode_page_setting[enable-me], &ntmode_page_setting[bg-color], &ntmode_page_setting[txt-color], &ntmode_page_setting[anc_color].
34 CVE-2022-29121 400 DoS 2022-05-10 2022-05-25
3.3
None Local Network Low Not required None None Partial
Windows WLAN AutoConfig Service Denial of Service Vulnerability.
35 CVE-2022-29046 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
36 CVE-2022-29045 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
37 CVE-2022-29044 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Node and Label parameter Plugin 1.10.3 and earlier does not escape the name and description of Node and Label parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
38 CVE-2022-29043 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Mask Passwords Plugin 3.0 and earlier does not escape the name and description of Non-Stored Password parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
39 CVE-2022-29042 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Job Generator Plugin 1.22 and earlier does not escape the name and description of Generator Parameter and Generator Choice parameters on Job Generator jobs' Build With Parameters views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
40 CVE-2022-29041 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Jira Plugin 3.7 and earlier, except 3.6.1, does not escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
41 CVE-2022-29040 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Git Parameter Plugin 0.9.15 and earlier does not escape the name and description of Git parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
42 CVE-2022-29039 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Gerrit Trigger Plugin 2.35.2 and earlier does not escape the name and description of Base64 Encoded String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
43 CVE-2022-29038 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the name and description of Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
44 CVE-2022-29037 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
45 CVE-2022-29036 79 XSS 2022-04-12 2022-04-20
3.5
None Remote Medium ??? None Partial None
Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
46 CVE-2022-28920 79 XSS 2022-05-12 2022-05-21
3.5
None Remote Medium ??? None Partial None
Tieba-Cloud-Sign v4.9 was discovered to contain a cross-site scripting (XSS) vulnerability via the function strip_tags.
47 CVE-2022-28783 20 2022-05-03 2022-05-11
3.6
None Local Low Not required None Partial Partial
Improper validation of removing package name in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to uninstall arbitrary packages without permission. The patch adds proper validation logic for removing package name.
48 CVE-2022-28707 79 XSS 2022-05-05 2022-05-12
3.5
None Remote Medium ??? None Partial None
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility (also referred to as the BIG-IP TMUI) that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
49 CVE-2022-28650 79 XSS 2022-04-05 2022-04-18
3.5
None Remote Medium ??? None Partial None
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
50 CVE-2022-28649 1021 2022-04-05 2022-04-18
3.5
None Remote Medium ??? None Partial None
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.