The CC Child Pages WordPress plugin before 1.43 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CWE-79
CVE-2022-4738
A vulnerability classified as problematic has been found in SourceCodester Blood Bank Management System 1.0. Affected is an unknown function of the file index.php?page=users of the component User Registration Handler. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. VDB-216774 is the identifier assigned to this vulnerability.
CVE-2022-4740
A vulnerability, which was classified as problematic, has been found in kkFileView. Affected by this issue is the function setWatermarkAttribute of the file /picturesPreview. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-216776.
CVE-2022-47412
Given a malicious document provided by an attacker, the ONLYOFFICE Workspace DMS is vulnerable to a stored (persistent, or “Type II”) cross-site scripting (XSS) condition.
CVE-2022-47413
Given a malicious document provided by an attacker, the OpenKM DMS is vulnerable to a stored (persistent, or “Type II”) XSS condition.
CVE-2022-47414
If an attacker has access to the console for OpenKM (and is authenticated), a stored XSS vulnerability is reachable in the document “note” functionality.
