Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method.
CWE-79
CVE-2022-41611
Cross-site Scripting (XSS) vulnerability in the BlueSpiceDiscovery skin of BlueSpice allows a user with admin privileges to inject arbitrary HTML into the main navigation of the application.
CVE-2022-41615
Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Store Locator plugin <= 1.4.5 on WordPress.
CVE-2022-41638
Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress.
CVE-2022-41643
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Accessibility plugin <= 1.0.3 on WordPress.
CVE-2022-41651
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the SetPF API.