Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26885 | 1 2sic | 1 2sxc | 2021-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in 2sic 2sxc before 11.22. A XSS vulnerability in the sxcver parameter of dnn/ui.html allows an attacker to craft a malicious URL that executes a JavaScript payload in a victim's browser. | |||||
| CVE-2021-24313 | 1 Goprayer | 1 Wp Prayer | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| The WP Prayer WordPress plugin before 1.6.2 provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to request prayers or praises have several fields. The 'prayer request' and 'praise request' fields do not use proper input validation and can be used to store XSS payloads. | |||||
| CVE-2021-24331 | 1 Smooth Scroll Page Up\/down Buttons Project | 1 Smooth Scroll Page Up\/down Buttons | 2021-06-11 | 3.5 LOW | 4.8 MEDIUM |
| The Smooth Scroll Page Up/Down Buttons WordPress plugin before 1.4 did not properly sanitise and validate its settings, such as psb_distance, psb_buttonsize, psb_speed, only validating them client side. This could allow high privilege users (such as admin) to set XSS payloads in them | |||||
| CVE-2021-24334 | 1 Connekthq | 1 Instant Images - One Click Unsplash Uploads | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2020-24668 | 1 Tracefinancial | 1 Crestbridge | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| Trace Financial Crest Bridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03. | |||||
| CVE-2020-24663 | 1 Tracefinanacial | 1 Crestbridge | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| Trace Financial CRESTBridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03. | |||||
| CVE-2021-24317 | 1 Purethemes | 1 Listeo | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues | |||||
| CVE-2021-24335 | 1 Smartdatasoft | 1 Car Repair Services \& Auto Mechanic | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-24322 | 1 Deliciousbrains | 1 Database Backup | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| The Database Backup for WordPress plugin before 2.4 did not escape the backup_recipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2020-36384 | 1 Pagelayer | 1 Pagelayer | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| PageLayer before 1.3.5 allows reflected XSS via color settings. | |||||
| CVE-2021-26584 | 1 Hp | 1 Oneview For Vmware Vcenter | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| A security vulnerability in HPE OneView for VMware vCenter (OV4VC) could be exploited remotely to allow Cross-Site Scripting. HPE has released the following software update to resolve the vulnerability in HPE OneView for VMware vCenter (OV4VC). | |||||
| CVE-2021-25932 | 1 Opennms | 2 Meridian, Opennms | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `userID` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database. | |||||
| CVE-2020-36383 | 1 Pagelayer | 1 Pagelayer | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| PageLayer before 1.3.5 allows reflected XSS via the font-size parameter. | |||||
| CVE-2021-31738 | 1 Adiscon | 1 Loganalyzer | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adiscon LogAnalyzer 4.1.10 and 4.1.11 allow login.php XSS. | |||||
| CVE-2021-24342 | 1 Jnews | 1 Jnews | 2021-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The JNews WordPress theme before 8.0.6 did not sanitise the cat_id parameter in the POST request /?ajax-request=jnews (with action=jnews_build_mega_category_*), leading to a Reflected Cross-Site Scripting (XSS) issue. | |||||
| CVE-2021-34364 | 1 Refined-github Project | 1 Refined-github | 2021-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Refined GitHub browser extension before 21.6.8 might allow XSS via a link in a document. NOTE: github.com sends Content-Security-Policy headers to, in general, address XSS and other concerns. | |||||
| CVE-2020-21003 | 1 Pbootcms | 1 Pbootcms | 2021-06-10 | 3.5 LOW | 4.8 MEDIUM |
| Pbootcms v2.0.3 is vulnerable to Cross Site Scripting (XSS) via admin.php. | |||||
| CVE-2021-30133 | 1 Cloverdx | 1 Cloverdx | 2021-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in CloverDX Server 5.9.0, CloverDX 5.8.1, CloverDX 5.7.0, and earlier allows remote attackers to inject arbitrary web script or HTML via the sessionToken parameter of multiple methods in Simple HTTP API. This is resolved in 5.9.1 and 5.10. | |||||
| CVE-2011-3656 | 1 Mozilla | 1 Firefox | 2021-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7 allows remote attackers to inject arbitrary web script or HTML via vectors involving HTTP 0.9 errors, non-default ports, and content-sniffing. | |||||
| CVE-2021-24329 | 1 Automattic | 1 Wp Super Cache | 2021-06-10 | 3.5 LOW | 5.4 MEDIUM |
| The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24316 | 1 Wowthemes | 1 Mediumish | 2021-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise it's 's' GET parameter before output it back the page, leading to the Cross-SIte Scripting issue. | |||||
| CVE-2021-28806 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3. | |||||
| CVE-2021-32616 | 1 1cdn Project | 1 1cdn | 2021-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| 1CDN is open-source file sharing software. In 1CDN before commit f88a2730fa50fc2c2aeab09011f6f142fd90ec25, there is a basic cross-site scripting vulnerability that allows an attacker to inject /<script>//code</script> and execute JavaScript code on the client side. | |||||
| CVE-2020-26669 | 1 Bigtreecms | 1 Bigtree Cms | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update. | |||||
| CVE-2020-27377 | 1 Cmsmadesimple | 1 Cms Made Simple | 2021-06-09 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability was discovered in the Administrator panel on the 'Setting News' module on CMS Made Simple 2.2.14 which allows an attacker to execute arbitrary web scripts. | |||||
| CVE-2020-26693 | 1 Pfsense | 1 Pfsense | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function. | |||||
| CVE-2020-35973 | 1 Zzcms | 1 Zzcms | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in zzcms2020. There is a XSS vulnerability that can insert and execute JS code arbitrarily via /user/manage.php. | |||||
| CVE-2020-35971 | 1 Yzmcms | 1 Yzmcms | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A storage XSS vulnerability is found in YzmCMS v5.8, which can be used by attackers to inject JS code and attack malicious XSS on the /admin/system_manage/user_config_edit.html page. | |||||
| CVE-2021-24310 | 1 10web | 1 Photo Gallery | 2021-06-09 | 3.5 LOW | 4.8 MEDIUM |
| The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will be triggered when another user will view the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117 | |||||
| CVE-2021-24309 | 1 Weekly Schedule Project | 1 Weekly Schedule | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| The "Schedule Name" input in the Weekly Schedule WordPress plugin before 3.4.3 general options did not properly sanitize input, allowing a user to inject javascript code using the <script> HTML tags and cause a stored XSS issue | |||||
| CVE-2020-36139 | 1 Bloofox | 1 Bloofoxcms | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| BloofoxCMS 0.5.2.1 allows Reflected Cross-Site Scripting (XSS) vulnerability by inserting a XSS payload within the 'fileurl' parameter. | |||||
| CVE-2021-31643 | 1 Chiyu-tech | 22 Bf-630, Bf-630 Firmware, Bf-631 and 19 more | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability exists in several IoT devices from CHIYU Technology, including SEMAC, Biosense, BF-630, BF-631, and Webpass due to a lack of sanitization on the component if.cgi - username parameter. | |||||
| CVE-2021-31641 | 1 Chiyu-tech | 30 Bf-430, Bf-430 Firmware, Bf-431 and 27 more | 2021-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC due to a lack of sanitization when the HTTP 404 message is generated. | |||||
| CVE-2021-31250 | 1 Chiyu-tech | 6 Bf-430, Bf-430 Firmware, Bf-431 and 3 more | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| Multiple storage XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, ppp.cgi. | |||||
| CVE-2021-32540 | 1 Hundredplus | 1 101eip | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| Add announcement function in the 101EIP system does not filter special characters, which allows authenticated users to inject JavaScript and perform a stored XSS attack. | |||||
| CVE-2021-32539 | 1 Hundredplus | 1 101eip | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| Add event in calendar function in the 101EIP system does not filter special characters in specific fields, which allows remote authenticated users to inject JavaScript and perform a stored XSS attack. | |||||
| CVE-2021-21259 | 1 Hedgedoc | 1 Hedgedoc | 2021-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.2. As a workaround, disallow loading JavaScript from 3rd party sites using the `Content-Security-Policy` header. Note that this will break some embedded content. | |||||
| CVE-2020-25715 | 1 Dogtagpki | 1 Dogtagpki | 2021-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity. | |||||
| CVE-2020-4977 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Lifecycle Optimization - Publishing is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192470. | |||||
| CVE-2021-29668 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199406. | |||||
| CVE-2021-29670 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199408. | |||||
| CVE-2021-20338 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194449. | |||||
| CVE-2020-5030 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 193737. | |||||
| CVE-2020-36007 | 1 Appcms | 1 Appcms | 2021-06-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| AppCMS 2.0.101 in /admin/template/tpl_app.php has a cross site scripting attack vulnerability which allows the attacker to obtain sensitive information of other users. | |||||
| CVE-2021-29271 | 1 Remark42 | 1 Remark42 | 2021-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| remark42 before 1.6.1 allows XSS, as demonstrated by "Locator: Locator{URL:" followed by an XSS payload. This is related to backend/app/store/comment.go and backend/app/store/service/service.go. | |||||
| CVE-2021-29272 | 1 Microco | 1 Bluemonday | 2021-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string. | |||||
| CVE-2021-28935 | 1 Cmsmadesimple | 1 Cms Made Simple | 2021-06-04 | 3.5 LOW | 5.4 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field. | |||||
| CVE-2020-26642 | 1 Seacms | 1 Seacms | 2021-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been discovered in the login page of SeaCMS version 11 which allows an attacker to inject arbitrary web script or HTML. | |||||
| CVE-2021-24306 | 1 Ultimatemember | 1 Ultimate Member | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the related logged in user open a malicious link. | |||||
| CVE-2021-3151 | 1 I-doit | 1 I-doit | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__MONITORING__CONFIG__ADDRESS, or SM2__C__MONITORING__CONFIG__ADDRESS. | |||||