Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28109 | 1 Compassplus | 1 Tranzware Fimi | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected Cross-Site Scripting (XSS). | |||||
| CVE-2021-24128 | 1 Wpdarko | 1 Team Members | 2021-03-25 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member. | |||||
| CVE-2021-27436 | 1 Advantech | 1 Webaccess\/scada | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scripting, which may allow an attacker to send malicious JavaScript code to an unsuspecting user, which could result in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions. | |||||
| CVE-2021-28126 | 1 Compassplus | 1 Tranzware E-commerce Payment Gateway | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a Stored cross-site scripting (XSS) vulnerability | |||||
| CVE-2021-24127 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2021-03-25 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, was vulnerable to authenticated Stored Cross-Site Scripting (XSS), which could lead to privilege escalation. | |||||
| CVE-2020-6578 | 1 Zen-cart | 1 Zen Cart | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php. | |||||
| CVE-2021-29025 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/my_images.php URI. | |||||
| CVE-2021-24136 | 1 Axelerant | 1 Testimonials Widget | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location - Company - Email - URL | |||||
| CVE-2021-24126 | 1 Enviragallery | 1 Envira Gallery | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation. | |||||
| CVE-2021-27309 | 1 Csphere | 1 Clansphere | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Clansphere CMS 2011.4 allows unauthenticated reflected XSS via "module" parameter. | |||||
| CVE-2021-27310 | 1 Csphere | 1 Clansphere | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Clansphere CMS 2011.4 allows unauthenticated reflected XSS via "language" parameter. | |||||
| CVE-2021-25922 | 1 Open-emr | 1 Openemr | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code. | |||||
| CVE-2021-25919 | 1 Open-emr | 1 Openemr | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. | |||||
| CVE-2021-25921 | 1 Open-emr | 1 Openemr | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit. | |||||
| CVE-2021-28968 | 1 Gnu | 1 Punbb | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in PunBB before 1.4.6. An XSS vulnerability in the [email] BBcode tag allows (with authentication) injecting arbitrary JavaScript into any forum message. | |||||
| CVE-2021-24129 | 1 Themify | 1 Portfolio Post | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation. | |||||
| CVE-2021-24134 | 1 Constantcontact | 1 Constant Contact Forms | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed. | |||||
| CVE-2021-24135 | 1 Gowebsolutions | 1 Wp Customer Reviews | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities allowing remote attackers to inject arbitrary JavaScript code or HTML. | |||||
| CVE-2021-29032 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/preferences.php URI. | |||||
| CVE-2021-29031 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/users_import.php URI. | |||||
| CVE-2021-29033 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/edit_group.php URI. | |||||
| CVE-2021-29030 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/index.php URI. | |||||
| CVE-2021-29029 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/edit_personal_page.php URI. | |||||
| CVE-2021-29027 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/index.php URI. | |||||
| CVE-2021-29028 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/user_activity.php URI. | |||||
| CVE-2021-29026 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/permissions.php URI. | |||||
| CVE-2021-24147 | 1 Webnus | 1 Modern Events Calendar Lite | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. | |||||
| CVE-2021-21383 | 1 Requarks | 1 Wiki.js | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Wiki.js an open-source wiki app built on Node.js. Wiki.js before version 2.5.191 is vulnerable to stored cross-site scripting through mustache expressions in code blocks. This vulnerability exists due to mustache expressions being parsed by Vue during content injection even though it is contained within a `<pre>` element. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. For an example see referenced GitHub Security Advisory. Commit 5ffa189383dd716f12b56b8cae2ba0d075996cf1 fixes this vulnerability by adding the v-pre directive to all `<pre>` tags during the render. | |||||
| CVE-2021-20279 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-03-23 | 3.5 LOW | 5.4 MEDIUM |
| The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2019-18233 | 1 Advantech | 2 Spectre Rt Ert351, Spectre Rt Ert351 Firmware | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Advantech Spectre RT Industrial Routers ERT351 5.1.3 and prior, the affected product does not neutralize special characters in the error response, allowing attackers to use a reflected XSS attack. | |||||
| CVE-2021-24124 | 1 Terryl | 1 Wp Shieldon | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, leads to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is shown could lead to privileged escalation. | |||||
| CVE-2021-20628 | 2 Cybozu, Mozilla | 2 Office, Firefox | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. Note that this vulnerability occurs only when using Mozilla Firefox. | |||||
| CVE-2021-20627 | 1 Cybozu | 1 Office | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20629 | 1 Cybozu | 1 Office | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in E-mail of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2019-12905 | 1 Afian | 1 Filerun | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman§ion=do&page=up URI. This issue has been fixed in FileRun 2019.06.01. | |||||
| CVE-2021-25277 | 1 Ftapi | 1 Ftapi | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| FTAPI 4.0 - 4.10 allows XSS via a crafted filename to the alternative text hover box in the file submission component. | |||||
| CVE-2021-25278 | 1 Ftapi | 1 Ftapi | 2021-03-22 | 3.5 LOW | 4.8 MEDIUM |
| FTAPI 4.0 through 4.10 allows XSS via an SVG document to the Background Image upload feature in the Submit Box Template Editor. | |||||
| CVE-2021-20663 | 1 Movabletype | 4 Movable Type, Movable Type Advanced, Movable Type Premium and 1 more | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in in Role authority setting screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20665 | 1 Movabletype | 4 Movable Type, Movable Type Advanced, Movable Type Premium and 1 more | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in in Add asset screen of Contents field of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20664 | 1 Movabletype | 4 Movable Type, Movable Type Advanced, Movable Type Premium and 1 more | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-28380 | 1 Aimeos Project | 1 Aimeos | 2021-03-22 | 3.5 LOW | 5.4 MEDIUM |
| The aimeos (aka Aimeos shop and e-commerce framework) extension before 19.10.12 and 20.x before 20.10.5 for TYPO3 allows XSS via a backend user account. | |||||
| CVE-2021-27938 | 1 Symbiote | 1 Silverstripe Queued Jobs | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module. A Cross Site Scripting vulnerability allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL. | |||||
| CVE-2020-24912 | 1 Qcubed | 1 Qcubed | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions including 3.1.1) in profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users. | |||||
| CVE-2016-9473 | 1 Brave | 1 Browser | 2021-03-19 | 4.3 MEDIUM | 4.7 MEDIUM |
| Brave Browser iOS before 1.2.18 and Brave Browser Android 1.9.56 and earlier suffer from Full Address Bar Spoofing, allowing attackers to trick a victim by displaying a malicious page for legitimate domain names. | |||||
| CVE-2021-28161 | 1 Eclipse | 1 Theia | 2021-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected. | |||||
| CVE-2021-26924 | 1 Linuxfoundation | 1 Argo-cd | 2021-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Argo CD before 1.8.4. Browser XSS protection is not activated due to the missing XSS protection header. | |||||
| CVE-2021-27695 | 1 Openmaint | 1 Openmaint | 2021-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name and Code Parameters. | |||||
| CVE-2021-26776 | 1 Cszcms | 1 Csz Cms | 2021-03-17 | 3.5 LOW | 5.4 MEDIUM |
| CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages through the field name. | |||||
| CVE-2020-35228 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2021-03-17 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the administration web panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allows remote attackers to inject arbitrary web script or HTML via the language parameter. | |||||
| CVE-2021-20673 | 1 Weseek | 1 Growi | 2021-03-17 | 3.5 LOW | 4.8 MEDIUM |
| Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. | |||||