Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20336 | 1 Ibm | 1 Tivoli Netcool/omnibus Webgui | 2021-03-17 | 3.5 LOW | 5.4 MEDIUM |
| IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2021-21325 | 1 Glpi-project | 1 Glpi | 2021-03-17 | 3.5 LOW | 4.8 MEDIUM |
| GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 a new budget type can be defined by the user. This input is not correctly filtered, which results in a cross-site scripting attack. To exploit this endpoint the attacker needs to be authenticated. This is fixed in version 9.5.4. | |||||
| CVE-2021-20672 | 1 Weseek | 1 Growi | 2021-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters in GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-27949 | 1 Mybb | 1 Mybb | 2021-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools. | |||||
| CVE-2020-14988 | 1 Bloomreach | 1 Experience Manager | 2021-03-16 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. It allows XSS in the login page via the loginmessage parameter, the text editor via the src attribute of HTML elements, the translations menu via the foldername parameter, the author page via the link URL, or the upload image functionality via an SVG document containing JavaScript. | |||||
| CVE-2020-35752 | 1 Baby Care System Project | 1 Baby Care System | 2021-03-16 | 3.5 LOW | 5.4 MEDIUM |
| Baby Care System 1.0 is affected by a cross-site scripting (XSS) vulnerability in the Edit Page tab through the Post title parameter. | |||||
| CVE-2021-28007 | 1 Web Based Quiz System Project | 1 Web Based Quiz System | 2021-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Web Based Quiz System 1.0 is affected by cross-site scripting (XSS) in register.php through the name parameter. | |||||
| CVE-2021-23273 | 1 Tibco | 4 Analytics Platform, Spotfire Analyst, Spotfire Desktop and 1 more | 2021-03-15 | 3.5 LOW | 5.4 MEDIUM |
| The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, and TIBCO Spotfire Server contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a stored Cross Site Scripting (XSS) attack on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 10.3.3 and below, versions 10.10.0, 10.10.1, and 10.10.2, versions 10.7.0, 10.8.0, 10.9.0, 11.0.0, and 11.1.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 11.1.0 and below, TIBCO Spotfire Desktop: versions 10.3.3 and below, versions 10.10.0, 10.10.1, and 10.10.2, versions 10.7.0, 10.8.0, 10.9.0, 11.0.0, and 11.1.0, and TIBCO Spotfire Server: versions 10.3.11 and below, versions 10.10.0, 10.10.1, 10.10.2, and 10.10.3, versions 10.7.0, 10.8.0, 10.8.1, 10.9.0, 11.0.0, and 11.1.0. | |||||
| CVE-2021-20667 | 1 Weseek | 1 Growi | 2021-03-15 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content. | |||||
| CVE-2020-8020 | 2 Debian, Opensuse | 2 Debian Linux, Open Build Service | 2021-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb. | |||||
| CVE-2021-25313 | 1 Rancher | 1 Rancher | 2021-03-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rancher allows remote attackers to execute JavaScript via malicious links. This issue affects: SUSE Rancher Rancher versions prior to 2.5.6. | |||||
| CVE-2021-28115 | 1 Ougc Feedback Project | 1 Ougc Feedback | 2021-03-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the comment field of feedback during an edit operation. | |||||
| CVE-2021-27678 | 1 Batflat | 1 Batflat | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Snippets in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-27677 | 1 Batflat | 1 Batflat | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Galleries in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-27679 | 1 Batflat | 1 Batflat | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Navigation in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-28088 | 1 Impresscms | 1 Impresscms | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) in modules/content/admin/content.php in ImpressCMS profile 1.4.2 allows remote attackers to inject arbitrary web script or HTML through the "Display Name" field. | |||||
| CVE-2020-23721 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in FUEL CMS V1.4.7. An attacker can use a XSS payload and bypass a filter via /fuelCM/fuel/pages/edit/1?lang=english. | |||||
| CVE-2021-27907 | 1 Apache | 1 Superset | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing a chart's related information. Abusing this functionality, a malicious user could inject JavaScript code executing unwanted actions in the context of the user's browser. The JavaScript code will be automatically executed (Stored XSS) when a legitimate user visits the dashboard page. The vulnerability is exploitable by creating a "div" section and embedding in it an "svg" element with JavaScript code. | |||||
| CVE-2020-29029 | 1 Secomea | 1 Gatemanager Firmware | 2021-03-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper Input Validation, Cross-site Scripting (XSS) vulnerability in the Web GUI of Secomea GateManager allows an attacker to execute arbitrary JavaScript code. This issue affects: Secomea GateManager all versions prior to 9.4. | |||||
| CVE-2021-3224 | 1 Cszcms | 1 Csz Cms | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in cszcms 1.2.9 exists in /admin/pages/new via the content parameter. | |||||
| CVE-2020-35594 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-03-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADManager Plus before 7066 allows XSS. | |||||
| CVE-2020-27576 | 1 Maxum | 1 Rumpus | 2021-03-11 | 3.5 LOW | 5.4 MEDIUM |
| Maxum Rumpus 8.2.13 and 8.2.14 are affected by cross-site scripting (XSS). Users are able to create folders in the web application. The folder name is insufficiently validated, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2021-27222 | 1 Obss | 1 Time In Status | 2021-03-11 | 3.5 LOW | 5.4 MEDIUM |
| In the "Time in Status" app before 4.13.0 for Jira, remote authenticated attackers can cause Stored XSS. | |||||
| CVE-2017-17780 | 1 Mediaburst | 8 Booking Calendar Sms, Clockwork Sms Notfications, Contact Form 7 Sms and 5 more | 2021-03-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5. | |||||
| CVE-2021-26967 | 1 Arubanetworks | 1 Airwave | 2021-03-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A remote reflected cross-site scripting (xss) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the web-based management interface of AirWave could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of certain components of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the AirWave management interface. | |||||
| CVE-2021-26968 | 1 Arubanetworks | 1 Airwave | 2021-03-10 | 3.5 LOW | 4.8 MEDIUM |
| A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the web-based management interface of AirWave could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. | |||||
| CVE-2020-29028 | 1 Secomea | 1 Gatemanager Firmware | 2021-03-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in the web GUI of Secomea GateManager allows an attacker to inject arbitrary JavaScript code. This issue affects: Secomea GateManager all versions prior to 9.4. | |||||
| CVE-2021-28006 | 1 Web Based Quiz System Project | 1 Web Based Quiz System | 2021-03-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Web Based Quiz System 1.0 is affected by cross-site scripting (XSS) in admin.php through the options parameter. | |||||
| CVE-2021-22183 | 1 Gitlab | 1 Gitlab | 2021-03-10 | 3.5 LOW | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions. | |||||
| CVE-2020-4975 | 1 Ibm | 9 Doors Next, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 6 more | 2021-03-10 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192435. | |||||
| CVE-2021-21312 | 1 Glpi-project | 1 Glpi | 2021-03-10 | 3.5 LOW | 4.8 MEDIUM |
| GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before version 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or the /front/document.form.php endpoint): one of the form fields, "Web Link", is not properly sanitized, and a malicious user (who has document upload rights) can use it to deliver a JavaScript payload. For example, if you use the payload " accesskey="x" onclick="alert(1)" x=", the content will be saved in the database without any control. Then, once you return to the documents summary page and click the "Web Link" of the newly created file, a new empty tab opens, but on the initial tab the pop-up "1" appears. | |||||
| CVE-2020-1936 | 1 Apache | 1 Ambari | 2021-03-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4. | |||||
| CVE-2021-27940 | 1 Openark | 1 Orchestrator | 2021-03-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter. | |||||
| CVE-2021-21314 | 1 Glpi-project | 1 Glpi | 2021-03-09 | 3.5 LOW | 4.8 MEDIUM |
| GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before version 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket. | |||||
| CVE-2021-23347 | 1 Linuxfoundation | 1 Argo Continuous Delivery | 2021-03-09 | 3.5 LOW | 4.8 MEDIUM |
| The package github.com/argoproj/argo-cd/cmd before 1.7.13, and from 1.8.0 before 1.8.6, is vulnerable to Cross-site Scripting (XSS): the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user. | |||||
| CVE-2020-15937 | 1 Fortinet | 1 Fortios | 2021-03-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may allow a remote attacker to perform a stored cross site scripting attack (XSS) via the IPS and WAF logs dashboard. | |||||
| CVE-2021-27888 | 1 Zend | 1 Zendto | 2021-03-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters. | |||||
| CVE-2021-21258 | 1 Glpi-project | 1 Glpi | 2021-03-09 | 3.5 LOW | 5.4 MEDIUM |
| GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using ajax/kanban.php. This is fixed in version 9.5.4. | |||||
| CVE-2020-12530 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2021-03-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an XSS issue in redirect.php allowing an attacker to inject code via a GET parameter. | |||||
| CVE-2021-3377 | 1 Ansi Up Project | 1 Ansi Up | 2021-03-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0. | |||||
| CVE-2021-27318 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2021-03-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the lastname parameter. | |||||
| CVE-2021-27317 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2021-03-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the comment parameter. | |||||
| CVE-2020-23518 | 1 Ultimatekode | 1 Neo Billing | 2021-03-08 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5, which allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2021-21515 | 1 Dell | 1 Emc Sourceone | 2021-03-08 | 3.5 LOW | 5.4 MEDIUM |
| Dell EMC SourceOne, versions 7.2SP10 and prior, contain a Stored Cross-Site Scripting vulnerability. A remote low privileged attacker may potentially exploit this vulnerability, to hijack user sessions or to trick a victim application user to unknowingly send arbitrary requests to the server. | |||||
| CVE-2020-13409 | 1 Tufin | 1 Securetrack | 2021-03-08 | 2.3 LOW | 5.9 MEDIUM |
| Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (that is, the value is reflected back to the user, but is also stored within the DB and can later be triggered again by the same victim, or later by different users). Both stored and reflected payloads are triggerable by an admin, so a malicious non-authenticated user could get admin-level access. Even a malicious low-privileged user can inject XSS which can be executed by an admin, potentially elevating privileges and obtaining admin access. (issue 3 of 3) | |||||
| CVE-2020-13408 | 1 Tufin | 1 Securetrack | 2021-03-08 | 2.3 LOW | 5.9 MEDIUM |
| Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (that is, the value is reflected back to the user, but is also stored within the DB and can later be triggered again by the same victim, or later by different users). Both stored and reflected payloads are triggerable by an admin, so a malicious non-authenticated user could get admin-level access. Even a malicious low-privileged user can inject XSS which can be executed by an admin, potentially elevating privileges and obtaining admin access. (issue 2 of 3) | |||||
| CVE-2020-13407 | 1 Tufin | 1 Securetrack | 2021-03-08 | 2.3 LOW | 5.9 MEDIUM |
| Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (that is, the value is reflected back to the user, but is also stored within the DB and can later be triggered again by the same victim, or later by different users). Both stored and reflected payloads are triggerable by an admin, so a malicious non-authenticated user could get admin-level access. Even a malicious low-privileged user can inject XSS which can be executed by an admin, potentially elevating privileges and obtaining admin access. (issue 1 of 3) | |||||
| CVE-2021-27731 | 1 Accellion | 1 Fta | 2021-03-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint. The fixed version is FTA_9_12_444 and later. | |||||
| CVE-2021-23129 | 1 Joomla | 1 Joomla! | 2021-03-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages shown to users could lead to XSS issues. | |||||
| CVE-2020-4856 | 1 Ibm | 9 Doors Next, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 6 more | 2021-03-05 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190459. | |||||
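Two of the entries above describe the same kind of defect in a link-rendering path, from opposite sides. CVE-2021-21312 (GLPI) shows a "Web Link" value of `" accesskey="x" onclick="alert(1)" x="` closing the href attribute and smuggling in an event handler, which is an attribute-context encoding failure. CVE-2021-3377 (ansi_up) is a hyperlink whose URL was not checked before being emitted, so a `javascript:` URL runs script on click even if every quote is encoded. The following is an added example, not code from GLPI, ansi_up or any other project listed on this page; the function names and the sample URLs are constructed for illustration. It renders a user-supplied URL and label into an anchor tag, first in the unsafe concatenation style, then with a scheme allowlist plus attribute and text encoding.

```javascript
// Added example (not GLPI or ansi_up code): rendering a user-supplied link safely.
// Two distinct defects from the listing above are covered:
//   1. attribute-context injection (the CVE-2021-21312 payload): a double quote
//      in the stored "Web Link" value closes href="..." and adds onclick=...
//   2. dangerous URL schemes (CVE-2021-3377): a hyperlink whose URL is
//      javascript:... runs script when clicked even if every quote is encoded.

// Vulnerable rendering: string concatenation, no encoding, no scheme check.
function renderLinkVulnerable(url, text) {
  return '<a href="' + url + '" target="_blank">' + text + '</a>';
}

// Encode the five characters that matter in HTML text nodes and in
// double-quoted attribute values. Output must always be placed inside quotes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Accept only absolute http(s) URLs. The WHATWG URL parser lower-cases the
// scheme and strips leading/trailing whitespace and C0 controls, so
// "  JavaScript:alert(1)" is still recognised and rejected. Relative or
// unparsable input throws and is treated as unsafe.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
function isSafeUrl(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Hardened rendering: scheme allowlist first, then encoding of both the
// attribute value and the link text. A rejected URL is shown as inert text so
// the user can still see what was stored instead of it silently vanishing.
function renderLinkSafe(url, text) {
  if (!isSafeUrl(url)) {
    return '<span class="bad-link">' + escapeHtml(url) + '</span>';
  }
  return '<a href="' + escapeHtml(url) + '" target="_blank" rel="noopener noreferrer">' +
         escapeHtml(text) + '</a>';
}
```

Run `renderLinkVulnerable(payload, 'doc')` with the GLPI payload and the output is `<a href="" accesskey="x" onclick="alert(1)" x="" target="_blank">doc</a>`, which is exactly the behaviour the CVE text describes (a click opens an empty tab and the handler fires). Neither half of the fix is sufficient alone: encoding stops the quote from breaking out of the attribute but leaves `javascript:alert(1)` as a working href, and a scheme check alone would pass `https://example.com/?q=" onclick="alert(1)` straight into the attribute. A Content Security Policy, whose weak configuration is the root cause in CVE-2021-20667 above, is defence in depth on top of this, not a replacement for it.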
