Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24738 | 1 Shapedplugin | 1 Logo Carousel | 2021-12-27 | 3.5 LOW | 5.4 MEDIUM |
| The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2021-24907 | 1 Wpeverest | 1 Everest Forms | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24956 | 1 Adenion | 1 Blog2social | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24941 | 1 Icegram | 1 Icegram | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-38966 | 1 Ibm | 2 Cloud Pak For Automation, Workflow Process Service | 2021-12-23 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 212357. | |||||
| CVE-2020-20600 | 1 Metinfo | 1 Metinfo | 2021-12-23 | 3.5 LOW | 5.4 MEDIUM |
| MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn. | |||||
| CVE-2020-20605 | 1 Personal Blog Cms Project | 1 Personal Blog Cms | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Blog CMS v1.0 contains a cross-site scripting (XSS) vulnerability in the /controller/CommentAdminController.java component. | |||||
| CVE-2021-36885 | 1 Ciphercoin | 1 Contact Form 7 Database Addon - Cfdb7 | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.6.1). | |||||
| CVE-2020-20598 | 1 Mossle | 1 Lemon | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the Editing component of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2020-20597 | 1 Mossle | 1 Lemon | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the potrtalItemName parameter in \web\PortalController.java of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2020-20425 | 1 S-cms | 1 S-cms | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in the search function. | |||||
| CVE-2020-20426 | 1 S-cms | 1 S-cms | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in /function/booksave.php. | |||||
| CVE-2021-43440 | 1 Iorder Project | 1 Iorder | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Stored XSS Vulnerabilities in the Source Code of iOrder 1.0 allow remote attackers to execute arbitrary code via signup form in the Name and Phone number field. | |||||
| CVE-2021-36889 | 1 Tarteaucitron.js - Cookies Legislation \& Gdpr Project | 1 Tarteaucitron.js - Cookies Legislation \& Gdpr | 2021-12-22 | 3.5 LOW | 4.8 MEDIUM |
| Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities were discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.6). | |||||
| CVE-2021-38701 | 1 Motorola | 20 T008, T008 Firmware, T100 and 17 more | 2021-12-22 | 3.5 LOW | 4.8 MEDIUM |
| Certain Motorola Solutions Avigilon devices allow XSS in the administrative UI. This affects T200/201 before 4.10.0.68; T290 before 4.4.0.80; T008 before 2.2.0.86; T205 before 4.12.0.62; T204 before 3.28.0.166; and T100, T101, T102, and T103 before 2.6.0.180. | |||||
| CVE-2020-3867 | 3 Apple, Opensuse, Webkitgtk | 8 Icloud, Ipados, Iphone Os and 5 more | 2021-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to universal cross site scripting. | |||||
| CVE-2021-43438 | 1 Iresturant Project | 1 Iresturant | 2021-12-22 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in Signup Form in iResturant 1.0 Allows Remote Attacker to Inject Arbitrary code via NAME and ADDRESS field | |||||
| CVE-2021-41261 | 1 Galette | 1 Galette | 2021-12-21 | 3.5 LOW | 4.8 MEDIUM |
| Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to stored cross site scripting attacks via the preferences footer. The preference footer can only be altered by a site admin. This issue has been resolved in the 0.9.6 release and all users are advised to upgrade. There are no known workarounds. | |||||
| CVE-2021-38883 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2021-12-21 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209165. | |||||
| CVE-2018-10228 | 1 Limesurvey | 1 Limesurvey | 2021-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI. | |||||
| CVE-2021-4132 | 1 Livehelperchat | 1 Live Helper Chat | 2021-12-21 | 3.5 LOW | 5.4 MEDIUM |
| livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-43678 | 1 Wechat-php-sdk Project | 1 Wechat-php-sdk | 2021-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php. | |||||
| CVE-2021-4108 | 1 Snipeitapp | 1 Snipe-it | 2021-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-42584 | 1 Convos | 1 Convos | 2021-12-21 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) issue exists in Convos-Chat before 6.32. | |||||
| CVE-2019-18210 | 1 Moodle | 1 Moodle | 2021-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug." | |||||
| CVE-2019-15253 | 1 Cisco | 1 Dna Center | 2021-12-21 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs administrator credentials. This vulnerability affects Cisco DNA Center Software releases earlier than 1.3.0.6 and 1.3.1.4. | |||||
| CVE-2020-9447 | 1 Gwtupload Project | 1 Gwtupload | 2021-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is an XSS (cross-site scripting) vulnerability in GwtUpload 1.0.3 in the file upload functionality. Someone can upload a file with a malicious filename, which contains JavaScript code, which would result in XSS. Cross-site scripting enables attackers to steal data, change the appearance of a website, and perform other malicious activities like phishing or drive-by hacking. | |||||
| CVE-2020-3939 | 1 Sysjust | 1 Syuan-gu-da-shin | 2021-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| SysJust Syuan-Gu-Da-Shih, versions before 20191223, contain vulnerability of Cross-Site Scripting(XSS), personal information may be leaked to attackers via the vulnerability. | |||||
| CVE-2021-39183 | 1 Owncast Project | 1 Owncast | 2021-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player. | |||||
| CVE-2021-44043 | 1 Uipath | 1 App Studio | 2021-12-20 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in UiPath App Studio 21.4.4. There is a persistent XSS vulnerability in the file-upload functionality for uploading icons when attempting to create new Apps. An attacker with minimal privileges in the application can build their own App and upload a malicious file containing an XSS payload, by uploading an arbitrary file and modifying the MIME type in a subsequent HTTP request. This then allows the file to be stored and retrieved from the server by other users in the same organization. | |||||
| CVE-2020-18984 | 1 Synacor | 1 Zimbra Collaboration Suite | 2021-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the zimbraAdmin/public/secureRequest.jsp component of Zimbra Collaboration 8.8.12 allows unauthenticated attackers to execute arbitrary web scripts or HTML via a host header injection. | |||||
| CVE-2021-45018 | 1 Catfish-cms | 1 Catfish Cms | 2021-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in Catfish <=6.3.0 via a Google search in url:/catfishcms/index.php/admin/Index/addmenu.htmland then the .html file on the website that uses this editor (the file suffix is allowed). | |||||
| CVE-2021-44116 | 1 Anchorcms | 1 Anchor Cms | 2021-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exits in Anchor CMS <=0.12.7 in posts.php. Attackers can use the posts column to upload the title and content containing malicious code to achieve the purpose of obtaining the administrator cookie, thereby achieving other malicious operations. | |||||
| CVE-2021-4121 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2021-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-4124 | 1 Meetecho | 1 Janus | 2021-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-41962 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2021-12-20 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Owner fullname parameter in a Send Service Request in vehicle_service. | |||||
| CVE-2021-41557 | 1 Sofico | 1 Miles Rich Internet Application | 2021-12-17 | 3.5 LOW | 5.4 MEDIUM |
| Sofico Miles RIA 2020.2 Build 127964T is affected by Stored Cross Site Scripting (XSS). An attacker with access to a user account of the RIA IT or the Fleet role can create a crafted work order in the damage reports section (or change existing work orders). The XSS payload is in the work order number. | |||||
| CVE-2021-43675 | 1 Lycheeorganisation | 1 Lychee | 2021-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Lychee-v3 3.2.16 is affected by a Cross Site Scripting (XSS) vulnerability in php/Access/Guest.php. The function exit will terminate the script and print the message to the user. The message will contain albumID which is controlled by the user. | |||||
| CVE-2021-4116 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2021-12-17 | 3.5 LOW | 5.4 MEDIUM |
| yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-41871 | 1 Socomec | 2 Remote View Pro, Remote View Pro Firmware | 2021-12-17 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Socomec REMOTE VIEW PRO 2.0.41.4. Improper validation of input into the username field makes it possible to place a stored XSS payload. This is executed if an administrator views the System Event Log. | |||||
| CVE-2021-41836 | 1 Conva | 1 Fathom Analytics | 2021-12-17 | 3.5 LOW | 4.8 MEDIUM |
| The Fathom Analytics WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the $site_id parameter found in the ~/fathom-analytics.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.0.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-42367 | 1 Variation Swatches For Woocommerce Project | 1 Variation Swatches For Woocommerce | 2021-12-17 | 3.5 LOW | 5.4 MEDIUM |
| The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability. | |||||
| CVE-2021-24955 | 1 Profilepress | 1 User Registration\, Login Form\, User Profile \& Membership | 2021-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-42549 | 1 Wpcloudplugins | 1 Lets-box | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient Input Validation in the search functionality of Wordpress plugin Lets-Box prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. | |||||
| CVE-2021-24871 | 1 Get Custom Field Values Project | 1 Get Custom Field Values | 2021-12-16 | 3.5 LOW | 5.4 MEDIUM |
| The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-40882 | 1 Piwigo | 1 Piwigo | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location. | |||||
| CVE-2021-42061 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-12-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This allows a low privileged attacker to retrieve some data from the victim but will never be able to modify the document and publish these modifications to the server. It impacts the "Quick Prompt" workflow. | |||||
| CVE-2021-44025 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. | |||||
| CVE-2021-24815 | 1 Wpplugin | 1 Accept Donations With Paypal | 2021-12-16 | 3.5 LOW | 4.8 MEDIUM |
| The Accept Donations with PayPal WordPress plugin before 1.3.2 does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-25273 | 1 Sophos | 1 Unified Threat Management | 2021-12-16 | 3.5 LOW | 4.8 MEDIUM |
| Stored XSS can execute as administrator in quarantined email detail view in Sophos UTM before version 9.706. | |||||