Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28378 | 1 Gitea | 1 Gitea | 2021-12-16 | 3.5 LOW | 5.4 MEDIUM |
| Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations. | |||||
| CVE-2021-24729 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2021-12-16 | 3.5 LOW | 5.4 MEDIUM |
| The Logo Showcase with Slick Slider WordPress plugin before 1.2.4 does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via post metadata of Grid logo showcase. | |||||
| CVE-2021-42547 | 1 Wpcloudplugins | 1 Out-of-the-box | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient Input Validation in the search functionality of Wordpress plugin Out-of-the-Box prior to 1.20.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. | |||||
| CVE-2021-42548 | 1 Wpcloudplugins | 1 Share-one-drive | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient Input Validation in the search functionality of Wordpress plugin Share-one-Drive prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. | |||||
| CVE-2021-24855 | 1 Display Post Metadata Project | 1 Display Post Metadata | 2021-12-16 | 3.5 LOW | 5.4 MEDIUM |
| The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-42546 | 1 Wpcloudplugins | 1 Use-your-drive | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient Input Validation in the search functionality of Wordpress plugin Use-Your-Drive prior to 1.18.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. | |||||
| CVE-2021-24817 | 1 Ultimate Nofollow Project | 1 Ultimate Nofollow | 2021-12-16 | 3.5 LOW | 5.4 MEDIUM |
| The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24972 | 1 Fatcatapps | 1 Pixel Cat | 2021-12-16 | 3.5 LOW | 4.8 MEDIUM |
| The Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | |||||
| CVE-2021-39319 | 1 Duogeek | 1 Duofaq-responsive-flat-simple-faq | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The duoFAQ - Responsive, Flat, Simple FAQ WordPess plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/duogeek/duogeek-panel.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.8. | |||||
| CVE-2021-39318 | 1 H5p-css-editor Project | 1 H5p-css-editor | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The H5P CSS Editor WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the h5p-css-file parameter found in the ~/h5p-css-editor.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | |||||
| CVE-2021-24954 | 1 Profilepress | 1 User Registration\, Login Form\, User Profile \& Membership | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-39313 | 1 Duogeek | 1 Simple Image Gallery | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Image Gallery WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/simple-image-gallery.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6. | |||||
| CVE-2021-39311 | 1 Link-list-manager Project | 1 Link-list-manager | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The link-list-manager WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the category parameter found in the ~/llm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | |||||
| CVE-2021-3831 | 1 Gnuboard | 1 Gnuboard5 | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| gnuboard5 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2020-19042 | 1 Zzcms | 1 Zzcms | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 XSS via a modify action in user/adv.php. | |||||
| CVE-2021-39315 | 1 Magic-post-voice Project | 1 Magic-post-voice | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Magic Post Voice WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the ids parameter found in the ~/inc/admin/main.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | |||||
| CVE-2021-39314 | 1 Wanderlust-webdesign | 1 Woo-enviopack | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce EnvioPack WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the dataid parameter found in the ~/includes/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | |||||
| CVE-2021-24792 | 1 Wpeden | 1 Shiny Buttons | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored Cross-Site Scripting issues. | |||||
| CVE-2021-39310 | 1 Windyroad | 1 Real Wysiwyg | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Real WYSIWYG WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of PHP_SELF in the ~/real-wysiwyg.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2. | |||||
| CVE-2021-38361 | 1 Htaccess-redirect Project | 1 Htaccess-redirect | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The .htaccess Redirect WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the link parameter found in the ~/htaccess-redirect.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.3.1. | |||||
| CVE-2021-39309 | 1 Dpsoft | 1 Parsian Bank Gateway For Woocommerce | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Parsian Bank Gateway for Woocommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via and parameter due to a var_dump() on $_POST variables found in the ~/vendor/dpsoft/parsian-payment/sample/rollback-payment.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | |||||
| CVE-2021-39308 | 1 Woo-myghpay-payment-gateway Project | 1 Woo-myghpay-payment-gateway | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce myghpay Payment Gateway WordPess plugin is vulnerable to Reflected Cross-Site Scripting via the clientref parameter found in the ~/processresponse.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.0. | |||||
| CVE-2021-36450 | 1 Verint | 1 Workforce Optimization | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter. | |||||
| CVE-2021-42051 | 1 Abantecart | 1 Abantecart | 2021-12-15 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in AbanteCart before 1.3.2. Any low-privileged user with file-upload permissions can upload a malicious SVG document that contains an XSS payload. | |||||
| CVE-2021-42050 | 1 Abantecart | 1 Abantecart | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in AbanteCart before 1.3.2. It allows DOM Based XSS. | |||||
| CVE-2021-26787 | 1 Genesys | 1 Workforce Management | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability in Genesys Workforce Management 8.5.214.20 can occur (during record deletion) via the Time-off parameter. | |||||
| CVE-2021-43817 | 1 Collabora | 1 Online | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Collabora Online is a collaborative online office suite based on LibreOffice technology. In affected versions a reflected XSS vulnerability was found in Collabora Online. An attacker could inject unescaped HTML into a variable as they created the Collabora Online iframe, and execute scripts inside the context of the Collabora Online iframe. This would give access to a small set of user settings stored in the browser, as well as the session's authentication token which was also passed in at iframe creation time. Users should upgrade to Collabora Online 6.4.16 or higher or Collabora Online 4.2.20 or higher. Collabora Online Development Edition 21.11 is not affected. | |||||
| CVE-2021-42220 | 1 Dolibarr | 1 Dolibarr | 2021-12-15 | 3.5 LOW | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box. | |||||
| CVE-2021-24932 | 1 Cm-wp | 1 Auto Featured Image | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24896 | 1 Calderaforms | 1 Caldera Forms | 2021-12-15 | 3.5 LOW | 4.8 MEDIUM |
| The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-4107 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-24925 | 1 Webnus | 1 Modern Events Calendar Lite | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24891 | 1 Elementor | 1 Website Builder | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. | |||||
| CVE-2021-24782 | 1 Flex Local Fonts Project | 1 Flex Local Fonts | 2021-12-15 | 3.5 LOW | 4.8 MEDIUM |
| The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2020-9390 | 1 Squaredup | 1 Squaredup | 2021-12-15 | 3.5 LOW | 5.4 MEDIUM |
| SquaredUp allowed Stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in iframe or by uploading an SVG that contained a script. | |||||
| CVE-2021-24771 | 1 Inspirational Quote Rotator Project | 1 Inspirational Quote Rotator | 2021-12-15 | 3.5 LOW | 4.8 MEDIUM |
| The Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24756 | 1 Wp System Log Project | 1 Wp System Log | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs. | |||||
| CVE-2021-24705 | 1 Basixonline | 1 Nex-forms | 2021-12-15 | 3.5 LOW | 4.8 MEDIUM |
| The NEX-Forms WordPress plugin through 7.9.4 does not escape some of its settings and form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-43687 | 1 Chamilo | 1 Chamilo | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie. | |||||
| CVE-2021-24918 | 1 Smashballoon | 1 Smash Balloon Social Post Feed | 2021-12-15 | 3.5 LOW | 5.4 MEDIUM |
| The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages. | |||||
| CVE-2021-39201 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2021-12-14 | 3.5 LOW | 5.4 MEDIUM |
| WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress) | |||||
| CVE-2021-40096 | 1 Squaredup | 1 Squaredup | 2021-12-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in integration configuration in SquaredUp for SCOM 5.2.1.6654 allows remote attackers to inject arbitrary web script or HTML via modification of the authorisationUrl in some integration configurations. | |||||
| CVE-2021-23860 | 1 Bosch | 4 Bosch Video Management System, Divar Ip 5000 Firmware, Divar Ip 7000 Firmware and 1 more | 2021-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An error in a page handler of the VRM may lead to a reflected cross site scripting (XSS) in the web-based interface. To exploit this vulnerability an attack must be able to modify the HTTP header that is sent. This issue also affects installations of the DIVAR IP and BVMS with VRM installed. | |||||
| CVE-2021-41697 | 1 Globaldatingsoftware | 1 Premiumdatingscript | 2021-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross Site Scripting (XSS) vulnerability exists in Premiumdatingscript 4.2.7.7 via the aerror_description parameter in assets/sources/instagram.php script. | |||||
| CVE-2021-36911 | 1 Comment Engine Pro Project | 1 Comment Engine Pro | 2021-12-14 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Comment Engine Pro plugin (versions <= 1.0), could be exploited by users with Editor or higher role. | |||||
| CVE-2021-36720 | 1 Pineapp | 1 Mail Secure | 2021-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| PineApp - Mail Secure - Attacker sending a request to :/blocking.php?url=<script>alert(1)</script> and stealing cookies . | |||||
| CVE-2020-19683 | 1 Zzzcms | 1 Zzzcms | 2021-12-13 | 3.5 LOW | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) exists in ZZZCMS V1.7.1 via an editfile action in save.php. | |||||
| CVE-2021-4084 | 1 Pimcore | 1 Pimcore | 2021-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-20137 | 1 Gryphonconnect | 2 Gryphon Tower, Gryphon Tower Firmware | 2021-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting vulnerability exists in the url parameter of the /cgi-bin/luci/site_access/ page on the Gryphon Tower router's web interface. An attacker could exploit this issue by tricking a user into following a specially crafted link, granting the attacker javascript execution in the context of the victim's browser. | |||||
| CVE-2019-20102 | 1 Atlassian | 1 Confluence Server | 2021-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter. | |||||