Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-36352 | 1 Care2x | 1 Hospital Information Management | 2021-09-01 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) vulnerability in Care2x Hospital Information Management 2.7 Alpha. The vulnerability has found POST requests in /modules/registration_admission/patient_register.php page with "name_middle", "addr_str", "station", "name_maiden", "name_2", "name_3" parameters. | |||||
| CVE-2020-19703 | 1 Dzzoffice | 1 Dzzoffice | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the referer parameter of Dzzoffice 2.02 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2020-19704 | 1 Spring-boot-admin Project | 1 Spring-boot-admin | 2021-09-01 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability via ResourceController.java in spring-boot-admin as of 20190710 allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2020-18998 | 1 Blog Mini Project | 1 Blog Mini | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Blog_mini v1.0 allows remote attackers to execute arbitrary code via the component '/admin/custom/blog-plugin/add'. | |||||
| CVE-2020-19002 | 1 Jupo | 1 Mezzanine | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Mezzanine v4.3.1 allows remote attackers to execute arbitrary code via the 'Description' field of the component 'admin/blog/blogpost/add/'. This issue is different than CVE-2018-16632. | |||||
| CVE-2020-18999 | 1 Blog Mini Project | 1 Blog Mini | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Blog_mini v1.0 allows remote attackers to execute arbitrary code via the component '/admin/submit-articles'. | |||||
| CVE-2020-19000 | 1 Simiki Project | 1 Simiki | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary code via line 54 of the component 'simiki/blob/master/simiki/generators.py'. | |||||
| CVE-2016-4827 | 1 Collne | 1 Welcart E-commerce | 2021-08-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826. | |||||
| CVE-2016-9261 | 1 Tenable | 1 Log Correlation Engine | 2021-08-31 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Tenable Log Correlation Engine (aka LCE) before 4.8.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-7251 | 1 Piengine | 1 Pi | 2021-08-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) was discovered in pi-engine/pi 2.5.0. The vulnerability exists due to insufficient filtration of user-supplied data (preview) passed to the "pi-develop/www/script/editor/markitup/preview/markdown.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2021-22242 | 1 Gitlab | 1 Gitlab | 2021-08-31 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown | |||||
| CVE-2021-28628 | 1 Adobe | 1 Experience Manager | 2021-08-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager Cloud Service offering, as well as versions 6.5.8.0 (and below) is affected by a Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-28625 | 1 Adobe | 1 Experience Manager | 2021-08-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager Cloud Service offering, as well as versions 6.5.8.0 (and below) is affected by a Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-39599 | 1 Cxuu | 1 Cxuucms | 2021-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities exists in CXUUCMS 3.1 in the search and c parameters in (1) public/search.php and in the (2) c parameter in admin.php. | |||||
| CVE-2021-39362 | 1 Recaptcha Solver Project | 1 Recaptcha Solver | 2021-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in ReCaptcha Solver 5.7. A response from Anti-Captcha.com, RuCaptcha.com, 2captcha.com, DEATHbyCAPTCHA.com, ImageTyperz.com, or BestCaptchaSolver.com in setCaptchaCode() is inserted into the DOM as HTML, resulting in full control over the user's browser by these servers. | |||||
| CVE-2021-39136 | 1 Basercms | 1 Basercms | 2021-08-30 | 3.5 LOW | 5.4 MEDIUM |
| baserCMS is an open source content management system with a focus on Japanese language support. In affected versions there is a cross-site scripting vulnerability in the file upload function of the management system of baserCMS. Users are advised to update as soon as possible. No workaround are available to mitigate this issue. | |||||
| CVE-2021-24561 | 1 Veronalabs | 1 Wp Sms | 2021-08-30 | 3.5 LOW | 5.4 MEDIUM |
| The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2020-18468 | 1 Qdpm | 1 Qdpm | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in qdPM 9.1 in the Heading field found in the Login Page page under the General menu via a crafted website name by doing an authenticated POST HTTP request to /qdPM_9.1/index.php/configuration. | |||||
| CVE-2020-18467 | 1 Bigtreecms | 1 Bigtree Cms | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerabilty exists in BigTree-CMS 4.4.3 in the tag name field found in the Tags page under the General menu via a crafted website name by doing an authenticated POST HTTP request to admin/tags/create. | |||||
| CVE-2021-38559 | 1 Digitaldruid | 1 Hoteldruid | 2021-08-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| DigitalDruid HotelDruid 3.0.2 has an XSS vulnerability in prenota.php affecting the fineperiodo1 parameter. | |||||
| CVE-2020-18469 | 1 Rukovoditel | 1 Rukovoditel | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to /rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application. | |||||
| CVE-2020-18475 | 1 Hucart | 1 Hucart | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerabilty exists in Hucart CMS 5.7.4 is via the mes_title field. The first user inserts a malicious script into the header field of the outbox and sends it to other users. When other users open the email, the malicious code will be executed. | |||||
| CVE-2020-18470 | 1 Rukovoditel | 1 Rukovoditel | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) vulnerability in the Name of application field found in the General Configuration page in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to rukovoditel_2.4.1/install/index.php. | |||||
| CVE-2021-24558 | 1 3.7designs | 1 Project Status | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue | |||||
| CVE-2021-30044 | 1 Remoteclinic | 1 Remote Clinic | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Remote Clinic v2.0 via the First Name or Last Name field on staff/register.php. | |||||
| CVE-2021-30042 | 1 Remoteclinic | 1 Remote Clinic | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Clinic Name", "Clinic Address", "Clinic City", or "Clinic Contact" field on clinics/register.php | |||||
| CVE-2021-30039 | 1 Remoteclinic | 1 Remote Clinic | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Fever" or "Blood Pressure" field on the patients/register-report.php. | |||||
| CVE-2021-30030 | 1 Remoteclinic | 1 Remote Clinic | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Name field on register-patient.php. | |||||
| CVE-2021-30034 | 1 Remoteclinic | 1 Remote Clinic | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Symptons field on patients/register-report.php. | |||||
| CVE-2019-18223 | 1 Eleveo | 1 Call Recording | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| ZOOM International Call Recording 6.3.1 suffers from multiple authenticated stored XSS vulnerabilities via the phoneNumber field in the (1) User Edit or (2) User Add form, (3) name field in the Role Add form, (4) name or number field in the Edit Group form, (5) tagKey or tagValue field in the Recording Rules Configuration, or (6) txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config. | |||||
| CVE-2021-24564 | 1 Wpfront | 1 Scroll Top | 2021-08-27 | 3.5 LOW | 5.4 MEDIUM |
| The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24658 | 1 Erident Custom Login And Dashboard Project | 1 Erident Custom Login And Dashboard | 2021-08-27 | 3.5 LOW | 4.8 MEDIUM |
| The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them (even when the unfileted_html is disabled) | |||||
| CVE-2021-24574 | 1 Simple Banner Project | 1 Simple Banner | 2021-08-27 | 3.5 LOW | 4.8 MEDIUM |
| The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24556 | 1 Email-subscriber Project | 1 Email-subscriber | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST parameters, inserting them in the DB and then outputting them back in the Subscriber list (/wp-admin/edit.php?post_type=kes_campaign&page=kento_email_subscriber_list_settings), leading a Stored XSS issue. | |||||
| CVE-2021-24571 | 1 Harmonicdesign | 1 Hd Quiz | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24486 | 1 Wpbrigade | 1 Simple Social Media Share Buttons | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The Simple Social Media Share Buttons – Social Sharing for Everyone WordPress plugin before 3.2.3 did not escape the align and like_button_size parameters of its SSB shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2021-24529 | 1 Awplife | 1 Grid Gallery | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The Grid Gallery – Photo Image Grid Gallery WordPress plugin before 1.2.5 does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability. | |||||
| CVE-2021-24533 | 1 Webfactoryltd | 1 Maintenance | 2021-08-26 | 3.5 LOW | 4.8 MEDIUM |
| The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend | |||||
| CVE-2021-24524 | 1 Givewp | 1 Givewp | 2021-08-26 | 3.5 LOW | 4.8 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them. | |||||
| CVE-2021-24547 | 1 Kn Fix Your Title Project | 1 Kn Fix Your Title | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field. | |||||
| CVE-2021-24531 | 1 Wpcharitable | 1 Charitable | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The Charitable – Donation Plugin WordPress plugin before 1.6.51 is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature. | |||||
| CVE-2021-39368 | 1 Canon | 1 Oce Print Exec Workgroup | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter. | |||||
| CVE-2021-34223 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in urlfilter.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "URL Address" field. | |||||
| CVE-2021-34220 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in tr069config.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "User Name" field or "Password" field. | |||||
| CVE-2021-34215 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field. | |||||
| CVE-2021-34207 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field. | |||||
| CVE-2021-34228 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and "Service Name" field. | |||||
| CVE-2021-22238 | 1 Gitlab | 1 Gitlab | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues. | |||||
| CVE-2021-32602 | 1 Fortinet | 1 Fortiportal | 2021-08-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated attacker to perform an XSS attack via sending a crafted request with an invalid lang parameter or with an invalid org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value. | |||||
| CVE-2021-39250 | 1 Invisioncommunity | 1 Invision Power Board | 2021-08-25 | 3.5 LOW | 5.4 MEDIUM |
| Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML). | |||||