Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24518 | 1 Wpfront | 1 Notification Bar | 2021-08-23 | 3.5 LOW | 4.8 MEDIUM |
| The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24445 | 1 Draftpress | 1 My Site Audit | 2021-08-23 | 3.5 LOW | 5.5 MEDIUM |
| The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24535 | 1 Light Messages Project | 1 Light Messages | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Light Messages WordPress plugin through 1.0 is lacking a CSRF check when updating its settings, and is not sanitising its Message Content in them (even with unfiltered_html disallowed). As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the Message Content. Depending on the options set, the XSS payload can be triggered either in the backend only (in the plugin's settings), or in both frontend and backend. | |||||
| CVE-2021-24466 | 1 Verse-o-matic Project | 1 Verse-o-matic | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24519 | 1 Vikwp | 1 Car Rental Management System | 2021-08-23 | 3.5 LOW | 4.8 MEDIUM |
| The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-38607 | 1 Crocoblock | 1 Jetengine | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input. | |||||
| CVE-2021-38752 | 1 Online Catering Reservation System Project | 1 Online Catering Reservation System | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Online Catering Reservation System using PHP on Sourcecodester allows an attacker to arbitrarily inject code in the search bar. | |||||
| CVE-2021-38757 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through contact.php. | |||||
| CVE-2021-38756 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php. | |||||
| CVE-2021-24526 | 1 10web | 1 Form Maker | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24538 | 1 Current Book Project | 1 Current Book | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. | |||||
| CVE-2021-24534 | 1 Phonetrack | 1 Phonetrack Meu Site Manager | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue. | |||||
| CVE-2021-24540 | 1 Wonderplugin | 1 Wonder Video Embed | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||
| CVE-2021-24541 | 1 Wonderplugin | 1 Wonder Pdf Embed | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||
| CVE-2021-24548 | 1 Mimetic | 1 Mimetic Books | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page. | |||||
| CVE-2021-24536 | 1 Custom Login Redirect Project | 1 Custom Login Redirect | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Custom Login Redirect WordPress plugin through 1.0.0 does not have a CSRF check in place when saving its settings, and does not sanitise or escape user input before outputting it back in the page, leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24512 | 1 Videowhisper | 1 Video Posts Webcam Recorder | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos. | |||||
| CVE-2021-24411 | 1 Social Tape Project | 1 Social Tape | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and does not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack | |||||
| CVE-2021-24362 | 1 10web | 1 Photo Gallery | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue | |||||
| CVE-2021-38708 | 1 Compo | 1 Composr Cms | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via Comcode for XSS. | |||||
| CVE-2021-28002 | 1 Textpattern | 1 Textpattern | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting the 'Articles' page. | |||||
| CVE-2021-28001 | 1 Textpattern | 1 Textpattern | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting https://site.com/articles/welcome-to-your-site#comments-head. | |||||
| CVE-2021-28000 | 1 Local Services Search Engine Management System Project | 1 Local Services Search Engine Management System | 2021-08-23 | 3.5 LOW | 4.8 MEDIUM |
| A persistent cross-site scripting vulnerability was discovered in Local Services Search Engine Management System Project 1.0 which allows remote attackers to execute arbitrary code via crafted payloads entered into the Name and Address fields. | |||||
| CVE-2020-18748 | 1 Typora | 1 Typora | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Typora v0.9.65 allows attackers to execute arbitrary code via mathjax syntax due to a mathjax configuration error in the mathematical formula blocks. This is a different vulnerability from CVE-2020-18221. | |||||
| CVE-2020-20645 | 1 Eyoucms | 1 Eyoucms | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in EyouCMS1.3.6 in the basic_information area. | |||||
| CVE-2018-6447 | 1 Broadcom | 1 Fabric Operating System | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A Reflective XSS Vulnerability in HTTP Management Interface in Brocade Fabric OS versions before Brocade Fabric OS v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0_CBN3, v7.4.2g could allow authenticated attackers with access to the web interface to hijack a user’s session and take over the account. | |||||
| CVE-2021-37700 | 1 Paste-markdown Project | 1 Paste-markdown | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| @github/paste-markdown is an npm package for pasting markdown objects. A self Cross-Site Scripting vulnerability exists in @github/paste-markdown before version 0.3.4. If the clipboard data contains the string `<table>`, a **div** is dynamically created, and the clipboard content is copied into its **innerHTML** property without any sanitization, resulting in improper execution of JavaScript in the browser of the victim (the user who pasted the code). Users directed to copy text from a malicious website and paste it into pages that utilize this library are affected. This is fixed in version 0.3.4. Refer to the referenced GitHub Advisory for more details including an example exploit. | |||||
| CVE-2021-36785 | 1 Miniorange | 1 Saml | 2021-08-20 | 3.5 LOW | 5.4 MEDIUM |
| The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows XSS. | |||||
| CVE-2021-35955 | 1 Contao | 1 Contao | 2021-08-20 | 3.5 LOW | 4.8 MEDIUM |
| Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7. | |||||
| CVE-2021-38087 | 1 Acronis | 1 Cyber Protect | 2021-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting (XSS) was possible on the login page in Acronis Cyber Protect 15 prior to build 27009. | |||||
| CVE-2021-36788 | 1 Yoast | 1 Yoast Seo | 2021-08-20 | 3.5 LOW | 5.4 MEDIUM |
| The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3 allows XSS. | |||||
| CVE-2021-36790 | 1 Dated News Project | 1 Dated News | 2021-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows XSS. | |||||
| CVE-2021-34640 | 1 Securimage-wp-fixed Project | 1 Securimage-wp-fixed | 2021-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.4. | |||||
| CVE-2021-38534 | 1 Netgear | 86 D3600, D3600 Firmware, D6000 and 83 more | 2021-08-19 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.76, D6000 before 1.0.0.76, D6100 before 1.0.0.60, D6200 before 1.1.00.36, D6220 before 1.0.0.52, D6400 before 1.0.0.86, D7000 before 1.0.1.70, D7000v2 before 1.0.0.53, D8500 before 1.0.3.44, DC112A before 1.0.0.42, DGN2200v4 before 1.0.0.110, DGND2200Bv4 before 1.0.0.109, DM200 before 1.0.0.61, JR6150 before 1.0.1.18, PR2000 before 1.0.0.28, R6020 before 1.0.0.42, R6050 before 1.0.1.18, R6080 before 1.0.0.42, R6220 before 1.1.0.80, R6230 before 1.1.0.80, R6250 before 1.0.4.34, R6260 before 1.1.0.64, R6300v2 before 1.0.4.34, R6400 before 1.0.1.46, R6400v2 before 1.0.2.62, R6700 before 1.0.2.6, R6700v2 before 1.2.0.36, R6700v3 before 1.0.2.62, R6800 before 1.2.0.36, R6900 before 1.0.2.4, R6900P before 1.3.1.64, R6900v2 before 1.2.0.36, R7000 before 1.0.9.60, R7000P before 1.3.1.64, R7100LG before 1.0.0.50, R7300DST before 1.0.0.70, R7450 before 1.2.0.36, R7900 before 1.0.3.8, R7900P before 1.4.1.50, R8000 before 1.0.4.28, R8000P before 1.4.1.50, R8300 before 1.0.2.130, R8500 before 1.0.2.130, WNDR3400v3 before 1.0.1.24, WNR2020 before 1.1.0.62, WNR3500Lv2 before 1.2.0.62, XR450 before 2.3.2.40, and XR500 before 2.3.2.40. | |||||
| CVE-2021-37391 | 1 Chamilo | 1 Chamilo Lms | 2021-08-19 | 3.5 LOW | 5.4 MEDIUM |
| A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php and main/inc/lib/social.lib.php, and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability in the social network's send invitation feature. | |||||
| CVE-2021-38535 | 1 Netgear | 38 Ac2100, Ac2100 Firmware, Ac2400 and 35 more | 2021-08-19 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.76, R6260 before 1.1.0.78, R6700v2 before 1.2.0.76, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6850 before 1.1.0.78, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, RAX35 before 1.0.3.62, and RAX40 before 1.0.3.62. | |||||
| CVE-2021-38536 | 1 Netgear | 38 Ac2100, Ac2100 Firmware, Ac2400 and 35 more | 2021-08-19 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.66, R6260 before 1.1.0.78, R6700v2 before 1.2.0.76, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6850 before 1.1.0.78, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, RAX35 before 1.0.3.62, and RAX40 before 1.0.3.62. | |||||
| CVE-2021-38537 | 1 Netgear | 36 Ac2100, Ac2100 Firmware, Ac2400 and 33 more | 2021-08-19 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.66, R6260 before 1.1.0.78, R6700v2 before 1.2.0.76, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6850 before 1.1.0.78, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, and RAX40 before 1.0.3.62. | |||||
| CVE-2021-32768 | 1 Typo3 | 1 Typo3 | 2021-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions failing to properly parse, sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described. | |||||
| CVE-2021-38538 | 1 Netgear | 30 D7800, D7800 Firmware, R7800 and 27 more | 2021-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.68, R8900 before 1.0.4.26, R9000 before 1.0.4.26, RAX120 before 1.0.0.78, RBK20 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK40 before 2.3.5.30, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and XR500 before 2.3.2.56. | |||||
| CVE-2021-36601 | 1 Get-simple | 1 Getsimplecms | 2021-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| GetSimpleCMS 3.3.16 contains a cross-site scripting (XSS) vulnerability, where the function TSL does not filter or check the settings.php Website URL ("siteURL") parameter. | |||||
| CVE-2021-38533 | 1 Netgear | 2 Rax40, Rax40 Firmware | 2021-08-19 | 3.5 LOW | 5.4 MEDIUM |
| NETGEAR RAX40 devices before 1.0.3.64 are affected by stored XSS. | |||||
| CVE-2017-17837 | 1 Apache | 1 Deltaspike | 2021-08-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Apache DeltaSpike-JSF 1.8.0 module has an XSS injection leak in the windowId handling. The windowId gets cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache deltaspike-1.8.1. | |||||
| CVE-2021-24495 | 1 Marmoset | 1 Marmoset Viewer | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Marmoset Viewer WordPress plugin before 1.9.3 does not properly sanitize, validate or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue. | |||||
| CVE-2021-22676 | 1 Advantech | 1 Webaccess/scada | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser action on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). | |||||
| CVE-2021-20068 | 1 Racom | 2 M!dge, M!dge Firmware | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the error handling functionality of web pages. | |||||
| CVE-2021-20070 | 1 Racom | 2 M!dge, M!dge Firmware | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the virtualization.php dialogs. | |||||
| CVE-2021-20069 | 1 Racom | 2 M!dge, M!dge Firmware | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the regionalSettings.php dialogs. | |||||
| CVE-2021-20071 | 1 Racom | 2 M!dge, M!dge Firmware | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the sms.php dialogs. | |||||
| CVE-2021-24502 | 1 Flippercode | 1 Wp Google Map | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| The WP Google Map WordPress plugin before 1.7.7 did not sanitise or escape the Map Title before outputting it in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfiltered_html capability is disallowed | |||||
