Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-34821 | 1 Aat | 1 Novus Management System | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in AAT Novus Management System through 1.51.2. The WebUI has incorrect HTTP 404 error handling implemented. A remote, unauthenticated attacker may be able to exploit the issue by sending malicious HTTP requests to non-existing URIs. The value of the URL path filename is copied into the HTML document without escaping, so tags in it are rendered as markup. | |||||
| CVE-2021-34617 | 1 Aruba | 1 Aruba Instant | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A remote cross-site scripting (XSS) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.13 and below; Aruba Instant 6.5.x: 6.5.4.13 and below; Aruba Instant 8.3.x: 8.3.0.7 and below; Aruba Instant 8.4.x: 8.4.0.5 and below; Aruba Instant 8.5.x: 8.5.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. | |||||
| CVE-2021-36772 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. | |||||
| CVE-2021-36771 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. | |||||
| CVE-2021-22723 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') through Cross-Site Request Forgery (CSRF) vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1) that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server. | |||||
| CVE-2021-24482 | 1 Never5 | 1 Related Posts | 2021-07-28 | 3.5 LOW | 4.8 MEDIUM |
| The Related Posts for WordPress plugin through 2.0.4 does not sanitise its heading_text and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Site Scripting issues. | |||||
| CVE-2021-24436 | 1 Boldgrid | 1 W3 Total Cache | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise. | |||||
| CVE-2021-24452 | 1 Boldgrid | 1 W3 Total Cache | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise. | |||||
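The two W3 Total Cache entries above are the same parameter reaching two different sinks: an HTML attribute (CVE-2021-24436) and a JavaScript string inside an inline script (CVE-2021-24452), each needing its own encoder; the Novus 404 page (CVE-2021-34821) is the third common sink, HTML text. The following is an added example, not code from W3 Total Cache, AAT Novus or this listing. The sink templates, the `trackUsage` function name and the payloads are constructed for illustration; it shows why a JSON encoder alone is not enough inside `<script>`.

```javascript
// Added example (not code from W3 Total Cache, AAT Novus, or this listing):
// one attacker-controlled value landing in three sink contexts, and the
// encoder each context actually needs. Templates and payloads are constructed.

// Encoder for HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a JavaScript string literal inside an inline <script>.
// JSON.stringify yields a valid JS literal, but the HTML tokenizer ends script
// data at the first "</script" regardless of JS quoting, so '<', '>' and '&'
// are additionally written as \uXXXX escapes.
function escapeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Sink 1: HTML text context, a 404 page echoing the requested path
// (the pattern described for CVE-2021-34821).
function notFoundPageVulnerable(path) {
  return `<h1>404: ${path} was not found</h1>`;
}
function notFoundPageHardened(path) {
  return `<h1>404: ${escapeHtml(path)} was not found</h1>`;
}

// Sink 2: quoted attribute context (CVE-2021-24436 pattern).
function attributeSinkVulnerable(extension) {
  return `<input name="extension" value="${extension}">`;
}
function attributeSinkHardened(extension) {
  return `<input name="extension" value="${escapeHtml(extension)}">`;
}

// Sink 3: JS string context inside <script> (CVE-2021-24452 pattern).
// The "naive" form is a common half-fix: correct for JS, wrong for HTML.
// trackUsage is a hypothetical page function.
function scriptSinkNaive(extension) {
  return `<script>trackUsage(${JSON.stringify(extension)});</script>`;
}
function scriptSinkHardened(extension) {
  return `<script>trackUsage(${escapeJsString(extension)});</script>`;
}

// Structural check: number of <script ...> start tags in the output.
// The templates above legitimately contain at most one.
function countScriptTags(html) {
  return (html.match(/<script[\s>]/gi) || []).length;
}

// Constructed payloads, one per context.
const PAYLOADS = {
  text: '/<img src=x onerror=alert(1)>',
  attribute: '"><script>alert(1)</script>',
  script: '</script><script>alert(1)</script>',
};

// Render every sink with its payload so the difference is visible side by side.
function demo() {
  return {
    textVulnerable: notFoundPageVulnerable(PAYLOADS.text),
    textHardened: notFoundPageHardened(PAYLOADS.text),
    attributeVulnerable: attributeSinkVulnerable(PAYLOADS.attribute),
    attributeHardened: attributeSinkHardened(PAYLOADS.attribute),
    scriptNaive: scriptSinkNaive(PAYLOADS.script),
    scriptHardened: scriptSinkHardened(PAYLOADS.script),
  };
}

console.log(demo());
```

Run it with `node` and compare the `scriptNaive` and `scriptHardened` lines: the naive output contains a second `<script>` start tag even though the JS literal is well formed, which is exactly the failure mode of escaping for the wrong context.

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|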
| CVE-2021-22706 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2021-07-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1) that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server. | |||||
| CVE-2021-22722 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2021-07-27 | 3.5 LOW | 5.4 MEDIUM |
| A CWE-79: Improper Neutralization of Input During Web Page Generation ('Stored Cross-site Scripting') vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1) that could cause code injection when importing a CSV file or changing station parameters. | |||||
| CVE-2021-3279 | 1 Fortics | 1 Szchat | 2021-07-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| sz.chat version 4 allows injection of web scripts and HTML in the message box. | |||||
| CVE-2021-34817 | 1 Etherpad | 1 Etherpad | 2021-07-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad. | |||||
| CVE-2021-36755 | 1 Cgm-remote-monitor Project | 1 Cgm-remote-monitor | 2021-07-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nightscout Web Monitor (aka cgm-remote-monitor) 14.2.2 allows XSS via a crafted X-Forwarded-For header. | |||||
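The Nightscout entry above is a reminder that request headers such as X-Forwarded-For are attacker-controlled and must not be displayed or logged raw. The following is an added example, not code from cgm-remote-monitor: it accepts the header only when the TCP peer is a known proxy, requires every hop to be a bare IP literal, and falls back to the socket address otherwise. The proxy address 10.0.0.5, the sample requests and the strict no-port, no-obfuscated-token policy are constructed assumptions for this illustration.

```javascript
// Added example (not code from Nightscout/cgm-remote-monitor): treating
// X-Forwarded-For as untrusted input. Proxy addresses, header values and the
// request records below are constructed for illustration.

// Returns 4, 6 or 0. IPv4 by strict dotted-quad regex; IPv6 by handing the
// literal to the WHATWG URL parser, which throws on malformed addresses.
function ipVersion(s) {
  const octet = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
  const v4 = new RegExp(`^${octet}(\\.${octet}){3}$`);
  if (v4.test(s)) return 4;
  if (s.includes(':') && /^[0-9a-fA-F:.]{2,45}$/.test(s)) {
    try { new URL(`http://[${s}]/`); return 6; } catch { return 0; }
  }
  return 0;
}

// Parse "client, proxy1, proxy2". Returns the hop list, or null if any hop is
// not a bare IP literal. RFC 7239 also allows ports and obfuscated tokens;
// this policy is deliberately stricter because the value will be shown/logged.
function parseForwardedFor(value, maxHops = 10) {
  if (typeof value !== 'string' || value.length > 512) return null;
  const hops = value.split(',').map((h) => h.trim());
  if (hops.length > maxHops) return null;
  return hops.every((h) => ipVersion(h) !== 0) ? hops : null;
}

// Effective client address: only believe the header when the TCP peer is one
// of our own proxies, then walk right-to-left past trusted hops. Anything
// malformed falls back to the socket address and is never echoed.
function clientAddress(remoteAddress, forwardedFor, trustedProxies) {
  if (!trustedProxies.has(remoteAddress)) return remoteAddress;
  const hops = parseForwardedFor(forwardedFor);
  if (hops === null) return remoteAddress;
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return remoteAddress;
}

// Constructed requests as a reverse proxy at 10.0.0.5 would deliver them.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);
const SAMPLE_REQUESTS = [
  { remote: '10.0.0.5', xff: '203.0.113.7, 10.0.0.5' },       // legitimate chain
  { remote: '10.0.0.5', xff: '2001:db8::1' },                 // IPv6 client
  { remote: '10.0.0.5', xff: '<script>alert(1)</script>' },   // the CVE pattern
  { remote: '198.51.100.9', xff: '203.0.113.7' },             // direct hit, header spoofed
];

// Resolve every sample request to the address that is safe to render or log.
function resolveAll(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => clientAddress(r.remote, r.xff, TRUSTED_PROXIES));
}

console.log(resolveAll());
```

Whatever `clientAddress` returns is still untrusted text at the point of rendering, so it should go through the normal HTML encoder as well; the validation here limits what can reach that encoder and, more importantly, what ends up in logs, dashboards and downstream systems that never encode at all.

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|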
| CVE-2021-3043 | 1 Paloaltonetworks | 1 Prisma Cloud | 2021-07-27 | 3.5 LOW | 4.8 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in the Prisma Cloud Compute web console that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console while an authenticated administrator is using that web interface. Prisma Cloud Compute SaaS versions were automatically upgraded to the fixed release. No additional action is required for these instances. This issue impacts: Prisma Cloud Compute 20.12 versions earlier than Prisma Cloud Compute 20.12.552; Prisma Cloud Compute 21.04 versions earlier than Prisma Cloud Compute 21.04.439. | |||||
| CVE-2020-5031 | 1 Ibm | 6 Engineering Lifecycle Optimization, Engineering Workflow Management, Rational Collaborative Lifecycle Management and 3 more | 2021-07-26 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 193738. | |||||
| CVE-2021-20507 | 1 Ibm | 7 Engineering Lifecycle Optimization, Engineering Requirements Quality Assistant On-premises, Engineering Workflow Management and 4 more | 2021-07-26 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198235. | |||||
| CVE-2020-13959 | 2 Apache, Debian | 2 Velocity Tools, Debian Linux | 2021-07-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks. | |||||
| CVE-2021-36747 | 1 Blackboard | 1 Blackboard Learn | 2021-07-23 | 3.5 LOW | 5.4 MEDIUM |
| Blackboard Learn through 9.1 allows XSS by an authenticated user via the Feedback to Learner form. | |||||
| CVE-2021-36746 | 1 Blackboard | 1 Blackboard Learn | 2021-07-23 | 3.5 LOW | 5.4 MEDIUM |
| Blackboard Learn through 9.1 allows XSS by an authenticated user via the Assignment Instructions HTML editor. | |||||
| CVE-2018-20677 | 1 Getbootstrap | 1 Bootstrap | 2021-07-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. | |||||
| CVE-2016-10735 | 1 Getbootstrap | 1 Bootstrap | 2021-07-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. | |||||
| CVE-2018-14040 | 2 Debian, Getbootstrap | 2 Debian Linux, Bootstrap | 2021-07-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. | |||||
| CVE-2018-20676 | 1 Getbootstrap | 1 Bootstrap | 2021-07-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. | |||||
| CVE-2018-14042 | 1 Getbootstrap | 1 Bootstrap | 2021-07-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. | |||||
| CVE-2018-20816 | 1 Salesagility | 1 Suitecrm | 2021-07-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed. | |||||
| CVE-2021-3111 | 1 Concretecms | 1 Concrete Cms | 2021-07-22 | 3.5 LOW | 4.8 MEDIUM |
| The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI. | |||||
| CVE-2020-35240 | 1 Fluxbb | 1 Fluxbb | 2021-07-21 | 3.5 LOW | 4.8 MEDIUM |
| FluxBB 1.5.11 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in "Blog Content"; each time any user visits the blog, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload. | |||||
| CVE-2020-25611 | 1 Mitel | 1 Micollab | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The AWV portal of Mitel MiCollab before 9.2 could allow an attacker to gain access to conference information by sending arbitrary code due to improper input validation, aka XSS. Successful exploitation could allow an attacker to view user conference information. | |||||
| CVE-2019-16385 | 1 Cybelesoft | 1 Thinfinity Virtualui | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application request to view a PDF, containing the malicious payload. This results in a reflected XSS payload being executed. | |||||
| CVE-2020-13260 | 1 Rad | 2 Secflow-1v, Secflow-1v Firmware | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of RAD SecFlow-1v through 2020-05-21 could allow an authenticated attacker to upload a JavaScript file, with a stored XSS payload, that will remain stored in the system as an OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. This payload will execute each time a user opens an affected web page. This could be exploited in conjunction with CVE-2020-13259. | |||||
| CVE-2020-23631 | 1 Wdja | 1 Wdja Cms | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site request forgery (CSRF) in admin/global/manage.php in WDJA CMS 1.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via the tongji parameter. | |||||
| CVE-2019-11547 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially lead to XSS issues. | |||||
| CVE-2019-13127 | 2 Draw, Jgraph | 2 Draw.io Diagrams, Mxgraph | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in mxGraph through 4.0.0, related to the "draw.io Diagrams" plugin before 8.3.14 for Confluence and other products. Improper input validation/sanitization of a color field leads to XSS. This is associated with javascript/examples/grapheditor/www/js/Dialogs.js. | |||||
| CVE-2020-13262 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Client-side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to issue PUT requests on behalf of other users when they click on a link. | |||||
| CVE-2020-3953 | 1 Vmware | 1 Vrealize Log Insight | 2021-07-21 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in VMware vRealize Log Insight prior to 8.1.0 due to improper Input validation. | |||||
| CVE-2020-25606 | 1 Mitel | 1 Micollab | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The AWV component of Mitel MiCollab before 9.2 could allow an attacker to view system information by sending arbitrary code due to improper input validation, aka XSS. | |||||
| CVE-2020-35677 | 1 Bigprof | 1 Online Invoicing System | 2021-07-21 | 3.5 LOW | 4.8 MEDIUM |
| BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payload. One might think this completely mitigates the privilege-escalation impact as there is only one high-privileged role. However, it was discovered that the endpoint responsible for creating the group lacks CSRF protection. | |||||
| CVE-2020-7017 | 1 Elasticsearch | 1 Kibana | 2021-07-20 | 4.6 MEDIUM | 6.7 MEDIUM |
| In Kibana versions before 6.8.11 and 7.8.1 the region map visualization contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization. | |||||
| CVE-2020-27783 | 2 Lxml, Redhat | 3 Lxml, Enterprise Linux, Software Collections | 2021-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. | |||||
| CVE-2017-14735 | 1 Antisamy Project | 1 Antisamy | 2021-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of `&colon;` to construct a javascript: URL. | |||||
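The AntiSamy entry (CVE-2017-14735) and the lxml entry above (CVE-2020-27783) are the same class of bug: the sanitizer decides on a representation that differs from what the browser will decode. The following is an added example, not AntiSamy or lxml code. It decodes HTML entities (a small hand-picked subset of the HTML5 named table, labelled as such) and applies the whitespace stripping of the WHATWG URL parser before checking the scheme against an allowlist, and sets that beside the substring check the CVE says was bypassed. The sample hrefs and the allowlist are constructed.

```javascript
// Added example (not AntiSamy or lxml code): a URL-scheme check that decodes
// HTML entities the way a browser would before deciding. The entity table is
// a deliberately small subset and the href samples are constructed.

// Subset of HTML5 named entities relevant to scheme smuggling. A production
// decoder needs the full table and the legacy no-semicolon forms (e.g. "&lt").
const NAMED_ENTITIES = {
  colon: ':', sol: '/', num: '#', Tab: '\t', NewLine: '\n',
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
};

// Decode &name; , &#NNN; and &#xHHH; . Unknown names are left as written,
// which is also what browsers do for unrecognised names.
function decodeHtmlEntities(s) {
  return String(s).replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g,
    (whole, hex, dec, name) => {
      if (name !== undefined) {
        return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
          ? NAMED_ENTITIES[name] : whole;
      }
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      const invalid = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
      return invalid ? '\ufffd' : String.fromCodePoint(cp);
    });
}

// What the WHATWG URL parser does before it looks at the scheme: remove ASCII
// tab/LF/CR anywhere, then trim leading/trailing C0 controls and space.
function normalizeUrl(s) {
  return s.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// The kind of check the CVE describes as bypassable: a test on the raw attribute.
function naiveIsSafeHref(href) {
  return !String(href).trim().toLowerCase().startsWith('javascript:');
}

// Decode, normalize, then allowlist the scheme. Scheme-less (relative) URLs pass.
function isSafeHref(href) {
  const url = normalizeUrl(decodeHtmlEntities(href));
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  if (m === null) return true;
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed hrefs: the first three are legitimate, the rest smuggle a scheme.
const SAMPLE_HREFS = [
  'https://example.com/page',
  '/relative/path',
  'mailto:sec@example.com',
  'javascript&colon;alert(1)',                  // CVE-2017-14735 pattern
  'java&Tab;script:alert(1)',                   // entity that decodes to a tab
  '&#106;avascript:alert(1)',                   // numeric entity for "j"
  ' JAVASCRIPT:alert(1)',                       // case and leading space
  'data:text/html,<script>alert(1)</script>',   // non-allowlisted scheme
];

// Run both checks over the samples so the bypasses are visible side by side.
function compareChecks(hrefs = SAMPLE_HREFS) {
  return hrefs.map((h) => ({ href: h, naive: naiveIsSafeHref(h), hardened: isSafeHref(h) }));
}

console.table(compareChecks());
```

The order matters: decoding before scheme extraction is what closes the `&colon;` case, and the tab/newline stripping is what closes `java&Tab;script:`. A sanitizer that re-serializes the attribute afterwards should emit the decoded and normalized value, not the original text, so that its decision and the browser's parse are of the same string.

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|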
| CVE-2020-1941 | 2 Apache, Oracle | 7 Activemq, Communications Diameter Signaling Router, Communications Element Manager and 4 more | 2021-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. | |||||
| CVE-2021-33710 | 1 Siemens | 1 Teamcenter Active Workspace | 2021-07-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Teamcenter Active Workspace V4 (All versions < V4.3.9), Teamcenter Active Workspace V5.0 (All versions < V5.0.7), Teamcenter Active Workspace V5.1 (All versions < V5.1.4). A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the affected devices that could allow an attacker to execute malicious JavaScript code by tricking users into accessing a malicious link. | |||||
| CVE-2020-18664 | 1 Webport | 1 Web Port | 2021-07-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in WebPort <= 1.19.1 via the connection name parameter in type-conn. | |||||
| CVE-2021-22227 | 1 Gitlab | 1 Gitlab | 2021-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it. | |||||
| CVE-2021-35451 | 1 Teradici | 1 Pcoip Management Console | 2021-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Teradici PCoIP Management Console-Enterprise 20.07.0, an unauthenticated user can inject arbitrary text into user browser via the Web application. | |||||
| CVE-2020-24145 | 1 Cminds | 1 Cm Download Manager | 2021-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted deletescreenshot action. | |||||
| CVE-2020-25925 | 1 Icewarp | 1 Webclient | 2021-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Webmail Calendar in IceWarp WebClient 10.3.5 allows remote attackers to inject arbitrary web script or HTML via the "p4" field. | |||||
| CVE-2021-22225 | 1 Gitlab | 1 Gitlab | 2021-07-09 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via specially crafted markdown. | |||||
| CVE-2021-24494 | 1 Deliciousbrains | 1 Wp Offload Ses Lite | 2021-07-09 | 3.5 LOW | 5.4 MEDIUM |
| The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for example. The XSS will be executed in the context of a logged in admin viewing the Activity tab of the plugin. | |||||
| CVE-2021-27930 | 1 Irislink | 1 Irisnext | 2021-07-09 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored XSS vulnerabilities in IrisNext Edition 9.5.16 allow an authenticated (or compromised) user to inject malicious JavaScript in a folder or file name within the application in order to grab other users' sessions or execute malicious code in their browsers (1-click RCE). | |||||
