Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24387 | 1 Contempothemes | 1 Real Estate 7 | 2021-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticated or authenticated user context | |||||
| CVE-2021-22223 | 1 Gitlab | 1 Gitlab | 2021-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link | |||||
| CVE-2021-24386 | 1 Kubiq | 1 Wp Svg Images | 2021-07-09 | 3.5 LOW | 5.4 MEDIUM |
| The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such upload to editors and admin, with an option to also allow author to do so. The description of the plugin has also been updated with a security warning as upload of such content is intended. | |||||
| CVE-2021-34625 | 1 Wp-upload-restriction Project | 1 Wp-upload-restriction | 2021-07-08 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the saveCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to inject arbitrary web scripts. This issue affects versions 2.2.3 and prior. | |||||
| CVE-2021-36212 | 1 Misp | 1 Misp | 2021-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. | |||||
| CVE-2021-34190 | 1 Issabel | 1 Pbx | 2021-07-08 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in index.php?menu=billing_rates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Name" or "Prefix" fields under the "Create New Rate" module. | |||||
| CVE-2020-23697 | 1 Monstra | 1 Monstra Cms | 2021-07-08 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Monstra CMS 3.0.4 via the page feature in admin/index.php. | |||||
| CVE-2021-33192 | 1 Apache | 1 Jena Fuseki | 2021-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary javascript on certain page views. This issue affects Apache Jena Fuseki from version 2.0.0 to version 4.0.0 (inclusive). | |||||
| CVE-2017-13678 | 1 Broadcom | 2 Advanced Secure Gateway, Symantec Proxysg | 2021-07-08 | 3.5 LOW | 4.8 MEDIUM |
| Stored XSS vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can inject arbitrary JavaScript code in the management console web client application. | |||||
| CVE-2018-18370 | 1 Broadcom | 2 Advanced Secure Gateway, Symantec Proxysg | 2021-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser. A stored cross-site scripting (XSS) vulnerability in the WebFTP mode allows a remote attacker to inject malicious JavaScript code in ASG/ProxySG's web listing of a remote FTP server. Exploiting the vulnerability requires the attacker to be able to upload crafted files to the remote FTP server. Affected versions: ASG 6.6 and 6.7 prior to 6.7.4.2; ProxySG 6.5 prior to 6.5.10.15, 6.6, and 6.7 prior to 6.7.4.2. | |||||
| CVE-2016-10257 | 1 Broadcom | 2 Advanced Secure Gateway, Symantec Proxysg | 2021-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 (prior to 6.7.2.1), ProxySG 6.5 (prior to 6.5.10.6), ProxySG 6.6, and ProxySG 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to inject arbitrary JavaScript code into the management console web client application. This is a separate vulnerability from CVE-2016-10256. | |||||
| CVE-2021-20750 | 1 Ec-cube | 1 Ec-cube | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation. | |||||
| CVE-2021-20751 | 1 Ec-cube | 1 Ec-cube | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation. | |||||
| CVE-2021-20749 | 1 Nendeb | 3 Fudousan Plugin, Fudousan Plugin Pro Multi-user, Fudousan Plugin Pro Single-user | 2021-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Fudousan plugin ver5.7.0 and earlier, Fudousan Plugin Pro Single-User Type ver5.7.0 and earlier, and Fudousan Plugin Pro Multi-User Type ver5.7.0 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-24407 | 1 Tielabs | 1 Jannah | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action, leading to a Reflected Cross-site Scripting (XSS) vulnerability. | |||||
| CVE-2021-35440 | 1 Smashing Project | 1 Smashing | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Smashing 1.3.4 is vulnerable to Cross Site Scripting (XSS). A URL for a widget can be crafted and used to execute JavaScript on the victim's computer. The JavaScript code can then steal data available in the session/cookies; depending on the user environment (e.g. if re-using internal URLs for deploying, or cookies that are very permissive), private information may be retrieved by the attacker. | |||||
| CVE-2021-26035 | 1 Joomla | 1 Joomla! | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to a XSS vulnerability. | |||||
| CVE-2020-22251 | 1 Phplist | 1 Phplist | 2021-07-07 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin. | |||||
| CVE-2021-26039 | 1 Joomla | 1 Joomla! | 2021-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability. | |||||
| CVE-2021-36130 | 1 Mediawiki | 1 Mediawiki | 2021-07-07 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could easily propagate across many pages for many users. | |||||
| CVE-2021-36131 | 1 Mediawiki | 1 Mediawiki | 2021-07-07 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users. | |||||
| CVE-2020-4935 | 2 Ibm, Microsoft | 2 Datacap Navigator, Windows | 2021-07-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Datacap Fastdoc Capture (IBM Datacap Navigator 9.1.7 ) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191753. | |||||
| CVE-2021-28803 | 1 Qnap | 1 Q'center | 2021-07-07 | 3.5 LOW | 5.4 MEDIUM |
| This issue affects: QNAP Systems Inc. Q'center versions prior to 1.11.1004. | |||||
| CVE-2021-20752 | 1 Ikalka Rss Reader Project | 1 Ikalka Rss Reader | 2021-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in IkaIka RSS Reader all versions allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-32735 | 1 Getkirby | 1 Kirby | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form. | |||||
| CVE-2020-36196 | 1 Qnap | 1 Qulog Center | 2021-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored XSS vulnerability has been reported to affect QNAP NAS running QuLog Center. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QuLog Center versions prior to 1.2.0. | |||||
| CVE-2020-36194 | 1 Qnap | 2 Qts, Quts Hero | 2021-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.2.1566 Build 20210202. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 build 20210414. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. | |||||
| CVE-2021-27902 | 1 Craftcms | 1 Craft Cms | 2021-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. | |||||
| CVE-2021-35956 | 1 Akcp | 10 Sensorprobe2, Sensorprobe2 Firmware, Sensorprobe4 and 7 more | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields. | |||||
| CVE-2020-23205 | 1 Monstra | 1 Monstra Cms | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site Name" field under the "Site Settings" module. | |||||
| CVE-2020-23179 | 1 Php-fusion | 1 Php-fusion | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site footer" field. | |||||
| CVE-2020-23181 | 1 Php-fusion | 1 Php-fusion | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Manage Theme" field. | |||||
| CVE-2020-23184 | 1 Php-fusion | 1 Php-fusion | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Registration" field. | |||||
| CVE-2020-23185 | 1 Php-fusion | 1 Php-fusion | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2020-23209 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "List Description" field under the "Edit A List" module. | |||||
| CVE-2020-23208 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Send test" field under the "Start or continue campaign" module. | |||||
| CVE-2020-23207 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Edit Values" field under the "Configure Attributes" module. | |||||
| CVE-2020-23190 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in the "Import emails" module in phplist 3.5.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2020-23214 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Configure categories" field under the "Categorise Lists" module. | |||||
| CVE-2020-23217 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add a list" field under the "Import Emails" module. | |||||
| CVE-2020-23192 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload in the "admin" parameter under the "Manage administrators" module. | |||||
| CVE-2020-23194 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in the "Import Subscribers" feature in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2020-36396 | 1 Lavalite | 1 Lavalite | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | |||||
| CVE-2020-36395 | 1 Lavalite | 1 Lavalite | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | |||||
| CVE-2020-36397 | 1 Lavalite | 1 Lavalite | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | |||||
| CVE-2020-36398 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "Campaign" field under the "Send a campaign" module. | |||||
| CVE-2020-36399 | 1 Phplist | 1 Phplist | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "rule1" parameter under the "Bounce Rules" module. | |||||
| CVE-2020-36408 | 1 Cmsmadesimple | 1 Cms Made Simple | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Shortcut" parameter under the "Manage Shortcuts" module. | |||||
| CVE-2020-36409 | 1 Cmsmadesimple | 1 Cms Made Simple | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Category" parameter under the "Categories" module. | |||||
| CVE-2020-36411 | 1 Cmsmadesimple | 1 Cms Made Simple | 2021-07-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Path for the {page_image} tag:" or "Path for thumbnail field:" parameters under the "Content Editing Settings" module. | |||||
