Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21422 | 1 Mongo-express Project | 1 Mongo-express | 2021-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell. 2: Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc. As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use a payload with embedded javascript. This could send an export of a collection to the attacker without even an admin knowing. Other types of attacks such as dropping a database\collection are possible. | |||||
| CVE-2016-5078 | 1 Paessler | 1 Prtg Network Monitor | 2021-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Paessler PRTG before 16.2.24.4045 has XSS via SNMP. | |||||
| CVE-2018-14683 | 1 Paessler | 1 Prtg Network Monitor | 2021-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| PRTG before 19.1.49.1966 has Cross Site Scripting (XSS) in the WEBGUI. | |||||
| CVE-2021-20741 | 1 Hitachi | 1 Application Server V10 Manual | 2021-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Hitachi Application Server Help (Hitachi Application Server V10 Manual (Windows) version 10-11-01 and earlier and Hitachi Application Server V10 Manual (UNIX) version 10-11-01 and earlier) allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2020-18661 | 1 Gnuboard | 1 Gnuboard5 | 2021-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in gnuboard5 <=v5.3.2.8 via the url parameter to bbs/login.php. | |||||
| CVE-2020-18663 | 1 Gnuboard | 1 Gnuboard5 | 2021-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in gnuboard5 <=v5.3.2.8 via the act parameter in bbs/move_update.php. | |||||
| CVE-2021-26078 | 1 Atlassian | 2 Data Center, Jira | 2021-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. | |||||
| CVE-2020-18657 | 1 Get-simple | 1 Getsimplecms | 2021-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in GetSimpleCMS <= 3.3.15 in admin/changedata.php via the redirect_url parameter and the headers_sent function. | |||||
| CVE-2020-23962 | 1 Catfish-cms | 1 Catfish Cms | 2021-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability in Catfish CMS 4.9.90 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "announcement_gonggao" parameter. | |||||
| CVE-2020-18659 | 1 Get-simple | 1 Getsimplecms | 2021-06-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in GetSimpleCMS <=3.3.15 via the (1) sitename, (2) username, and (3) email parameters to /admin/setup.php | |||||
| CVE-2020-18658 | 1 Get-simple | 1 Getsimplecms | 2021-06-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scriptiong (XSS) vulnerability in GetSimpleCMS <=3.3.15 via the timezone parameter to settings.php. | |||||
| CVE-2020-20389 | 1 Get-simple | 1 Getsimplecms | 2021-06-25 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in GetSimpleCMS 3.4.0a in admin/edit.php. | |||||
| CVE-2021-28977 | 1 Get-simple | 1 Getsimplecms | 2021-06-25 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting vulnerability in GetSimpleCMS 3.3.16 in admin/upload.php by adding comments or jpg and other file header information to the content of xla, pages, and gzip files, | |||||
| CVE-2020-20391 | 1 Get-simple | 1 Getsimplecms | 2021-06-25 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in GetSimpleCMS 3.4.0a in admin/snippets.php via (1) Add Snippet and (2) Save snippets. | |||||
| CVE-2010-4264 | 1 Vanillaforums | 1 Vanilla Forums | 2021-06-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| It was found in vanilla forums before 2.0.10 a cross-site scripting vulnerability where a filename could contain arbitrary code to execute on the client side. | |||||
| CVE-2021-24369 | 1 Ayecode | 1 Getpaid | 2021-06-25 | 3.5 LOW | 5.4 MEDIUM |
| In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation. | |||||
| CVE-2021-34243 | 1 Icehrm | 1 Icehrm | 2021-06-25 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to execute arbitrary web scripts or HTML via a crafted file uploaded into the Document Management tab. The exploit is triggered when a user visits the upload location of the crafted file. | |||||
| CVE-2021-35045 | 1 Icehrm | 1 Icehrm | 2021-06-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint. | |||||
| CVE-2021-24378 | 1 Autoptimize | 1 Autoptimize | 2021-06-25 | 3.5 LOW | 4.8 MEDIUM |
| The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html inside the plugin directory. | |||||
| CVE-2021-24373 | 1 Getastra | 1 Wp Hardening | 2021-06-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24372 | 1 Getastra | 1 Wp Hardening | 2021-06-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the $_SERVER['REQUEST_URI'] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24367 | 1 Wp Config File Editor Project | 1 Wp Config File Editor | 2021-06-25 | 3.5 LOW | 5.4 MEDIUM |
| The WP Config File Editor WordPress plugin through 1.7.1 was affected by an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24366 | 1 Admincolumns | 1 Admin Columns | 2021-06-25 | 3.5 LOW | 5.4 MEDIUM |
| The Admin Columns Free WordPress plugin before 4.3 and Admin Columns Pro WordPress plugin before 5.5.1, rendered input on the posted pages with improper input validation on the value passed into the field 'Label' parameter, by taking this as an advantage an authenticated attacker can supply a crafted arbitrary script and execute it. | |||||
| CVE-2021-24364 | 1 Tielabs | 1 Jannah | 2021-06-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24383 | 1 Codecabin | 1 Wp Google Maps | 2021-06-25 | 3.5 LOW | 5.4 MEDIUM |
| The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24368 | 1 Expresstech | 1 Quiz And Survey Master | 2021-06-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link | |||||
| CVE-2021-35438 | 1 Phpipam | 1 Phpipam | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator. | |||||
| CVE-2021-24339 | 1 Podsfoundation | 1 Pods | 2021-06-24 | 3.5 LOW | 5.4 MEDIUM |
| The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Menu Label' field parameter. | |||||
| CVE-2021-24338 | 1 Podsfoundation | 1 Pods | 2021-06-24 | 3.5 LOW | 5.4 MEDIUM |
| The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Singular Label' field parameter. | |||||
| CVE-2020-19511 | 1 Typesettercms | 1 Typesetter | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes, | |||||
| CVE-2016-10256 | 1 Broadcom | 1 Symantec Proxysg | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Symantec ProxySG 6.5 (prior to 6.5.10.6), 6.6, and 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to inject arbitrary JavaScript code into the management console web client application. This is a separate vulnerability from CVE-2016-10257. | |||||
| CVE-2021-20734 | 1 Collne | 1 Welcart | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2021-20742 | 1 Ec-cube | 2 Business Form Output, Ec-cube | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in EC-CUBE Business form output plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1 allows a remote attacker to inject an arbitrary script via unspecified vector. | |||||
| CVE-2021-20743 | 1 Ec-cube | 2 Ec-cube, Email Newsletters Management | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in EC-CUBE Email newsletters management plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.4 allows a remote attacker to inject an arbitrary script by leading a user to a specially crafted page and to perform a specific operation. | |||||
| CVE-2021-20744 | 1 Ec-cube | 2 Business Form Output, Ec-cube | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in EC-CUBE Category contents plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1 allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation. | |||||
| CVE-2021-32536 | 1 Mcusystem | 1 Mcusystem | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The login page in the MCUsystem does not filter with special characters, which allows remote attackers can inject JavaScript without privilege and thus perform reflected XSS attacks. | |||||
| CVE-2015-2973 | 1 Collne | 1 Welcart | 2021-06-24 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) includes/member_edit_form.php, (6) includes/order_edit_form.php, (7) includes/order_list.php, or (8) includes/usces_item_master_list.php, related to admin.php. | |||||
| CVE-2021-32426 | 1 Trendnet | 2 Tw100-s4w1ca, Tw100-s4w1ca Firmware | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject arbitrary JavaScript into the router's web interface via the "echo" command. | |||||
| CVE-2020-18654 | 1 Wuzhicms | 1 Wuzhicms | 2021-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Wuzhi CMS v4.1.0 allows remote attackers to execute arbitrary code via the "Title" parameter in the component "/coreframe/app/guestbook/myissue.php". | |||||
| CVE-2021-1571 | 1 Cisco | 18 Sf220-24, Sf220-24 Firmware, Sf220-24p and 15 more | 2021-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an attacker to do the following: Hijack a user session Execute arbitrary commands as a root user on the underlying operating system Conduct a cross-site scripting (XSS) attack Conduct an HTML injection attack For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-32683 | 1 Wire | 1 Wire-webapp | 2021-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| wire-webapp is the web version of Wire, an open-source messenger. A cross-site scripting vulnerability exists in wire-webapp prior to version 2021-06-01-production.0. If a user is instructed to open an image in a new tab (right click -> open in new tab, or copy the URL and paste it in the URL bar), an the image payload is executed on the domain hosting the app (app.wire.com). In particular, if an image contains malicious code in addition to the actual picture, this code is executed on app.wire.com. This allows the attacker to fully control the user account. The vulnerability was patched in version 2021-06-01-production.0. As a workaround, users should not try to open image URLs. | |||||
| CVE-2018-10609 | 1 Martem | 4 Telem-gw6, Telem-gw6 Firmware, Telem-gwm and 1 more | 2021-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-601cb47 and prior allow improper sanitization of data over a Websocket which may allow cross-site scripting and client-side code execution with target user privileges. | |||||
| CVE-2021-32245 | 1 Pagekit | 1 Pagekit | 2021-06-23 | 3.5 LOW | 5.4 MEDIUM |
| In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" that will point to http://localhost/pagekit/storage/exp.svg. When a user comes along to click that link, it will trigger a XSS attack. | |||||
| CVE-2021-32681 | 1 Torchbox | 1 Wagtail | 2021-06-23 | 3.5 LOW | 5.4 MEDIUM |
| Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`. | |||||
| CVE-2020-2495 | 1 Qnap | 2 Qts, Quts Hero | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later | |||||
| CVE-2020-2496 | 1 Qnap | 2 Qts, Quts Hero | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later | |||||
| CVE-2020-2497 | 1 Qnap | 2 Qts, Quts Hero | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in System Connection Logs. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later | |||||
| CVE-2021-24382 | 1 Nextendweb | 1 Smart Slider | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesser privileged users to access the plugin's functionality, in which case, privilege escalation could be performed. | |||||
| CVE-2021-3535 | 1 Rapid7 | 1 Nexpose | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. This issue affects version 6.6.80 and prior, and is fixed in 6.6.81. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to the latest version. | |||||
| CVE-2019-25047 | 1 Greenbone | 2 Greenbone Os, Greenbone Security Assistant | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Greenbone Security Assistant (GSA) before 8.0.2 and Greenbone OS (GOS) before 5.0.10 allow XSS during 404 URL handling in gsad. | |||||