Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-21130 | 1 Hisiphp | 1 Hisiphp | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in HisiPHP 2.0.8 via the group name in addgroup.html. | |||||
| CVE-2020-21517 | 1 Metinfo | 1 Metinfo | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in MetInfo 7.0.0 via the gourl parameter in login.php. | |||||
| CVE-2021-27887 | 1 Hitachiabb-powergrids | 1 Ellipse Asset Performance Management | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids Ellipse APM 5.3 version 5.3.0.1 and prior versions; 5.2 version 5.2.0.3 and prior versions; 5.1 version 5.1.0.6 and prior versions. | |||||
| CVE-2020-19202 | 1 Ipfire | 1 Ipfire | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated Stored XSS (Cross-site Scripting) exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 (x86_64) - Core Update 130. It allows an authenticated WebGUI user with privileges to execute Stored Cross-site Scripting in the Captive Portal page. | |||||
| CVE-2017-6225 | 2 Broadcom, Brocade | 2 Fabric Operating System, Fabric Os | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the web-based management interface of Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) versions before 7.4.2b, 8.1.2 and 8.2.0 could allow remote attackers to execute arbitrary code or access sensitive browser-based information. | |||||
| CVE-2020-35373 | 1 Fiyo | 1 Fiyo Cms | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Fiyo CMS 2.0.6.1, the 'tag' parameter results in an unauthenticated XSS attack. | |||||
| CVE-2020-29215 | 1 Employee Management System Project | 1 Employee Management System | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| A Cross Site Scripting in SourceCodester Employee Management System 1.0 allows the user to execute alert messages via /Employee Management System/addemp.php on admin account. | |||||
| CVE-2021-21668 | 1 Jenkins | 1 Scriptler | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission. | |||||
| CVE-2021-21667 | 1 Jenkins | 1 Scriptler | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission. | |||||
| CVE-2021-1395 | 1 Cisco | 4 Packaged Contact Center Enterprise, Unified Contact Center Enterprise, Unified Contact Center Express and 1 more | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-5000 | 1 Ibm | 1 Financial Transaction Manager | 2021-06-22 | 3.5 LOW | 5.4 MEDIUM |
| IBM Financial Transaction Manager 3.0.2 and 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192952. | |||||
| CVE-2020-21316 | 1 Zrlog | 1 Zrlog | 2021-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability exists in the comment section in ZrLog 2.1.3, which allows remote attackers to inject arbitrary web script and stolen administrator cookies via the nickname parameter and gain access to the admin panel. | |||||
| CVE-2021-26834 | 1 Znote | 1 Znote | 2021-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in Znote 0.5.2. An attacker can insert payloads, and the code execution will happen immediately on markdown view mode. | |||||
| CVE-2021-26835 | 1 Zettlr | 1 Zettlr | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| No filtering of cross-site scripting (XSS) payloads in the markdown-editor in Zettlr 1.8.7 allows attackers to perform remote code execution via a crafted file. | |||||
| CVE-2021-33347 | 1 Jpress | 1 Jpress | 2021-06-21 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in JPress v3.3.0 and below. There are XSS vulnerabilities in the template module and tag management module. If you log in to the background by means of weak password, the storage XSS vulnerability can occur. | |||||
| CVE-2021-31521 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2021-06-21 | 3.5 LOW | 5.4 MEDIUM |
| Trend Micro InterScan Web Security Virtual Appliance version 6.5 was found to have a reflected cross-site scripting (XSS) vulnerability in the product's Captive Portal. | |||||
| CVE-2021-33666 | 1 Sap | 1 Commerce Cloud | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation. | |||||
| CVE-2021-34815 | 1 Checksec | 1 Canopy | 2021-06-21 | 3.5 LOW | 4.8 MEDIUM |
| CheckSec Canopy before 3.5.2 allows XSS attacks against the login page via the LOGIN_PAGE_DISCLAIMER parameter. | |||||
| CVE-2018-12715 | 1 Digisol | 2 Dg-hr3400, Dg-hr3400 Firmware | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| DIGISOL DG-HR3400 devices have XSS via a modified SSID when the apssid value is unchanged. | |||||
| CVE-2021-24346 | 1 Stock In \& Out Project | 1 Stock In \& Out | 2021-06-21 | 3.5 LOW | 5.4 MEDIUM |
| The Stock in & out WordPress plugin through 1.0.4 has a search functionality, the lowest accessible level to it being contributor. The srch POST parameter is not validated, sanitised or escaped before using it in the echo statement, leading to a reflected XSS issue | |||||
| CVE-2020-13688 | 1 Drupal | 1 Drupal | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6. | |||||
| CVE-2021-26829 | 1 Openplcproject | 1 Scadabr | 2021-06-21 | 3.5 LOW | 5.4 MEDIUM |
| OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. | |||||
| CVE-2021-34540 | 1 Advantech | 1 Webaccess | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Advantech WebAccess 8.4.2 and 8.4.4 allows XSS via the username column of the bwRoot.asp page of WADashboard. | |||||
| CVE-2018-19942 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QTS 4.5.1.1456 build 20201015 (and later) QTS 4.3.6.1446 build 20200929 (and later) QTS 4.3.4.1463 build 20201006 (and later) QTS 4.3.3.1432 build 20201006 (and later) QTS 4.2.6 build 20210327 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) QuTScloud c4.5.4.1601 build 20210309 (and later) QuTScloud c4.5.3.1454 build 20201013 (and later) | |||||
| CVE-2021-24351 | 1 Posimyth | 1 The Plus Addons For Elementor | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users) | |||||
| CVE-2021-32244 | 1 Moodle | 1 Moodle | 2021-06-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field. | |||||
| CVE-2021-27479 | 1 Zoll | 1 Defibrillator Dashboard | 2021-06-21 | 3.5 LOW | 5.4 MEDIUM |
| ZOLL Defibrillator Dashboard, v prior to 2.2,The affected product’s web application could allow a low privilege user to inject parameters to contain malicious scripts to be executed by higher privilege users. | |||||
| CVE-2021-33557 | 1 Mantisbt | 1 Mantisbt | 2021-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field. | |||||
| CVE-2021-24357 | 1 Fooplugins | 1 Foogallery | 2021-06-18 | 3.5 LOW | 5.4 MEDIUM |
| In the Best Image Gallery & Responsive Photo Gallery – FooGallery WordPress plugin before 2.0.35, the Custom CSS field of each gallery is not properly sanitised or validated before being being output in the page where the gallery is embed, leading to a stored Cross-Site Scripting issue. | |||||
| CVE-2021-24350 | 1 Bestwebsoft | 1 Visitors Online | 2021-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Visitors WordPress plugin through 0.3 is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel. | |||||
| CVE-2020-35761 | 1 Bloofox | 1 Bloofoxcms | 2021-06-17 | 3.5 LOW | 5.4 MEDIUM |
| bloofoxCMS 0.5.2.1 is infected with XSS that allows remote attackers to execute arbitrary JS/HTML Code. | |||||
| CVE-2021-23848 | 1 Bosch | 10 Cpp13, Cpp13 Firmware, Cpp4 and 7 more | 2021-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An error in the URL handler Bosch IP cameras may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user. | |||||
| CVE-2019-25046 | 1 Cerberusftp | 1 Ftp Server | 2021-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Web Client in Cerberus FTP Server Enterprise before 10.0.19 and 11.x before 11.0.4 allows XSS via an SVG document. | |||||
| CVE-2019-17573 | 2 Apache, Oracle | 7 Cxf, Commerce Guided Search, Communications Element Manager and 4 more | 2021-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable. | |||||
| CVE-2020-22789 | 1 Safe | 1 Fme Server | 2021-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page. The XSS is executed when an administrator accesses the logs. | |||||
| CVE-2020-22790 | 1 Safe | 1 Fme Server | 2021-06-17 | 3.5 LOW | 5.4 MEDIUM |
| Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute codeby injecting arbitrary web script or HTML via modifying the name of the users. The XSS is executed when an administrator access the logs. | |||||
| CVE-2021-23854 | 1 Bosch | 8 Cpp13, Cpp13 Firmware, Cpp6 and 5 more | 2021-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An error in the handling of a page parameter in Bosch IP cameras may lead to a reflected cross site scripting (XSS) in the web-based interface. This issue only affects versions 7.7x and 7.6x. All other versions are not affected. | |||||
| CVE-2021-32671 | 1 Flarum | 1 Flarum | 2021-06-17 | 4.3 MEDIUM | 10.0 CRITICAL |
| Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made after v0.1.0-beta.16 (our last beta before v1.0.0) and was not noticed or documented. This allowed for any user to type malicious HTML markup within certain user input fields and have this execute on client browsers. The example which led to the discovery of this vulnerability was in the forum search box. Entering faux-malicious HTML markup, such as <script>alert('test')</script> resulted in an alert box appearing on the forum. This attack could also be modified to perform AJAX requests on behalf of a user, possibly deleting discussions, modifying their settings or profile, or even modifying settings on the Admin panel if the attack was targetted towards a privileged user. All Flarum communities that run flarum v1.0.0 or v1.0.1 are impacted. The vulnerability has been fixed and published as flarum/core v1.0.2. All communities running Flarum v1.0 have to upgrade as soon as possible to v1.0.2. | |||||
| CVE-2021-32091 | 1 Localstack | 1 Localstack | 2021-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability exists in StackLift LocalStack 0.12.6. | |||||
| CVE-2020-24662 | 1 Smartstream | 1 Transaction Lifecycle Management Reconciliations-premium | 2021-06-16 | 3.5 LOW | 5.4 MEDIUM |
| SmartStream Transaction Lifecycle Management (TLM) Reconciliation Premium (RP) <3.1.0 allows XSS. This was fixed in TLM RP 3.1.0. | |||||
| CVE-2021-32641 | 1 Auth0 | 1 Lock | 2021-06-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1. | |||||
| CVE-2016-6812 | 1 Apache | 1 Cxf | 2021-06-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client. | |||||
| CVE-2021-29049 | 1 Liferay | 1 Dxp | 2021-06-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter. | |||||
| CVE-2021-33665 | 1 Sap | 1 Netweaver Application Server Abap | 2021-06-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-33664 | 1 Sap | 1 Netweaver Application Server Abap | 2021-06-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-27615 | 1 Sap | 1 Manufacturing Execution | 2021-06-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP Manufacturing Execution versions - 15.1, 1.5.2, 15.3, 15.4, does not contain some HTTP security headers in their HTTP response. The lack of these headers in response can be exploited by the attacker to execute Cross-Site Scripting (XSS) attacks. | |||||
| CVE-2021-26079 | 1 Atlassian | 2 Data Center, Jira | 2021-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. | |||||
| CVE-2021-21666 | 1 Jenkins | 1 Kiuwan | 2021-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2021-3529 | 1 Redhat | 2 Noobaa-operator, Openshift Container Platform | 2021-06-15 | 6.8 MEDIUM | 7.1 HIGH |
| A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrarily URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity. | |||||
| CVE-2021-21490 | 1 Sap | 1 Netweaver As Abap | 2021-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user. | |||||