Total: 20468 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26517 | 1 Intland | 1 Codebeamer Application Lifecycle Management | 2021-06-15 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. It is possible to perform XSS attacks through using the WebDAV functionality to upload files to a project (Authn users), using the users import functionality (Admin only), and changing the login text in the application configuration (Admin only). | |||||
| CVE-2019-17632 | 1 Eclipse | 1 Jetty | 2021-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output. | |||||
| CVE-2018-14041 | 1 Getbootstrap | 1 Bootstrap | 2021-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. | |||||
| CVE-2021-32670 | 1 Datasette | 1 Datasette | 2021-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters. | |||||
| CVE-2021-28382 | 1 Zohocorp | 1 Manageengine Key Manager Plus | 2021-06-14 | 3.5 LOW | 5.4 MEDIUM |
| Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD. | |||||
| CVE-2021-24344 | 1 Easy Preloader Project | 1 Easy Preloader | 2021-06-14 | 3.5 LOW | 4.8 MEDIUM |
| The Easy Preloader WordPress plugin through 1.0.0 does not sanitise its setting fields, leading to authenticated (admin+) Stored Cross-Site Scripting issues. | |||||
| CVE-2020-26885 | 1 2sic | 1 2sxc | 2021-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in 2sic 2sxc before 11.22. A XSS vulnerability in the sxcver parameter of dnn/ui.html allows an attacker to craft a malicious URL that executes a JavaScript payload in a victim's browser. | |||||
| CVE-2021-24313 | 1 Goprayer | 1 Wp Prayer | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| The WP Prayer WordPress plugin before 1.6.2 provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to request prayers or praises has several fields. The 'prayer request' and 'praise request' fields do not use proper input validation and can be used to store XSS payloads. | |||||
| CVE-2021-24331 | 1 Smooth Scroll Page Up\/down Buttons Project | 1 Smooth Scroll Page Up\/down Buttons | 2021-06-11 | 3.5 LOW | 4.8 MEDIUM |
| The Smooth Scroll Page Up/Down Buttons WordPress plugin before 1.4 did not properly sanitise and validate its settings, such as psb_distance, psb_buttonsize, psb_speed, only validating them client side. This could allow high privilege users (such as admin) to set XSS payloads in them. | |||||
| CVE-2021-24334 | 1 Connekthq | 1 Instant Images - One Click Unsplash Uploads | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2020-24663 | 1 Tracefinanacial | 1 Crestbridge | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| Trace Financial CRESTBridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03. | |||||
| CVE-2020-24668 | 1 Tracefinancial | 1 Crestbridge | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| Trace Financial Crest Bridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03. | |||||
| CVE-2021-24317 | 1 Purethemes | 1 Listeo | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues. | |||||
| CVE-2021-24335 | 1 Smartdatasoft | 1 Car Repair Services \& Auto Mechanic | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24322 | 1 Deliciousbrains | 1 Database Backup | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| The Database Backup for WordPress plugin before 2.4 did not escape the backup_recipient POST parameter before outputting it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2020-36384 | 1 Pagelayer | 1 Pagelayer | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| PageLayer before 1.3.5 allows reflected XSS via color settings. | |||||
| CVE-2021-26584 | 1 Hp | 1 Oneview For Vmware Vcenter | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| A security vulnerability in HPE OneView for VMware vCenter (OV4VC) could be exploited remotely to allow Cross-Site Scripting. HPE has released the following software update to resolve the vulnerability in HPE OneView for VMware vCenter (OV4VC). | |||||
| CVE-2021-25932 | 1 Opennms | 2 Meridian, Opennms | 2021-06-11 | 3.5 LOW | 5.4 MEDIUM |
| In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `userID` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database. | |||||
| CVE-2020-36383 | 1 Pagelayer | 1 Pagelayer | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| PageLayer before 1.3.5 allows reflected XSS via the font-size parameter. | |||||
| CVE-2021-31738 | 1 Adiscon | 1 Loganalyzer | 2021-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adiscon LogAnalyzer 4.1.10 and 4.1.11 allow login.php XSS. | |||||
| CVE-2021-24342 | 1 Jnews | 1 Jnews | 2021-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The JNews WordPress theme before 8.0.6 did not sanitise the cat_id parameter in the POST request /?ajax-request=jnews (with action=jnews_build_mega_category_*), leading to a Reflected Cross-Site Scripting (XSS) issue. | |||||
| CVE-2021-34364 | 1 Refined-github Project | 1 Refined-github | 2021-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Refined GitHub browser extension before 21.6.8 might allow XSS via a link in a document. NOTE: github.com sends Content-Security-Policy headers to, in general, address XSS and other concerns. | |||||
| CVE-2020-21003 | 1 Pbootcms | 1 Pbootcms | 2021-06-10 | 3.5 LOW | 4.8 MEDIUM |
| Pbootcms v2.0.3 is vulnerable to Cross Site Scripting (XSS) via admin.php. | |||||
| CVE-2021-30133 | 1 Cloverdx | 1 Cloverdx | 2021-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in CloverDX Server 5.9.0, CloverDX 5.8.1, CloverDX 5.7.0, and earlier allows remote attackers to inject arbitrary web script or HTML via the sessionToken parameter of multiple methods in Simple HTTP API. This is resolved in 5.9.1 and 5.10. | |||||
| CVE-2011-3656 | 1 Mozilla | 1 Firefox | 2021-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7 allows remote attackers to inject arbitrary web script or HTML via vectors involving HTTP 0.9 errors, non-default ports, and content-sniffing. | |||||
| CVE-2021-24329 | 1 Automattic | 1 Wp Super Cache | 2021-06-10 | 3.5 LOW | 5.4 MEDIUM |
| The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24316 | 1 Wowthemes | 1 Mediumish | 2021-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise its 's' GET parameter before outputting it back in the page, leading to a Cross-Site Scripting issue. | |||||
| CVE-2021-28806 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3. | |||||
| CVE-2021-32616 | 1 1cdn Project | 1 1cdn | 2021-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| 1CDN is open-source file sharing software. In 1CDN before commit f88a2730fa50fc2c2aeab09011f6f142fd90ec25, there is a basic cross-site scripting vulnerability that allows an attacker to inject /<script>//code</script> and execute JavaScript code on the client side. | |||||
| CVE-2020-26669 | 1 Bigtreecms | 1 Bigtree Cms | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update. | |||||
| CVE-2019-13538 | 1 Codesys | 1 Codesys | 2021-06-09 | 6.8 MEDIUM | 8.6 HIGH |
| 3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versions prior to 3.5.16.0, allows the system to display active library content without checking its validity, which may allow the contents of manipulated libraries to be displayed or executed. The issue also exists for source libraries, but 3S-Smart Software Solutions GmbH strongly recommends distributing compiled libraries only. | |||||
| CVE-2020-27377 | 1 Cmsmadesimple | 1 Cms Made Simple | 2021-06-09 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability was discovered in the Administrator panel on the 'Setting News' module on CMS Made Simple 2.2.14 which allows an attacker to execute arbitrary web scripts. | |||||
| CVE-2020-26693 | 1 Pfsense | 1 Pfsense | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function. | |||||
| CVE-2020-35973 | 1 Zzcms | 1 Zzcms | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in zzcms2020. There is an XSS vulnerability that can insert and execute JS code arbitrarily via /user/manage.php. | |||||
| CVE-2020-35971 | 1 Yzmcms | 1 Yzmcms | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS vulnerability was found in YzmCMS v5.8, which attackers can use to inject JS code via the /admin/system_manage/user_config_edit.html page. | |||||
| CVE-2021-24310 | 1 10web | 1 Photo Gallery | 2021-06-09 | 3.5 LOW | 4.8 MEDIUM |
| The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with an XSS payload in it, which will be triggered when another user views the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117. | |||||
| CVE-2021-24309 | 1 Weekly Schedule Project | 1 Weekly Schedule | 2021-06-09 | 3.5 LOW | 5.4 MEDIUM |
| The "Schedule Name" input in the Weekly Schedule WordPress plugin before 3.4.3 general options did not properly sanitize input, allowing a user to inject JavaScript code using <script> HTML tags and cause a stored XSS issue. | |||||
| CVE-2020-36139 | 1 Bloofox | 1 Bloofoxcms | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| BloofoxCMS 0.5.2.1 is vulnerable to Reflected Cross-Site Scripting (XSS) via an XSS payload in the 'fileurl' parameter. | |||||
| CVE-2021-31643 | 1 Chiyu-tech | 22 Bf-630, Bf-630 Firmware, Bf-631 and 19 more | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability exists in several IoT devices from CHIYU Technology, including SEMAC, Biosense, BF-630, BF-631, and Webpass due to a lack of sanitization on the component if.cgi - username parameter. | |||||
| CVE-2021-31641 | 1 Chiyu-tech | 30 Bf-430, Bf-430 Firmware, Bf-431 and 27 more | 2021-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC due to a lack of sanitization when the HTTP 404 message is generated. | |||||
| CVE-2021-31250 | 1 Chiyu-tech | 6 Bf-430, Bf-430 Firmware, Bf-431 and 3 more | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, ppp.cgi. | |||||
| CVE-2021-32540 | 1 Hundredplus | 1 101eip | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| The add-announcement function in the 101EIP system does not filter special characters, which allows authenticated users to inject JavaScript and perform a stored XSS attack. | |||||
| CVE-2021-32539 | 1 Hundredplus | 1 101eip | 2021-06-08 | 3.5 LOW | 5.4 MEDIUM |
| The add-event function of the calendar in the 101EIP system does not filter special characters in specific fields, which allows remote authenticated users to inject JavaScript and perform a stored XSS attack. | |||||
| CVE-2021-21259 | 1 Hedgedoc | 1 Hedgedoc | 2021-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.2. As a workaround, disallow loading JavaScript from 3rd party sites using the `Content-Security-Policy` header. Note that this will break some embedded content. | |||||
| CVE-2020-27832 | 1 Redhat | 1 Quay | 2021-06-08 | 6.0 MEDIUM | 9.0 CRITICAL |
| A flaw was found in Red Hat Quay, where it has a persistent Cross-site Scripting (XSS) vulnerability when displaying a repository's notification. This flaw allows an attacker to trick a user into performing a malicious action to impersonate the target user. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | |||||
| CVE-2020-25715 | 1 Dogtagpki | 1 Dogtagpki | 2021-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity. | |||||
| CVE-2020-4977 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Lifecycle Optimization - Publishing is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192470. | |||||
| CVE-2021-29668 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199406. | |||||
| CVE-2021-29670 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199408. | |||||
| CVE-2021-20338 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194449. | |||||
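The Jetty entry above (CVE-2019-17632) describes a common defect class: an unhandled-error handler that copies an exception message into `text/html` and `text/json` bodies without encoding it for the output context. The following is an added example, not Jetty's code, that shows the vulnerable pattern next to a context-escaped one. The `NotFound` exception, the `lookup` routine and the request paths are constructed for the demonstration.

```python
"""Error-page rendering: vulnerable vs. context-escaped.

Added example, not Jetty's code. It reproduces the defect class behind
CVE-2019-17632: an unhandled-error handler that copies an exception message
into text/html and text/json bodies without encoding it for the output
context. The message echoes a request path, so a crafted URL becomes
reflected XSS (HTML) or document injection (JSON). All names and the
request paths are this example's own constructions.
"""
import html
import json


class NotFound(Exception):
    """Constructed application error whose message repeats the request path."""


def lookup(path: str) -> None:
    # Constructed app logic: nothing is routable, so every path raises.
    raise NotFound(f"No handler for {path}")


def render_error_unsafe(exc: Exception, content_type: str) -> str:
    """Interpolates the message verbatim (the vulnerable pattern)."""
    message = str(exc)
    if content_type == "text/json":
        return '{"message": "' + message + '", "status": 500}'
    return f"<h2>HTTP ERROR 500</h2><p>{message}</p>"


def render_error_safe(exc: Exception, content_type: str) -> str:
    """Encodes for the output context: entity-escape for HTML, a real JSON
    serializer for JSON (json.dumps escapes quotes, backslashes and control
    characters, so the message cannot close the string it sits in)."""
    message = str(exc)
    if content_type == "text/json":
        return json.dumps({"message": message, "status": 500})
    return f"<h2>HTTP ERROR 500</h2><p>{html.escape(message, quote=True)}</p>"


def error_body(path: str, content_type: str, safe: bool) -> str:
    """Run a constructed request through the handler and return the error body."""
    try:
        lookup(path)
    except NotFound as exc:
        render = render_error_safe if safe else render_error_unsafe
        return render(exc, content_type)
    return ""


def parse_json_body(body: str) -> dict:
    """Parse an error body as a client would; structure injection shows up
    as extra keys in the result."""
    return json.loads(body)


if __name__ == "__main__":
    html_payload = "/<script>alert(document.domain)</script>"
    json_payload = '/x", "injected": "true'
    print(error_body(html_payload, "text/html", safe=False))
    print(error_body(html_payload, "text/html", safe=True))
    print(parse_json_body(error_body(json_payload, "text/json", safe=False)))
    print(parse_json_body(error_body(json_payload, "text/json", safe=True)))
```

The check a reviewer wants is on the output, not the input: the HTML body must contain `&lt;script&gt;` rather than `<script>`, and the JSON body must round-trip through a parser with the original message intact and no keys the handler did not put there. Hand-built JSON strings fail the second test as soon as the message contains a double quote.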
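The Datasette entry above (CVE-2021-32670) offers a proxy-side workaround: reject requests whose query string contains `?_trace=` or `&_trace=`. The following is an added example, not Datasette's code, written as a WSGI middleware so it runs offline; in production the same rule would sit in the reverse proxy. It puts the advisory's literal substring rule next to a filter that decodes the query string the way any standard query parser does and matches the parameter name exactly. The middleware, the function names and the demo app are this example's own.

```python
"""Reject requests that carry a `_trace` query parameter before they reach the app.

Added example (not Datasette's own code). It models the proxy-side workaround
from CVE-2021-32670 as a WSGI middleware so it can be run offline; in practice
the same rule would live in nginx/HAProxy. Function and parameter names here
are this example's own.
"""
from urllib.parse import parse_qsl

BLOCKED_PARAM = "_trace"


def naive_substring_filter(query_string: str) -> bool:
    """Literal reading of the advisory: block if '?_trace=' or '&_trace=' appears.

    `query_string` is the raw text after '?' as a proxy sees it.
    Returns True when the request should be rejected.
    """
    qs = "?" + query_string
    return "?_trace=" in qs or "&_trace=" in qs


def parsed_filter(query_string: str) -> bool:
    """Decode the query string the way the application will and match the
    parameter *name* exactly. Catches a percent-encoded name such as
    %5Ftrace=1 (which the substring check misses) and does not trip on a
    value that merely contains the text, such as x=_trace=1.
    """
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        if name == BLOCKED_PARAM:
            return True
    return False


class RejectTraceMiddleware:
    """WSGI middleware: answer 400 when the decoded query string names `_trace`."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if parsed_filter(environ.get("QUERY_STRING", "")):
            body = b"rejected: _trace is disabled\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Constructed stand-in for the protected application.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def request_status(app, query_string: str) -> str:
    """Drive a WSGI app with a constructed GET and return the status line."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "QUERY_STRING": query_string}
    list(app(environ, start_response))
    return captured["status"]


if __name__ == "__main__":
    app = RejectTraceMiddleware(demo_app)
    for qs in ["_trace=1", "sql=select+1&_trace=1", "%5Ftrace=1", "x=_trace=1", "_trace", ""]:
        print(f"{qs!r:28} naive={naive_substring_filter(qs)!s:5} "
              f"parsed={parsed_filter(qs)!s:5} -> {request_status(app, qs)}")
```

The two filters disagree on `%5Ftrace=1`: a raw-string match at the proxy never sees the underscore, while the application's query parser percent-decodes the name before looking it up. When a blocklist rule has to stand in for a patch, match on the decoded parameter name, not on the raw bytes.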
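The HedgeDoc entry above (CVE-2021-21259) gives a `Content-Security-Policy` header as the workaround: stop scripts loading from third-party sites. The following is an added example, not HedgeDoc's code, that implements a small subset of CSP source matching so a policy can be read mechanically: `'self'`, `'none'`, `*`, scheme sources such as `https:`, and host sources with an optional scheme and a leading `*.` wildcard. Ports, paths, nonces, hashes and `'strict-dynamic'` are ignored; the policies and URLs are constructed.

```python
"""Minimal Content-Security-Policy script-source evaluator.

Added example, not HedgeDoc's code. It illustrates the workaround given for
CVE-2021-21259 (use the Content-Security-Policy header so scripts may only
load from approved origins) by implementing a small subset of CSP source
matching: 'self', 'none', '*', scheme sources such as https:, and host
sources with an optional scheme and a leading *. wildcard. Ports, paths,
nonces, hashes and 'strict-dynamic' are ignored, so treat it as a reading
aid for policies, not as a policy engine. Policies and URLs are constructed.
"""
from urllib.parse import urlsplit


def parse_policy(policy: str) -> dict:
    """Split "a-src x y; b-src z" into {"a-src": ["x", "y"], "b-src": ["z"]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(policy: str):
    """script-src, else default-src as its fallback, else None (unrestricted)."""
    directives = parse_policy(policy)
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # *.example.com covers sub.example.com but not example.com itself
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(source: str, page_url: str, script_url: str) -> bool:
    page, script = urlsplit(page_url), urlsplit(script_url)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (page.scheme, page.netloc) == (script.scheme, script.netloc)
    if src.startswith("'"):
        # 'unsafe-inline', 'nonce-...', 'sha256-...' do not describe URLs
        return False
    if src == "*":
        return script.scheme not in ("data", "blob", "filesystem")
    if src.endswith(":") and "/" not in src:
        # scheme source, e.g. https:
        return script.scheme == src[:-1]
    # host source: [scheme://]host[:port][/path]; port and path are ignored here
    if "://" in src:
        scheme, _, rest = src.partition("://")
        if script.scheme != scheme:
            return False
    else:
        rest = src
        # a scheme-less host source matches the page's scheme or its https upgrade
        if script.scheme != page.scheme and not (page.scheme == "http" and script.scheme == "https"):
            return False
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return _host_matches(host, script.hostname or "")


def script_allowed(policy: str, page_url: str, script_url: str) -> bool:
    """Would an external <script src=script_url> on page_url load under policy?"""
    sources = script_sources(policy)
    if sources is None:
        return True
    return any(_source_matches(s, page_url, script_url) for s in sources)


def inline_scripts_allowed(policy: str) -> bool:
    """Does the policy still let inline <script> blocks run? (nonces/hashes ignored)"""
    sources = script_sources(policy)
    if sources is None:
        return True
    return "'unsafe-inline'" in [s.lower() for s in sources]


if __name__ == "__main__":
    policy = "default-src 'self'; script-src 'self' https://cdn.example.com *.trusted.example"
    page = "https://notes.example/p/abc"
    for url in ("https://notes.example/app.js", "https://cdn.example.com/lib.js",
                "https://a.trusted.example/x.js", "https://evil.example/x.js"):
        print(url, script_allowed(policy, page, url))
    print("inline allowed:", inline_scripts_allowed(policy))
```

Host allow-listing only decides where external scripts may be fetched from. Whether an injected inline `<script>` block runs at all is a separate question, governed by `'unsafe-inline'`, nonces or hashes in the same directive, so a policy should be checked for both before it is relied on as a mitigation; the advisory's own caveat that some embedded content breaks is the cost of the same restriction.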
