Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5030 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 193737. | |||||
| CVE-2020-36007 | 1 Appcms | 1 Appcms | 2021-06-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| AppCMS 2.0.101 in /admin/template/tpl_app.php has a cross site scripting attack vulnerability which allows the attacker to obtain sensitive information of other users. | |||||
| CVE-2007-5000 | 1 Apache | 1 Http Server | 2021-06-06 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2007-6388 | 1 Apache | 1 Http Server | 2021-06-06 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2007-6421 | 1 Apache | 1 Http Server | 2021-06-06 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL. | |||||
| CVE-2012-2687 | 1 Apache | 1 Http Server | 2021-06-06 | 2.6 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. | |||||
| CVE-2008-2939 | 4 Apache, Apple, Canonical and 1 more | 4 Http Server, Mac Os X, Ubuntu Linux and 1 more | 2021-06-06 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI. | |||||
| CVE-2008-0455 | 1 Apache | 1 Http Server | 2021-06-06 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file. | |||||
| CVE-2012-4558 | 1 Apache | 1 Http Server | 2021-06-06 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string. | |||||
| CVE-2008-0005 | 1 Apache | 1 Http Server | 2021-06-06 | 4.3 MEDIUM | N/A |
| mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding. | |||||
| CVE-2012-3499 | 1 Apache | 1 Http Server | 2021-06-06 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. | |||||
| CVE-2000-1205 | 1 Apache | 1 Http Server | 2021-06-06 | 4.3 MEDIUM | N/A |
| Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code. NOTE: the printenv issue might still exist for web browsers that can render text/plain content types as HTML, such as Internet Explorer, but CVE regards this as a design limitation of those browsers, not Apache. The printenv.pl/acuparam vector, discloser on 20070724, is one such variant. | |||||
| CVE-2021-29271 | 1 Remark42 | 1 Remark42 | 2021-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| remark42 before 1.6.1 allows XSS, as demonstrated by "Locator: Locator{URL:" followed by an XSS payload. This is related to backend/app/store/comment.go and backend/app/store/service/service.go. | |||||
| CVE-2021-29272 | 1 Microco | 1 Bluemonday | 2021-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string. | |||||
| CVE-2021-28935 | 1 Cmsmadesimple | 1 Cms Made Simple | 2021-06-04 | 3.5 LOW | 5.4 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field. | |||||
| CVE-2020-26642 | 1 Seacms | 1 Seacms | 2021-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been discovered in the login page of SeaCMS version 11 which allows an attacker to inject arbitrary web script or HTML. | |||||
| CVE-2021-24306 | 1 Ultimatemember | 1 Ultimate Member | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the related logged in user open a malicious link. | |||||
| CVE-2021-3151 | 1 I-doit | 1 I-doit | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__MONITORING__CONFIG__ADDRESS, or SM2__C__MONITORING__CONFIG__ADDRESS. | |||||
| CVE-2021-27821 | 1 Openwrt | 1 Luci | 2021-06-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. | |||||
| CVE-2021-25934 | 1 Opennms | 2 Horizon, Meridian | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `createRequisitionedNode()` does not perform any validation checks on the input sent to the `node-label` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database. | |||||
| CVE-2021-25935 | 1 Opennms | 2 Horizon, Meridian | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter. Due to this flaw an attacker could bypass the existing regex validation and inject an arbitrary script which will be stored in the database. | |||||
| CVE-2021-24308 | 1 Lifterlms | 1 Lifterlms | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users (such as students) to elevate their privilege via an XSS attack when an admin will view their profile. | |||||
| CVE-2017-11650 | 1 Draytek | 2 Vigorap 910c, Vigorap 910c Firmware | 2021-06-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in DrayTek Vigor AP910C devices with firmware 1.2.0_RC3 build r6594 allows remote attackers to inject arbitrary web script or HTML via vectors involving home.asp. | |||||
| CVE-2021-29201 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2021-06-02 | 3.5 LOW | 4.8 MEDIUM |
| A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2021-29204 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2021-06-02 | 3.5 LOW | 4.8 MEDIUM |
| A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2021-29205 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2021-06-02 | 3.5 LOW | 4.8 MEDIUM |
| A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2021-29206 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2021-06-02 | 3.5 LOW | 4.8 MEDIUM |
| A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2021-29211 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2021-06-02 | 3.5 LOW | 4.8 MEDIUM |
| A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2021-29207 | 1 Hp | 29 Integrated Lights-out 4, Integrated Lights-out 5, Proliant Bl460c Gen10 Server Blade and 26 more | 2021-06-02 | 3.5 LOW | 4.8 MEDIUM |
| A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | |||||
| CVE-2021-24187 | 1 Clogica | 1 Seo Redirection | 2021-06-02 | 3.5 LOW | 5.4 MEDIUM |
| The setting page of the SEO Redirection Plugin - 301 Redirect Manager WordPress plugin before 6.4 is vulnerable to reflected Cross-Site Scripting (XSS) as user input is not properly sanitised before being output in an attribute. | |||||
| CVE-2021-29252 | 1 Rsa | 1 Archer | 2021-06-01 | 3.5 LOW | 5.4 MEDIUM |
| RSA Archer before 6.9 SP1 P1 (6.9.1.1) contains a stored XSS vulnerability. A remote authenticated malicious Archer user with access to modify link name fields could potentially exploit this vulnerability to execute code in a victim's browser. | |||||
| CVE-2021-20727 | 1 Zettlr | 1 Zettlr | 2021-06-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Zettlr from 0.20.0 to 1.8.8 allows an attacker to execute an arbitrary script by loading a file or code snippet containing an invalid iframe into Zettlr. | |||||
| CVE-2021-3486 | 1 Glpi-project | 1 Glpi | 2021-06-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| GLPi 9.5.4 does not sanitize the metadata. This way its possible to insert XSS into plugins to execute JavaScript code. | |||||
| CVE-2020-36306 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2021-06-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field. | |||||
| CVE-2020-36307 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2021-06-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links. | |||||
| CVE-2017-17678 | 1 Bmc | 1 Remedy Mid-tier | 2021-06-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| BMC Remedy Mid Tier 9.1SP3 is affected by cross-site scripting (XSS). A DOM-based cross-site scripting vulnerability was discovered in a legacy utility. | |||||
| CVE-2020-26680 | 1 Vfairs | 1 Vfairs | 2021-06-01 | 3.5 LOW | 5.4 MEDIUM |
| In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other users profile information to include a cross-site scripting payload. The user data stored by the database includes HTML tags that are intentionally rendered out onto the page, and this can be abused to perform XSS attacks. | |||||
| CVE-2021-21660 | 1 Jenkins | 1 Markdown Formatter | 2021-06-01 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter. | |||||
| CVE-2020-18221 | 1 Typora | 1 Typora | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Typora v0.9.65 and earlier allows remote attackers to execute arbitrary code by injecting commands during block rendering of a mathematical formula. | |||||
| CVE-2021-24301 | 1 Bluemedicinelabs | 1 Hotjar Connecticator | 2021-05-28 | 3.5 LOW | 5.4 MEDIUM |
| The Hotjar Connecticator WordPress plugin through 1.1.1 is vulnerable to Stored Cross-Site Scripting (XSS) in the 'hotjar script' textarea. The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users. | |||||
| CVE-2021-24305 | 1 Targetfirst | 1 Watcheezy | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Target First WordPress Plugin v2.0, also previously known as Watcheezy, suffers from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a POST on any URL with the 'weeWzKey' parameter that will be save as the 'weeID option and is not sanitized. | |||||
| CVE-2021-24302 | 1 Neox | 1 Hana Flv Player | 2021-05-28 | 3.5 LOW | 5.4 MEDIUM |
| The Hana Flv Player WordPress plugin through 3.1.3 is vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the 'Default Skin' field. | |||||
| CVE-2021-24332 | 1 Autoptimize | 1 Autoptimize | 2021-05-28 | 3.5 LOW | 4.8 MEDIUM |
| The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues | |||||
| CVE-2020-28903 | 1 Nagios | 1 Fusion | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS. | |||||
| CVE-2021-24300 | 1 Pickplugins | 1 Product Slider For Woocommerce | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue | |||||
| CVE-2021-24298 | 1 Ibenic | 1 Simple Giveaways | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS | |||||
| CVE-2021-24297 | 1 Boostifythemes | 1 Goto | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24296 | 1 Gowebsolutions | 1 Wp Customer Reviews | 2021-05-28 | 3.5 LOW | 4.8 MEDIUM |
| The WP Customer Reviews WordPress plugin before 3.5.6 did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them which will then be triggered in pages where reviews are enabled | |||||
| CVE-2021-24294 | 1 Mlfactory | 1 Dsgvo All In One For Wp | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be trigged when an administrator will view the logs. | |||||
| CVE-2021-27676 | 1 Centreon | 1 Centreon | 2021-05-28 | 3.5 LOW | 5.4 MEDIUM |
| Centreon version 20.10.2 is affected by a cross-site scripting (XSS) vulnerability. The dep_description (Dependency Description) and dep_name (Dependency Name) parameters are vulnerable to stored XSS. A user has to log in and go to the Configuration > Notifications > Hosts page. | |||||