Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-23369 | 1 Yzmcms | 1 Yzmcms | 2021-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor 1.4.3.3. | |||||
| CVE-2020-23371 | 1 5none | 1 Nonecms | 2021-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter. | |||||
| CVE-2021-3315 | 1 Jetbrains | 1 Teamcity | 2021-05-13 | 3.5 LOW | 5.4 MEDIUM |
| In JetBrains TeamCity before 2020.2.2, stored XSS on a tests page was possible. | |||||
| CVE-2021-31908 | 1 Jetbrains | 1 Teamcity | 2021-05-13 | 3.5 LOW | 5.4 MEDIUM |
| In JetBrains TeamCity before 2020.2.3, stored XSS was possible on several pages. | |||||
| CVE-2021-24250 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2021-05-13 | 3.5 LOW | 5.4 MEDIUM |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin. | |||||
| CVE-2021-24214 | 1 Daggerhartlab | 1 Openid Connect Generic Client | 2021-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The OpenID Connect Generic Client WordPress plugin 3.8.0 and 3.8.1 did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration. | |||||
| CVE-2021-24243 | 1 Wpbakery Page Builder Clipboard Project | 1 Wpbakery Page Builder Clipboard | 2021-05-13 | 3.5 LOW | 5.4 MEDIUM |
| An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages. | |||||
| CVE-2021-24246 | 1 Purethemes | 2 Workscout, Workscout Core | 2021-05-13 | 3.5 LOW | 5.4 MEDIUM |
| The Workscout Core WordPress plugin before 1.3.4, used by the WorkScout Theme did not sanitise the chat messages sent via the workscout_send_message_chat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues | |||||
| CVE-2021-32092 | 1 Nsa | 1 Emissary | 2021-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the uuid parameter. | |||||
| CVE-2021-24293 | 1 Imagely | 1 Nextgen Gallery | 2021-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action to call get_cart_items via photocrati_ajax, after which settings[shipping_address][name] can be used to inject malicious JavaScript. | |||||
| CVE-2020-23373 | 1 5none | 1 Nonecms | 2021-05-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter. | |||||
| CVE-2020-23374 | 1 5none | 1 Nonecms | 2021-05-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter. | |||||
| CVE-2019-3485 | 1 Hp | 1 Arcsight Logger | 2021-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mitigates a stored cross site scripting issue in ArcSight Logger versions prior to 6.7.1 | |||||
| CVE-2019-3486 | 1 Hp | 1 Arcsight Management Center | 2021-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mitigates a stored cross site scripting issue in ArcSight Security Management Center versions prior to 2.9.1 | |||||
| CVE-2019-11649 | 1 Microfocus | 1 Fortify Software Security Center | 2021-05-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-Site Scripting vulnerability in Micro Focus Fortify Software Security Center Server, versions 17.2, 18.1, 18.2, has been identified in Micro Focus Software Security Center. The vulnerability could be exploited to execute JavaScript code in user’s browser. | |||||
| CVE-2020-23263 | 1 Fork-cms | 1 Fork Cms | 2021-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent Cross-site scripting vulnerability on Fork CMS version 5.8.2 allows remote attackers to inject arbitrary Javascript code via the "navigation_title" parameter and the "title" parameter in /private/en/pages/add. | |||||
| CVE-2021-32470 | 1 Craftcms | 1 Craft Cms | 2021-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Craft CMS before 3.6.13 has an XSS vulnerability. | |||||
| CVE-2019-11825 | 1 Synology | 1 Calendar | 2021-05-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter. | |||||
| CVE-2021-26123 | 1 Livinglogic | 1 Xist4c | 2021-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| LivingLogic XIST4C before 0.107.8 allows XSS via login.htm, login.wihtm, or login-form.htm. | |||||
| CVE-2021-26122 | 1 Livinglogic | 1 Xist4c | 2021-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| LivingLogic XIST4C before 0.107.8 allows XSS via feedback.htm or feedback.wihtm. | |||||
| CVE-2021-25179 | 1 Solarwinds | 1 Serv-u File Server | 2021-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| SolarWinds Serv-U before 15.2 is affected by Cross Site Scripting (XSS) via the HTTP Host header. | |||||
| CVE-2021-32103 | 1 Open-emr | 1 Openemr | 2021-05-11 | 3.5 LOW | 4.8 MEDIUM |
| A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows an admin authenticated user to inject arbitrary web script or HTML via the lname parameter. | |||||
| CVE-2021-24266 | 1 Posimyth | 1 The Plus Addons For Elementor Page Builder Lite | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “The Plus Addons for Elementor Page Builder Lite” WordPress Plugin before 2.0.6 has four widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24264 | 1 Blocksera | 1 Image Hover Effects | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “Image Hover Effects – Elementor Addon” WordPress Plugin before 1.3.4 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24265 | 1 Apollo13themes | 1 Rife Elementor Extensions & Templates | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “Rife Elementor Extensions & Templates” WordPress Plugin before 1.1.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24263 | 1 Ideabox | 1 Powerpack Addons For Elementor | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “Elementor Addons – PowerPack Addons for Elementor” WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24270 | 1 Dethemekit For Elementor Project | 1 Dethemekit For Elementor | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “DeTheme Kit for Elementor” WordPress Plugin before 1.5.5.5 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24267 | 1 Themesgrove | 1 All-in-one Addons For Elementor | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “All-in-One Addons for Elementor – WidgetKit” WordPress Plugin before 2.3.10 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24269 | 1 Sinaextra | 1 Sina Extension For Elementor | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “Sina Extension for Elementor” WordPress Plugin before 3.3.12 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24260 | 1 Livemeshelementor | 1 Addons For Elementor | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “Livemesh Addons for Elementor” WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24261 | 1 Hasthemes | 1 Ht Mega - Absolute Addons For Elementor Page Builder | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24262 | 1 Hasthemes | 1 Woolentor - Woocommerce Elementor Addons + Builder | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “WooLentor – WooCommerce Elementor Addons + Builder” WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24255 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, both via a similar method. | |||||
| CVE-2021-24257 | 1 Leap13 | 1 Premium Addons For Elementor | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “Premium Addons for Elementor” WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24256 | 1 Brainstormforce | 1 Elementor - Header, Footer & Blocks Template | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “Elementor – Header, Footer & Blocks Template” WordPress Plugin before 1.5.8 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24258 | 1 Wpmet | 1 Elements Kit Elementor Addons | 2021-05-11 | 4.0 MEDIUM | 5.4 MEDIUM |
| The Elements Kit Lite and Elements Kit Pro WordPress Plugins before 2.2.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-24259 | 1 Webtechstreet | 1 Elementor Addon Elements | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| The “Elementor Addon Elements” WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
| CVE-2021-29250 | 1 Btcpayserver | 1 Btcpay Server | 2021-05-11 | 3.5 LOW | 5.4 MEDIUM |
| BTCPay Server through 1.0.7.0 suffers from a Stored Cross Site Scripting (XSS) vulnerability within the POS Add Products functionality. This enables cookie stealing. | |||||
| CVE-2021-25161 | 1 Arubanetworks | 1 Instant | 2021-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| A remote cross-site scripting (xss) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. | |||||
| CVE-2020-1721 | 1 Dogtagpki | 1 Dogtagpki | 2021-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 10.10.5 where it did not properly sanitize the recovery ID during a key recovery request, enabling a reflected cross-site scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code. | |||||
| CVE-2020-21101 | 1 Screenly | 1 Screenly | 2021-05-10 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Screenly screenly-ose all versions, including v1.8.2 (2019-09-25-Screenly-OSE-lite.img), in the 'Add Asset' page via manipulation of a 'URL' field, which could let a remote malicious user execute arbitrary code. | |||||
| CVE-2020-21987 | 1 Homeautomation Project | 1 Homeautomation | 2021-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| HomeAutomation 3.3.2 is affected by persistent Cross Site Scripting (XSS). XSS vulnerabilities occur when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session. | |||||
| CVE-2021-21543 | 1 Dell | 1 Idrac9 Firmware | 2021-05-10 | 3.5 LOW | 4.8 MEDIUM |
| Dell EMC iDRAC9 versions prior to 4.40.00.00 contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges could potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected parameters. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. | |||||
| CVE-2021-21542 | 1 Dell | 1 Idrac9 Firmware | 2021-05-10 | 3.5 LOW | 4.8 MEDIUM |
| Dell EMC iDRAC9 versions prior to 4.40.10.00 contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges could potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected while generating a certificate. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. | |||||
| CVE-2021-21541 | 1 Dell | 1 Idrac9 Firmware | 2021-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a DOM-based cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to DOM environment in the browser. The malicious code is then executed by the web browser in the context of the vulnerable web application. | |||||
| CVE-2020-18022 | 1 Qibosoft | 1 Qibocms | 2021-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Qibosoft QiboCMS v7 and earlier allows remote attackers to execute arbitrary code or obtain sensitive information by injecting arbitrary commands in a HTTP request to the "ewebeditor\3.1.1\kindeditor.js" component. | |||||
| CVE-2021-29460 | 1 Getkirby | 1 Kirby | 2021-05-07 | 3.5 LOW | 5.4 MEDIUM |
| Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. Visitors without Panel access can only use this attack vector if your site allows SVG file uploads in frontend forms and you don't already sanitize uploaded SVG files. The problem has been patched in Kirby 3.5.4. Please update to this or a later version to fix the vulnerability. Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use `File::create()`, you are protected by updating to 3.5.4+. As a work around you can disable the upload of SVG files in your file blueprints. | |||||
| CVE-2021-29146 | 1 Arubanetworks | 1 Clearpass | 2021-05-07 | 3.5 LOW | 5.4 MEDIUM |
| A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-29666 | 2 Ibm, Linux | 2 Spectrum Scale, Linux Kernel | 2021-05-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199400. | |||||
| CVE-2021-24268 | 1 Crocoblock | 1 Jetwidgets For Elementor | 2021-05-07 | 3.5 LOW | 5.4 MEDIUM |
| The “JetWidgets For Elementor” WordPress Plugin before 1.0.9 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | |||||
