Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-1566 | 1 Apache | 1 Guacamole | 2021-05-07 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. NOTE: this vulnerability was fixed in guacamole.war on 2016-01-13, but the version number was not changed. | |||||
| CVE-2020-13666 | 1 Drupal | 1 Drupal | 2021-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | |||||
| CVE-2021-31778 | 1 Media2click Project | 1 Media2click | 2021-05-07 | 3.5 LOW | 5.4 MEDIUM |
| The media2click (aka 2 Clicks for External Media) extension 1.x before 1.3.3 for TYPO3 allows XSS by a backend user account. | |||||
| CVE-2021-29142 | 1 Arubanetworks | 1 Clearpass | 2021-05-07 | 3.5 LOW | 4.8 MEDIUM |
| A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-29139 | 1 Arubanetworks | 1 Clearpass | 2021-05-07 | 3.5 LOW | 4.8 MEDIUM |
| A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2020-4929 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2021-05-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191706. | |||||
| CVE-2021-20397 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2021-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196017. | |||||
| CVE-2020-28945 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as  that is mishandled in the App Suite UI on a smartphone. | |||||
| CVE-2021-31935 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view. | |||||
| CVE-2021-21365 | 1 Typo3 | 1 Typo3 | 2021-05-07 | 3.5 LOW | 5.4 MEDIUM |
| Bootstrap Package is a theme for TYPO3. It has been discovered that rendering content in the website frontend is vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Users of the extension, who have overwritten the affected templates with custom code must manually apply the security fix. Update to version 7.1.2, 8.0.8, 9.1.4, 10.0.10 or 11.0.3 of the Bootstrap Package that fix the problem described. Updated version are available from the TYPO3 extension manager, Packagist and at https://extensions.typo3.org/extension/download/bootstrap_package/. | |||||
| CVE-2021-31803 | 1 Cpanel | 1 Cpanel | 2021-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581). | |||||
| CVE-2020-35542 | 1 Unisys | 1 Data Exchange Management Studio | 2021-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Unisys Data Exchange Management Studio through 5.0.34 doesn't sanitize the input to a HTML document field. This could be used for an XSS attack. | |||||
| CVE-2020-18084 | 1 Yzmcms | 1 Yzmcms | 2021-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in yzmCMS v5.2 allows remote attackers to execute arbitrary code by injecting commands into the "referer" field of a POST request to the component "/member/index/login.html" when logging in. | |||||
| CVE-2021-20680 | 1 Nec | 34 Aterm W1200ex, Aterm W1200ex-ms, Aterm W1200ex-ms Firmware and 31 more | 2021-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in NEC Aterm devices (Aterm WG1900HP2 firmware Ver.1.3.1 and earlier, Aterm WG1900HP firmware Ver.2.5.1 and earlier, Aterm WG1800HP4 firmware Ver.1.3.1 and earlier, Aterm WG1800HP3 firmware Ver.1.5.1 and earlier, Aterm WG1200HS2 firmware Ver.2.5.0 and earlier, Aterm WG1200HP3 firmware Ver.1.3.1 and earlier, Aterm WG1200HP2 firmware Ver.2.5.0 and earlier, Aterm W1200EX firmware Ver.1.3.1 and earlier, Aterm W1200EX-MS firmware Ver.1.3.1 and earlier, Aterm WG1200HS firmware all versions Aterm WG1200HP firmware all versions Aterm WF800HP firmware all versions Aterm WF300HP2 firmware all versions Aterm WR8165N firmware all versions Aterm W500P firmware all versions, and Aterm W300P firmware all versions) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2021-29388 | 1 Budget Management System Project | 1 Budget Management System | 2021-05-05 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in SourceCodester Budget Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php via vulnerable field 'Budget Title'. | |||||
| CVE-2021-29387 | 1 Equipment Inventory System Project | 1 Equipment Inventory System | 2021-05-05 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in Sourcecodester Equipment Inventory System 1.0 allow remote attackers to inject arbitrary javascript via any "Add" sections, such as Add Item , Employee and Position or others in the Name Parameters. | |||||
| CVE-2020-21993 | 1 Wems | 1 Enterprise Manager | 2021-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| In WEMS Limited Enterprise Manager 2.58, input passed to the GET parameter 'email' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site. | |||||
| CVE-2021-29159 | 1 Sonatype | 1 Nexus Repository Manager | 2021-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been discovered in Nexus Repository Manager 3.x before 3.30.1. An attacker with a local account can create entities with crafted properties that, when viewed by an administrator, can execute arbitrary JavaScript in the context of the NXRM application. | |||||
| CVE-2020-17999 | 1 1234n | 1 Minicms | 2021-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in MiniCMS v1.10 allows remote attackers to execute arbitrary code by injecting commands via a crafted HTTP request to the component "/mc-admin/post-edit.php". | |||||
| CVE-2021-25810 | 1 Mercusys | 2 Mercury X18g, Mercury X18g Firmware | 2021-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site Scripting (XSS) vulnerability in MERCUSYS Mercury X18G 1.0.5 devices, via crafted values to the 'src_dport_start', 'src_dport_end', and 'dest_port' parameters. | |||||
| CVE-2019-25027 | 1 Vaadin | 2 Flow, Vaadin | 2021-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL | |||||
| CVE-2019-25028 | 1 Vaadin | 1 Vaadin | 2021-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector | |||||
| CVE-2021-1457 | 1 Cisco | 1 Firepower Management Center | 2021-05-05 | 3.5 LOW | 4.8 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2021-1456 | 1 Cisco | 1 Firepower Management Center | 2021-05-05 | 3.5 LOW | 4.8 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-22808 | 1 Fecmall Project | 1 Fecmall | 2021-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was found in yii2_fecshop 2.x. There is a reflected XSS vulnerability in the check cart page. | |||||
| CVE-2021-1458 | 1 Cisco | 1 Firepower Management Center | 2021-05-05 | 3.5 LOW | 4.8 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2021-1455 | 1 Cisco | 1 Firepower Management Center | 2021-05-05 | 3.5 LOW | 4.8 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2018-19288 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API. | |||||
| CVE-2018-20339 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section. | |||||
| CVE-2018-19921 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller. | |||||
| CVE-2018-18716 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability. | |||||
| CVE-2018-18715 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS. | |||||
| CVE-2018-18262 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine OpManager 12.3 before build 123214 has XSS. | |||||
| CVE-2013-4492 | 1 I18n Project | 1 I18n | 2021-05-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call. | |||||
| CVE-2020-13944 | 1 Apache | 1 Airflow | 2021-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. | |||||
| CVE-2020-17515 | 1 Apache | 1 Airflow | 2021-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely. | |||||
| CVE-2020-13285 | 1 Gitlab | 1 Gitlab | 2021-05-03 | 3.5 LOW | 5.4 MEDIUM |
| For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting (XSS) vulnerability exists in the issue reference number tooltip. | |||||
| CVE-2021-20549 | 3 Ibm, Linux, Microsoft | 4 Aix, Content Navigator, Linux Kernel and 1 more | 2021-05-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199167. | |||||
| CVE-2021-20550 | 3 Ibm, Linux, Microsoft | 4 Aix, Content Navigator, Linux Kernel and 1 more | 2021-05-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199168. | |||||
| CVE-2021-20448 | 3 Ibm, Linux, Microsoft | 4 Aix, Content Navigator, Linux Kernel and 1 more | 2021-05-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196624. | |||||
| CVE-2020-18035 | 1 Jeesns | 1 Jeesns | 2021-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Jeesns v1.4.2 allows remote attackers to execute arbitrary code by injecting commands into the "CKEditorFuncNum" parameter in the component "CkeditorUploadController.java". | |||||
| CVE-2021-31792 | 1 Salesagility | 1 Suitecrm | 2021-05-03 | 3.5 LOW | 5.4 MEDIUM |
| XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field | |||||
| CVE-2021-30227 | 1 Emlog | 1 Emlog | 2021-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the article comments feature in emlog 6.0. | |||||
| CVE-2014-9342 | 1 F5 | 1 Big-ip | 2021-05-03 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the tree view (pl_tree.php) feature in Application Security Manager (ASM) in F5 BIG-IP 11.3.0 allows remote attackers to inject arbitrary web script or HTML by accessing a crafted URL during automatic policy generation. | |||||
| CVE-2021-31794 | 1 Directum | 1 Directum | 2021-05-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Settings.aspx?view=About in Directum 5.8.2 allows XSS via the HTTP User-Agent header. | |||||
| CVE-2021-27933 | 1 Pfsense | 1 Pfsense | 2021-05-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field. | |||||
| CVE-2021-28079 | 1 Jamovi | 1 Jamovi | 2021-04-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jamovi <=1.6.18 is affected by a cross-site scripting (XSS) vulnerability. The column-name is vulnerable to XSS in the ElectronJS Framework. An attacker can make a .omv (Jamovi) document containing a payload. When opened by victim, the payload is triggered. | |||||
| CVE-2010-2250 | 1 Drupal | 1 Drupal | 2021-04-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. | |||||
| CVE-2020-17542 | 1 Dotcms | 1 Dotcms | 2021-04-30 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in dotCMS v5.1.5 allows remote attackers to execute arbitrary code by injecting a malicious payload into the "Task Detail" comment window of the "/dotAdmin/#/c/workflow" component. | |||||