Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24237 | 1 Purethemes | 2 Findeo, Realteo | 2021-04-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius. _bedrooms and _bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24239 | 1 Genetechsolutions | 1 Pie Register | 2021-04-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin before 3.7.0.1 does not sanitise the invitaion_code GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting issue. | |||||
| CVE-2021-22199 | 1 Gitlab | 1 Gitlab | 2021-04-30 | 3.5 LOW | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used. | |||||
| CVE-2021-24241 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2021-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page. | |||||
| CVE-2021-29459 | 1 Xwiki | 1 Xwiki | 2021-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistred users can fill simple text fields. Registered users can fill in their personal information and (if they have edit rights) fill the values of static lists using App Within Minutes. There is no easy workaround except upgrading XWiki. The vulnerability has been patched on XWiki 12.8 and 12.6.3. | |||||
| CVE-2021-24235 | 1 Boostifythemes | 1 Goto | 2021-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Goto WordPress theme before 2.0 does not sanitise the keywords and start_date GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24232 | 1 Elbtide | 1 Advanced Booking Calendar | 2021-04-29 | 3.5 LOW | 5.4 MEDIUM |
| The Advanced Booking Calendar WordPress plugin before 1.6.8 does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue | |||||
| CVE-2021-24233 | 1 Boxystudio | 1 Cooked | 2021-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Cooked Pro WordPress plugin before 1.7.5.6 was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute. | |||||
| CVE-2021-24234 | 1 Ivorysearch | 1 Ivory Search | 2021-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Search Forms page of the Ivory Search WordPress lugin before 4.6.1 did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site Scripting issue when opening a malicious crafted link as a high privilege user. Knowledge of a form id is required to conduct the attack. | |||||
| CVE-2021-29467 | 1 Wrongthink Project | 1 Wrongthink | 2021-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wrongthink is an encrypted peer-to-peer chat program. A user could check their fingerprint into the service and enter a script to run arbitrary JavaScript on the site. No workarounds exist, but a patch exists in version 2.4.1. | |||||
| CVE-2006-0779 | 1 Xmb Forum | 1 Xmb | 2021-04-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in u2u.php in XMB Forums 1.9.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter, as demonstrated using a URL-encoded iframe tag. | |||||
| CVE-2007-0519 | 1 Xmb Software | 1 U2u Instant Messenger | 2021-04-29 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in memcp.php in XMB U2U Instant Messenger allows remote authenticated users to inject arbitrary web script or HTML via the recipient field. | |||||
| CVE-2004-1863 | 1 Xmb Forum | 1 Xmb | 2021-04-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in XMB (aka extreme message board) 1.9 beta (aka Nexus beta) allow remote attackers to inject arbitrary web script or HTML via (1) the u2uheader parameter in editprofile.php, the restrict parameter in (2) member.php, (3) misc.php, and (4) today.php, and (5) an arbitrary parameter in phpinfo.php. | |||||
| CVE-2007-6728 | 1 Xmb Forum | 1 Xmb | 2021-04-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in XMB 1.5 allows remote attackers to inject arbitrary web script or HTML via the MSN field during user registration. | |||||
| CVE-2021-29434 | 1 Torchbox | 1 Wagtail | 2021-04-29 | 3.5 LOW | 4.8 MEDIUM |
| Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch). | |||||
| CVE-2021-0268 | 1 Juniper | 1 Junos | 2021-04-28 | 5.8 MEDIUM | 9.3 CRITICAL |
| An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') weakness in J-web of Juniper Networks Junos OS leads to buffer overflows, segment faults, or other impacts, which allows an attacker to modify the integrity of the device and exfiltration information from the device without authentication. The weakness can be exploited to facilitate cross-site scripting (XSS), cookie manipulation (modifying session cookies, stealing cookies) and more. This weakness can also be exploited by directing a user to a seemingly legitimate link from the affected site. The attacker requires no special access or permissions to the device to carry out such attacks. This issue affects: Juniper Networks Junos OS: 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S3; 18.4 versions prior to 18.4R2-S5, 18.4R3-S3; 19.1 versions prior to 19.1R2-S2, 19.1R3-S2; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2, 19.4R3; 20.1 versions prior to 20.1R1-S2, 20.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.1R1. | |||||
| CVE-2021-25838 | 1 Minthcm | 1 Minthcm | 2021-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Import function in MintHCM RELEASE 3.0.8 allows an attacker to execute a cross-site scripting (XSS) payload in file-upload. | |||||
| CVE-2021-20710 | 1 Aterm | 2 Wg2600hs, Wg2600hs Firmware | 2021-04-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.5.1 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-28827 | 1 Tibco | 2 Administrator, Runtime Agent | 2021-04-27 | 6.8 MEDIUM | 9.6 CRITICAL |
| The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition for z/Linux, TIBCO Administrator - Enterprise Edition for z/Linux, TIBCO Runtime Agent, TIBCO Runtime Agent, TIBCO Runtime Agent for z/Linux, and TIBCO Runtime Agent for z/Linux contains an easily exploitable vulnerability that allows an unauthenticated attacker to social engineer a legitimate user with network access to execute a Stored XSS attack targeting the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.11.0 and 5.11.1, TIBCO Runtime Agent: versions 5.10.2 and below, TIBCO Runtime Agent: versions 5.11.0 and 5.11.1, TIBCO Runtime Agent for z/Linux: versions 5.10.2 and below, and TIBCO Runtime Agent for z/Linux: versions 5.11.0 and 5.11.1. | |||||
| CVE-2021-31550 | 1 Mediawiki | 1 Mediawiki | 2021-04-27 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers. | |||||
| CVE-2021-22540 | 1 Dart | 1 Dart Software Development Kit | 2021-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags. | |||||
| CVE-2020-36324 | 1 Wikimedia | 1 Analytics-quarry-web | 2021-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wikimedia Quarry analytics-quarry-web before 2020-12-15 allows Reflected XSS because app.py does not explicitly set the application/json content type. | |||||
| CVE-2021-25680 | 1 Adtran | 3 Netvanta 7060, Netvanta 7100, Personal Phone Manager | 2021-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. | |||||
| CVE-2021-25679 | 1 Adtran | 3 Netvanta 7060, Netvanta 7100, Personal Phone Manager | 2021-04-23 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. | |||||
| CVE-2019-14338 | 1 Dlink | 4 6600-ap, 6600-ap Firmware, Dwl-3600ap and 1 more | 2021-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authentication admin.cgi?action= XSS vulnerability on the management interface. | |||||
| CVE-2017-16765 | 1 Dlink | 2 Dwr-933, Dwr-933 Firmware | 2021-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi. | |||||
| CVE-2019-6969 | 1 Dlink | 2 Dva-5592, Dva-5592 Firmware | 2021-04-23 | 5.0 MEDIUM | 7.5 HIGH |
| The web interface of the D-Link DVA-5592 20180823 is vulnerable to an authentication bypass that allows an unauthenticated user to have access to sensitive information such as the Wi-Fi password and the phone number (if VoIP is in use). | |||||
| CVE-2019-6968 | 1 Dlink | 2 Dva-5592, Dva-5592 Firmware | 2021-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The web interface of the D-Link DVA-5592 20180823 is vulnerable to XSS because HTML form parameters are directly reflected. | |||||
| CVE-2020-25786 | 1 Dlink | 12 Dir-645, Dir-645 Firmware, Dir-803 and 9 more | 2021-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** webinc/js/info.php on D-Link DIR-816L 2.06.B09_BETA and DIR-803 1.04.B02 devices allows XSS via the HTTP Referer header. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: this is typically not exploitable because of URL encoding (except in Internet Explorer) and because a web page cannot specify that a client should make an additional HTTP request with an arbitrary Referer header. | |||||
| CVE-2019-19742 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2021-04-23 | 3.5 LOW | 4.8 MEDIUM |
| On D-Link DIR-615 devices, the User Account Configuration page is vulnerable to blind XSS via the name field. | |||||
| CVE-2018-15874 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2021-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability on D-Link DIR-615 routers 20.07 allows an attacker to inject JavaScript into the "Status -> Active Client Table" page via the hostname field in a DHCP request. | |||||
| CVE-2018-15875 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2021-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability on D-Link DIR-615 routers 20.07 allows attackers to inject JavaScript into the router's admin UPnP page via the description field in an AddPortMapping UPnP SOAP request. | |||||
| CVE-2020-25864 | 1 Hashicorp | 1 Consul | 2021-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. | |||||
| CVE-2018-16605 | 1 Dlink | 2 Dir-600m, Dir-600m Firmware | 2021-04-23 | 3.5 LOW | 5.4 MEDIUM |
| D-Link DIR-600M devices allow XSS via the Hostname and Username fields in the Dynamic DNS Configuration page. | |||||
| CVE-2021-29370 | 1 Cheetah Browser Project | 1 Cheetah Browser | 2021-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website. | |||||
| CVE-2019-11017 | 1 Dlink | 2 Di-524, Di-524 Firmware | 2021-04-23 | 3.5 LOW | 4.8 MEDIUM |
| On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vulnerabilities were found in the Web Configuration: /spap.htm, /smap.htm, and /cgi-bin/smap, as demonstrated by the cgi-bin/smap RC parameter. | |||||
| CVE-2020-28141 | 1 Online Discussion Forum Project | 1 Online Discussion Forum | 2021-04-23 | 3.5 LOW | 5.4 MEDIUM |
| The messaging subsystem in the Online Discussion Forum 1.0 is vulnerable to XSS in the message body. An authenticated user can send messages to arbitrary users on the system that include javascript that will execute when viewing the messages page. | |||||
| CVE-2017-3890 | 1 Blackberry | 2 Appliance-x, Workspaces Vapp | 2021-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting vulnerability in the BlackBerry WatchDox Server components Appliance-X, version 1.8.1 and earlier, and vAPP, versions 4.6.0 to 5.4.1, allows remote attackers to execute script commands in the context of the affected browser by persuading a user to click an attacker-supplied malicious link. | |||||
| CVE-2019-17663 | 1 D-link | 2 Dir-866l, Dir-866l Firmware | 2021-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| D-Link DIR-866L 1.03B04 devices allow XSS via HtmlResponseMessage in the device common gateway interface, leading to common injection. | |||||
| CVE-2021-31551 | 1 Mediawiki | 1 Mediawiki | 2021-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages. | |||||
| CVE-2021-29399 | 2 Php, Xmbforum2 | 2 Php, Xmb | 2021-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions 1.9.12.03 or 1.9.11.16. | |||||
| CVE-2021-31327 | 1 Remoteclinic | 1 Remote Clinic | 2021-04-22 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in Remote Clinic v2.0 in /medicines due to Medicine Name Field. | |||||
| CVE-2021-31329 | 1 Remoteclinic | 1 Remote Clinic | 2021-04-22 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Chat" and "Personal Address" field on staff/register.php | |||||
| CVE-2021-26030 | 1 Joomla | 1 Joomla\! | 2021-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page | |||||
| CVE-2021-26582 | 3 Hp, Microsoft, Redhat | 4 Hp-ux, Icewall Sso Dgfw, Windows and 1 more | 2021-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A security vulnerability in HPE IceWall SSO Domain Gateway Option (Dgfw) module version 10.0 on RHEL 5/6/7, version 10.0 on HP-UX 11i v3, version 10.0 on Windows and 11.0 on Windows could be exploited remotely to allow cross-site scripting (XSS). | |||||
| CVE-2021-27370 | 1 Monicahq | 1 Monica | 2021-04-22 | 3.5 LOW | 5.4 MEDIUM |
| The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field. | |||||
| CVE-2020-29247 | 1 Wondercms | 1 Wondercms | 2021-04-22 | 3.5 LOW | 4.8 MEDIUM |
| WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Admin Panel. An attacker can inject the XSS payload in Page keywords and each time any user will visit the website, the XSS triggers, and the attacker can able to steal the cookie according to the crafted payload. | |||||
| CVE-2008-6495 | 1 Zirkon Box | 1 Yappa-ng | 2021-04-22 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in Fritz Berger yet another php photo album - next generation (yappa-ng) 2.3.2 allows remote attackers to inject arbitrary web script or HTML via the album parameter. | |||||
| CVE-2020-29593 | 1 Orchardproject | 1 Orchard | 2021-04-21 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Orchard before 1.10. The Media Settings Allowed File Types list field allows an attacker to add a XSS payload that will execute when users attempt to upload a disallowed file type, causing the error to display. | |||||
| CVE-2020-36288 | 1 Atlassian | 2 Data Center, Jira | 2021-04-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution. | |||||