Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-26812 | 1 Jitsi | 1 Meet | 2021-04-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in the Jitsi Meet 2.7 through 2.8.3 plugin for Moodle via the "sessionpriv.php" module. This allows attackers to craft a malicious URL, which when clicked on by users, can inject javascript code to be run by the application. | |||||
| CVE-2020-15803 | 1 Zabbix | 1 Zabbix | 2021-04-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget. | |||||
| CVE-2021-27180 | 1 Altn | 1 Mdaemon | 2021-04-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MDaemon before 20.0.4. There is Reflected XSS in Webmail (aka WorldClient). It can be exploited via a GET request. It allows performing any action with the privileges of the attacked user. | |||||
| CVE-2018-2504 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. | |||||
| CVE-2020-21088 | 1 X2engine | 1 X2crm | 2021-04-21 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page" | |||||
| CVE-2021-27288 | 1 X2engine | 1 X2crm | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page. | |||||
| CVE-2021-3243 | 1 Wfiltericf | 1 Wfilter Internet Content Filter | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wfilter ICF 5.0.117 contains a cross-site scripting (XSS) vulnerability. An attacker in the same LAN can craft a packet with a malicious User-Agent header to inject a payload in its logs, where an attacker can take over the system by through its plugin-running function. | |||||
| CVE-2017-11458 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783. | |||||
| CVE-2018-2452 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2016-3975 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375. | |||||
| CVE-2021-27601 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. | |||||
| CVE-2021-24225 | 1 Elbtide | 1 Advanced Booking Calendar | 2021-04-20 | 3.5 LOW | 5.4 MEDIUM |
| The Advanced Booking Calendar WordPress plugin before 1.6.7 did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputing it in an A tag, leading to a reflected XSS issue | |||||
| CVE-2008-1133 | 1 Drupal | 1 Drupal | 2021-04-20 | 4.3 MEDIUM | N/A |
| The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks. | |||||
| CVE-2019-10909 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2021-04-20 | 3.5 LOW | 5.4 MEDIUM |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. | |||||
| CVE-2017-11175 | 1 Siemens | 1 Fin Stack | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In J2 Innovations FIN Stack 4.0, the authentication webform is vulnerable to reflected XSS via the query string to /login. | |||||
| CVE-2021-25926 | 1 Sickrage | 1 Sickrage | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In SiCKRAGE, versions 9.3.54.dev1 to 10.0.11.dev1 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly in the `quicksearch` feature. Therefore, an attacker can steal a user's sessionID to masquerade as a victim user, to carry out any actions in the context of the user. | |||||
| CVE-2021-25925 | 1 Sickrage | 1 Sickrage | 2021-04-20 | 3.5 LOW | 5.4 MEDIUM |
| in SiCKRAGE, versions 4.2.0 to 10.0.11.dev1 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly when processed by the server. Therefore, an attacker can inject arbitrary JavaScript code inside the application, and possibly steal a user’s sensitive information. | |||||
| CVE-2021-24213 | 1 Givewp | 1 Give | 2021-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page. | |||||
| CVE-2020-28124 | 1 Lavalite | 1 Lavalite | 2021-04-19 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field. | |||||
| CVE-2008-3218 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-19 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values. | |||||
| CVE-2021-26929 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2021-04-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses. | |||||
| CVE-2021-26832 | 1 Priority-software | 1 Priority Enterprise Management System | 2021-04-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in the "Reset Password" page form of Priority Enterprise Management System v8.00 allows attackers to execute javascript on behalf of the victim by sending a malicious URL or directing the victim to a malicious site. | |||||
| CVE-2020-35418 | 1 Group-office | 1 Group Office | 2021-04-19 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file. | |||||
| CVE-2020-35419 | 1 Group-office | 1 Group Office | 2021-04-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter. | |||||
| CVE-2020-35660 | 1 Monicahq | 1 Monica | 2021-04-19 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page. | |||||
| CVE-2021-27129 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-04-19 | 3.5 LOW | 5.4 MEDIUM |
| CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter. | |||||
| CVE-2021-20080 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2021-04-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file. | |||||
| CVE-2021-29438 | 1 Nextcloud\/dialogs Project | 1 Nextcloud\/dialogs | 2021-04-19 | 4.3 MEDIUM | 5.4 MEDIUM |
| The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version 3.1.2 If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag. | |||||
| CVE-2007-0136 | 1 Drupal | 1 Drupal | 2021-04-19 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2019-16935 | 1 Python | 1 Python | 2021-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. | |||||
| CVE-2020-21087 | 1 X2engine | 1 X2crm | 2021-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool. | |||||
| CVE-2021-1407 | 1 Cisco | 1 Unified Communications Manager | 2021-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2021-1409 | 1 Cisco | 3 Unified Communications Manager, Unified Communications Manager Im \& Presence Service, Unity Connection | 2021-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2021-1408 | 1 Cisco | 1 Unified Communications Manager | 2021-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2021-27600 | 1 Sap | 1 Manufacturing Execution | 2021-04-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. The malicious code can be used for different purposes. e.g., information can be read, modified, and sent to the attacker. However, availability of the server cannot be impacted. | |||||
| CVE-2021-27989 | 1 Appspace | 1 Appspace | 2021-04-16 | 3.5 LOW | 5.4 MEDIUM |
| Appspace 6.2.4 is vulnerable to stored cross-site scripting (XSS) in multiple parameters within /medianet/sgcontentset.aspx. | |||||
| CVE-2021-30637 | 1 Htmly | 1 Htmly | 2021-04-16 | 3.5 LOW | 5.4 MEDIUM |
| htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php. | |||||
| CVE-2018-0388 | 1 Cisco | 1 Wireless Lan Controller Software | 2021-04-16 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based interface of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web-based interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. | |||||
| CVE-2020-24138 | 1 Wcms | 1 Wcms | 2021-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in wcms 0.3.2 allows remote attackers to inject arbitrary web script and HTML via the pagename parameter to wex/html.php. | |||||
| CVE-2020-24135 | 1 Wcms | 1 Wcms | 2021-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Wcms 0.3.2, which allows remote attackers to inject arbitrary web script and HTML via the type parameter to wex/cssjs.php. | |||||
| CVE-2020-15500 | 1 Tileserver | 1 Tileservergl | 2021-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS. | |||||
| CVE-2012-5569 | 3 Basic Webmail Project, Drupal, Jason Flatt | 3 Basic Webmail, Drupal, Basic Webmail | 2021-04-15 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via a (1) page title or (2) crafted email message. | |||||
| CVE-2021-25894 | 1 Magnolia-cms | 1 Magnolia Cms | 2021-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the /magnoliaPublic/travel/members/login.html mgnlUserId parameter. | |||||
| CVE-2021-25893 | 1 Magnolia-cms | 1 Magnolia Cms | 2021-04-15 | 3.5 LOW | 5.4 MEDIUM |
| Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the setText parameter of /magnoliaAuthor/.magnolia/. | |||||
| CVE-2008-3219 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-15 | 4.3 MEDIUM | N/A |
| The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism. | |||||
| CVE-2021-27945 | 1 Squirro | 1 Squirro | 2021-04-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. | |||||
| CVE-2021-24228 | 1 Patreon | 1 Patreon Wordpress | 2021-04-14 | 6.8 MEDIUM | 9.6 CRITICAL |
| The Jetpack Scan team identified a Reflected Cross-Site Scripting in the Login Form of the Patreon WordPress plugin before 1.7.2. The WordPress login form (wp-login.php) is hooked by the plugin and offers to allow users to authenticate on the site using their Patreon account. Unfortunately, some of the error logging logic behind the scene allowed user-controlled input to be reflected on the login page, unsanitized. | |||||
| CVE-2021-24229 | 1 Patreon | 1 Patreon Wordpress | 2021-04-14 | 6.8 MEDIUM | 9.6 CRITICAL |
| The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress plugin before 1.7.2. This AJAX hook is used to update the pledge level required by Patreon subscribers to access a given attachment. This action is accessible for user accounts with the ‘manage_options’ privilege (i.e.., only administrators). Unfortunately, one of the parameters used in this AJAX endpoint is not sanitized before being printed back to the user, so the risk it represents is the same as the previous XSS vulnerability. | |||||
| CVE-2021-20519 | 1 Ibm | 12 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 9 more | 2021-04-13 | 4.3 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Team Server products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198441. | |||||
| CVE-2020-4920 | 1 Ibm | 12 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 9 more | 2021-04-13 | 4.3 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Team Server products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191396. | |||||