Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-1380 | 1 Cisco | 3 Unified Communications Manager, Unified Communications Manager Im \& Presence Service, Unity Connection | 2021-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2021-1463 | 1 Cisco | 2 Unified Contact Center Express, Unified Intelligence Center | 2021-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Intelligence Center Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2016-1599 | 1 Microfocus | 1 Self Service Password Reset | 2021-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in NetIQ Self Service Password Reset (SSPR) 2.x and 3.x before 3.3.1 HF2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2012-0428 | 1 Microfocus | 1 Edirectory | 2021-04-13 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in NetIQ eDirectory 8.8.6.x before 8.8.6.7 and 8.8.7.x before 8.8.7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2021-22510 | 1 Microfocus | 1 Application Automation Tools | 2021-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects all version 6.7 and earlier versions. | |||||
| CVE-2021-30113 | 1 Web-school | 1 Enterprise Resource Planning | 2021-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A blind XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in event name and description fields. An attacker can inject a JavaScript code that will be stored in the page. If any visitor sees the event, then the payload will be executed and sends the victim's information to the attacker website. | |||||
| CVE-2021-30111 | 1 Web-school | 1 Enterprise Resource Planning | 2021-04-13 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in the event name and description fields. An attack can inject a JavaScript code that will be stored in the page. If any visitor sees the events, then the payload will be executed. | |||||
| CVE-2020-23762 | 1 Larsens Calendar Project | 1 Larsens Calendar | 2021-04-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the Larsens Calender plugin Version <= 1.2 for WordPress allows remote attackers to execute arbitrary web script via the "titel" column on the "Eintrage hinzufugen" tab. | |||||
| CVE-2020-23761 | 1 Intelliants | 1 Subrion | 2021-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in subrion CMS Version <= 4.2.1 allows remote attackers to execute arbitrary web script via the "payment gateway" column on transactions tab. | |||||
| CVE-2021-30146 | 1 Seafile | 1 Seafile | 2021-04-12 | 3.5 LOW | 5.4 MEDIUM |
| Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality." | |||||
| CVE-2021-28924 | 1 Nagios | 1 Network Analyzer | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page. | |||||
| CVE-2021-20684 | 1 Magazinegerz Project | 1 Magazinegerz | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in MagazinegerZ v.1.01 allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20688 | 1 Click-ranker | 1 Click Ranker | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Click Ranker Ver.3.5 allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-22157 | 1 Proofpoint | 1 Insider Threat Management | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.11.1 allows stored XSS. | |||||
| CVE-2015-2827 | 1 Broadcom | 1 Spectrum | 2021-04-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in CA Spectrum 9.2.x and 9.3.x before 9.3 H02 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-5968 | 2 Broadcom, Ca | 2 Siteminder, Web Agents | 2021-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in CA SiteMinder 12.0 through 12.51, and SiteMinder 6 Web Agents, allows remote attackers to inject arbitrary web script or HTML via vectors involving a " (double quote) character. | |||||
| CVE-2014-8247 | 1 Broadcom | 1 Release Automation | 2021-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in CA Release Automation (formerly iTKO LISA Release Automation) before 4.7.1 b448 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-8699 | 1 Broadcom | 1 Release Automation | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in CA Release Automation (formerly LISA Release Automation) 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and 6.1.0 before 6.1.0-1026 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-13825 | 2 Broadcom, Ca | 2 Project Portfolio Management, Project Portfolio Management | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient input validation in the gridExcelExport functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to execute reflected cross-site scripting attacks. | |||||
| CVE-2021-24208 | 1 Themeum | 1 Wp Page Builder | 2021-04-12 | 3.5 LOW | 5.4 MEDIUM |
| The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action. It is also possible to insert malicious JavaScript via the “wppb_page_css” parameter (this can be done by closing out the style tag and opening a script tag) when performing the “wppb_page_save” AJAX action. | |||||
| CVE-2017-6958 | 1 Mantisbt | 1 Source Integration | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability in the MantisBT Source Integration Plugin (before 2.0.2) search result page allows an attacker to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by crafting any valid parameter. | |||||
| CVE-2021-24211 | 1 Wphive | 1 Wordpress Related Posts | 2021-04-12 | 3.5 LOW | 5.4 MEDIUM |
| The WordPress Related Posts plugin through 3.6.4 contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. By exploiting that an attacker will be able to execute JavaScript code in the user's browser. | |||||
| CVE-2021-29996 | 1 Marktext | 1 Marktext | 2021-04-12 | 6.8 MEDIUM | 9.6 CRITICAL |
| Mark Text through 0.16.3 allows attackers arbitrary command execution. This could lead to Remote Code Execution (RCE) by opening .md files containing a mutation Cross Site Scripting (XSS) payload. | |||||
| CVE-2021-24153 | 1 Yoast | 1 Yoast Seo | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis as well as several functions such as alert but bypasses were found. | |||||
| CVE-2013-2630 | 1 Broadcom | 1 Service Desk Manager | 2021-04-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in CA Service Desk Manager 12.5 through 12.7 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |||||
| CVE-2008-4119 | 2 Broadcom, Ca | 2 Service Desk, Cmdb | 2021-04-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in CA Service Desk 11.2 and CMDB 11.0 through 11.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "multiple web forms." | |||||
| CVE-2021-30151 | 1 Contribsys | 1 Sidekiq | 2021-04-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. | |||||
| CVE-2021-24196 | 1 Cm-wp | 1 Social Slider Widget | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| The Social Slider Widget WordPress plugin before 1.8.5 allowed Authenticated Reflected XSS in the plugin settings page as the ‘token_error’ parameter can be controlled by users and it is directly echoed without being sanitized | |||||
| CVE-2021-24203 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request with this parameter set to ‘script’ and combined with a ‘text’ parameter containing JavaScript, which will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24204 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24201 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24202 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request with this parameter set to ‘script’ and combined with a ‘title’ parameter containing JavaScript, which will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24205 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_size’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24206 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_size’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2007-5472 | 1 Broadcom | 1 Host-based Intrusion Prevention System | 2021-04-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Server component in CA Host-Based Intrusion Prevention System (HIPS) before 8.0.0.93 allows remote attackers to inject arbitrary web script or HTML via requests that are written to logs for later display in the log viewer. | |||||
| CVE-2007-6406 | 1 Broadcom | 1 Etrust Threat Management Console | 2021-04-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in CA (formerly Computer Associates) eTrust Threat Management Console allow remote attackers to inject arbitrary web script or HTML via the IP Address field and other unspecified fields. | |||||
| CVE-2021-24157 | 1 Themeisle | 1 Orbit Fox | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfiltered_html capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be malicious. | |||||
| CVE-2014-5216 | 1 Microfocus | 1 Access Manager | 2021-04-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in a dev.Empty action to nps/servlet/webacc, (2) the error parameter to nidp/jsp/x509err.jsp, (3) the lang parameter to sslvpn/applet_agent.jsp, or (4) the secureLoggingServersA parameter to roma/system/cntl, a different issue than CVE-2014-9412. | |||||
| CVE-2014-9412 | 1 Microfocus | 1 Access Manager | 2021-04-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to nps/servlet/webacc, a different issue than CVE-2014-5216. | |||||
| CVE-2007-5923 | 1 Broadcom | 1 Etrust Siteminder | 2021-04-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in forms/smpwservices.fcc in CA (formerly Computer Associates) eTrust SiteMinder Agent allows remote attackers to inject arbitrary web script or HTML via the SMAUTHREASON parameter, a different vector than CVE-2005-2204. | |||||
| CVE-2018-7681 | 1 Microfocus | 1 Solutions Business Manager | 2021-04-09 | 3.5 LOW | 4.8 MEDIUM |
| Micro Focus Solutions Business Manager versions prior to 11.4 allows JavaScript to be embedded in URLs placed in "Favorites" folder. If the user has certain administrative privileges then this vulnerability can impact other users in the system. | |||||
| CVE-2018-7680 | 1 Microfocus | 1 Solutions Business Manager | 2021-04-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Micro Focus Solutions Business Manager versions prior to 11.4 can reflect back HTTP header values. | |||||
| CVE-2021-24180 | 1 Never5 | 1 Related Posts | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding within the Related Posts for WordPress plugin before 2.0.4 lead to a Reflected Cross-Site Scripting (XSS) vulnerability within the 'lang' GET parameter while editing a post, triggered when users with the capability of editing posts access a malicious URL. | |||||
| CVE-2021-24177 | 1 Webdesi9 | 1 File Manager | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. The payload is then reflected back on the web application response. | |||||
| CVE-2015-2944 | 1 Apache | 2 Sling Api, Sling Servlets Post | 2021-04-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse. | |||||
| CVE-2021-24168 | 1 Easy Contact Form Pro Project | 1 Easy Contact Form Pro | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. This could allow medium privilege accounts (such as author and editor) to perform XSS attacks against high privilege ones like administrator. | |||||
| CVE-2021-1879 | 1 Apple | 3 Ipad Os, Iphone Os, Watchos | 2021-04-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| This issue was addressed by improved management of object lifetimes. This issue is fixed in iOS 12.5.2, iOS 14.4.2 and iPadOS 14.4.2, watchOS 7.3.3. Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.. | |||||
| CVE-2021-30150 | 1 Ocproducts | 1 Composr | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Composr 10.0.36 allows XSS in an XML script. | |||||
| CVE-2021-30125 | 1 Jamf | 1 Jamf | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jamf Pro before 10.28.0 allows XSS related to inventory history, aka PI-009376. | |||||
| CVE-2021-30109 | 1 Froala | 1 Froala Editor | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). Under certain conditions, a base64 crafted string leads to persistent Cross-site scripting (XSS) vulnerability within the hyperlink creation module. | |||||