Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-13418 | 1 Openiam | 1 Openiam | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | OpenIAM before 4.2.0.3 allows XSS in the Add New User feature. |
| CVE-2021-24156 | 1 Testimonial Rotator Project | 1 Testimonial Rotator | 2021-04-08 | 3.5 LOW | 5.4 MEDIUM | Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users (Contributor) to inject arbitrary JavaScript code or HTML without approval. This could lead to privilege escalation. |
| CVE-2020-4792 | 1 Ibm | 1 Edge Application Manager | 2021-04-08 | 3.5 LOW | 5.4 MEDIUM | IBM Edge 4.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 189441. |
| CVE-2020-4997 | 1 Ibm | 1 Infosphere Information Server | 2021-04-08 | 3.5 LOW | 5.4 MEDIUM | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192914. |
| CVE-2021-30056 | 1 Eng | 1 Knowage | 2021-04-08 | 3.5 LOW | 5.4 MEDIUM | Knowage Suite before 7.4 is vulnerable to reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in /restful-services/publish via the 'EXEC_FROM' parameter that can lead to data leakage. |
| CVE-2021-30058 | 1 Eng | 1 Knowage | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). An attacker can inject arbitrary external script in '/knowagecockpitengine/api/1.0/pages/execute' via the 'SBI_HOST' parameter. |
| CVE-2021-24152 | 1 Sygnoos | 1 Popup Builder | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. |
| CVE-2021-30074 | 1 Docsifyjs | 1 Docsify | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | docsify 4.12.1 is affected by Cross Site Scripting (XSS) because the search component does not appropriately encode Code Blocks and mishandles the " character. |
| CVE-2021-20685 | 1 Daifukuya | 1 Kagemai | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in Kagemai 0.8.8 allows remote attackers to inject an arbitrary script via unspecified vectors. |
| CVE-2021-20686 | 1 Daifukuya | 1 Kagemai | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in Kagemai 0.8.8 allows remote attackers to inject an arbitrary script via unspecified vectors. |
| CVE-2021-20689 | 1 Yomi-search Project | 1 Yomi-search | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in Yomi-Search Ver4.22 allows remote attackers to inject an arbitrary script via unspecified vectors. |
| CVE-2021-20690 | 1 Yomi-search Project | 1 Yomi-search | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in Yomi-Search Ver4.22 allows remote attackers to inject an arbitrary script via unspecified vectors. |
| CVE-2021-20691 | 1 Yomi-search Project | 1 Yomi-search | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in Yomi-Search Ver4.22 allows remote attackers to inject an arbitrary script via unspecified vectors. |
| CVE-2018-6590 | 1 Broadcom | 1 Ca Api Developer Portal | 2021-04-08 | 4.3 MEDIUM | 6.1 MEDIUM | CA API Developer Portal 4.x, prior to v4.2.5.3 and v4.2.7.1, has an unspecified reflected cross-site scripting vulnerability. |
| CVE-2021-29661 | 1 Softing | 1 Opc Toolbox | 2021-04-08 | 3.5 LOW | 5.4 MEDIUM | Softing AG OPC Toolbox through 4.10.1.13035 allows /en/diag_values.html Stored XSS via the ITEMLISTVALUES##ITEMID parameter, resulting in JavaScript payload injection into the trace file. This payload will then be triggered every time an authenticated user browses the page containing it. |
| CVE-2020-9995 | 1 Apple | 1 Macos Server | 2021-04-07 | 5.8 MEDIUM | 6.1 MEDIUM | An issue existed in the parsing of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Server 5.11. Processing a maliciously crafted URL may lead to an open redirect or cross site scripting. |
| CVE-2019-6504 | 1 Broadcom | 1 Automic Workload Automation | 2021-04-07 | 4.3 MEDIUM | 6.1 MEDIUM | Insufficient output sanitization in the Automic Web Interface (AWI), in CA Automic Workload Automation 12.0 to 12.2, allows attackers to potentially conduct persistent cross site scripting (XSS) attacks via a crafted object. |
| CVE-2021-22196 | 1 Gitlab | 1 Gitlab | 2021-04-07 | 3.5 LOW | 5.4 MEDIUM | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name. |
| CVE-2021-30003 | 1 Nokia | 2 G-120w-f, G-120w-f Firmware | 2021-04-07 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered on Nokia G-120W-F 3FE46606AGAB91 devices. There is Stored XSS in the administrative interface via urlfilter.cgi?add url_address. |
| CVE-2021-28047 | 1 Devolutions | 1 Remote Desktop Manager | 2021-04-06 | 3.5 LOW | 5.4 MEDIUM | Cross-Site Scripting (XSS) in Administrative Reports in Devolutions Remote Desktop Manager before 2021.1 allows remote authenticated users to inject arbitrary web script or HTML via multiple input fields. |
| CVE-2021-23006 | 1 F5 | 1 Big-iq Centralized Management | 2021-04-06 | 4.3 MEDIUM | 6.1 MEDIUM | On all 7.x and 6.x versions (fixed in 8.0.0), undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
| CVE-2021-23922 | 1 Devolutions | 1 Remote Desktop Manager | 2021-04-06 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in Devolutions Remote Desktop Manager before 2020.2.12. There is a cross-site scripting (XSS) vulnerability in webviews. |
| CVE-2021-23925 | 1 Devolutions | 1 Devolutions Server | 2021-04-06 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Devolutions Server before 2020.3. There is a cross-site scripting (XSS) vulnerability in entries of type Document. |
| CVE-2012-1254 | 1 Segue Project | 1 Segue | 2021-04-06 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in Segue 2.2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2021-29663 | 1 Course Registration Management System Project | 1 Course Registration Management System | 2021-04-06 | 3.5 LOW | 4.8 MEDIUM | CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page. |
| CVE-2018-13380 | 1 Fortinet | 2 Fortios, Fortiproxy | 2021-04-06 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0, 1.2.8 and below under SSL VPN web portal allows an attacker to execute unauthorized malicious script code via the error or message handling parameters. |
| CVE-2019-12962 | 1 Livezilla | 1 Livezilla | 2021-04-06 | 4.3 MEDIUM | 6.1 MEDIUM | LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header. |
| CVE-2015-5532 | 1 Strangerstudios | 1 Paid Memberships Pro | 2021-04-06 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to membershiplevels.php, (2) memberslist.php, or (3) orders.php in adminpages/ or the (4) edit parameter to adminpages/membershiplevels.php. |
| CVE-2021-21418 | 1 Prestashop | 1 Ps Emailsubscription | 2021-04-06 | 3.5 LOW | 5.4 MEDIUM | ps_emailsubscription is a newsletter subscription module for the PrestaShop platform. An employee can inject JavaScript in the newsletter condition field that will then be executed on the front office. The issue has been fixed in 2.6.1. |
| CVE-2021-22993 | 1 F5 | 2 Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager | 2021-04-05 | 6.8 MEDIUM | 8.8 HIGH | On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, DOM-based XSS on DoS Profile properties page. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
| CVE-2021-22994 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2021-04-05 | 4.3 MEDIUM | 6.1 MEDIUM | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. This vulnerability is due to an incomplete fix for CVE-2020-5948. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
| CVE-2021-21635 | 1 Jenkins | 1 Rest List Parameter | 2021-04-05 | 3.5 LOW | 5.4 MEDIUM | Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. |
| CVE-2021-27349 | 1 Algolplus | 1 Advanced Order Export | 2021-04-02 | 4.3 MEDIUM | 6.1 MEDIUM | Advanced Order Export before 3.1.8 for WooCommerce allows XSS, a different vulnerability than CVE-2020-11727. |
| CVE-2020-19618 | 1 Mblog Project | 1 Mblog | 2021-04-02 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post content field to /post/editing. |
| CVE-2020-19617 | 1 Mblog Project | 1 Mblog | 2021-04-02 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the nickname field to /settings/profile. |
| CVE-2020-19616 | 1 Mblog Project | 1 Mblog | 2021-04-02 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post header field to /post/editing. |
| CVE-2020-19619 | 1 Mblog Project | 1 Mblog | 2021-04-02 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the signature field to /settings/profile. |
| CVE-2021-21398 | 1 Prestashop | 1 Prestashop | 2021-04-02 | 3.5 LOW | 5.4 MEDIUM | PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.7.3, an attacker can inject HTML when the Grid Column Type DataColumn is badly used. The problem is fixed in 1.7.7.3. |
| CVE-2021-21630 | 1 Jenkins | 1 Extra Columns | 2021-04-02 | 3.5 LOW | 5.4 MEDIUM | Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. |
| CVE-2021-21628 | 1 Jenkins | 1 Build With Parameters | 2021-04-02 | 3.5 LOW | 5.4 MEDIUM | Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. |
| CVE-2021-27969 | 1 Boonex | 1 Dolphin | 2021-04-02 | 3.5 LOW | 4.8 MEDIUM | Dolphin CMS 7.4.2 is vulnerable to stored XSS via the Page Builder "width" parameter. |
| CVE-2020-23839 | 1 Get-simple | 1 Getsimple Cms | 2021-04-01 | 4.3 MEDIUM | 6.1 MEDIUM | A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form. |
| CVE-2020-25840 | 1 Microfocus | 1 Access Manager | 2021-04-01 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-Site scripting vulnerability in Micro Focus Access Manager product, affects all versions prior to version 5.0. The vulnerability could cause configuration destruction. |
| CVE-2020-25902 | 1 Blackboard | 1 Collaborate Ultra | 2021-04-01 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** Blackboard Collaborate Ultra 20.02 is affected by a cross-site scripting (XSS) vulnerability. The XSS payload will execute in the class room, which leads to stealing cookies from users who join the class. NOTE: Third parties dispute the validity of this entry as a possible false positive during research. |
| CVE-2021-26596 | 1 Nokia | 1 Netact | 2021-04-01 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used. |
| CVE-2020-19643 | 1 Insma | 2 Wifi Mini Spy 1080p Hd Security Ip Camera, Wifi Mini Spy 1080p Hd Security Ip Camera Firmware | 2021-04-01 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B via all fields in the FTP settings page to the "goform/formSetFtpCfg" settings page. |
| CVE-2020-20545 | 1 Seeyon | 1 G6 Government Collaborative System | 2021-04-01 | 3.5 LOW | 5.4 MEDIUM | Cross-Site Scripting (XSS) vulnerability in Zhiyuan G6 Government Collaboration System V6.1SP1, via the 'method' parameter to 'seeyon/hrSalary.do'. |
| CVE-2021-3275 | 1 Tp-link | 10 Archer-c3150, Archer-c3150 Firmware, Td-w9977 and 7 more | 2021-04-01 | 4.3 MEDIUM | 6.1 MEDIUM | Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages, including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm, use this vulnerable hostname function (setDefaultHostname()) without sanitization. |
| CVE-2019-3826 | 2 Prometheus, Redhat | 2 Prometheus, Openshift Container Platform | 2021-03-31 | 4.3 MEDIUM | 6.1 MEDIUM | A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts. |
| CVE-2021-20447 | 1 Ibm | 6 Engineering Insights, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 3 more | 2021-03-31 | 3.5 LOW | 5.4 MEDIUM | IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196623. |
