Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20352 | 1 Ibm | 6 Engineering Insights, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 3 more | 2021-03-31 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194710. | |||||
| CVE-2016-10510 | 2 Debian, Kohanaframework | 2 Debian Linux, Kohana | 2021-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php. | |||||
| CVE-2021-20518 | 1 Ibm | 6 Engineering Insights, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 3 more | 2021-03-31 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198437. | |||||
| CVE-2021-20520 | 1 Ibm | 6 Engineering Insights, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 3 more | 2021-03-31 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198572. | |||||
| CVE-2021-20506 | 1 Ibm | 6 Engineering Insights, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 3 more | 2021-03-31 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198231. | |||||
| CVE-2021-20504 | 1 Ibm | 6 Engineering Insights, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 3 more | 2021-03-31 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198231. | |||||
| CVE-2021-20503 | 1 Ibm | 6 Engineering Insights, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 3 more | 2021-03-31 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198182. | |||||
| CVE-2021-29267 | 1 Sherlockim | 1 Sherlockim | 2021-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sherlock SherlockIM through 2021-03-29 allows Cross Site Scripting (XSS) by leveraging the api/Files/Attachment URI to attack help-desk staff via the chatbot feature. | |||||
| CVE-2017-7725 | 1 Concrete5 | 1 Concrete5 | 2021-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any domain name in the Host header; this is stored and allows for arbitrary domains to be set for certain links displayed to subsequent visitors, potentially an XSS vector. | |||||
| CVE-2020-6816 | 1 Mozilla | 1 Bleach | 2021-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. | |||||
| CVE-2020-15275 | 1 Moinmo | 1 Moinmoin | 2021-03-30 | 3.5 LOW | 5.4 MEDIUM |
| MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes. | |||||
| CVE-2020-14042 | 1 Codiad | 1 Codiad | 2021-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Site Scripting (XSS) vulnerability was found in Codiad v1.7.8 and later. The vulnerability occurs because of improper sanitization of the folder's name $path variable in components/filemanager/class.filemanager.php. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." | |||||
| CVE-2020-6802 | 2 Fedoraproject, Mozilla | 2 Fedora, Bleach | 2021-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. | |||||
| CVE-2021-29274 | 1 Redmine | 1 Redmine | 2021-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. | |||||
| CVE-2021-22886 | 1 Rocket.chat | 1 Rocket.chat | 2021-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app. | |||||
| CVE-2021-23889 | 1 Mcafee | 1 Epolicy Orchestrator | 2021-03-30 | 3.5 LOW | 4.8 MEDIUM |
| Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. | |||||
| CVE-2020-35856 | 1 Solarwinds | 1 Orion Platform | 2021-03-29 | 3.5 LOW | 4.8 MEDIUM |
| SolarWinds Orion Platform before 2020.2.5 allows stored XSS attacks by an administrator on the Customize View page. | |||||
| CVE-2011-3983 | 1 Kent-web | 1 Web Forum | 2021-03-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in KENT-WEB WEB FORUM 5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to cookies. | |||||
| CVE-2021-1374 | 1 Cisco | 1 Ios Xe | 2021-03-29 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco IOS XE Wireless Controller software for the Catalyst 9000 Family of switches could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against another user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by authenticating to the device as a high-privileged user, adding certain configurations with malicious code in one of its fields, and persuading another user to click on it. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information. | |||||
| CVE-2021-25918 | 1 Open-emr | 1 Openemr | 2021-03-29 | 3.5 LOW | 4.8 MEDIUM |
| In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. | |||||
| CVE-2021-25917 | 1 Open-emr | 1 Openemr | 2021-03-29 | 3.5 LOW | 4.8 MEDIUM |
| In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. | |||||
| CVE-2021-28247 | 1 Ca | 1 Ehealth Performance Manager | 2021-03-29 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Cross Site Scripting (XSS). The impact is: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and perform a Reflected Cross-Site Scripting attack against the platform users. The affected endpoints are: cgi/nhWeb with the parameter report, aviewbin/filtermibobjects.pl with the parameter namefilter, and aviewbin/query.pl with the parameters System, SystemText, Group, and GroupText. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-20681 | 1 Basercms | 1 Basercms | 2021-03-29 | 3.5 LOW | 5.4 MEDIUM |
| Improper neutralization of JavaScript input in the page editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20683 | 1 Basercms | 1 Basercms | 2021-03-29 | 3.5 LOW | 5.4 MEDIUM |
| Improper neutralization of JavaScript input in the blog article editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2014-3786 | 1 Lucidcrew | 1 Pixie | 2021-03-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the contact module (admin/modules/contact.php) in Pixie CMS 1.04 allow remote attackers to inject arbitrary web script or HTML via the (1) uemail or (2) subject parameter in the Contact form to contact/. | |||||
| CVE-2017-7363 | 1 Lucidcrew | 1 Pixie | 2021-03-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pixie 1.0.4 allows an admin/index.php s=publish&m=module&x= XSS attack. | |||||
| CVE-2017-7360 | 1 Lucidcrew | 1 Pixie | 2021-03-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pixie 1.0.4 allows an admin/index.php s=settings&x= XSS attack. | |||||
| CVE-2017-7362 | 1 Lucidcrew | 1 Pixie | 2021-03-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pixie 1.0.4 allows an admin/index.php s=publish&m=dynamic&x= XSS attack. | |||||
| CVE-2017-7361 | 1 Lucidcrew | 1 Pixie | 2021-03-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pixie 1.0.4 allows an admin/index.php s=publish&m=static&x= XSS attack. | |||||
| CVE-2017-7359 | 1 Lucidcrew | 1 Pixie | 2021-03-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pixie 1.0.4 allows an admin/index.php s=login&m= XSS attack. | |||||
| CVE-2020-23517 | 1 Aryanic | 1 High Cms | 2021-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm. | |||||
| CVE-2021-22889 | 1 Revive-adserver | 1 Revive Adserver | 2021-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `statsBreakdown` parameter of stats.php (and possibly other scripts) due to single quotes not being escaped. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and pressing a certain key combination to execute injected JavaScript code. | |||||
| CVE-2021-22888 | 1 Revive-adserver | 1 Revive Adserver | 2021-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `status` parameter of campaign-zone-zones.php. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code. | |||||
| CVE-2018-10078 | 1 Vertiv | 1 Watchdog Console | 2021-03-27 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via a server description. | |||||
| CVE-2021-3124 | 1 Newtarget | 1 Custom Global Variables | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) in form field in robust.systems product Custom Global Variables v 1.0.5 allows a remote attacker to inject arbitrary code via the vars[0][name] field. | |||||
| CVE-2021-29009 | 1 Seopanel | 1 Seo Panel | 2021-03-26 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php in the "type" parameter. | |||||
| CVE-2021-29008 | 1 Seopanel | 1 Seo Panel | 2021-03-26 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via webmaster-tools.php in the "to_time" parameter. | |||||
| CVE-2021-29010 | 1 Seopanel | 1 Seo Panel | 2021-03-26 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php in the "report_type" parameter. | |||||
| CVE-2020-19626 | 1 Craftcms | 1 Craft Cms | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new. | |||||
| CVE-2021-21340 | 1 Typo3 | 1 Typo3 | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM |
| TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1 . | |||||
| CVE-2021-21358 | 1 Typo3 | 1 Typo3 | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM |
| TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1. | |||||
| CVE-2021-21370 | 1 Typo3 | 1 Typo3 | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM |
| TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. | |||||
| CVE-2021-22185 | 1 Gitlab | 1 Gitlab | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki | |||||
| CVE-2020-17457 | 1 Fujitsu | 1 Serverview Remote Management | 2021-03-25 | 3.5 LOW | 5.4 MEDIUM |
| Fujitsu ServerView Suite iRMC before 9.62F allows XSS. An authenticated attacker can store an XSS payload in the PSCU_FILE_INIT field of a Save Configuration XML document. The payload is triggered in the HTTP error response pages. | |||||
| CVE-2021-3327 | 1 Ovation | 1 Dynamic Content | 2021-03-25 | 3.5 LOW | 5.4 MEDIUM |
| Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_title parameter. | |||||
| CVE-2021-27530 | 1 Dynpg | 1 Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allow remote attacker to inject javascript via URI in /index.php. | |||||
| CVE-2021-27528 | 1 Dynpg | 1 Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "refID" parameter. | |||||
| CVE-2021-27527 | 1 Dynpg | 1 Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "valueID" parameter. | |||||
| CVE-2021-27529 | 1 Dynpg | 1 Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "limit" parameter. | |||||
| CVE-2021-27531 | 1 Dynpg | 1 Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "query" parameter. | |||||