Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27526 | 1 Dynpg | 1 Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "page" parameter. | |||||
| CVE-2020-24408 | 1 Magento | 1 Magento | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file. | |||||
| CVE-2020-27224 | 1 Eclipse | 1 Theia | 2021-03-25 | 9.3 HIGH | 9.6 CRITICAL |
| In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code. | |||||
| CVE-2012-6708 | 1 Jquery | 1 Jquery | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common. | |||||
| CVE-2021-28160 | 1 Acexy Wireless-n Wifi Repeater Project | 2 Acexy Wireless-n Wifi Repeater, Acexy Wireless-n Wifi Repeater Firmware | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) suffers from a reflected XSS vulnerability due to unsanitized SSID value when the latter is displayed in the /repeater.html page ("Repeater Wizard" homepage section). | |||||
| CVE-2021-28109 | 1 Compassplus | 1 Tranzware Fimi | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected Cross-Site Scripting (XSS). | |||||
| CVE-2021-24128 | 1 Wpdarko | 1 Team Members | 2021-03-25 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member. | |||||
| CVE-2021-27436 | 1 Advantech | 1 Webaccess\/scada | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scripting, which may allow an attacker to send malicious JavaScript code to an unsuspecting user, which could result in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions. | |||||
| CVE-2021-28126 | 1 Compassplus | 1 Tranzware E-commerce Payment Gateway | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a Stored cross-site scripting (XSS) vulnerability | |||||
| CVE-2021-24127 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2021-03-25 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, was vulnerable to authenticated Stored Cross-Site Scripting (XSS), which could lead to privilege escalation. | |||||
| CVE-2020-6578 | 1 Zen-cart | 1 Zen Cart | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php. | |||||
| CVE-2021-29025 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/my_images.php URI. | |||||
| CVE-2021-24136 | 1 Axelerant | 1 Testimonials Widget | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location - Company - Email - URL | |||||
| CVE-2021-24126 | 1 Enviragallery | 1 Envira Gallery | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation. | |||||
| CVE-2021-27309 | 1 Csphere | 1 Clansphere | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Clansphere CMS 2011.4 allows unauthenticated reflected XSS via "module" parameter. | |||||
| CVE-2021-27310 | 1 Csphere | 1 Clansphere | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Clansphere CMS 2011.4 allows unauthenticated reflected XSS via "language" parameter. | |||||
| CVE-2021-25922 | 1 Open-emr | 1 Openemr | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code. | |||||
| CVE-2021-25919 | 1 Open-emr | 1 Openemr | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user. | |||||
| CVE-2021-25921 | 1 Open-emr | 1 Openemr | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit. | |||||
| CVE-2021-28968 | 1 Gnu | 1 Punbb | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in PunBB before 1.4.6. An XSS vulnerability in the [email] BBcode tag allows (with authentication) injecting arbitrary JavaScript into any forum message. | |||||
| CVE-2021-24129 | 1 Themify | 1 Portfolio Post | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation. | |||||
| CVE-2021-24134 | 1 Constantcontact | 1 Constant Contact Forms | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed. | |||||
| CVE-2021-24135 | 1 Gowebsolutions | 1 Wp Customer Reviews | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities allowing remote attackers to inject arbitrary JavaScript code or HTML. | |||||
| CVE-2021-29033 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/edit_group.php URI. | |||||
| CVE-2021-29032 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/preferences.php URI. | |||||
| CVE-2021-29031 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/users_import.php URI. | |||||
| CVE-2021-29030 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/index.php URI. | |||||
| CVE-2021-29029 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/edit_personal_page.php URI. | |||||
| CVE-2021-29026 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/permissions.php URI. | |||||
| CVE-2021-29027 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/index.php URI. | |||||
| CVE-2021-29028 | 1 Bitweaver | 1 Bitweaver | 2021-03-24 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/user_activity.php URI. | |||||
| CVE-2020-28149 | 1 Mydbr | 1 Mydbr | 2021-03-24 | 6.8 MEDIUM | 9.6 CRITICAL |
| myDBR 5.8.3/4262 is affected by: Cross Site Scripting (XSS). The impact is: execute arbitrary code (remote). The component is: CSRF Token. The attack vector is: CSRF token injection to XSS. | |||||
| CVE-2021-24147 | 1 Webnus | 1 Modern Events Calendar Lite | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. | |||||
| CVE-2021-21383 | 1 Requarks | 1 Wiki.js | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM |
| Wiki.js an open-source wiki app built on Node.js. Wiki.js before version 2.5.191 is vulnerable to stored cross-site scripting through mustache expressions in code blocks. This vulnerability exists due to mustache expressions being parsed by Vue during content injection even though it is contained within a `<pre>` element. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. For an example see referenced GitHub Security Advisory. Commit 5ffa189383dd716f12b56b8cae2ba0d075996cf1 fixes this vulnerability by adding the v-pre directive to all `<pre>` tags during the render. | |||||
| CVE-2021-20279 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-03-23 | 3.5 LOW | 5.4 MEDIUM |
| The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2019-18233 | 1 Advantech | 2 Spectre Rt Ert351, Spectre Rt Ert351 Firmware | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Advantech Spectre RT Industrial Routers ERT351 5.1.3 and prior, the affected product does not neutralize special characters in the error response, allowing attackers to use a reflected XSS attack. | |||||
| CVE-2021-24124 | 1 Terryl | 1 Wp Shieldon | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, leads to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is shown could lead to privileged escalation. | |||||
| CVE-2021-20628 | 2 Cybozu, Mozilla | 2 Office, Firefox | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. Note that this vulnerability occurs only when using Mozilla Firefox. | |||||
| CVE-2021-20627 | 1 Cybozu | 1 Office | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20629 | 1 Cybozu | 1 Office | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in E-mail of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2019-12905 | 1 Afian | 1 Filerun | 2021-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman§ion=do&page=up URI. This issue has been fixed in FileRun 2019.06.01. | |||||
| CVE-2021-25277 | 1 Ftapi | 1 Ftapi | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| FTAPI 4.0 - 4.10 allows XSS via a crafted filename to the alternative text hover box in the file submission component. | |||||
| CVE-2021-25278 | 1 Ftapi | 1 Ftapi | 2021-03-22 | 3.5 LOW | 4.8 MEDIUM |
| FTAPI 4.0 through 4.10 allows XSS via an SVG document to the Background Image upload feature in the Submit Box Template Editor. | |||||
| CVE-2021-20665 | 1 Movabletype | 4 Movable Type, Movable Type Advanced, Movable Type Premium and 1 more | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in in Add asset screen of Contents field of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20664 | 1 Movabletype | 4 Movable Type, Movable Type Advanced, Movable Type Premium and 1 more | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20663 | 1 Movabletype | 4 Movable Type, Movable Type Advanced, Movable Type Premium and 1 more | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in in Role authority setting screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-28380 | 1 Aimeos Project | 1 Aimeos | 2021-03-22 | 3.5 LOW | 5.4 MEDIUM |
| The aimeos (aka Aimeos shop and e-commerce framework) extension before 19.10.12 and 20.x before 20.10.5 for TYPO3 allows XSS via a backend user account. | |||||
| CVE-2021-27938 | 1 Symbiote | 1 Silverstripe Queued Jobs | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module. A Cross Site Scripting vulnerability allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL. | |||||
| CVE-2020-24912 | 1 Qcubed | 1 Qcubed | 2021-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions including 3.1.1) in profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users. | |||||
| CVE-2016-9473 | 1 Brave | 1 Browser | 2021-03-19 | 4.3 MEDIUM | 4.7 MEDIUM |
| Brave Browser iOS before 1.2.18 and Brave Browser Android 1.9.56 and earlier suffer from Full Address Bar Spoofing, allowing attackers to trick a victim by displaying a malicious page for legitimate domain names. | |||||