Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-3473 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2021-03-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template. | |||||
| CVE-2013-6858 | 3 Canonical, Openstack, Opensuse | 3 Ubuntu Linux, Horizon, Opensuse | 2021-03-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topology" page. | |||||
| CVE-2021-27318 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2021-03-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the lastname parameter. | |||||
| CVE-2021-27317 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2021-03-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the comment parameter. | |||||
| CVE-2020-23518 | 1 Ultimatekode | 1 Neo Billing | 2021-03-08 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5 which allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2021-21515 | 1 Dell | 1 Emc Sourceone | 2021-03-08 | 3.5 LOW | 5.4 MEDIUM |
| Dell EMC SourceOne, versions 7.2SP10 and prior, contain a Stored Cross-Site Scripting vulnerability. A remote low privileged attacker may potentially exploit this vulnerability, to hijack user sessions or to trick a victim application user to unknowingly send arbitrary requests to the server. | |||||
| CVE-2020-13409 | 1 Tufin | 1 Securetrack | 2021-03-08 | 2.3 LOW | 5.9 MEDIUM |
| Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (that is, the value is reflected back to the user but is also stored in the DB and can later be triggered again by the same victim, or later by different users). Both the stored and reflected payloads are triggerable by an admin, so a malicious non-authenticated user could get admin-level access. Even a malicious low-privileged user can inject XSS that is executed by an admin, potentially elevating privileges and obtaining admin access. (issue 3 of 3) | |||||
| CVE-2020-13408 | 1 Tufin | 1 Securetrack | 2021-03-08 | 2.3 LOW | 5.9 MEDIUM |
| Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (that is, the value is reflected back to the user but is also stored in the DB and can later be triggered again by the same victim, or later by different users). Both the stored and reflected payloads are triggerable by an admin, so a malicious non-authenticated user could get admin-level access. Even a malicious low-privileged user can inject XSS that is executed by an admin, potentially elevating privileges and obtaining admin access. (issue 2 of 3) | |||||
| CVE-2020-13407 | 1 Tufin | 1 Securetrack | 2021-03-08 | 2.3 LOW | 5.9 MEDIUM |
| Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (that is, the value is reflected back to the user but is also stored in the DB and can later be triggered again by the same victim, or later by different users). Both the stored and reflected payloads are triggerable by an admin, so a malicious non-authenticated user could get admin-level access. Even a malicious low-privileged user can inject XSS that is executed by an admin, potentially elevating privileges and obtaining admin access. (issue 1 of 3) | |||||
| CVE-2021-27731 | 1 Accellion | 1 Fta | 2021-03-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint. The fixed version is FTA_9_12_444 and later. | |||||
| CVE-2021-23129 | 1 Joomla | 1 Joomla! | 2021-03-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages shown to users could lead to XSS issues. | |||||
| CVE-2020-4856 | 1 Ibm | 9 Doors Next, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 6 more | 2021-03-05 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190459. | |||||
| CVE-2021-23130 | 1 Joomla | 1 Joomla! | 2021-03-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to XSS issues. | |||||
| CVE-2021-20350 | 1 Ibm | 9 Doors Next, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 6 more | 2021-03-05 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194707. | |||||
| CVE-2021-20340 | 1 Ibm | 9 Doors Next, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 6 more | 2021-03-05 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194451. | |||||
| CVE-2020-4857 | 1 Ibm | 9 Doors Next, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 6 more | 2021-03-05 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190460. | |||||
| CVE-2020-4863 | 1 Ibm | 9 Doors Next, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 6 more | 2021-03-05 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190566. | |||||
| CVE-2021-20351 | 1 Ibm | 9 Doors Next, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 6 more | 2021-03-05 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194708. | |||||
| CVE-2020-4866 | 1 Ibm | 9 Doors Next, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 6 more | 2021-03-05 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190742. | |||||
| CVE-2021-26723 | 1 Jenzabar | 1 Jenzabar | 2021-03-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS. | |||||
| CVE-2020-35328 | 1 Courier Management System Project | 1 Courier Management System | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| Courier Management System 1.0 is affected by stored XSS via the 'First Name' field. | |||||
| CVE-2021-25299 | 1 Nagios | 1 Nagios Xi | 2021-03-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server. | |||||
| CVE-2020-26609 | 1 Fastadmin | 1 Fastadmin | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| fastadmin V1.0.0.20200506_beta contains a cross-site scripting (XSS) vulnerability which may allow an attacker to obtain administrator credentials and log in to the administrative backend. | |||||
| CVE-2014-9271 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2021-03-04 | 4.3 MEDIUM | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. | |||||
| CVE-2020-7575 | 1 Siemens | 4 Climatix Pol908, Climatix Pol908 Firmware, Climatix Pol909 and 1 more | 2021-03-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Climatix POL908 (BACnet/IP module) (All versions), Climatix POL909 (AWM module) (All versions < V11.32). A persistent cross-site scripting (XSS) vulnerability exists in the web server access log page of the affected devices that could allow an attacker to inject arbitrary JavaScript code via specially crafted GET requests. The code could be potentially executed later by another (privileged) user. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires no system privileges. An attacker could use the vulnerability to compromise the confidentiality and integrity of other users' web sessions. | |||||
| CVE-2020-7574 | 1 Siemens | 4 Climatix Pol908, Climatix Pol908 Firmware, Climatix Pol909 and 1 more | 2021-03-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Climatix POL908 (BACnet/IP module) (All versions), Climatix POL909 (AWM module) (All versions < V11.32). A persistent cross-site scripting (XSS) vulnerability exists in the "Server Config" web interface of the affected devices that could allow an attacker to inject arbitrary JavaScript code. The code could be potentially executed later by another (possibly privileged) user. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires no system privileges. An attacker could use the vulnerability to compromise the confidentiality and integrity of other users' web session. | |||||
| CVE-2021-21447 | 1 Sap | 1 Businessobjects Business Intelligence | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject a malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by a user who views the relevant application content, leading to Stored Cross-Site Scripting. | |||||
| CVE-2021-26938 | 1 Henriquedornas | 1 Henriquedornas | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| ** DISPUTED ** A stored XSS issue exists in henriquedornas 5.2.17 via online live chat. NOTE: Third parties report that no such product exists: henriquedornas is a web design agency and 5.2.17 is simply the PHP version running on its host. | |||||
| CVE-2021-22182 | 1 Gitlab | 1 Gitlab | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge request. | |||||
| CVE-2021-3355 | 1 Lightcms Project | 1 Lightcms | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| A stored-self XSS exists in LightCMS v1.3.4, allowing an attacker to execute HTML or JavaScript code via the vulnerable Title field of /admin/SensitiveWords. | |||||
| CVE-2021-26702 | 1 Eprints | 1 Eprints | 2021-03-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to the cgi/dataset_dictionary URI. | |||||
| CVE-2021-26475 | 1 Eprints | 1 Eprints | 2021-03-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| EPrints 3.4.2 exposes a reflected XSS opportunity via a cgi/cal URI. | |||||
| CVE-2021-3010 | 1 Opentext | 1 Content Server | 2021-03-04 | 3.5 LOW | 5.4 MEDIUM |
| There are multiple persistent cross-site scripting (XSS) vulnerabilities in the web interface of OpenText Content Server Version 20.3. The application allows a remote attacker to introduce arbitrary JavaScript by crafting malicious form values that are later not sanitized. | |||||
| CVE-2021-26903 | 1 Isida | 1 Retriever | 2021-03-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| LMA ISIDA Retriever 5.2 is vulnerable to XSS via query['text']. | |||||
| CVE-2021-23959 | 1 Mozilla | 1 Firefox | 2021-03-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 85. | |||||
| CVE-2021-27330 | 1 Triconsole | 1 Datepicker Calendar | 2021-03-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents. | |||||
| CVE-2021-27671 | 1 Comrak Project | 1 Comrak | 2021-03-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the comrak crate before 0.9.1 for Rust. XSS can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing (for example) Data: to be used in an attack. | |||||
| CVE-2021-26678 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-03-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A remote unauthenticated stored cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the web-based management interface of ClearPass could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. | |||||
| CVE-2019-18942 | 1 Microfocus | 1 Solutions Business Manager | 2021-03-01 | 2.3 LOW | 4.8 MEDIUM |
| Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to stored XSS. The application reflects previously stored user input without encoding. | |||||
| CVE-2019-18944 | 1 Microfocus | 1 Solutions Business Manager | 2021-03-01 | 2.3 LOW | 4.8 MEDIUM |
| Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to reflected XSS. | |||||
| CVE-2021-20660 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2021-03-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-21616 | 1 Jenkins | 1 Active Choices | 2021-02-27 | 3.5 LOW | 4.6 MEDIUM |
| Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2021-21618 | 1 Jenkins | 1 Repository Connector | 2021-02-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2021-21619 | 1 Jenkins | 1 Claim | 2021-02-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins. | |||||
| CVE-2021-21622 | 1 Jenkins | 1 Artifact Repository Parameter | 2021-02-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-35852 | 1 Getgist | 1 Chatbox | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chatbox is affected by cross-site scripting (XSS). An attacker can upload an XSS payload as an SVG or XML file in Chatbox. There is no restriction on file upload in Chatbox, which leads to stored XSS. | |||||
| CVE-2021-26682 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| A remote reflected cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the guest portal interface of ClearPass could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the portal. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the guest portal interface. | |||||
| CVE-2020-13697 | 1 Nanohttpd | 1 Nanohttpd | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. The GeneralHandler class implements a basic GET handler that prints debug information as an HTML page. Any web server that extends this class without implementing its own GET handler is vulnerable to reflected XSS, because the GeneralHandler GET handler prints user input passed through the query string without any sanitization. | |||||
| CVE-2020-19762 | 1 Carrier | 1 Webctrl System | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Automated Logic Corporation (ALC) WebCTRL System 6.5 and prior allows remote attackers to execute arbitrary JavaScript code via an XSS payload in the first parameter of a GET request. | |||||
| CVE-2021-27564 | 1 Appspace | 1 Appspace | 2021-02-26 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS issue exists in Appspace 6.2.4. After a user is authenticated and enters an XSS payload under the groups section of the network tab, it is stored as the group name. Whenever another member visits that group, this payload executes. | |||||
