Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27279 | 1 Mybb | 1 Mybb | 2021-02-26 | 3.5 LOW | 5.4 MEDIUM |
| MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode). | |||||
| CVE-2021-26544 | 1 Apache | 1 Livy | 2021-02-26 | 3.5 LOW | 5.4 MEDIUM |
| Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating. | |||||
| CVE-2021-26716 | 1 Openenergymonitor | 1 Emoncms | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Modules/input/Views/schedule.php in Emoncms through 10.2.7 allows XSS via the node parameter. | |||||
| CVE-2020-35571 | 1 Mantisbt | 1 Mantisbt | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MantisBT through 2.24.3. In the helper_ensure_confirmed call in manage_custom_field_update.php, the custom field name is not sanitized. This may be problematic depending on CSP settings. | |||||
| CVE-2020-35664 | 1 Acronis | 1 Cyber Protect | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Acronis Cyber Protect before 15 Update 1 build 26172. There is cross-site scripting (XSS) in the console. | |||||
| CVE-2021-23342 | 1 Docsifyjs | 1 Docsify | 2021-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more “////” characters | |||||
| CVE-2021-3210 | 1 Bloodhound Project | 1 Bloodhound | 2021-02-25 | 9.3 HIGH | 9.6 CRITICAL |
| components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound <= 4.0.1 allows remote attackers to execute arbitrary system commands when the victim imports a malicious data file containing JavaScript in the objectId parameter. | |||||
| CVE-2021-27403 | 1 Asus | 2 Askey Rtf8115vw, Askey Rtf8115vw Firmware | 2021-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS. | |||||
| CVE-2020-18724 | 1 Altn | 1 Mdaemon Webmail | 2021-02-25 | 3.5 LOW | 5.4 MEDIUM |
| Authenticated stored cross-site scripting (XSS) in the contact name field in the distribution list of MDaemon webmail 19.5.5 allows an attacker to executes code and perform a XSS attack while opening a contact list. | |||||
| CVE-2020-18723 | 1 Altn | 1 Mdaemon Webmail | 2021-02-25 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) in file attachment field in MDaemon webmail 19.5.5 allows an attacker to execute code on the email recipient side while forwarding an email to perform potentially malicious activities. | |||||
| CVE-2020-28001 | 1 Solarwinds | 1 Serv-u | 2021-02-25 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Serv-U before 15.2.2 allows Authenticated Stored XSS. | |||||
| CVE-2021-26746 | 1 Chamilo | 1 Chamilo | 2021-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI. | |||||
| CVE-2020-35128 | 1 Acquia | 1 Mautic | 2021-02-24 | 6.0 MEDIUM | 9.0 CRITICAL |
| Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system. | |||||
| CVE-2020-7680 | 1 Docsifyjs | 1 Docsify | 2021-02-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs after the /#/ (domain.com/#//attacker.com) and render arbitrary JavaScript/HTML inside docsify page. | |||||
| CVE-2019-9576 | 1 Adenion | 1 Blog2social | 2021-02-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Blog2Social plugin before 5.0.3 for WordPress allows wp-admin/admin.php?page=blog2social-ship XSS. | |||||
| CVE-2020-35592 | 1 Pi-hole | 1 Pi-hole | 2021-02-24 | 3.5 LOW | 5.4 MEDIUM |
| Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI. A remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against other users and steal the session cookie. | |||||
| CVE-2021-3271 | 1 Pressbooks | 1 Pressbooks | 2021-02-24 | 3.5 LOW | 4.8 MEDIUM |
| PressBooks 5.17.3 contains a cross-site scripting (XSS). Stored XSS can be submitted via the Book Info's Long Description Body, and all actions to open or preview the books page will result in the triggering the stored XSS. | |||||
| CVE-2021-22978 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2021-02-24 | 5.1 MEDIUM | 8.3 HIGH |
| On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
| CVE-2021-27559 | 1 Monicahq | 1 Monica | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field. | |||||
| CVE-2021-27371 | 1 Monicahq | 1 Monica | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| The Contact page in Monica 2.19.1 allows stored XSS via the Description field. | |||||
| CVE-2021-27368 | 1 Monicahq | 1 Monica | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| The Contact page in Monica 2.19.1 allows stored XSS via the First Name field. | |||||
| CVE-2021-27369 | 1 Monicahq | 1 Monica | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field. | |||||
| CVE-2017-14753 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the filter parameter to module/module_filters/index.php. | |||||
| CVE-2017-15188 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 4.8 MEDIUM |
| A persistent (stored) XSS vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the hosts array parameter to module/admin_device/index.php. | |||||
| CVE-2017-14983 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the object parameter to module/admin_conf/index.php. | |||||
| CVE-2017-14984 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the bp_name parameter to /module/admin_bp/add_services.php. | |||||
| CVE-2017-14985 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the url parameter to module/module_frame/index.php. | |||||
| CVE-2020-4933 | 3 Ibm, Linux, Microsoft | 3 Jazz Reporting Service, Linux Kernel, Windows | 2021-02-22 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191751. | |||||
| CVE-2021-20444 | 3 Ibm, Linux, Microsoft | 3 Maximo For Civil Infrastructure, Linux Kernel, Windows | 2021-02-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196620. | |||||
| CVE-2020-2502 | 1 Qnap | 1 Photo Station | 2021-02-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| This cross-site scripting vulnerability in Photo Station allows remote attackers to inject malicious code. QANP We have already fixed this vulnerability in the following versions of Photo Station. Photo Station 6.0.11 and later | |||||
| CVE-2018-1000887 | 1 Peel | 1 Peel Shopping | 2021-02-22 | 3.5 LOW | 4.8 MEDIUM |
| Peel shopping peel-shopping_9_1_0 version contains a Cross Site Scripting (XSS) vulnerability that can result in an authenticated user injecting java script code in the "Site Name EN" parameter. This attack appears to be exploitable if the malicious user has access to the administration account. | |||||
| CVE-2018-20848 | 1 Peel | 1 Peel Shopping | 2021-02-22 | 6.8 MEDIUM | 8.8 HIGH |
| Advisto PEEL SHOPPING 9.0.0 has CSRF via en/achat/caddie_ajout.php and en/achat/caddie_affichage.php, as demonstrated by an XSS payload in the couleurId[0] parameter to the latter. | |||||
| CVE-2020-35753 | 3 Linux, Microsoft, Persis | 3 Linux Kernel, Windows, Human Resource Management Portal | 2021-02-22 | 2.6 LOW | 6.1 MEDIUM |
| The job posting recommendation form in Persis Human Resource Management Portal (Versions 17.2.00 through 17.2.35 and 19.0.00 through 19.0.20), when the "Recommend job posting" function is enabled, allows XSS via the SENDER parameter. | |||||
| CVE-2020-29025 | 1 Secomea | 1 Sitemanager Embedded | 2021-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in SiteManager-Embedded (SM-E) Web server which may allow attacker to construct a URL that if visited by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. This issue affects all versions and variants of SM-E prior to version 9.3 | |||||
| CVE-2020-35563 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2021-02-19 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page. | |||||
| CVE-2020-35569 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2021-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is a self XSS issue with a crafted cookie in the login page. | |||||
| CVE-2021-20446 | 3 Ibm, Linux, Microsoft | 3 Maximo For Civil Infrastructure, Linux Kernel, Windows | 2021-02-19 | 3.5 LOW | 5.4 MEDIUM |
| IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196622. | |||||
| CVE-2021-22979 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2021-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned and allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
| CVE-2021-26925 | 2 Fedoraproject, Roundcube | 2 Fedora, Roundcube | 2021-02-19 | 3.5 LOW | 5.4 MEDIUM |
| Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. | |||||
| CVE-2020-36236 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2021-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. | |||||
| CVE-2020-14210 | 1 Monitorapp | 2 Application Insight Web Application, Web Application Firewall | 2021-02-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in MONITORAPP WAF in which script can be executed when responding to Request URL information. It provides a function to response to Request URL information when blocking. | |||||
| CVE-2021-22983 | 1 F5 | 1 Big-ip Advanced Firewall Manager | 2021-02-18 | 3.5 LOW | 5.4 MEDIUM |
| On BIG-IP AFM version 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.5, authenticated users accessing the Configuration utility for AFM are vulnerable to a cross-site scripting attack if they attempt to access a maliciously-crafted URL. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
| CVE-2020-29027 | 1 Secomea | 18 Sitemanager 1129, Sitemanager 1129 Firmware, Sitemanager 1139 and 15 more | 2021-02-18 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in GUI of Secomea SiteManager could allow an attacker to cause an XSS Attack. This issue affects: Secomea SiteManager all versions prior to 9.3. | |||||
| CVE-2020-36234 | 1 Atlassian | 2 Data Center, Jira | 2021-02-18 | 3.5 LOW | 4.8 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. | |||||
| CVE-2021-27237 | 1 Blackcat-cms | 1 Blackcat Cms | 2021-02-17 | 3.5 LOW | 4.8 MEDIUM |
| The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php. | |||||
| CVE-2021-3294 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-02-17 | 3.5 LOW | 5.4 MEDIUM |
| CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php. An attacker can steal a cookie to perform user redirection to a malicious website. | |||||
| CVE-2020-22841 | 1 B2evolution | 1 B2evolution | 2021-02-17 | 3.5 LOW | 4.8 MEDIUM |
| Stored XSS in b2evolution CMS version 6.11.6 and prior allows an attacker to perform malicious JavaScript code execution via the plugin name input field in the plugin module. | |||||
| CVE-2020-8031 | 1 Opensuse | 1 Open Build Service | 2021-02-17 | 3.5 LOW | 5.4 MEDIUM |
| A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects: Open Build Service versions prior to 2.10.8. | |||||
| CVE-2021-20654 | 1 Wekan Project | 1 Wekan | 2021-02-16 | 3.5 LOW | 5.4 MEDIUM |
| Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. This is named 'Fieldbleed' in the vendor's site. | |||||
| CVE-2021-26549 | 1 Smartfoxserver | 1 Smartfoxserver | 2021-02-16 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue was discovered in SmartFoxServer 2.17.0. Input passed to the AdminTool console is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site. | |||||