Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43842 | 1 Requarks | 1 Wiki.js | 2022-01-03 | 3.5 LOW | 5.4 MEDIUM |
| Wiki.js is a wiki app built on Node.js. Wiki.js versions 2.5.257 and earlier are vulnerable to stored cross-site scripting through a SVG file upload. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the SVG is viewed directly by other users. Scripts do not execute when loaded inside a page via normal `<img>` tags. Commit 5d3e81496fba1f0fbd64eeb855f30f69a9040718 fixes this vulnerability by adding an optional (enabled by default) SVG sanitization step to all file uploads that match the SVG mime type. As a workaround, disable file upload for all non-trusted users. Wiki.js version 2.5.260 is the first production version to contain a patch. Version 2.5.258 is the first development build to contain a patch and is available only as a Docker image as requarks/wiki:canary-2.5.258. | |||||
| CVE-2021-4072 | 1 Elgg | 1 Elgg | 2022-01-03 | 3.5 LOW | 5.4 MEDIUM |
| elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2020-8960 | 1 Westerndigital | 1 Mycloud.com | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Western Digital mycloud.com before Web Version 2.2.0-134 allows XSS. | |||||
| CVE-2020-9019 | 1 Wpjobboard | 1 Wpjobboard | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WPJobBoard plugin 5.5.3 for WordPress allows Persistent XSS via the Add Job form, as demonstrated by title and Description. | |||||
| CVE-2020-8952 | 1 Fiserv | 1 Accurate Reconciliation | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fiserv Accurate Reconciliation 2.19.0, fixed in 3.0.0 or higher, allows XSS via the logout.jsp timeOut parameter. | |||||
| CVE-2020-15497 | 1 Jalios | 1 Jcms | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 build-20200224104759 allows XSS via the types parameter. Note: It is asserted that this vulnerability is not present in the standard installation of Jalios JCMS. | |||||
| CVE-2020-25828 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) | |||||
| CVE-2020-25815 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text(). | |||||
| CVE-2020-25812 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML. | |||||
| CVE-2020-25814 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. | |||||
| CVE-2020-25071 | 1 Niftypm | 1 Nifty | 2022-01-01 | 3.5 LOW | 5.4 MEDIUM |
| ** DISPUTED ** Nifty Project Management Web Application 2020-08-26 allows XSS, via Add Task, that is rendered upon a Project Home visit. Note: It has been argued that this is not reproducible. "The original issue was that the task would be created and an alert would be shown on the screen. Now the task would be created, but the alert won't be executed as those attributes are now stripped." | |||||
| CVE-2021-32052 | 3 Djangoproject, Fedoraproject, Python | 3 Django, Fedora, Python | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers. | |||||
| CVE-2020-4987 | 1 Ibm | 2 Flashsystem 900, Flashsystem 900 Firmware | 2022-01-01 | 3.5 LOW | 5.4 MEDIUM |
| The IBM FlashSystem 900 user management GUI is vulnerable to stored cross-site scripting in code versions 1.5.2.8 and prior and 1.6.1.2 and prior. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2021-22878 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2022-01-01 | 3.5 LOW | 4.8 MEDIUM |
| Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`. | |||||
| CVE-2020-9038 | 1 Joplin Project | 1 Joplin | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM |
| Joplin through 1.0.184 allows Arbitrary File Read via XSS. | |||||
| CVE-2021-43551 | 1 Osisoft | 1 Pi Vision | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM |
| A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim's user permissions. | |||||
| CVE-2012-20001 | 1 Prestashop | 1 Prestashop | 2021-12-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field. | |||||
| CVE-2020-19770 | 1 Wuzhicms | 1 Wuzhi Cms | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the system bulletin component of WUZHI CMS v4.1.0 allows attackers to steal the admin's cookie. | |||||
| CVE-2021-4169 | 1 Livehelperchat | 1 Live Helper Chat | 2021-12-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2020-8951 | 1 Fiserv | 1 Accurate Reconciliation | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM |
| Fiserv Accurate Reconciliation 2.19.0, fixed in 3.0.0 or higher, allows XSS via the Source or Destination field of the Configuration Manager (Configuration Parameter Translation) page. | |||||
| CVE-2020-8825 | 1 Vanillaforums | 1 Vanilla | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM |
| index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS. | |||||
| CVE-2021-3977 | 1 Invoiceninja | 1 Invoice Ninja | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM |
| invoiceninja is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-44543 | 1 Privoxy | 1 Privoxy | 2021-12-29 | 2.6 LOW | 6.1 MEDIUM |
| An XSS vulnerability was found in Privoxy, which was fixed in cgi_error_no_template() by encoding the template name when Privoxy is configured to serve the user manual itself. | |||||
| CVE-2017-1002201 | 1 Haml | 1 Haml | 2021-12-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code. | |||||
| CVE-2021-44544 | 1 Deltaww | 1 Diaenergie | 2021-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| DIAEnergie Version 1.7.5 and prior is vulnerable to multiple cross-site scripting vulnerabilities when arbitrary code is injected into the parameter “name” of the script “HandlerEnergyType.ashx”. | |||||
| CVE-2021-31558 | 1 Deltaww | 1 Diaenergie | 2021-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “descr” of the script “DIAE_hierarchyHandler.ashx”. | |||||
| CVE-2021-23228 | 1 Deltaww | 1 Diaenergie | 2021-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross-site scripting attack through error pages that are returned by “.NET Request.QueryString”. | |||||
| CVE-2021-44471 | 1 Deltaww | 1 Diaenergie | 2021-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “name” of the script “DIAE_HandlerAlarmGroup.ashx”. | |||||
| CVE-2017-18635 | 1 Novnc | 1 Novnc | 2021-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name. | |||||
| CVE-2019-11454 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation. | |||||
| CVE-2021-44030 | 1 Quest | 1 Kace Desktop Authority | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Quest KACE Desktop Authority before 11.2 allows XSS because it does not prevent untrusted HTML from reaching the jQuery.htmlPrefilter method of jQuery. | |||||
| CVE-2021-44163 | 1 Chinasea | 1 Qb Smart Service Robot | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chain Sea ai chatbot backend has improper filtering of special characters in URL parameters, which allows a remote attacker to perform JavaScript injection for XSS (reflected Cross-site scripting) attack without authentication. | |||||
| CVE-2021-38893 | 1 Ibm | 3 Business Automation Workflow, Business Process Manager, Workflow Process Service | 2021-12-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209512. | |||||
| CVE-2021-24578 | 1 Themeboy | 1 Sportspress | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24738 | 1 Shapedplugin | 1 Logo Carousel | 2021-12-27 | 3.5 LOW | 5.4 MEDIUM |
| The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2021-24907 | 1 Wpeverest | 1 Everest Forms | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24956 | 1 Adenion | 1 Blog2social | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24941 | 1 Icegram | 1 Icegram | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-38966 | 1 Ibm | 2 Cloud Pak For Automation, Workflow Process Service | 2021-12-23 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 212357. | |||||
| CVE-2020-20600 | 1 Metinfo | 1 Metinfo | 2021-12-23 | 3.5 LOW | 5.4 MEDIUM |
| MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn. | |||||
| CVE-2020-20605 | 1 Personal Blog Cms Project | 1 Personal Blog Cms | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Blog CMS v1.0 contains a cross-site scripting (XSS) vulnerability in the /controller/CommentAdminController.java component. | |||||
| CVE-2021-36885 | 1 Ciphercoin | 1 Contact Form 7 Database Addon - Cfdb7 | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.6.1). | |||||
| CVE-2020-20598 | 1 Mossle | 1 Lemon | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the Editing component of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2020-20597 | 1 Mossle | 1 Lemon | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the potrtalItemName parameter in \web\PortalController.java of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2020-20425 | 1 S-cms | 1 S-cms | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in the search function. | |||||
| CVE-2020-20426 | 1 S-cms | 1 S-cms | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in /function/booksave.php. | |||||
| CVE-2021-43440 | 1 Iorder Project | 1 Iorder | 2021-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Stored XSS Vulnerabilities in the Source Code of iOrder 1.0 allow remote attackers to execute arbitrary code via signup form in the Name and Phone number field. | |||||
| CVE-2021-36889 | 1 Tarteaucitron.js - Cookies Legislation & Gdpr Project | 1 Tarteaucitron.js - Cookies Legislation & Gdpr | 2021-12-22 | 3.5 LOW | 4.8 MEDIUM |
| Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities were discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.6). | |||||
| CVE-2021-38701 | 1 Motorola | 20 T008, T008 Firmware, T100 and 17 more | 2021-12-22 | 3.5 LOW | 4.8 MEDIUM |
| Certain Motorola Solutions Avigilon devices allow XSS in the administrative UI. This affects T200/201 before 4.10.0.68; T290 before 4.4.0.80; T008 before 2.2.0.86; T205 before 4.12.0.62; T204 before 3.28.0.166; and T100, T101, T102, and T103 before 2.6.0.180. | |||||
| CVE-2020-3867 | 3 Apple, Opensuse, Webkitgtk | 8 Icloud, Ipados, Iphone Os and 5 more | 2021-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to universal cross site scripting. | |||||
