Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43696 | 1 Twmap Project | 1 Twmap | 2021-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| twmap v2.91_v4.33 is affected by a Cross Site Scripting (XSS) vulnerability. In file list.php, the exit function will terminate the script and print the message to the user. The message will contain $_REQUEST then there is a XSS vulnerability. | |||||
| CVE-2021-4050 | 1 Livehelperchat | 1 Live Helper Chat | 2021-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-43063 | 1 Fortinet | 1 Fortiweb | 2021-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the login webpage. | |||||
| CVE-2021-41015 | 1 Fortinet | 1 Fortiweb | 2021-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to SAML login handler | |||||
| CVE-2021-42752 | 1 Fortinet | 1 Fortiwlm | 2021-12-09 | 3.5 LOW | 5.4 MEDIUM |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows attacker to execute malicious javascript code on victim's host via crafted HTTP requests | |||||
| CVE-2021-41029 | 1 Fortinet | 1 Fortiwlm | 2021-12-09 | 3.5 LOW | 5.4 MEDIUM |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows attacker to store malicious javascript code in the device and trigger it via crafted HTTP requests | |||||
| CVE-2021-43810 | 1 Admidio | 1 Admidio | 2021-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12. | |||||
| CVE-2021-42567 | 1 Apereo | 1 Central Authentication Service | 2021-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints. | |||||
| CVE-2021-36760 | 1 Wso2 | 4 Api Manager, Identity Server, Identity Server As Key Manager and 1 more | 2021-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.) | |||||
| CVE-2021-44148 | 1 Gl-inet | 2 Gl-ar150, Gl-ar150 Firmware | 2021-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| GL.iNet GL-AR150 2.x before 3.x devices, configured as repeaters, allow cgi-bin/router_cgi?action=scanwifi XSS when an attacker creates an SSID with an XSS payload as the name. | |||||
| CVE-2021-3370 | 1 Douco | 1 Douphp | 2021-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| DouPHP v1.6 was discovered to contain a cross-site scripting (XSS) vulnerability via /admin/cloud.php. | |||||
| CVE-2021-29002 | 1 Plone | 1 Plone | 2021-12-08 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter. | |||||
| CVE-2021-28796 | 1 Increments | 1 Qiita\ | 2021-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Increments Qiita::Markdown before 0.33.0 allows XSS in transformers. | |||||
| CVE-2021-30458 | 1 Wikimedia | 1 Parsoid | 2021-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization steps, and potentially allowing for XSS. | |||||
| CVE-2021-31761 | 1 Webmin | 1 Webmin | 2021-12-08 | 6.8 MEDIUM | 9.6 CRITICAL |
| Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature. | |||||
| CVE-2021-43808 | 1 Laravel | 1 Framework | 2021-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request. | |||||
| CVE-2020-27356 | 1 Debug Meta Data Project | 1 Debug Meta Data | 2021-12-08 | 3.5 LOW | 5.4 MEDIUM |
| The debug-meta-data plugin 1.1.2 for WordPress allows XSS. | |||||
| CVE-2021-44726 | 1 Knime | 1 Knime Server | 2021-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| KNIME Server before 4.13.4 allows XSS via the old WebPortal login page. | |||||
| CVE-2020-22421 | 1 74cms | 1 74cms | 2021-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| 74CMS v6.0.4 was discovered to contain a cross-site scripting (XSS) vulnerability via /index.php?m=&c=help&a=help_list&key. | |||||
| CVE-2019-18413 | 1 Typestack Class-validator Project | 1 Typestack Class-validator | 2021-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product. | |||||
| CVE-2021-27190 | 1 Peel | 1 Peel Shopping | 2021-12-07 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting(XSS) Vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. The user supplied input containing polyglot payload is echoed back in javascript code in HTML response. This allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc. | |||||
| CVE-2021-24768 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2021-12-07 | 3.5 LOW | 4.8 MEDIUM |
| The WP RSS Aggregator WordPress plugin before 4.19.2 does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. | |||||
| CVE-2020-19611 | 1 Racktables Project | 1 Racktables | 2021-12-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in redirect module of Racktables version 0.21.2, allows an attacker to inject arbitrary web script or HTML via the op parameter. | |||||
| CVE-2021-40094 | 1 Squaredup | 1 Squaredup | 2021-12-07 | 3.5 LOW | 5.4 MEDIUM |
| A DOM-based XSS vulnerability affects SquaredUp for SCOM 5.2.1.6654. If successfully exploited, this vulnerability may allow attackers to inject malicious code into a user's device. | |||||
| CVE-2021-40093 | 1 Squaredup | 1 Squaredup | 2021-12-07 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in integration configuration in SquaredUp for SCOM 5.2.1.6654 allows remote attackers to inject arbitrary web script or HTML via dashboard actions. | |||||
| CVE-2021-40092 | 1 Squaredup | 1 Squaredup | 2021-12-07 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Image Tile in SquaredUp for SCOM 5.2.1.6654 allows remote attackers to inject arbitrary web script or HTML via an SVG file. | |||||
| CVE-2021-24930 | 1 Bookly Project | 1 Bookly | 2021-12-07 | 3.5 LOW | 5.4 MEDIUM |
| The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-25041 | 1 10web | 1 Photo Gallery | 2021-12-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action | |||||
| CVE-2021-28957 | 5 Debian, Fedoraproject, Lxml and 2 more | 5 Debian Linux, Fedora, Lxml and 2 more | 2021-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3. | |||||
| CVE-2021-24939 | 1 Profilepress | 1 Loginwp | 2021-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24935 | 1 Wp Google Fonts Project | 1 Wp Google Fonts | 2021-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameter of the googlefont_action AJAx action (available to any authenticated user) before outputing them in attributes, leading Reflected Cross-Site Scripting issues | |||||
| CVE-2021-24938 | 1 Woocommerce | 1 Woocommerce Currency Switcher | 2021-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected cross-Site Scripting issue | |||||
| CVE-2021-24714 | 1 Soflyy | 1 Wp All Import | 2021-12-06 | 3.5 LOW | 4.8 MEDIUM |
| The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2016-10925 | 1 Profilepress | 1 Loginwp | 2021-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The peters-login-redirect plugin before 2.9.1 for WordPress has XSS during the editing of redirect URLs. | |||||
| CVE-2021-24718 | 1 Reputeinfosystems | 1 Contact Form\, Survey \& Popup Form Plugin For Wordpress - Arforms Form Builder | 2021-12-06 | 3.5 LOW | 4.8 MEDIUM |
| The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24759 | 1 Pdf.js Viewer Project | 1 Pdf.js Viewer | 2021-12-06 | 3.5 LOW | 5.4 MEDIUM |
| The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24924 | 1 Email Log Project | 1 Email Log | 2021-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-35415 | 1 Chamilo | 1 Chamilo Lms | 2021-12-06 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields. | |||||
| CVE-2021-43991 | 1 Kentico | 1 Xperience | 2021-12-06 | 3.5 LOW | 5.4 MEDIUM |
| The Kentico Xperience CMS version 13.0 – 13.0.43 is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS). Persistent XSS vulnerabilities occur when the application stores and retrieves client supplied data without proper handling of dangerous content. This type of XSS vulnerability is exploited by submitting malicious script content to the application which is then retrieved and executed by other application users. The attacker could exploit this to conduct a range of attacks against users of the affected application such as session hijacking, account take over and accessing sensitive data. | |||||
| CVE-2015-20105 | 1 Cbads | 1 Clickbank Affiliate Ads | 2021-12-04 | 6.8 MEDIUM | 9.6 CRITICAL |
| The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have CSRF check when saving its settings, allowing attacker to make logged in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are outputting, it could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2015-20106 | 1 Cbads | 1 Clickbank Affiliate Ads | 2021-12-04 | 3.5 LOW | 4.8 MEDIUM |
| The ClickBank Affiliate Ads WordPress plugin through 1.20 does not escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | |||||
| CVE-2020-13947 | 2 Apache, Oracle | 3 Activemq, Communications Session Report Manager, Communications Session Route Manager | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0. | |||||
| CVE-2021-40577 | 1 Online Enrollment Management System Project | 1 Online Enrollment Management System | 2021-12-03 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Enrollment Management System in PHP and PayPal Free Source Code 1.0 in the Add-Users page via the Name parameter. | |||||
| CVE-2021-24247 | 1 Mooveagency | 1 Contact Form Check Tester | 2021-12-03 | 3.5 LOW | 5.4 MEDIUM |
| The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin. | |||||
| CVE-2021-25785 | 1 Taogogo | 1 Taocms | 2021-12-03 | 3.5 LOW | 4.8 MEDIUM |
| Taocms v2.5Beta5 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Management column. | |||||
| CVE-2021-24169 | 1 Algolplus | 1 Advanced Order Export | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. | |||||
| CVE-2021-27520 | 1 Fudforum | 1 Fudforum | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter. | |||||
| CVE-2021-27519 | 1 Fudforum | 1 Fudforum | 2021-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "srch" parameter. | |||||
| CVE-2021-28420 | 1 Seopanel | 1 Seo Panel | 2021-12-03 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter. | |||||
| CVE-2021-28418 | 1 Seopanel | 1 Seo Panel | 2021-12-03 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter. | |||||