Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-42363 | 1 Preview E-mails For Woocommerce Project | 1 Preview E-mails For Woocommerce | 2021-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.6.8. | |||||
| CVE-2021-42360 | 1 Brainstormforce | 1 Starter Templates | 2021-11-19 | 3.5 LOW | 5.4 MEDIUM |
| On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite. Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page. | |||||
| CVE-2021-43047 | 1 Tibco | 1 Partnerexpress | 2021-11-19 | 8.5 HIGH | 9.0 CRITICAL |
| The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain easily exploitable Stored and Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: versions 6.2.1 and below. | |||||
| CVE-2021-24796 | 1 My Tickets Project | 1 My Tickets | 2021-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The My Tickets WordPress plugin before 1.8.31 does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. | |||||
| CVE-2021-24598 | 1 Wpshopmart | 1 Testimonial Builder | 2021-11-19 | 3.5 LOW | 4.8 MEDIUM |
| The Testimonial WordPress plugin before 1.6.0 does not escape some testimonial fields, which could allow high privilege users to perform Cross Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24834 | 1 Yop-poll | 1 Yop Poll | 2021-11-18 | 4.3 MEDIUM | 5.4 MEDIUM |
| The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module, where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters: vote button label, results link label and back to vote caption label. | |||||
| CVE-2021-24833 | 1 Yop-poll | 1 Yop Poll | 2021-11-18 | 3.5 LOW | 5.4 MEDIUM |
| The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module. | |||||
| CVE-2021-24850 | 1 Insert Pages Project | 1 Insert Pages | 2021-11-18 | 3.5 LOW | 5.4 MEDIUM |
| The Insert Pages WordPress plugin before 3.7.0 adds a shortcode that prints out other pages' content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another post's custom fields. | |||||
| CVE-2021-24841 | 1 Helpful Project | 1 Helpful | 2021-11-18 | 3.5 LOW | 4.8 MEDIUM |
| The Helpful WordPress plugin before 4.4.59 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-43977 | 1 Smartertools | 1 Smartermail | 2021-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS. | |||||
| CVE-2021-24856 | 1 Tammersoft | 1 Shared Files | 2021-11-18 | 3.5 LOW | 4.8 MEDIUM |
| The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24854 | 1 Qr Redirector Project | 1 Qr Redirector | 2021-11-18 | 3.5 LOW | 5.4 MEDIUM |
| The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2021-24787 | 1 Webventures | 1 Client Invoicing By Sprout Invoices | 2021-11-18 | 3.5 LOW | 4.8 MEDIUM |
| The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-41258 | 1 Getkirby | 1 Kirby | 2021-11-18 | 2.1 LOW | 5.4 MEDIUM |
| Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend escaping HTML special characters to protect against cross-site scripting (XSS) attacks. The default snippet for the image block unfortunately did not use our escaping helper. This made it possible to include malicious HTML code in the source, alt and link fields of the image block, which would then be displayed on the site frontend and executed in the browsers of site visitors and logged in users who are browsing the site. Attackers must be in your group of authenticated Panel users in order to exploit this weakness. Users who do not make use of the blocks field are not affected. This issue has been patched in Kirby version 3.5.8 by escaping special HTML characters in the output from the default image block snippet. Please update to this or a later version to fix the vulnerability. | |||||
| CVE-2021-41252 | 1 Getkirby | 1 Kirby | 2021-11-18 | 2.1 LOW | 5.4 MEDIUM |
| Kirby is an open source file structured CMS. Impact: Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. Because the writer field did not securely sanitize its contents on save, it was possible to inject malicious HTML code into the content file by sending it to Kirby's API directly without using the Panel. This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site visitors and logged in users who are browsing the site. Attackers must be in your group of authenticated Panel users in order to exploit this weakness. Users who do not make use of the writer field are not affected. This issue has been patched in Kirby 3.5.8 by sanitizing all writer field contents on the backend whenever the content is modified via Kirby's API. Please update to this or a later version to fix the vulnerability. | |||||
| CVE-2020-15241 | 1 Typo3 | 2 Fluid Engine, Typo3 | 2021-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1). | |||||
| CVE-2021-42361 | 1 Codepeople | 1 Contact Form Email | 2021-11-18 | 2.1 LOW | 4.8 MEDIUM |
| The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.3.24. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2020-21639 | 1 Ruijie | 2 Rg-uac 6000-e50, Rg-uac 6000-e50 Firmware | 2021-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ruijie RG-UAC 6000-E50 commit 9071227 was discovered to contain a cross-site scripting (XSS) vulnerability via the rule_name parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2021-28145 | 1 Concretecms | 1 Concrete Cms | 2021-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This requires at least Editor privileges. | |||||
| CVE-2021-39222 | 1 Nextcloud | 1 Talk | 2021-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Talk application is upgraded to patched versions 10.0.7, 10.1.4, 11.1.2, 11.2.0 or 12.0.0. As a workaround, use a browser that has support for Content-Security-Policy. | |||||
| CVE-2021-41951 | 1 Montala | 1 Resourcespace | 2021-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter. If an attacker is able to persuade a victim to visit a crafted URL, malicious JavaScript content may be executed within the context of the victim's browser. | |||||
| CVE-2021-25984 | 1 Darwin | 1 Factor | 2021-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Factor (App Framework & Headless CMS) forum plugin, versions v1.3.3 to v1.8.30, is vulnerable to stored Cross-Site Scripting (XSS) in the "post reply" section. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies. | |||||
| CVE-2021-25983 | 1 Darwin | 1 Factor | 2021-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Factor (App Framework & Headless CMS) forum plugin, versions v1.3.8 to v1.8.30, is vulnerable to reflected Cross-Site Scripting (XSS) in the "tags" and "category" parameters in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies. | |||||
| CVE-2021-43574 | 1 Atmail | 1 Atmail | 2021-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** WebAdmin Control Panel in Atmail 6.5.0 (a version released in 2012) allows XSS via the format parameter to the default URI. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-25982 | 1 Darwin | 1 Factor | 2021-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Factor (App Framework & Headless CMS) forum plugin, versions 1.3.5 to 1.8.30, is vulnerable to reflected Cross-Site Scripting (XSS) in the "search" parameter in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies. | |||||
| CVE-2021-24515 | 1 Origincode | 1 Video Gallery | 2021-11-17 | 3.5 LOW | 4.8 MEDIUM |
| The Video Gallery WordPress plugin before 1.1.5 does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues. | |||||
| CVE-2021-24664 | 1 Igexsolutions | 1 Wpschoolpress | 2021-11-17 | 3.5 LOW | 4.8 MEDIUM |
| The School Management System – WPSchoolPress WordPress plugin before 2.1.17 sanitises some fields using sanitize_text_field() but does not escape them before outputting them in attributes, resulting in Stored Cross-Site Scripting issues. | |||||
| CVE-2021-42662 | 1 Online Event Booking And Reservation System Project | 1 Online Event Booking And Reservation System | 2021-11-17 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run JavaScript commands on the web server surfer's behalf, which can lead to cookie stealing and more. | |||||
| CVE-2021-42664 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2021-11-17 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the (1) Quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability in order to run JavaScript commands on the web server surfer's behalf, which can lead to cookie stealing and more. | |||||
| CVE-2021-42703 | 1 Advantech | 1 Webaccess Hmi Designer | 2021-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| This vulnerability could allow an attacker to send malicious Javascript code resulting in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser action. | |||||
| CVE-2021-3945 | 1 Django-helpdesk Project | 1 Django-helpdesk | 2021-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | |||||
| CVE-2021-3938 | 1 Snipeitapp | 1 Snipe-it | 2021-11-16 | 3.5 LOW | 5.4 MEDIUM |
| snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | |||||
| CVE-2021-38982 | 3 Ibm, Linux, Microsoft | 5 Aix, Security Guardium Key Lifecycle Manager, Security Key Lifecycle Manager and 2 more | 2021-11-16 | 3.5 LOW | 5.4 MEDIUM |
| IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 212791. | |||||
| CVE-2020-14424 | 1 Cacti | 1 Cacti | 2021-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. | |||||
| CVE-2021-42838 | 1 Vice | 1 Webopac | 2021-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grand Vice info Co. webopac7 book search field parameter does not properly restrict the input of special characters, thus unauthenticated attackers can inject JavaScript syntax remotely, and further perform reflected XSS attacks. | |||||
| CVE-2020-4140 | 1 Ibm | 1 Security Siteprotector System | 2021-11-16 | 3.5 LOW | 5.4 MEDIUM |
| IBM Security SiteProtector System 3.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174052. | |||||
| CVE-2021-34357 | 1 Qnap | 2 Nas, Qmailagent | 2021-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect QNAP devices running QmailAgent. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 (2021/08/25) and later. | |||||
| CVE-2021-43561 | 1 Pega-sus | 1 Google For Jobs | 2021-11-16 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue was discovered in the google_for_jobs (aka Google for Jobs) extension before 1.5.1 and 2.x before 2.1.1 for TYPO3. The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability. | |||||
| CVE-2019-18914 | 1 Hp | 755 Digital Sender Flow 8500 Fn2 Document Capture Workstation L2762a, Futuresmart 3, Futuresmart 4 and 752 more | 2021-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A potential security vulnerability has been identified for certain HP printers and MFPs that would allow redirection page Cross-Site Scripting in a client’s browser by clicking on a third-party malicious link. | |||||
| CVE-2021-43523 | 2 Uclibc, Uclibc-ng Project | 2 Uclibc, Uclibc-ng | 2021-11-15 | 6.8 MEDIUM | 9.6 CRITICAL |
| In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur. | |||||
| CVE-2021-40261 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-11-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCodester CASAP Automated Enrollment System 1.0 via the (1) user_username and (2) category parameters in save_class.php, the (3) firstname, (4) class, and (5) status parameters in student_table.php, the (6) category and (7) class_name parameters in add_class1.php, the (8) fname, (9) mname, (10) lname, (11) address, (12) class, (13) gfname, (14) gmname, (15) glname, (16) rship, (17) status, (18) transport, and (19) route parameters in add_student.php, the (20) fname, (21) mname, (22) lname, (23) address, (24) class, (25) fgname, (26) gmname, (27) glname, (28) rship, (29) status, (30) transport, and (31) route parameters in save_stud.php, the (32) status, (33) fname, and (34) lname parameters in add_user.php, the (35) username, (36) firstname, and (37) status parameters in users.php, the (38) fname, (39) lname, and (40) status parameters in save_user.php, and the (41) activity_log, (42) aprjun, (43) class, (44) janmar, (45) Julsep, (46) octdec, (47) Students and (48) users parameters in table_name. | |||||
| CVE-2021-40260 | 1 Tailor Management System Project | 1 Tailor Management System | 2021-11-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCodester Tailor Management 1.0 via the (1) eid parameter in (a) partedit.php and (b) customeredit.php, the (2) id parameter in (a) editmeasurement.php and (b) addpayment.php, and the (3) error parameter in index.php. | |||||
| CVE-2021-39420 | 1 Vfront | 1 Vfront | 2021-11-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities exist in VFront 0.99.5 via the (1) s parameter in search_all.php and the (2) msg parameter in add.attach.php. | |||||
| CVE-2021-41427 | 1 Beeline | 2 Smart Box, Smart Box Firmware | 2021-11-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Beeline Smart Box 2.0.38 is vulnerable to Cross Site Scripting (XSS) via the choose_mac parameter to setup.cgi. | |||||
| CVE-2021-40517 | 1 Airangel | 10 Hsmx-app-100, Hsmx-app-1000, Hsmx-app-1000 Firmware and 7 more | 2021-11-12 | 3.5 LOW | 5.4 MEDIUM |
| Airangel HSMX Gateway devices through 5.2.04 are vulnerable to stored Cross Site Scripting. The XSS payload is placed in the name column of the updates table using database access. | |||||
| CVE-2021-33618 | 1 Dolibarr | 1 Dolibarr | 2021-11-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature. | |||||
| CVE-2021-25975 | 1 Publify Project | 1 Publify | 2021-11-12 | 3.5 LOW | 5.4 MEDIUM |
| In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with the "publisher" role to inject malicious JavaScript via the uploaded HTML file. | |||||
| CVE-2021-25974 | 1 Publify Project | 1 Publify | 2021-11-12 | 3.5 LOW | 5.4 MEDIUM |
| In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with the "publisher" role is able to inject and execute arbitrary JavaScript code while creating a page/article. | |||||
| CVE-2021-43184 | 1 Jetbrains | 1 Youtrack | 2021-11-12 | 3.5 LOW | 5.4 MEDIUM |
| In JetBrains YouTrack before 2021.3.21051, stored XSS is possible. | |||||
| CVE-2021-24697 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2021-11-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. | |||||
