Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24710 | 1 Print-o-matic Project | 1 Print-o-matic | 2021-11-11 | 3.5 LOW | 4.8 MEDIUM |
| The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24474 | 1 Awesome Weather Widget Project | 1 Awesome Weather Widget | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Awesome Weather Widget WordPress plugin through 3.0.2 does not sanitize the id parameter of its awesome_weather_refresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) Vulnerability. | |||||
| CVE-2021-24693 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2021-11-10 | 6.0 MEDIUM | 9.0 CRITICAL |
| The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin | |||||
| CVE-2021-24706 | 1 Qwizcards Project | 1 Qwizcards | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Qwizcards – online quizzes and flashcards WordPress plugin before 3.62 does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24701 | 1 Quiz Tool Lite Project | 1 Quiz Tool Lite | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Quiz Tool Lite WordPress plugin through 2.3.15 does not sanitize multiple input fields used when creating or managing quizzes and in other setting options, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24607 | 1 Wooassist | 1 Storefront Footer Text | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Storefront Footer Text WordPress plugin through 1.0.1 does not sanitize and escape the "Footer Credit Text" added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed. | |||||
| CVE-2021-35488 | 1 Thruk | 1 Thruk | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it. | |||||
| CVE-2021-35489 | 1 Thruk | 1 Thruk | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2&host={HOSTNAME]&service={SERVICENAME]&backend={BACKEND] Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing it. | |||||
| CVE-2021-24798 | 1 Androidbubbles | 1 Wp Header Images | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Header Images WordPress plugin before 2.0.1 does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24708 | 1 Wp All Export Project | 1 Wp All Export | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 does not escape its Export's Name before outputting it in Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-43181 | 1 Jetbrains | 1 Hub | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In JetBrains Hub before 2021.1.13690, stored XSS is possible. | |||||
| CVE-2021-32482 | 1 Cloudera | 1 Cloudera Manager | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cloudera Manager 5.x, 6.x, 7.1.x, 7.2.x, and 7.3.x allows XSS via the path parameter. | |||||
| CVE-2021-24616 | 1 Addtoany | 1 Addtoany Share Buttons | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The AddToAny Share Buttons WordPress plugin before 1.7.48 does not escape its Image URL button setting, which could lead allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-29243 | 1 Cloudera | 1 Cloudera Manager | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cloudera Manager 5.x, 6.x, 7.1.x, 7.2.x, and 7.3.x allows XSS. | |||||
| CVE-2021-24594 | 1 Gtranslate | 1 Google Language Translator | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Translate WordPress – Google Language Translator WordPress plugin before 6.0.12 does not sanitise and escape some of its settings before outputting it in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-29735 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2021-11-10 | 3.5 LOW | 5.4 MEDIUM |
| IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, and 11.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2021-43186 | 1 Jetbrains | 1 Youtrack | 2021-11-09 | 3.5 LOW | 5.4 MEDIUM |
| JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS. | |||||
| CVE-2021-43197 | 1 Jetbrains | 1 Teamcity | 2021-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS. | |||||
| CVE-2021-43198 | 1 Jetbrains | 1 Teamcity | 2021-11-09 | 3.5 LOW | 5.4 MEDIUM |
| In JetBrains TeamCity before 2021.1.2, stored XSS is possible. | |||||
| CVE-2021-32481 | 1 Cloudera | 1 Hue | 2021-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cloudera Hue 4.6.0 allows XSS via the type parameter. | |||||
| CVE-2021-29994 | 1 Cloudera | 1 Hue | 2021-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cloudera Hue 4.6.0 allows XSS. | |||||
| CVE-2021-42078 | 1 Php Event Calendar Project | 1 Php Event Calendar | 2021-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site. | |||||
| CVE-2021-24807 | 1 Schiocco | 1 Support Board | 2021-11-09 | 3.5 LOW | 5.4 MEDIUM |
| The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any authenticated user go to the chat the XSS will be automatically executed. | |||||
| CVE-2020-4153 | 1 Ibm | 1 Qradar Network Security | 2021-11-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM QRadar Network Security 5.4.0 and 5.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174269. | |||||
| CVE-2012-6555 | 1 Vanillaforums | 1 Latestcomment | 2021-11-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the LatestComment plugin 1.1 for Vanilla Forums allows remote attackers to inject arbitrary web script or HTML via the discussion title. | |||||
| CVE-2021-24808 | 1 Wordplus | 1 Better Messages | 2021-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-43265 | 1 Mahara | 1 Mahara | 2021-11-09 | 3.5 LOW | 5.4 MEDIUM |
| In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, certain tag syntax could be used for XSS, such as via a SCRIPT element. | |||||
| CVE-2021-25978 | 1 Apostrophecms | 1 Apostrophecms | 2021-11-09 | 3.5 LOW | 5.4 MEDIUM |
| Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed. | |||||
| CVE-2021-41249 | 1 Graphql | 1 Playground | 2021-11-09 | 2.6 LOW | 4.7 MEDIUM |
| GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react older than graphql-playground-react@1.7.28 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a malicious schema in graphql-playground. There are several ways this can occur, including by specifying the URL to a malicious schema in the endpoint query parameter. If a user clicks on a link to a GraphQL Playground installation that specifies a malicious server, arbitrary JavaScript can run in the user's browser, which can be used to exfiltrate user credentials or other harmful goals. If you are using graphql-playground-react directly in your client app, upgrade to version 1.7.28 or later. | |||||
| CVE-2021-41248 | 1 Graphql | 1 Graphiql | 2021-11-09 | 2.6 LOW | 4.7 MEDIUM |
| GraphiQL is the reference implementation of this monorepo, GraphQL IDE, an official project under the GraphQL Foundation. All versions of graphiql older than graphiql@1.4.7 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a vulnerable schema in graphiql. There are a number of ways that can occur. By default, the schema URL is not attacker-controllable in graphiql or in its suggested implementations or examples, leaving only very complex attack vectors. If a custom implementation of graphiql's fetcher allows the schema URL to be set dynamically, such as a URL query parameter like ?endpoint= in graphql-playground, or a database provided value, then this custom graphiql implementation is vulnerable to phishing attacks, and thus much more readily available, low or no privelege level xss attacks. The URLs could look like any generic looking graphql schema URL. It should be noted that desktop clients such as Altair, Insomnia, Postwoman, do not appear to be impacted by this. This vulnerability does not impact codemirror-graphql, monaco-graphql or other dependents, as it exists in onHasCompletion.ts in graphiql. It does impact all forks of graphiql, and every released version of graphiql. | |||||
| CVE-2021-26844 | 1 Poweradmin | 1 Pa Server Monitor | 2021-11-09 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Power Admin PA Server Monitor 8.2.1.1 allows remote attackers to inject arbitrary web script or HTML via Console.exe. | |||||
| CVE-2021-39412 | 1 Shopping Portal Project | 1 Shopping Portal | 2021-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities exists in PHPGurukul Shopping v3.1 via the (1) callback parameter in (a) server_side/scripts/id_jsonp.php, (b) server_side/scripts/jsonp.php, and (c) scripts/objects_jsonp.php, the (2) value parameter in examples_support/editable_ajax.php, and the (3) PHP_SELF parameter in captcha/index.php. | |||||
| CVE-2020-22222 | 1 Phpjabbers | 1 Fundraising Script | 2021-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the pjActionLoadCss function. | |||||
| CVE-2020-22224 | 1 Phpjabbers | 1 Fundraising Script | 2021-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the pjActionPreview function. | |||||
| CVE-2021-39416 | 1 Remoteclinic | 1 Remote Clinic | 2021-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities exists in Remote Clinic v2.0 in (1) patients/register-patient.php via the (a) Contact, (b) Email, (c) Weight, (d) Profession, (e) ref_contact, (f) address, (g) gender, (h) age, and (i) serial parameters; in (2) patients/edit-patient.php via the (a) Contact, (b) Email, (c) Weight, Profession, (d) ref_contact, (e) address, (f) serial, (g) age, and (h) gender parameters; in (3) staff/edit-my-profile.php via the (a) Title, (b) First Name, (c) Last Name, (d) Skype, and (e) Address parameters; and in (4) clinics/settings.php via the (a) portal_name, (b) guardian_short_name, (c) guardian_name, (d) opening_time, (e) closing_time, (f) access_level_5, (g) access_level_4, (h) access_level_ 3, (i) access_level_2, (j) access_level_1, (k) currency, (l) mobile_number, (m) address, (n) patient_contact, (o) patient_address, and (p) patient_email parameters. | |||||
| CVE-2021-39413 | 1 Seopanel | 1 Seo Panel | 2021-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities exits in SEO Panel v4.8.0 via the (1) to_time parameter in (a) backlinks.php, (b) analytics.php, (c) log.php, (d) overview.php, (e) pagespeed.php, (f) rank.php, (g) review.php, (h) saturationchecker.php, (i) social_media.php, and (j) reports.php; the (2) from_time parameter in (a) backlinks.php, (b) analytics.php, (c) log.php, (d) overview.php, (e) pagespeed.php, (f) rank.php, (g) review.php, (h) saturationchecker.php, (i) social_media.php, (j) webmaster-tools.php, and (k) reports.php; the (3) order_col parameter in (a) analytics.php, (b) review.php, (c) social_media.php, and (d) webmaster-tools.php; and the (4) pageno parameter in (a) alerts.php, (b) log.php, (c) keywords.php, (d) proxy.php, (e) searchengine.php, and (f) siteauditor.php. | |||||
| CVE-2021-39906 | 1 Gitlab | 1 Gitlab | 2021-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. | |||||
| CVE-2021-25875 | 1 Youphptube | 1 Youphptube | 2021-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the searchPhrase parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator. | |||||
| CVE-2021-25876 | 1 Youphptube | 1 Youphptube | 2021-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the u parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator. | |||||
| CVE-2021-25878 | 1 Youphptube | 1 Youphptube | 2021-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| AVideo/YouPHPTube 10.0 and prior is affected by multiple reflected Cross Script Scripting vulnerabilities via the videoName parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator. | |||||
| CVE-2019-11203 | 1 Tibco | 2 Activematrix Business Process Management, Silver Fabric Enabler | 2021-11-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The workspace client, openspace client, app development client, and REST API of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contain cross site scripting (XSS) and cross-site request forgery vulnerabilities. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1. | |||||
| CVE-2021-3163 | 1 Slab | 1 Quill | 2021-11-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser. | |||||
| CVE-2021-34731 | 1 Cisco | 1 Prime Access Registrar | 2021-11-06 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Prime Access Registrar could allow an authenticated, remote attacker to perform a stored cross-site scripting attack on an affected system. This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need valid administrative credentials. Cisco expects to release software updates that address this vulnerability. | |||||
| CVE-2021-34784 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2021-11-06 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2021-29764 | 1 Ibm | 1 Sterling B2b Integrator | 2021-11-06 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling B2B Integrator 5.2.0.0 through 6.1.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 202268. | |||||
| CVE-2021-40115 | 1 Cisco | 2 Collaboration Meeting Rooms, Webex Video Mesh | 2021-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in Cisco Webex Video Mesh could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2021-23784 | 1 Tempura Project | 1 Tempura | 2021-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability. | |||||
| CVE-2021-41134 | 1 Jupyter | 2 Nbdime, Nbdime-jupyterlab | 2021-11-05 | 3.5 LOW | 5.4 MEDIUM |
| nbdime provides tools for diffing and merging of Jupyter Notebooks. In affected versions a stored cross-site scripting (XSS) issue exists within the Jupyter-owned nbdime project. It appears that when reading the file name and path from disk, the extension does not sanitize the string it constructs before returning it to be displayed. The diffNotebookCheckpoint function within nbdime causes this issue. When attempting to display the name of the local notebook (diffNotebookCheckpoint), nbdime appears to simply append .ipynb to the name of the input file. The NbdimeWidget is then created, and the base string is passed through to the request API function. From there, the frontend simply renders the HTML tag and anything along with it. Users are advised to patch to the most recent version of the affected product. | |||||
| CVE-2021-43032 | 1 Xenforo | 1 Xenforo | 2021-11-05 | 3.5 LOW | 4.8 MEDIUM |
| In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side. | |||||
| CVE-2020-18259 | 1 Ed01-cms Project | 1 Ed01-cms | 2021-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| ED01-CMS v1.0 was discovered to contain a reflective cross-site scripting (XSS) vulnerability in the component sposts.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Post title or Post content fields. | |||||