| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-38488 | 1 Deltaww | 1 Dialink | 2021-11-05 | 3.5 LOW | 4.8 MEDIUM | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter comment of the API events, which may allow an attacker to remotely execute code. |
| CVE-2021-38428 | 1 Deltaww | 1 Dialink | 2021-11-05 | 3.5 LOW | 4.8 MEDIUM | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API schedule, which may allow an attacker to remotely execute code. |
| CVE-2021-38403 | 1 Deltaww | 1 Dialink | 2021-11-05 | 3.5 LOW | 4.8 MEDIUM | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter supplier of the API maintenance, which may allow an attacker to remotely execute code. |
| CVE-2021-38407 | 1 Deltaww | 1 Dialink | 2021-11-05 | 3.5 LOW | 4.8 MEDIUM | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API devices, which may allow an attacker to remotely execute code. |
| CVE-2021-38411 | 1 Deltaww | 1 Dialink | 2021-11-05 | 3.5 LOW | 4.8 MEDIUM | Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter deviceName of the API modbusWriter-Reader, which may allow an attacker to remotely execute code. |
| CVE-2020-23126 | 1 Chamilo | 1 Chamilo Lms | 2021-11-04 | 4.3 MEDIUM | 6.1 MEDIUM | Chamilo LMS version 1.11.10 contains an XSS vulnerability in the personal profile edition form, affecting the user him/herself and social network friends. |
| CVE-2020-20982 | 1 Wdja | 1 Wdja Cms | 2021-11-04 | 6.8 MEDIUM | 9.6 CRITICAL | Cross Site Scripting (XSS) vulnerability in shadoweb wdja v1.5.1 allows attackers to execute arbitrary code and gain escalated privileges via the backurl parameter to /php/passport/index.php. |
| CVE-2021-3662 | 1 Hp | 2 Futuresmart 4, Futuresmart 5 | 2021-11-04 | 3.5 LOW | 5.4 MEDIUM | Certain HP Enterprise LaserJet and PageWide MFPs may be vulnerable to stored cross site scripting (XSS). |
| CVE-2021-36698 | 1 Artica | 1 Pandora Fms | 2021-11-04 | 3.5 LOW | 5.4 MEDIUM | Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name. |
| CVE-2021-36176 | 1 Fortinet | 1 Fortiportal | 2021-11-04 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests. |
| CVE-2021-43324 | 1 Librenms | 1 Librenms | 2021-11-04 | 4.3 MEDIUM | 6.1 MEDIUM | LibreNMS through 21.10.2 allows XSS via a widget title. |
| CVE-2019-3810 | 1 Moodle | 1 Moodle | 2021-11-04 | 5.0 MEDIUM | 5.3 MEDIUM | A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted. |
| CVE-2020-15940 | 1 Fortinet | 1 Forticlient Enterprise Management Server | 2021-11-04 | 3.5 LOW | 5.4 MEDIUM | An improper neutralization of input vulnerability [CWE-79] in FortiClientEMS versions 6.4.1 and below and 6.2.9 and below may allow a remote authenticated attacker to inject malicious script/tags via the name parameter of various sections of the server. |
| CVE-2020-23718 | 1 Zibbs Project | 1 Zibbs | 2021-11-03 | 6.8 MEDIUM | 9.6 CRITICAL | Cross site scripting (XSS) vulnerability in xujinliang zibbs 1.0 allows attackers to execute arbitrary code via the route parameter to index.php. |
| CVE-2020-23719 | 1 Zibbs Project | 1 Zibbs | 2021-11-03 | 6.8 MEDIUM | 9.6 CRITICAL | Cross site scripting (XSS) vulnerability in application/controllers/AdminController.php in xujinliang zibbs 1.0 allows attackers to execute arbitrary code via the bbsmeta parameter. |
| CVE-2020-23754 | 1 Php-fusion | 1 Phpfusion | 2021-11-03 | 6.8 MEDIUM | 9.6 CRITICAL | Cross Site Scripting (XSS) vulnerability in infusions/member_poll_panel/poll_admin.php in PHP-Fusion 9.03.50 allows attackers to execute arbitrary code via the polls feature. |
| CVE-2019-5450 | 1 Nextcloud | 1 Nextcloud | 2021-11-03 | 4.6 MEDIUM | 6.8 MEDIUM | Improper sanitization of HTML in directory names in the Nextcloud Android app prior to version 3.7.0 allowed the directory name to be styled in the header bar when using basic HTML. |
| CVE-2021-29771 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2021-11-03 | 3.5 LOW | 5.4 MEDIUM | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
| CVE-2020-12814 | 1 Fortinet | 1 Fortianalyzer | 2021-11-03 | 3.5 LOW | 5.4 MEDIUM | An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows an attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI. |
| CVE-2021-24539 | 1 Dazzlersoftware | 1 Coming Soon, Under Construction & Maintenance Mode By Dazzler | 2021-11-03 | 2.1 LOW | 4.8 MEDIUM | The Coming Soon, Under Construction & Maintenance Mode By Dazzler WordPress plugin before 1.6.7 does not sanitise or escape its description setting when outputting it in the frontend when the Coming Soon mode is enabled, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. |
| CVE-2021-31862 | 1 Sysaid | 1 Sysaid | 2021-11-03 | 4.3 MEDIUM | 6.1 MEDIUM | SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication. |
| CVE-2021-3441 | 1 Hp | 2 Officejet 7110, Officejet 7110 Firmware | 2021-11-03 | 3.5 LOW | 4.8 MEDIUM | A potential security vulnerability has been identified for the HP OfficeJet 7110 Wide Format ePrinter that enables Cross-Site Scripting (XSS). |
| CVE-2020-35249 | 1 Elkarbackup | 1 Elkarbackup | 2021-11-03 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in ElkarBackup 1.3.3 allows attackers to execute arbitrary code via the name parameter to the add client feature. |
| CVE-2020-27406 | 1 Dynpg | 1 Dynpg | 2021-11-03 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in DynPG 4.9.1 allows authenticated attackers to execute arbitrary code via the groupname. |
| CVE-2021-33611 | 1 Vaadin | 2 Vaadin, Vaadin-menu-bar | 2021-11-02 | 4.3 MEDIUM | 6.1 MEDIUM | Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in the browser by opening a crafted URL. |
| CVE-2021-41310 | 1 Atlassian | 1 Jira Software Data Center | 2021-11-02 | 4.3 MEDIUM | 6.1 MEDIUM | Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1. |
| CVE-2021-24624 | 1 Sonaar | 1 Mp3 Audio Player For Music, Radio & Podcast | 2021-11-02 | 3.5 LOW | 4.8 MEDIUM | The MP3 Audio Player for Music, Radio & Podcast by Sonaar WordPress plugin before 2.4.2 does not properly sanitize or escape data in some of its Playlist settings, allowing high privilege users to perform Cross-Site Scripting attacks. |
| CVE-2015-20019 | 1 Content Text Slider On Post Project | 1 Content Text Slider On Post | 2021-11-02 | 3.5 LOW | 5.4 MEDIUM | The Content text slider on post WordPress plugin before 6.9 does not sanitise and escape the Title and Message/Content settings, which could lead to Cross-Site Scripting issues. |
| CVE-2019-3847 | 1 Moodle | 1 Moodle | 2021-11-02 | 3.5 LOW | 4.8 MEDIUM | A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf. |
| CVE-2021-39346 | 1 Supsystic | 1 Easy Google Maps | 2021-11-02 | 2.1 LOW | 4.8 MEDIUM | The Google Maps Easy WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php file, which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.9.33. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. |
| CVE-2021-39340 | 1 Bracketspace | 1 Notification | 2021-11-02 | 2.1 LOW | 4.8 MEDIUM | The Notification WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/src/classes/Utils/Settings.php file, which made it possible for attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 7.2.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. |
| CVE-2021-38356 | 1 Nextscripts | 1 Social Networks Auto Poster | 2021-11-02 | 4.3 MEDIUM | 6.1 MEDIUM | The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter, which is echoed out on inc/nxs_class_snap.php, by supplying the appropriate value 'nxssnap-post' to load the page in $_GET['page'] along with malicious JavaScript in $_POST['page']. |
| CVE-2021-24813 | 1 E-dynamics | 1 Events Made Easy | 2021-11-02 | 3.5 LOW | 4.8 MEDIUM | The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24794 | 1 Connections-pro | 1 Connections Business Directory | 2021-11-02 | 3.5 LOW | 4.8 MEDIUM | The Connections Business Directory WordPress plugin before 10.4.3 does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting when the unfiltered_html capability is disallowed. |
| CVE-2021-24793 | 1 Etruel | 1 Wpematico Rss Feed Fetcher | 2021-11-02 | 3.5 LOW | 4.8 MEDIUM | The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24789 | 1 Flat Preloader Project | 1 Flat Preloader | 2021-11-02 | 3.5 LOW | 4.8 MEDIUM | The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in an attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24773 | 1 Wpdownloadmanager | 1 Wordpress Download Manager | 2021-11-02 | 3.5 LOW | 4.8 MEDIUM | The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24723 | 1 Wpreactions | 1 Wp Reactions Lite | 2021-11-02 | 3.5 LOW | 5.4 MEDIUM | The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages. |
| CVE-2021-24716 | 1 Webnus | 1 Modern Events Calendar Lite | 2021-11-02 | 3.5 LOW | 5.4 MEDIUM | The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings within wp-admin. |
| CVE-2021-24715 | 1 Wp Sitemap Page Project | 1 Wp Sitemap Page | 2021-11-02 | 3.5 LOW | 4.8 MEDIUM | The WP Sitemap Page WordPress plugin before 1.7.0 does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-36551 | 1 Tiki | 1 Tikiwiki Cms/groupware | 2021-11-02 | 3.5 LOW | 5.4 MEDIUM | TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module. |
| CVE-2019-15116 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2021-11-02 | 4.3 MEDIUM | 6.1 MEDIUM | The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging. |
| CVE-2021-24682 | 1 Wpkube | 1 Cool Tag Cloud | 2021-11-02 | 3.5 LOW | 5.4 MEDIUM | The Cool Tag Cloud WordPress plugin before 2.26 does not escape the style attribute of the cool_tag_cloud shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| CVE-2021-36550 | 1 Tiki | 1 Tikiwiki Cms/groupware | 2021-11-02 | 3.5 LOW | 5.4 MEDIUM | TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module. |
| CVE-2020-22312 | 1 Hznuoj Project | 1 Hznuoj | 2021-11-01 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability was discovered in the OJ/admin-tool /cal_scores.php function of HZNUOJ v1.0. |
| CVE-2017-12061 | 1 Mantisbt | 1 Mantisbt | 2021-11-01 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP. |
| CVE-2021-41728 | 1 Sourcecodester | 1 News247 Cms | 2021-10-29 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability exists in Sourcecodester News247 CMS 1.0 via the search function in articles. |
| CVE-2020-25422 | 1 Mara Cms Project | 1 Mara Cms | 2021-10-29 | 3.5 LOW | 5.4 MEDIUM | A cross site scripting (XSS) vulnerability in menuedit.php of Mara CMS 7.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2021-29713 | 1 Ibm | 5 Engineering Lifecycle Optimization, Rational Collaborative Lifecycle Management, Rational Doors Next Generation and 2 more | 2021-10-29 | 3.5 LOW | 5.4 MEDIUM | IBM Jazz Team Server products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
| CVE-2019-19285 | 1 Siemens | 1 Xhq | 2021-10-29 | 3.5 LOW | 5.4 MEDIUM | A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow injections that could lead to XSS attacks if unsuspecting users are tricked into accessing a malicious link. |
