Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3904 | 1 Getgrav | 1 Grav | 2021-10-29 | 3.5 LOW | 5.4 MEDIUM |
| grav is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-29673 | 1 Ibm | 6 Engineering Lifecycle Optimization, Engineering Workflow Management, Rational Collaborative Lifecycle Management and 3 more | 2021-10-29 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Team Server products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199482. | |||||
| CVE-2020-5669 | 1 Sixapart | 1 Movable Type | 2021-10-29 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-34763 | 1 Cisco | 3 Firepower Management Center Virtual Appliance, Firepower Threat Defense, Sourcefire Defense Center | 2021-10-28 | 3.5 LOW | 4.8 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an attacker to execute a cross-site scripting (XSS) attack or an open redirect attack. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-34764 | 1 Cisco | 3 Firepower Management Center Virtual Appliance, Firepower Threat Defense, Sourcefire Defense Center | 2021-10-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an attacker to execute a cross-site scripting (XSS) attack or an open redirect attack. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-41175 | 1 Pi-hole | 1 Web Interface | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. | |||||
| CVE-2021-41188 | 1 Shopware | 1 Shopware | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability. | |||||
| CVE-2020-36502 | 1 Swiftfiletransfer | 1 Swift File Transfer | 2021-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Swift File Transfer Mobile v1.1.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the devicename parameter which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered as the device name itself. | |||||
| CVE-2020-36499 | 1 Taotesting | 1 Assessment Platform | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| TAO Open Source Assessment Platform v3.3.0 RC02 was discovered to contain a cross-site scripting (XSS) vulnerability in the content parameter of the Rubric Block (Add) module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the rubric name value. | |||||
| CVE-2020-36489 | 1 Dropouts | 1 Air Share | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the devicename parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the devicename information. | |||||
| CVE-2020-36498 | 1 Macrob7 Macs Framework Content Management System Project | 1 Macrob7 Macs Framework Content Management System | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Macrob7 Macs Framework Content Management System - 1.14f contains a cross-site scripting (XSS) vulnerability in the account reset function, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the e-mail input field. | |||||
| CVE-2020-28961 | 1 Perfexcrm | 1 Perfex Crm | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Perfex CRM v2.4.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component ./clients/client via the company name parameter. | |||||
| CVE-2020-28957 | 1 Froxlor | 1 Froxlor | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Customer Add module of Foxlor v0.10.16 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the name, firstname, or username input fields. | |||||
| CVE-2020-23055 | 1 Lancom-systems | 3 Lcos, Wlc-1000, Wlc-4006 | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| ANCOM WLAN Controller (Wireless Series & Hotspot) WLC-1000 & WLC-4006 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the /authen/start/ module via the userid and password parameters. | |||||
| CVE-2020-28955 | 1 Sugarcrm | 1 Sugarcrm | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields. | |||||
| CVE-2020-28968 | 1 Draytek | 26 Vigorap 1000c, Vigorap 1000c Firmware, Vigorap 700 and 23 more | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field. | |||||
| CVE-2020-28956 | 1 Sugarcrm | 1 Sugarcrm | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields. | |||||
| CVE-2021-35499 | 1 Tibco | 1 Nimbus | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Stored Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: versions 10.4.0 and below. | |||||
| CVE-2021-41866 | 1 Mybb | 1 Mybb | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly. | |||||
| CVE-2021-24884 | 1 Strategy11 | 1 Formidable Form Builder | 2021-10-28 | 6.8 MEDIUM | 9.6 CRITICAL |
| The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited. | |||||
| CVE-2020-22864 | 1 Froala | 1 Wysiwyg-editor | 2021-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability in the Insert Video function of Froala WYSIWYG Editor 3.1.0 allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2021-24544 | 1 Motopress | 1 Motopress-slider-lite | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example. | |||||
| CVE-2021-24489 | 1 Emarketdesign | 1 Request A Quote | 2021-10-28 | 3.5 LOW | 4.8 MEDIUM |
| The Request a Quote WordPress plugin before 2.3.5 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24414 | 1 Video Player For Youtube Project | 1 Video Player For Youtube | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| The Video Player for YouTube WordPress plugin before 1.4 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode | |||||
| CVE-2021-24381 | 1 Ninjaforms | 1 Contact Form | 2021-10-28 | 3.5 LOW | 4.8 MEDIUM |
| The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24514 | 1 Vfbpro | 1 Visual Form Builder | 2021-10-28 | 3.5 LOW | 4.8 MEDIUM |
| The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-21319 | 1 Galette | 1 Galette | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Galette is a membership management web application geared towards non profit organizations. In versions prior to 0.9.5, malicious javascript code can be stored to be displayed later on self subscription page. The self subscription feature can be disabled as a workaround (this is the default state). Malicious javascript code can be executed (not stored) on login and retrieve password pages. This issue is patched in version 0.9.5. | |||||
| CVE-2021-24885 | 1 Yop-poll | 1 Yop-poll | 2021-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2020-20908 | 1 Akaunting | 1 Akaunting | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Akaunting v1.3.17 was discovered to contain a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Company Name input field. | |||||
| CVE-2020-36490 | 1 Dedecms | 1 Dedecms | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | |||||
| CVE-2020-36491 | 1 Dedecms | 1 Dedecms | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tags_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | |||||
| CVE-2020-23054 | 1 User-agent Switcher And Manager Project | 1 User-agent Switcher And Manager | 2021-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in NSK User Agent String Switcher Service v0.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the user agent input field. | |||||
| CVE-2020-23049 | 1 Fork-cms | 1 Fork Cms | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Fork CMS Content Management System v5.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the `Displayname` field when using the `Add`, `Edit` or `Register' functions. This vulnerability allows attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2020-23046 | 1 Dedecms | 1 Dedecms | 2021-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tpl.php via the `filename`, `mid`, `userid`, and `templet' parameters. | |||||
| CVE-2020-23044 | 1 Dedecms | 1 Dedecms | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_pic_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | |||||
| CVE-2020-23052 | 1 Catalyst | 1 Mahara | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Catalyst IT Ltd Mahara CMS v19.10.2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component groupfiles.php via the Number (Nombre) and Description (Descripción) parameters. | |||||
| CVE-2021-39328 | 1 Presstigers | 1 Simple Job Board | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM |
| The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $job_board_privacy_policy_label variable echo'd out via the ~/admin/settings/class-simple-job-board-settings-privacy.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.9.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39354 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM |
| The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2. | |||||
| CVE-2021-39356 | 1 Content Staging Project | 1 Content Staging | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM |
| The Content Staging WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via several parameters that are echo'd out via the ~/templates/settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-41172 | 1 Antsword Redis Project | 1 Antsword Redis | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM |
| AS_Redis is an AntSword plugin for Redis. The Redis Manage plugin for AntSword prior to version 0.5 is vulnerable to Self-XSS due to due to insufficient input validation and sanitization via redis server configuration. Self-XSS in the plugin configuration leads to code execution. This issue is patched in version 0.5. | |||||
| CVE-2020-23042 | 1 Dropouts | 1 Super Backup | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dropouts Technologies LLP Super Backup v2.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted GET request. | |||||
| CVE-2021-41791 | 1 Alfresco | 2 Community Share, Share | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Hyland org.alfresco:share through 7.0.0.2 and org.alfresco:community-share through 7.0. An evasion of the XSS filter for HTML input validation in the Alfresco Share User Interface leads to stored XSS that could be exploited by an attacker (given that he has privileges on the content collaboration features). | |||||
| CVE-2020-23051 | 1 User Registration \& Login And User Management System With Admin Panel Project | 1 User Registration \& Login And User Management System With Admin Panel | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Phpgurukul User Registration & User Management System v2.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & loginsystem input fields. | |||||
| CVE-2021-24744 | 1 Cimatti | 1 Contact Forms | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM |
| The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | |||||
| CVE-2020-23041 | 1 Dropouts | 1 Air Share | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` exception-handling. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted GET request. | |||||
| CVE-2020-23048 | 1 Seeddms | 1 Seeddms | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| SeedDMS Content Management System v6.0.7 contains a persistent cross-site scripting (XSS) vulnerability in the component AddEvent.php via the name and comment parameters. | |||||
| CVE-2020-23047 | 1 Macs Cms Project | 1 Macs Cms | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Macrob7 Macs Framework Content Management System - 1.14f was discovered to contain a cross-site scripting (XSS) vulnerability in the search input field of the search module. | |||||
| CVE-2020-23039 | 1 Newsoftwares | 1 Folder Lock | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM |
| Folder Lock v3.4.5 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Create Folder function under the 'create' module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload as a path or folder name. | |||||
| CVE-2021-24653 | 1 Cookie-bar Project | 1 Cookie-bar | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM |
| The Cookie Bar WordPress plugin through 1.8.8 doesn't properly sanitise the Cookie Bar Message setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24608 | 1 Strategy11 | 1 Formidable Form Builder | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM |
| The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||