Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24287 | 1 Mooveagency | 1 Select All Categories And Taxonomies, Change Checkbox To Radio Buttons | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-20481 | 1 Ibm | 1 Sterling File Gateway | 2021-10-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 197503. | |||||
| CVE-2021-40541 | 1 Php-fusion | 1 Phpfusion | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHPFusion 9.03.110 is affected by cross-site scripting (XSS): the preg patterns used to filter HTML tags in the descript() function do not handle a trailing "//", so an authenticated user can trigger XSS by appending "//" to the end of the text. | |||||
| CVE-2021-35059 | 1 Openwaygroup | 1 Way4 | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenWay WAY4 ACS before 1.2.278-2693 allows XSS via the /way4acs/enroll action parameter. | |||||
| CVE-2021-20561 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199230. | |||||
| CVE-2021-20571 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling B2B Integrator 5.2.0.0 through 6.1.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199246. | |||||
| CVE-2021-24712 | 1 Dwbooster | 1 Appointment Hour Booking | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM |
| The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars. | |||||
| CVE-2021-24690 | 1 Kibokolabs | 1 Chained Quiz | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM |
| The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings. | |||||
| CVE-2021-24545 | 1 Wp Html Author Bio Project | 1 Wp Html Author Bio | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM |
| The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visits a post in the frontend made by such a user. As a result, users with a role as low as Author could perform Cross-Site Scripting attacks against other users, which could potentially lead to privilege escalation when an admin views the related post/s. | |||||
| CVE-2021-24656 | 1 Wpbrigade | 1 Simple Social Buttons | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM |
| The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title settings before outputting it in the frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24691 | 1 Expresstech | 1 Quiz And Survey Master | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM |
| The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24709 | 1 Awplife | 1 Weather Effect | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM |
| The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed) which could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24737 | 1 Gvectors | 1 Wpdiscuz | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM |
| The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24681 | 1 Duplicatepro | 1 Duplicate Page | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM |
| The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24577 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM |
| The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when adding or modifying coming soon or maintenance mode pages, leading to stored XSS. | |||||
| CVE-2021-24720 | 1 Ayecode | 1 Geodirectory | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM |
| The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS). | |||||
| CVE-2021-41565 | 1 Tadtools Project | 1 Tadtools | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The TadTools special page parameter does not properly restrict the input of specific characters, so remote attackers can inject JavaScript syntax without logging in and perform reflected XSS attacks. | |||||
| CVE-2021-41567 | 1 Tad Uploader Project | 1 Tad Uploader | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The new add subject parameter of the Tad Uploader view book list function fails to filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks. | |||||
| CVE-2021-41918 | 1 Webtareas Project | 1 Webtareas | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM |
| webTareas version 2.4 and earlier allows an authenticated user to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against the platform users and administrators. The issue affects every endpoint on the application because of how each URL is echoed back on every response page. | |||||
| CVE-2021-41917 | 1 Webtareas Project | 1 Webtareas | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM |
| webTareas version 2.4 and earlier allows an authenticated user to store arbitrary web script or HTML by creating or editing a client name in the clients section, due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the platform users and administrators. The affected endpoint is /clients/editclient.php, on the HTTP POST cn parameter. | |||||
| CVE-2021-41563 | 1 Tad Book3 Project | 1 Tad Book3 | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Tad Book3 book editing function does not filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks. | |||||
| CVE-2021-36150 | 1 Silverstripe | 1 Silverstripe | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| SilverStripe Framework through 4.8.1 allows XSS. | |||||
| CVE-2021-34742 | 1 Cisco | 1 Vision Dynamic Signage Director | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-21729 | 1 Jeecms | 1 Jeecms X | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| JEECMS x1.1 contains a stored cross-site scripting (XSS) vulnerability in the component of /member-vipcenter.htm, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2020-21656 | 1 Xyhcms | 1 Xyhcms | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| XYHCMS v3.6 contains a stored cross-site scripting (XSS) vulnerability in the component xyhai.php?s=/Link/index. | |||||
| CVE-2021-42053 | 1 Django-unicorn | 1 Unicorn | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| The Unicorn framework through 0.35.3 for Django allows XSS via component.name. | |||||
| CVE-2021-42042 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript. | |||||
| CVE-2021-42043 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query. | |||||
| CVE-2021-42044 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, growthexperiments-mentor-dashboard-mentee-overview-info-text, growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline, and growthexperiments-mentor-dashboard-mentee-overview-active-ago MediaWiki messages were not being properly sanitized and allowed for the injection and execution of HTML and JavaScript. | |||||
| CVE-2021-42041 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log. | |||||
| CVE-2021-29836 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204912. | |||||
| CVE-2021-29855 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205684. | |||||
| CVE-2021-36175 | 1 Fortinet | 1 Fortiweb | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device. | |||||
| CVE-2021-33849 | 1 Zohocorp | 1 Zoho Crm Lead Magnet | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| Zoho CRM Lead Magnet Version 1.7.2.4 is vulnerable to Cross-Site Scripting (XSS): arbitrary JavaScript runs in a user's browser while it is connected to the trusted site, whenever the user changes the form values or deletes a created form. The attack targets the application's users rather than the application itself, using the application as the vehicle. | |||||
| CVE-2021-39350 | 1 Foliovision | 1 Fv Flowplayer Video Player | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727. | |||||
| CVE-2021-24021 | 1 Fortinet | 1 Fortianalyzer | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request, via other, hypothetical attacks. | |||||
| CVE-2021-42092 | 1 Zammad | 1 Zammad | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Zammad before 4.1.1. Stored XSS may occur via an Article during addition of an attachment to a Ticket. | |||||
| CVE-2020-21505 | 1 Waimai Super Cms Project | 1 Waimai Super Cms | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| waimai Super Cms 20150505 contains a cross-site scripting (XSS) vulnerability in the component /admin.php/Link/addsave. | |||||
| CVE-2020-21506 | 1 Waimai Super Cms Project | 1 Waimai Super Cms | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| waimai Super Cms 20150505 contains a cross-site scripting (XSS) vulnerability in the component /admin.php?m=Config&a=add. | |||||
| CVE-2020-21504 | 1 Waimai Super Cms Project | 1 Waimai Super Cms | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| waimai Super Cms 20150505 contains a cross-site scripting (XSS) vulnerability in the component /admin.php?&m=Public&a=login. | |||||
| CVE-2021-42088 | 1 Zammad | 1 Zammad | 2021-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zammad before 4.1.1. The Chat functionality allows XSS because clipboard data is mishandled. | |||||
| CVE-2021-42085 | 1 Zammad | 1 Zammad | 2021-10-13 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Zammad before 4.1.1. There is stored XSS via a custom Avatar. | |||||
| CVE-2020-21495 | 1 Xiuno | 1 Xiunobbs | 2021-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitename parameter. | |||||
| CVE-2020-21494 | 1 Xiuno | 1 Xiunobbs | 2021-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component install\install.sql of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via changing the doctype value to 0. | |||||
| CVE-2020-21496 | 1 Xiuno | 1 Xiunobbs | 2021-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitebrief parameter. | |||||
| CVE-2021-37330 | 1 Bookingcore | 1 Booking Core | 2021-10-12 | 3.5 LOW | 5.4 MEDIUM |
| Laravel Booking System Booking Core 2.0 is vulnerable to Cross Site Scripting (XSS). The Avatar upload in the My Profile section can be used to upload a malicious SVG file that contains JavaScript. If another user or admin views the profile and opens the avatar, the XSS triggers. | |||||
| CVE-2021-39878 | 1 Gitlab | 1 Gitlab | 2021-10-12 | 3.5 LOW | 5.4 MEDIUM |
| A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary JavaScript code. | |||||
| CVE-2021-39486 | 1 Gilacms | 1 Gila Cms | 2021-10-12 | 3.5 LOW | 5.4 MEDIUM |
| A Stored XSS via Malicious File Upload exists in Gila CMS version 2.2.0. An attacker can use this to steal cookies, passwords or to run arbitrary code on a victim's browser. | |||||
| CVE-2021-36845 | 1 Yithemes | 1 Yith Maintenance Mode | 2021-10-12 | 3.5 LOW | 4.8 MEDIUM |
| Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.8; there are 46 vulnerable parameters that were missed by the vendor while patching version 1.3.7 to 1.3.8. Vulnerable parameters: 1 - "Newsletter" tab, &yith_maintenance_newsletter_submit_label parameter: the payload should start with a single quote (') symbol to break the context, i.e.: NOTIFY ME' autofocus onfocus=alert(/Visse/);// v=' - this payload will be auto triggered while an admin visits this page/tab. 2 - "General" tab issues, vulnerable parameters: &yith_maintenance_message, &yith_maintenance_custom_style, &yith_maintenance_mascotte, &yith_maintenance_title_font[size], &yith_maintenance_title_font[family], &yith_maintenance_title_font[color], &yith_maintenance_paragraph_font[size], &yith_maintenance_paragraph_font[family], &yith_maintenance_paragraph_font[color], &yith_maintenance_border_top. 3 - "Background" tab issues, vulnerable parameters: &yith_maintenance_background_image, &yith_maintenance_background_color. 4 - "Logo" tab issues, vulnerable parameters: &yith_maintenance_logo_image, &yith_maintenance_logo_tagline, &yith_maintenance_logo_tagline_font[size], &yith_maintenance_logo_tagline_font[family], &yith_maintenance_logo_tagline_font[color]. 5 - "Newsletter" tab issues, vulnerable parameters: &yith_maintenance_newsletter_email_font[size], &yith_maintenance_newsletter_email_font[family], &yith_maintenance_newsletter_email_font[color], &yith_maintenance_newsletter_submit_font[size], &yith_maintenance_newsletter_submit_font[family], &yith_maintenance_newsletter_submit_font[color], &yith_maintenance_newsletter_submit_background, &yith_maintenance_newsletter_submit_background_hover, &yith_maintenance_newsletter_title, &yith_maintenance_newsletter_action, &yith_maintenance_newsletter_email_label, &yith_maintenance_newsletter_email_name, &yith_maintenance_newsletter_submit_label, &yith_maintenance_newsletter_hidden_fields. 6 - "Socials" tab issues, vulnerable parameters: &yith_maintenance_socials_facebook, &yith_maintenance_socials_twitter, &yith_maintenance_socials_gplus, &yith_maintenance_socials_youtube, &yith_maintenance_socials_rss, &yith_maintenance_socials_skype, &yith_maintenance_socials_email, &yith_maintenance_socials_behance, &yith_maintenance_socials_dribble, &yith_maintenance_socials_flickr, &yith_maintenance_socials_instagram, &yith_maintenance_socials_pinterest, &yith_maintenance_socials_tumblr, &yith_maintenance_socials_linkedin. | |||||
| CVE-2016-1000132 | 1 Cminds | 1 Tooltip Glossary | 2021-10-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in the WordPress plugin enhanced-tooltipglossary v3.2.8 | |||||
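
Several rows above describe the same mechanism, most explicitly the WordPress settings-page entries and the CVE-2021-36845 payload: a saved or reflected value is written into a quoted HTML attribute without escaping, and a single quote inside the value ends the attribute early so the rest of the value becomes new attributes, including an event handler. The following Python example is added here and is not code from any plugin listed on this page; the settings field, its markup and both render functions are hypothetical stand-ins, and the payload is constructed after the one quoted for CVE-2021-36845. It renders the field both ways and then parses the result with html.parser to show which attributes a browser would actually assign to the element.

```python
"""Attribute-context XSS: why a stored or reflected setting must be escaped on output.

Added example, not code from any plugin on this page. A hypothetical
settings field is echoed into a single-quoted attribute, once unescaped
and once through html.escape(quote=True); the rendered markup is then
parsed to list the attributes the <input> element really ends up with.
"""
import html
from html.parser import HTMLParser

# Constructed payload modelled on the single-quote breakout quoted for
# CVE-2021-36845: it closes the quoted value, adds an autofocus + onfocus
# handler, and re-opens a quote so the tag still parses cleanly.
PAYLOAD = "NOTIFY ME' autofocus onfocus=alert(/Visse/);// v='"


def render_unescaped(label: str) -> str:
    """Vulnerable: the option value is interpolated straight into a quoted attribute."""
    return f"<input type='submit' name='submit' value='{label}'>"


def render_escaped(label: str) -> str:
    """Hardened: html.escape(quote=True) encodes ' as &#x27; and " as &quot;,
    so the value can no longer terminate the attribute it sits in."""
    return f"<input type='submit' name='submit' value='{html.escape(label, quote=True)}'>"


class _InputAttrs(HTMLParser):
    """Collect the attributes the parser assigns to the first <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            # Values are already entity-decoded by HTMLParser; valueless
            # attributes such as a bare 'autofocus' arrive as None.
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Parse the markup the way a browser would and return the <input> attributes."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def has_event_handler(markup: str) -> bool:
    """True if the parsed <input> carries any on* attribute, i.e. script would run."""
    return any(name.lower().startswith("on") for name in input_attributes(markup))


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = render(PAYLOAD)
        print(f"{label}: attributes={sorted(input_attributes(out))} handler={has_event_handler(out)}")
```

The parsed attribute set is the check worth automating: for the unescaped render the element gains autofocus and onfocus, for the escaped one the whole payload survives as the value of a single attribute. Escaping has to match the context, so a value placed inside a script block or a URL needs its own encoder rather than html.escape, and a value a high-privilege user may legitimately set still needs this treatment when unfiltered_html is disallowed.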

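The Booking Core and Gila CMS rows describe stored XSS through an uploaded file rather than a form field: an SVG avatar is XML, so it can carry a script element, on* event handlers or javascript: links that run when another user opens the image directly in the browser. The following Python example is added here and is not the code of either project; the element and attribute policy and the two sample SVGs are constructed for the example. It walks the uploaded document and returns the reasons it must be rejected before the file is stored.

```python
"""Stored XSS through SVG uploads: reject active content before the file is stored.

Added example, not code from Booking Core or Gila CMS. The policy below is
an assumed minimal one; the sample documents are constructed for the test.
"""
import xml.etree.ElementTree as ET

# Elements that execute or embed active content (assumed policy, not exhaustive).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object",
                   "set", "animate", "handler"}


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    """Browsers ignore embedded whitespace in the scheme, so drop it before checking."""
    compact = "".join(value.split()).lower()
    return compact.startswith(("javascript:", "data:text/html"))


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG is unsafe; an empty list means clean.

    Production code should parse with a hardened parser (for example defusedxml):
    the stdlib parser does not fetch external entities but still expands
    internal ones, so entity-expansion DoS is possible on attacker-controlled XML.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    for element in root.iter():
        name = _local(element.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in element.attrib.items():
            lname = _local(attr).lower()
            if lname.startswith("on"):
                findings.append(f"event handler {lname} on <{name}>")
            elif lname == "href" and _is_script_url(value):
                findings.append(f"script URL in href on <{name}>")
    return findings


# Constructed sample: a plain avatar that should be accepted.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#3a7"/>
</svg>"""

# Constructed sample: the three common carriers of script in an SVG.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.cookie)</script>
  <circle r="9" onload="alert(1)"/>
  <a xlink:href="javascript:alert(2)"><text y="10">bio</text></a>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, svg_findings(doc) or "accepted")
```

Rejecting active content is only the first layer. A file that passes should still be served from a separate origin, with a Content-Disposition: attachment header or a Content-Security-Policy: sandbox header, so that an SVG opened directly cannot execute in the application's origin; rasterizing avatars to PNG at upload time removes the problem entirely.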