Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40223 | 1 Rittal | 2 Cmc Pu Iii 7030.000, Cmc Pu Iii 7030.000 Firmware | 2021-09-22 | 3.5 LOW | 5.4 MEDIUM |
| Rittal CMC PU III Web management (version V3.11.00_2) fails to sanitize user input on several parameters of the configuration (User Configuration dialog, Task Configuration dialog and set logging filter dialog). This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts). The XSS payload will be triggered when the user accesses some specific sections of the application. | |||||
| CVE-2021-38331 | 1 Wp-t-wap Project | 1 Wp-t-wap | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP-T-Wap WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the posted parameter found in the ~/wap/writer.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.13.2. | |||||
| CVE-2021-3646 | 1 Btcpayserver | 1 Btcpay Server | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-27889 | 1 Mybb | 1 Mybb | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages. | |||||
| CVE-2021-24477 | 1 Migrate Users Project | 1 Migrate Users | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Migrate Users WordPress plugin through 1.0.1 does not sanitise or escape its Delimiter option before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its options, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2021-23411 | 1 Anchorme Project | 1 Anchorme | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the main functionality. It accepts input that can result in the output (an anchor a tag) containing undesirable JavaScript code that can be executed upon user interaction. | |||||
| CVE-2021-31813 | 1 Zohocorp | 1 Manageengine Applications Manager | 2021-09-21 | 3.5 LOW | 5.4 MEDIUM |
| Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD. | |||||
| CVE-2021-35061 | 1 Drk-odenwaldkreis | 1 Testerfassung | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in DRK Odenwaldkreis Testerfassung March-2021 allow remote attackers to inject arbitrary web script or HTML via all parameters to HTML form fields in all components. | |||||
| CVE-2020-24723 | 1 User Registration & Login And User Management System Project | 1 User Registration & Login And User Management System | 2021-09-21 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel 2.1. | |||||
| CVE-2021-38354 | 1 Gnu-mailman Integration Project | 1 Gnu-mailman Integration | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GNU-Mailman Integration WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the gm_error parameter found in the ~/includes/admin/mailing-lists-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6. | |||||
| CVE-2021-38355 | 1 Bug Library Project | 1 Bug Library | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Bug Library WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the successimportcount parameter found in the ~/bug-library.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.3. | |||||
| CVE-2021-38358 | 1 Kibokolabs | 1 Moolamojo | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The MoolaMojo WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the classes parameter found in the ~/views/button-generator.html.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.4.1. | |||||
| CVE-2021-38349 | 1 Techastha | 1 Integration Of Moneybird For Woocommerce | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error_description parameter found in the ~/templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. | |||||
| CVE-2021-38348 | 1 Advance Search Project | 1 Advance Search | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advance Search WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the wpas_id parameter found in the ~/inc/admin/views/html-advance-search-admin-options.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.2. | |||||
| CVE-2021-38347 | 1 Custom Website Data Project | 1 Custom Website Data | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Custom Website Data WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter found in the ~/views/edit.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2. | |||||
| CVE-2021-38340 | 1 Wordpress Simple Shop Project | 1 Wordpress Simple Shop | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Wordpress Simple Shop WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the update_row parameter found in the ~/includes/add_product.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | |||||
| CVE-2021-38338 | 1 Border Loading Bar Project | 1 Border Loading Bar | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Border Loading Bar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `f` and `t` parameters found in the ~/titan-framework/iframe-googlefont-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1. | |||||
| CVE-2021-38359 | 1 Invitebox | 1 Invitebox | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WordPress InviteBox Plugin for viral Refer-a-Friend Promotions WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the message parameter found in the ~/admin/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.1. | |||||
| CVE-2021-27658 | 1 Johnsoncontrols | 1 Exacqvision Enterprise Manager | 2021-09-20 | 3.5 LOW | 5.4 MEDIUM |
| exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users. | |||||
| CVE-2021-27659 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2021-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users. | |||||
| CVE-2020-19515 | 1 Qdpm | 1 Qdpm | 2021-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\install\modules\database_config.php. | |||||
| CVE-2021-20293 | 2 Netapp, Redhat | 2 Oncommand Insight, Resteasy | 2021-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity. | |||||
| CVE-2021-38152 | 1 Chikitsa | 1 Patient Management System | 2021-09-20 | 3.5 LOW | 5.4 MEDIUM |
| index.php/appointment/insert_patient_add_appointment in Chikitsa Patient Management System 2.0.0 allows XSS. | |||||
| CVE-2021-36871 | 1 Codecabin | 1 Wp Google Maps | 2021-09-17 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps Pro premium plugin (versions <= 8.1.11). Vulnerable parameters: &wpgmaps_marker_category_name, Value > &attributes[], Name > &attributes[], &icons[], &names[], &description, &link, &title. | |||||
| CVE-2021-36870 | 1 Codecabin | 1 Wp Google Maps | 2021-09-17 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address. | |||||
| CVE-2021-30689 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2021-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A logic issue was addressed with improved state management. This issue is fixed in tvOS 14.6, iOS 14.6 and iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, watchOS 7.5. Processing maliciously crafted web content may lead to universal cross site scripting. | |||||
| CVE-2021-29011 | 1 Dmasoftlab | 1 Dma Radius Manager | 2021-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| DMA Softlab Radius Manager 4.4.0 is affected by Cross Site Scripting (XSS) via the description, name, or address field (under admin.php). | |||||
| CVE-2021-1826 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2021-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing maliciously crafted web content may lead to universal cross site scripting. | |||||
| CVE-2019-16562 | 1 Jenkins | 1 Buildgraph-view | 2021-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions. | |||||
| CVE-2020-1760 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2021-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in the Ceph Object Gateway, where it supports requests sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input. | |||||
| CVE-2021-1825 | 1 Apple | 8 Icloud, Ipados, Iphone Os and 5 more | 2021-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| An input validation issue was addressed with improved input validation. This issue is fixed in iTunes 12.11.3 for Windows, iCloud for Windows 12.3, macOS Big Sur 11.3, Safari 14.1, watchOS 7.4, tvOS 14.5, iOS 14.5 and iPadOS 14.5. Processing maliciously crafted web content may lead to a cross site scripting attack. | |||||
| CVE-2021-36563 | 1 Checkmk | 1 Checkmk | 2021-09-16 | 3.5 LOW | 5.4 MEDIUM |
| The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to plant HTML content that the browser interprets (such as JavaScript or other client-side scripts); the stored XSS payload is triggered when a user accesses specific sections of the application. A particularly dangerous scenario is an attacker who holds the monitor role (not administrator) using a stored XSS to steal the secretAutomation (used for the API in administrator mode) and thereby creating another administrator user with high privileges on the CheckMK monitoring web console. Persistent XSS also allows an attacker to modify the displayed content or change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session. | |||||
| CVE-2021-32106 | 1 Icecoder | 1 Icecoder | 2021-09-16 | 3.5 LOW | 5.4 MEDIUM |
| In ICEcoder 8.0, a reflected XSS vulnerability was identified in the multipe-results.php page due to insufficient sanitization of the _GET['replace'] variable. As a result, arbitrary JavaScript code can be executed. | |||||
| CVE-2020-24553 | 4 Fedoraproject, Golang, Opensuse and 1 more | 4 Fedora, Go, Leap and 1 more | 2021-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. | |||||
| CVE-2021-38341 | 1 Dreamfoxmedia | 1 Woocommerce Payment Gateway Per Category | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce Payment Gateway Per Category WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/includes/plugin_settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.10. | |||||
| CVE-2021-38353 | 1 Webodid | 1 Dropdown And Scrollable Text | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Dropdown and scrollable Text WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the content parameter found in the ~/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0. | |||||
| CVE-2021-38350 | 1 Spideranalyse Project | 1 Spideranalyse | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The spideranalyse WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the date parameter found in the ~/analyse/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.1. | |||||
| CVE-2021-38351 | 1 Outsidesource | 1 Osd Subscribe | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The OSD Subscribe WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the osd_subscribe_message parameter found in the ~/options/osd_subscribe_options_subscribers.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.3. | |||||
| CVE-2021-38339 | 1 Devondev | 1 Simple Matted Thumbnails | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Matted Thumbnails WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/simple-matted-thumbnail.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.01. | |||||
| CVE-2021-38357 | 1 Elyazalee | 1 Sms-ovh | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SMS OVH WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the position parameter found in the ~/sms-ovh-sent.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.1. | |||||
| CVE-2021-38332 | 1 Ops-robots-txt Project | 1 Ops-robots-txt | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The On Page SEO + Whatsapp Chat Button Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1. | |||||
| CVE-2021-38330 | 1 Tromit | 1 Yabp | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Yet Another bol.com Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/yabp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4. | |||||
| CVE-2021-38329 | 1 Dj Emailpublish Project | 1 Dj Emailpublish | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The DJ EmailPublish WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/dj-email-publish.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.7.2. | |||||
| CVE-2021-38326 | 1 Wpleet | 1 Post Title Counter | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Post Title Counter WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the notice parameter found in the ~/post-title-counter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1. | |||||
| CVE-2021-38328 | 1 Notices Project | 1 Notices | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Notices WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/notices.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1. | |||||
| CVE-2021-38327 | 1 Ueberhamm-design | 1 Youtube Video Inserter | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The YouTube Video Inserter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/adminUI/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.1.0. | |||||
| CVE-2021-38334 | 1 Amazingweb | 1 Wp-design-maps-places | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Design Maps & Places WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the filename parameter found in the ~/wpdmp-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | |||||
| CVE-2021-38337 | 1 Carrcommunications | 1 Rsvpmaker Excel | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The RSVPMaker Excel WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/phpexcel/PHPExcel/Shared/JAMA/docs/download.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1. | |||||
| CVE-2021-38336 | 1 Sw-guide | 1 Edit Comments Xt | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Edit Comments XT WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/edit-comments-xt.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | |||||
| CVE-2021-38335 | 1 Wiseagent | 1 Wise Agent Capture Forms | 2021-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Wise Agent Capture Forms WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/WiseAgentCaptureForm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | |||||
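The WordPress entries above fall into two recurring reflected-XSS patterns: a `$_GET` parameter echoed into a page (e.g. the `notice` parameter in CVE-2021-38326) and a raw `$_SERVER["PHP_SELF"]` value echoed into a form action (CVE-2021-38341, -38339, -38332, -38330, -38329, -38328, -38327, -38337, -38336, -38335). The following is an added example, not code from any of the listed plugins, that reproduces both patterns side by side with the context-appropriate encoding that fixes each. The plugin path, the `notice` parameter name, the payloads and all function names are hypothetical; `admin_url()` and `esc_url()` are WordPress core functions and are only called when they exist.

```php
<?php
// Added example, not code from any plugin listed above. Reproduces the two
// reflected-XSS patterns that recur in the WordPress entries and the fix for
// each. Plugin path, parameter name, payloads and function names are hypothetical.
declare(strict_types=1);

// Pattern 1: a query parameter reflected into element content.
function vulnerable_notice(array $get): string
{
    // Equivalent of: echo '<div class="notice">' . $_GET['notice'] . '</div>';
    return '<div class="notice">' . ($get['notice'] ?? '') . '</div>';
}

function hardened_notice(array $get): string
{
    // Element-content context: encode <, >, &, " and ' before output.
    $safe = htmlspecialchars((string) ($get['notice'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="notice">' . $safe . '</div>';
}

// Pattern 2: PHP_SELF reflected into an attribute. PHP_SELF is derived from the
// request path and, on servers that pass PATH_INFO to PHP (the common Apache
// set-up), keeps whatever follows the script name, so the attacker controls
// it via the URL alone: /plugins/example/settings.php/"><script>...
function vulnerable_form(string $phpSelf): string
{
    // Equivalent of: echo '<form action="' . $_SERVER['PHP_SELF'] . '">';
    return '<form method="post" action="' . $phpSelf . '">';
}

function hardened_form(string $phpSelf): string
{
    // Attribute context: ENT_QUOTES is required so a double quote in the
    // value cannot terminate the attribute.
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Inside WordPress the better fix for pattern 2 is to stop using PHP_SELF and
// build the URL from admin_url() escaped with esc_url(). Both are WordPress
// core functions, so this helper only uses them when they are defined.
function wordpress_form(string $page): string
{
    if (function_exists('admin_url') && function_exists('esc_url')) {
        return '<form method="post" action="'
            . esc_url(admin_url('admin.php?page=' . rawurlencode($page))) . '">';
    }
    // Outside WordPress: an empty action posts back to the current URL
    // without echoing it anywhere.
    return '<form method="post" action="">';
}

// Constructed inputs: a reflected query string and a PATH_INFO-tainted
// PHP_SELF, as an attacker would deliver them in a link sent to a logged-in
// administrator (reflected admin-page XSS needs the victim to open the link).
$get     = ['notice' => '<img src=x onerror=alert(document.cookie)>'];
$phpSelf = '/wp-content/plugins/example/settings.php/"><script>alert(1)</script>';

$checks = [
    'vulnerable notice emits the raw tag'      => strpos(vulnerable_notice($get), '<img') !== false,
    'hardened notice emits no raw tag'         => strpos(hardened_notice($get), '<img') === false,
    'vulnerable form breaks out of attribute'  => strpos(vulnerable_form($phpSelf), '<script') !== false,
    'hardened form keeps payload in attribute' => strpos(hardened_form($phpSelf), '<script') === false,
    'wordpress form never echoes PHP_SELF'     => strpos(wordpress_form('example'), 'settings.php') === false,
];
foreach ($checks as $label => $ok) {
    printf("%s: %s\n", $ok ? 'OK' : 'FAIL', $label);
}
```

Run it with `php example.php`. In the vulnerable form output the `"` carried in PHP_SELF closes the `action` attribute and the `<script>` that follows becomes markup; in the hardened output `htmlspecialchars()` with `ENT_QUOTES` turns the quote into `&quot;` and the angle brackets into `&lt;`/`&gt;`, so the whole path stays inside the attribute value. Encoding alone does not make PHP_SELF a good choice for admin forms, which is why the WordPress variant builds the URL from `admin_url()` instead of reflecting the request path at all.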
