Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-34658 | 1 Keszites | 1 Simple Popup Newsletter | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.7. | |||||
| CVE-2021-34659 | 1 Sizmic | 1 Plugmatter Pricing Table | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Plugmatter Pricing Table Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `email` parameter in the ~/license.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.32. | |||||
| CVE-2021-38619 | 1 Openbaraza | 1 Openbaraza Human Capital Management | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| openBaraza HCM 3.1.6 does not properly neutralize user-controllable input: an unauthenticated remote attacker can conduct a stored cross-site scripting (XSS) attack against an administrative user from hr/subscription.jsp, hr/application.jsp and hr/index.jsp (with view=). | |||||
| CVE-2021-34641 | 1 Seopress | 1 Seopress | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts, in versions 5.0.0 - 5.0.3. | |||||
| CVE-2021-34643 | 1 Skaut-bazar Project | 1 Skaut-bazar | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2. | |||||
| CVE-2021-34642 | 1 Followistic | 1 Smart Email Alerts | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Smart Email Alerts WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the api_key in the ~/views/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.10. | |||||
| CVE-2021-34644 | 1 Multiplayer-plugin Project | 1 Multiplayer-plugin | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Multiplayer Games WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/multiplayergames.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.7. | |||||
| CVE-2021-34651 | 1 Scribblemaps | 1 Scribble Maps | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Scribble Maps WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the map parameter in the ~/includes/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | |||||
| CVE-2021-34649 | 1 Simple-behace-portfolio Project | 1 Simple-behace-portfolio | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Behance Portfolio WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `dark` parameter in the ~/titan-framework/iframe-font-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.2. | |||||
| CVE-2021-34652 | 1 Meowapps | 1 Media Usage | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Media Usage WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/mmu_admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.4. | |||||
| CVE-2020-18702 | 1 Quokka Project | 1 Quokka | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the 'Username' parameter in the component 'quokka/admin/actions.py'. | |||||
| CVE-2021-38713 | 1 Imgurl Project | 1 Imgurl | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header. | |||||
| CVE-2020-25352 | 1 Rconfig | 1 Rconfig | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the /devices.php function in rConfig 3.9.5 has been fixed in version 3.9.6. This vulnerability allowed remote attackers to perform arbitrary JavaScript execution by entering a crafted payload into the 'Model' field and then saving. | |||||
| CVE-2021-27401 | 1 Mitel | 1 Micollab | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Join Meeting page of Mitel MiCollab Web Client before 9.2 FP2 could allow an attacker to access (view and modify) user data by executing arbitrary code due to insufficient input validation, aka Cross-Site Scripting (XSS). | |||||
| CVE-2020-18699 | 1 Talelin | 1 Lin-cms-flask | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Lin-CMS-Flask v0.1.1 allows remote attackers to execute arbitrary code by entering scripts in the 'Username' parameter in the component 'app/api/cms/user.py'. | |||||
| CVE-2021-24471 | 1 Youtube Embed Project | 1 Youtube Embed | 2021-08-23 | 2.1 LOW | 5.4 MEDIUM |
| The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured). | |||||
| CVE-2021-24518 | 1 Wpfront | 1 Notification Bar | 2021-08-23 | 3.5 LOW | 4.8 MEDIUM |
| The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set an XSS payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24445 | 1 Draftpress | 1 My Site Audit | 2021-08-23 | 3.5 LOW | 5.5 MEDIUM |
| The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24535 | 1 Light Messages Project | 1 Light Messages | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Light Messages WordPress plugin through 1.0 lacks a CSRF check when updating its settings, and does not sanitise the Message Content in them (even with unfiltered_html disallowed). As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the Message Content. Depending on the options set, the XSS payload can be triggered either in the backend only (in the plugin's settings), or in both frontend and backend. | |||||
| CVE-2021-24466 | 1 Verse-o-matic Project | 1 Verse-o-matic | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators perform unwanted actions, such as adding, editing or deleting arbitrary verses and changing the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site Scripting issues. | |||||
| CVE-2021-24519 | 1 Vikwp | 1 Car Rental Management System | 2021-08-23 | 3.5 LOW | 4.8 MEDIUM |
| The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to place an XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-38607 | 1 Crocoblock | 1 Jetengine | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input. | |||||
| CVE-2021-38752 | 1 Online Catering Reservation System Project | 1 Online Catering Reservation System | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Online Catering Reservation System using PHP on Sourcecodester allows an attacker to arbitrarily inject code in the search bar. | |||||
| CVE-2021-38757 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through contact.php. | |||||
| CVE-2021-38756 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php. | |||||
| CVE-2021-24526 | 1 10web | 1 Form Maker | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24538 | 1 Current Book Project | 1 Current Book | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds an Author or Book Title, and then does not escape these values when outputting them to the browser, leading to an Authenticated Stored Cross-Site Scripting (XSS) issue. | |||||
| CVE-2021-24534 | 1 Phonetrack | 1 Phonetrack Meu Site Manager | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue. | |||||
| CVE-2021-24540 | 1 Wonderplugin | 1 Wonder Video Embed | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||
| CVE-2021-24541 | 1 Wonderplugin | 1 Wonder Pdf Embed | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||
| CVE-2021-24548 | 1 Mimetic | 1 Mimetic Books | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page. | |||||
| CVE-2021-24536 | 1 Custom Login Redirect Project | 1 Custom Login Redirect | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Custom Login Redirect WordPress plugin through 1.0.0 does not have a CSRF check in place when saving its settings, and does not sanitise or escape user input before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24512 | 1 Videowhisper | 1 Video Posts Webcam Recorder | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos. | |||||
| CVE-2021-24411 | 1 Social Tape Project | 1 Social Tape | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and does not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack. | |||||
| CVE-2021-24362 | 1 10web | 1 Photo Gallery | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to a gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (i.e. in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue. | |||||
| CVE-2021-38708 | 1 Compo | 1 Composr Cms | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via Comcode for XSS. | |||||
| CVE-2021-28002 | 1 Textpattern | 1 Textpattern | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting the 'Articles' page. | |||||
| CVE-2021-28001 | 1 Textpattern | 1 Textpattern | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting https://site.com/articles/welcome-to-your-site#comments-head. | |||||
| CVE-2021-28000 | 1 Local Services Search Engine Management System Project | 1 Local Services Search Engine Management System | 2021-08-23 | 3.5 LOW | 4.8 MEDIUM |
| A persistent cross-site scripting vulnerability was discovered in Local Services Search Engine Management System Project 1.0 which allows remote attackers to execute arbitrary code via crafted payloads entered into the Name and Address fields. | |||||
| CVE-2020-18748 | 1 Typora | 1 Typora | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Typora v0.9.65 allows attackers to execute arbitrary code via mathjax syntax due to a mathjax configuration error in the mathematical formula blocks. This is a different vulnerability from CVE-2020-18221. | |||||
| CVE-2020-20645 | 1 Eyoucms | 1 Eyoucms | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in EyouCMS 1.3.6 in the basic_information area. | |||||
| CVE-2018-6447 | 1 Broadcom | 1 Fabric Operating System | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A Reflective XSS Vulnerability in HTTP Management Interface in Brocade Fabric OS versions before Brocade Fabric OS v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0_CBN3, v7.4.2g could allow authenticated attackers with access to the web interface to hijack a user’s session and take over the account. | |||||
| CVE-2021-37700 | 1 Paste-markdown Project | 1 Paste-markdown | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| @github/paste-markdown is an npm package for pasting markdown objects. A self Cross-Site Scripting vulnerability exists in @github/paste-markdown before version 0.3.4. If the clipboard data contains the string `<table>`, a **div** is dynamically created, and the clipboard content is copied into its **innerHTML** property without any sanitization, resulting in improper execution of JavaScript in the browser of the victim (the user who pasted the code). Users directed to copy text from a malicious website and paste it into pages that utilize this library are affected. This is fixed in version 0.3.4. Refer to the referenced GitHub Advisory for more details, including an example exploit. | |||||
| CVE-2021-36785 | 1 Miniorange | 1 Saml | 2021-08-20 | 3.5 LOW | 5.4 MEDIUM |
| The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows XSS. | |||||
| CVE-2021-35955 | 1 Contao | 1 Contao | 2021-08-20 | 3.5 LOW | 4.8 MEDIUM |
| Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7. | |||||
| CVE-2021-38087 | 1 Acronis | 1 Cyber Protect | 2021-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting (XSS) was possible on the login page in Acronis Cyber Protect 15 prior to build 27009. | |||||
| CVE-2021-36788 | 1 Yoast | 1 Yoast Seo | 2021-08-20 | 3.5 LOW | 5.4 MEDIUM |
| The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3 allows XSS. | |||||
| CVE-2021-36790 | 1 Dated News Project | 1 Dated News | 2021-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows XSS. | |||||
| CVE-2021-34640 | 1 Securimage-wp-fixed Project | 1 Securimage-wp-fixed | 2021-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.4. | |||||
| CVE-2021-38534 | 1 Netgear | 86 D3600, D3600 Firmware, D6000 and 83 more | 2021-08-19 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.76, D6000 before 1.0.0.76, D6100 before 1.0.0.60, D6200 before 1.1.00.36, D6220 before 1.0.0.52, D6400 before 1.0.0.86, D7000 before 1.0.1.70, D7000v2 before 1.0.0.53, D8500 before 1.0.3.44, DC112A before 1.0.0.42, DGN2200v4 before 1.0.0.110, DGND2200Bv4 before 1.0.0.109, DM200 before 1.0.0.61, JR6150 before 1.0.1.18, PR2000 before 1.0.0.28, R6020 before 1.0.0.42, R6050 before 1.0.1.18, R6080 before 1.0.0.42, R6220 before 1.1.0.80, R6230 before 1.1.0.80, R6250 before 1.0.4.34, R6260 before 1.1.0.64, R6300v2 before 1.0.4.34, R6400 before 1.0.1.46, R6400v2 before 1.0.2.62, R6700 before 1.0.2.6, R6700v2 before 1.2.0.36, R6700v3 before 1.0.2.62, R6800 before 1.2.0.36, R6900 before 1.0.2.4, R6900P before 1.3.1.64, R6900v2 before 1.2.0.36, R7000 before 1.0.9.60, R7000P before 1.3.1.64, R7100LG before 1.0.0.50, R7300DST before 1.0.0.70, R7450 before 1.2.0.36, R7900 before 1.0.3.8, R7900P before 1.4.1.50, R8000 before 1.0.4.28, R8000P before 1.4.1.50, R8300 before 1.0.2.130, R8500 before 1.0.2.130, WNDR3400v3 before 1.0.1.24, WNR2020 before 1.1.0.62, WNR3500Lv2 before 1.2.0.62, XR450 before 2.3.2.40, and XR500 before 2.3.2.40. | |||||
