Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37391 | 1 Chamilo | 1 Chamilo Lms | 2021-08-19 | 3.5 LOW | 5.4 MEDIUM |
| A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php and main/inc/lib/social.lib.php, and steal cookies or execute arbitrary code on the administrator's side via a stored XSS vulnerability in the social network's send-invitation feature. | |||||
| CVE-2021-38535 | 1 Netgear | 38 Ac2100, Ac2100 Firmware, Ac2400 and 35 more | 2021-08-19 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.76, R6260 before 1.1.0.78, R6700v2 before 1.2.0.76, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6850 before 1.1.0.78, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, RAX35 before 1.0.3.62, and RAX40 before 1.0.3.62. | |||||
| CVE-2021-38536 | 1 Netgear | 38 Ac2100, Ac2100 Firmware, Ac2400 and 35 more | 2021-08-19 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.66, R6260 before 1.1.0.78, R6700v2 before 1.2.0.76, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6850 before 1.1.0.78, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, RAX35 before 1.0.3.62, and RAX40 before 1.0.3.62. | |||||
| CVE-2021-38537 | 1 Netgear | 36 Ac2100, Ac2100 Firmware, Ac2400 and 33 more | 2021-08-19 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.66, R6260 before 1.1.0.78, R6700v2 before 1.2.0.76, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6850 before 1.1.0.78, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, and RAX40 before 1.0.3.62. | |||||
| CVE-2021-32768 | 1 Typo3 | 1 Typo3 | 2021-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions, because malicious rich-text content is not properly parsed, sanitized and encoded, the content rendering process in the website frontend is vulnerable to cross-site scripting. The corresponding rendering instructions via the TypoScript HTMLparser functionality do not consider all potentially malicious HTML tag and attribute combinations by default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required. Update to TYPO3 versions 7.6.53 ELTS, 8.7.42 ELTS, 9.5.29, 10.4.19, 11.3.2 that fix the problem described. | |||||
| CVE-2021-38538 | 1 Netgear | 30 D7800, D7800 Firmware, R7800 and 27 more | 2021-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.68, R8900 before 1.0.4.26, R9000 before 1.0.4.26, RAX120 before 1.0.0.78, RBK20 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK40 before 2.3.5.30, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and XR500 before 2.3.2.56. | |||||
| CVE-2021-36601 | 1 Get-simple | 1 Getsimplecms | 2021-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| GetSimpleCMS 3.3.16 contains a cross-site scripting (XSS) vulnerability: the function TSL does not filter or check the Website URL ("siteURL") parameter in settings.php. | |||||
| CVE-2021-38533 | 1 Netgear | 2 Rax40, Rax40 Firmware | 2021-08-19 | 3.5 LOW | 5.4 MEDIUM |
| NETGEAR RAX40 devices before 1.0.3.64 are affected by stored XSS. | |||||
| CVE-2017-17837 | 1 Apache | 1 Deltaspike | 2021-08-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Apache DeltaSpike-JSF 1.8.0 module has an XSS injection leak in the windowId handling. The windowId is cut off after 10 characters by default, so the impact might be limited. A fix was applied and released in Apache DeltaSpike 1.8.1. | |||||
| CVE-2021-24495 | 1 Marmoset | 1 Marmoset Viewer | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Marmoset Viewer WordPress plugin before 1.9.3 does not properly sanitize, validate or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue. | |||||
| CVE-2021-22676 | 1 Advantech | 1 Webaccess\/scada | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser action on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). | |||||
| CVE-2021-20068 | 1 Racom | 2 M\!dge, M\!dge Firmware | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the error handling functionality of web pages. | |||||
| CVE-2021-20071 | 1 Racom | 2 M\!dge, M\!dge Firmware | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the sms.php dialogs. | |||||
| CVE-2021-20069 | 1 Racom | 2 M\!dge, M\!dge Firmware | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the regionalSettings.php dialogs. | |||||
| CVE-2021-20070 | 1 Racom | 2 M\!dge, M\!dge Firmware | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the virtualization.php dialogs. | |||||
| CVE-2021-32798 | 1 Jupyter | 1 Notebook | 2021-08-17 | 6.8 MEDIUM | 9.6 CRITICAL |
| The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions, an untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim's computer using Jupyter APIs. | |||||
| CVE-2021-24502 | 1 Flippercode | 1 Wp Google Map | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| The WP Google Map WordPress plugin before 1.7.7 did not sanitise or escape the Map Title before outputting them in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24505 | 1 Madeit | 1 Forms | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| The Forms WordPress plugin before 1.12.3 did not sanitise its input fields, leading to Stored Cross-Site scripting issues. The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the Forms "Add new" field. | |||||
| CVE-2021-32797 | 1 Jupyter | 1 Jupyterlab | 2021-08-17 | 6.8 MEDIUM | 9.6 CRITICAL |
| JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook. In affected versions, an untrusted notebook can execute code on load. In particular, JupyterLab doesn't sanitize the action attribute of HTML `<form>`. Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. | |||||
| CVE-2021-37633 | 1 Discourse | 1 Discourse | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Discourse is an open source discussion platform. In versions prior to 2.7.8 rendering of d-popover tooltips can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest `stable` 2.7.8 version of Discourse. As a workaround users may ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks. | |||||
| CVE-2021-24509 | 1 A3rev | 1 Page View Count | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| The Page View Count WordPress plugin before 2.4.9 does not escape the postid parameter of pvc_stats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability. | |||||
| CVE-2020-8263 | 1 Pulsesecure | 1 Pulse Secure Desktop Client | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file. | |||||
| CVE-2021-37211 | 1 Larvata | 1 Flygo | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| The bulletin function of Flygo does not filter special characters when a new announcement is added. Remote attackers can use the vulnerability with a general user's credentials to inject JavaScript and execute stored XSS attacks. | |||||
| CVE-2021-24522 | 1 Profilepress | 1 Profilepress | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some cases this could be replicated with just $_GET parameters and no need for $_POST values. | |||||
| CVE-2013-4718 | 1 Otrs | 2 Otrs, Otrs Itsm | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7 allows remote authenticated users to inject arbitrary web script or HTML via an ITSM ConfigItem search. | |||||
| CVE-2021-37390 | 1 Chamilo | 1 Chamilo Lms | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Chamilo LMS 1.11.14 reflected XSS vulnerability exists via the q parameter of main/social/search.php (social network search feature). | |||||
| CVE-2021-37389 | 1 Chamilo | 1 Chamilo | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter. | |||||
| CVE-2021-24304 | 1 Tagdiv | 1 Newsmag | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Newsmag WordPress theme before 5.0 does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability. | |||||
| CVE-2021-37573 | 1 Tiny Java Web Server Project | 1 Tiny Java Web Server | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the web server Tiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code into the server's "404 Page not Found" error page. | |||||
| CVE-2021-34660 | 1 Verygoodplugins | 1 Wp Fusion | 2021-08-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Fusion Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.37.18. | |||||
| CVE-2021-37634 | 1 Vapor | 1 Leafkit | 2021-08-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Leafkit is a templating language with Swift-inspired syntax. Versions prior to 1.3.0 are susceptible to Cross-site Scripting (XSS) attacks. This affects anyone passing unsanitised data to Leaf's variable tags. Before this fix, Leaf would not escape any strings passed to tags as variables. If an attacker managed to find a variable that was rendered with their unsanitised data, they could inject scripts into a generated Leaf page, which could enable XSS attacks if other mitigations such as a Content Security Policy were not enabled. This has been patched in 1.3.0. As a workaround sanitize any untrusted input before passing it to Leaf and enable a CSP to block inline script and CSS data. | |||||
| CVE-2020-20990 | 1 Domainmod | 1 Domainmod | 2021-08-16 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting (XSS) vulnerability in the /segments/edit.php component of Domainmod 4.13 allows attackers to execute arbitrary web scripts or HTML via the Segment Name parameter. | |||||
| CVE-2020-20988 | 1 Domainmod | 1 Domainmod | 2021-08-16 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting (XSS) vulnerability in the /domains/cost-by-owner.php component of Domainmod 4.13 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "or Expiring Between" parameter. | |||||
| CVE-2021-38602 | 1 Pluxml | 1 Pluxml | 2021-08-16 | 3.5 LOW | 4.8 MEDIUM |
| PluXML 5.8.7 allows stored XSS in Article Editing via the Headline or Content field. | |||||
| CVE-2021-38603 | 1 Pluxml | 1 Pluxml | 2021-08-16 | 3.5 LOW | 4.8 MEDIUM |
| PluXML 5.8.7 allows stored XSS in core/admin/profil.php via the Information field. | |||||
| CVE-2021-31655 | 1 Trendnet | 2 Tv-ip110wn, Tv-ip110wn Firmware | 2021-08-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in TRENDnet TV-IP110WN V1.2.2.64, V1.2.2.65, and V1.2.2.68 via the profile parameter in a GET request to view.cgi. | |||||
| CVE-2021-37152 | 1 Sonatype | 1 Nexus Repository Manager | 2021-08-16 | 3.5 LOW | 5.4 MEDIUM |
| Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 before 3.33.0. An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager’s pages with code modifications. | |||||
| CVE-2020-18456 | 1 Pbootcms | 1 Pbootcms | 2021-08-16 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in PbootCMS v1.3.7 via the title parameter in the mod function in SingleController.php. | |||||
| CVE-2021-38193 | 1 Ammonia Project | 1 Ammonia | 2021-08-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870. | |||||
| CVE-2021-38186 | 1 Comrak Project | 1 Comrak | 2021-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the comrak crate before 0.10.1 for Rust. It mishandles & characters, leading to XSS via &# HTML entities. | |||||
| CVE-2018-17861 | 1 Sap | 1 J2ee Engine | 2021-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Portal/EPP allows remote attackers to inject arbitrary web script via the wsdlLib parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2018-17862 | 1 Sap | 1 J2ee Engine | 2021-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Fiori allows remote attackers to inject arbitrary web script via the sys_jdbc parameter to /TestJDBC_Web/test2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2018-17865 | 1 Sap | 1 J2ee Engine | 2021-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A cross-site scripting (XSS) vulnerability in SAP J2EE Engine 7.01 allows remote attackers to inject arbitrary web script via the wsdlPath parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-18693 | 1 Mineweb Project | 1 Minewebcms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in MineWebCMS v1.7.0 allows remote attackers to execute arbitrary code by injecting malicious code into the 'Title' field of the component '/admin/news'. | |||||
| CVE-2020-21362 | 1 Maccms | 1 Maccms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting (XSS) vulnerability in the background search function of Maccms10 allows attackers to execute arbitrary web scripts or HTML via the 'wd' parameter. | |||||
| CVE-2020-20977 | 1 Ukcms Project | 1 Ukcms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in index.php/legend/6.html of UK CMS v1.1.10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Comments section. | |||||
| CVE-2020-21929 | 1 Eyoucms | 1 Eyoucms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in the web_copyright field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2020-21930 | 1 Eyoucms | 1 Eyoucms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in the web_attr_2 field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2020-18449 | 1 Ukcms | 1 Ukcms | 2021-08-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in UKCMS v1.1.10 via data in the index function in Single.php. | |||||
| CVE-2020-18446 | 1 Yunucms | 1 Yunucms | 2021-08-13 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in YUNUCMS 1.1.9 via the param parameter in the insertContent function in ContentModel.php. | |||||
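The Leafkit entry above (CVE-2021-37634) names the defect behind most rows in this listing: a template engine that substitutes variables verbatim, so whatever an attacker stored or reflected lands in the page as markup. The Python below is an added illustration, not Leaf's (Swift) code or code from any project in the table. The template, the attacker values, and the names `render_raw`, `render_escaped`, `safe_url` and `inspect` are all constructed for this demonstration. It renders one constructed template with the pre-fix behaviour and with a hardened renderer, then feeds both results to Python's own HTML parser as a stand-in for the browser's tokenizer, so the difference shows up as parsed elements rather than as a string comparison. It goes one step beyond the advisory: for a URL-bearing attribute, HTML escaping alone leaves `javascript:` intact, so the hardened path also allow-lists the scheme and strips the tab/CR/LF characters browsers ignore inside one.

```python
"""Added illustration (not Leaf's or any listed project's code): unescaped
template variables versus context-aware escaping, with Python's own HTML
parser used as an oracle for what a browser would see."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample template: one text context and one URL-attribute context.
TEMPLATE = '<p>Hello, {{ name }}</p><a href="{{ link }}">profile</a>'

# Constructed attacker-controlled values (hypothetical, for the demo only).
ATTACK = {
    "name": "<img src=x onerror=alert(1)>",
    "link": "java\tscript:alert(document.cookie)",  # tab defeats naive prefix checks
}
BENIGN = {"name": "Ada & Bob", "link": "https://example.com/u/ada"}

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_raw(template, ctx):
    """Vulnerable renderer: substitutes variables verbatim, the behaviour the
    advisory describes for Leaf before 1.3.0."""
    return _VAR.sub(lambda m: str(ctx[m.group(1)]), template)


def safe_url(value):
    """Allow only relative or http(s) URLs. Browsers drop tab/CR/LF inside a
    scheme, so strip them before parsing; otherwise 'java\\tscript:' would be
    parsed as having no scheme and slip through the allow-list."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in ("", "http", "https") else "#"


def render_escaped(template, ctx, url_vars=("link",)):
    """Hardened renderer: every variable is HTML-escaped (quotes included, so it
    is safe inside a quoted attribute); variables destined for URL attributes
    also pass the scheme allow-list, because escaping alone leaves javascript:
    intact."""
    def substitute(m):
        name = m.group(1)
        value = str(ctx[name])
        if name in url_vars:
            value = safe_url(value)
        return html.escape(value, quote=True)
    return _VAR.sub(substitute, template)


class _TagCollector(HTMLParser):
    """Records start tags and href values the way a browser tokenizer would."""

    def __init__(self):
        super().__init__()
        self.tags, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.hrefs.extend(v for k, v in attrs if k == "href")


def inspect(markup):
    """Return (start tags, href values) a parser sees in the rendered page."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.hrefs


if __name__ == "__main__":
    for label, renderer in (("raw", render_raw), ("escaped", render_escaped)):
        tags, hrefs = inspect(renderer(TEMPLATE, ATTACK))
        print(f"{label:8} tags={tags} hrefs={hrefs}")
```

The parser oracle is the point of the exercise: with `render_raw` the attacker's `<img>` becomes a real element and the `javascript:` href survives with its embedded tab, while `render_escaped` yields only the `<p>` and `<a>` the template author wrote and an href of `#`. The benign values round-trip unchanged apart from `&` becoming `&amp;`, which the parser decodes back to `&`. The Discourse and Leafkit entries both recommend a Content Security Policy as the second layer; that is a deployment setting rather than renderer code and is not shown here.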
