Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-33337 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-08-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Document Library module's add document menu in Liferay Portal 7.3.0 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter. | |||||
| CVE-2021-35463 | 1 Liferay | 1 Liferay Portal | 2021-08-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. | |||||
| CVE-2021-24468 | 1 Bozdoz | 1 Leaflet Map | 2021-08-10 | 3.5 LOW | 5.4 MEDIUM |
| The Leaflet Map WordPress plugin before 3.0.0 does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributors to exploit stored XSS issues | |||||
| CVE-2021-24470 | 1 Yada Wiki Project | 1 Yada Wiki | 2021-08-10 | 3.5 LOW | 5.4 MEDIUM |
| The Yada Wiki WordPress plugin before 3.4.1 did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24478 | 1 Bookshelf Project | 1 Bookshelf | 2021-08-10 | 3.5 LOW | 5.4 MEDIUM |
| The Bookshelf WordPress plugin through 2.0.4 does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24479 | 1 Drawblog Project | 1 Drawblog | 2021-08-10 | 3.5 LOW | 4.8 MEDIUM |
| The DrawBlog WordPress plugin through 0.90 does not sanitise or validate some of its settings before outputting them back in the page, leading to an authenticated stored Cross-Site Scripting issue | |||||
| CVE-2021-24480 | 1 Event Geek Project | 1 Event Geek | 2021-08-10 | 3.5 LOW | 4.8 MEDIUM |
| The Event Geek WordPress plugin through 2.5.2 does not sanitise or escape its "Use your own " setting before outputting it in the page, leading to an authenticated (admin+) stored Cross-Site Scripting issue | |||||
| CVE-2021-24488 | 1 Pickplugins | 1 Post Grid | 2021-08-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2021-24496 | 1 Community Events Project | 1 Community Events | 2021-08-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Community Events WordPress plugin before 1.4.8 does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator | |||||
| CVE-2021-37216 | 1 Qsan | 4 Xn8008t, Xn8008t Firmware, Xn8024r and 1 more | 2021-08-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| QSAN Storage Manager header page parameters does not filter special characters. Remote attackers can inject JavaScript without logging in and launch reflected XSS attacks to access and modify specific data. | |||||
| CVE-2021-24450 | 1 Profilepress | 1 Profilepress | 2021-08-10 | 3.5 LOW | 4.8 MEDIUM |
| The User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.8 did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24481 | 1 Any Hostname Project | 1 Any Hostname | 2021-08-10 | 3.5 LOW | 4.8 MEDIUM |
| The Any Hostname WordPress plugin through 1.0.6 does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue as high privilege users are able to set XSS payloads in it | |||||
| CVE-2021-24498 | 1 Dwbooster | 1 Calendar Event Multi View | 2021-08-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24503 | 1 Thememason | 1 Popular Brand Icons - Simple Icons | 2021-08-10 | 3.5 LOW | 5.4 MEDIUM |
| The Popular Brand Icons – Simple Icons WordPress plugin before 2.7.8 does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability. | |||||
| CVE-2021-24476 | 1 Steam Group Viewer Project | 1 Steam Group Viewer | 2021-08-10 | 3.5 LOW | 5.4 MEDIUM |
| The Steam Group Viewer WordPress plugin through 2.1 does not sanitise or escape its "Steam Group Address" settings before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24464 | 1 Wpdevart | 1 Youtube Embed\, Playlist And Popup | 2021-08-10 | 3.5 LOW | 5.4 MEDIUM |
| The YouTube Embed, Playlist and Popup by WpDevArt WordPress plugin before 2.3.9 did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as Contributor, leading to an authenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-34630 | 1 Gtranslate | 1 Gtranslate | 2021-08-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this uses addslashes, and most modern browsers automatically URLencode requests, this plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, or in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution. | |||||
| CVE-2021-24455 | 1 Themeum | 1 Tutor Lms | 2021-08-10 | 3.5 LOW | 5.4 MEDIUM |
| The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin. | |||||
| CVE-2021-24448 | 1 Cozmoslabs | 1 Profile Builder | 2021-08-10 | 3.5 LOW | 4.8 MEDIUM |
| The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to use JavaScript code in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24443 | 1 Kainelabs | 1 Youzify | 2021-08-10 | 3.5 LOW | 5.4 MEDIUM |
| The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example. | |||||
| CVE-2021-24425 | 1 Premio | 1 Mystickymenu | 2021-08-10 | 3.5 LOW | 4.8 MEDIUM |
| The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active) | |||||
| CVE-2021-38149 | 1 Chikitsa | 1 Patient Management System | 2021-08-09 | 3.5 LOW | 5.4 MEDIUM |
| index.php/admin/add_user in Chikitsa Patient Management System 2.0.0 allows XSS. | |||||
| CVE-2020-21353 | 1 Get-simple | 1 Getsimplecms | 2021-08-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in /admin/snippets.php of GetSimple CMS 3.4.0a allows attackers to execute arbitrary web scripts or HTML via crafted payload in the Edit Snippets module. | |||||
| CVE-2021-21577 | 1 Dell | 1 Emc Idrac9 Firmware | 2021-08-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | |||||
| CVE-2021-21581 | 1 Dell | 1 Emc Idrac9 Firmware | 2021-08-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | |||||
| CVE-2021-21576 | 1 Dell | 1 Emc Idrac9 Firmware | 2021-08-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | |||||
| CVE-2021-3351 | 1 Openplcproject | 1 Openplc | 2021-08-09 | 3.5 LOW | 5.4 MEDIUM |
| OpenPLC runtime V3 through 2016-03-14 allows stored XSS via the Device Name to the web server's Add New Device page. | |||||
| CVE-2021-24428 | 1 Yandex | 1 Yandex Turbo | 2021-08-09 | 3.5 LOW | 4.8 MEDIUM |
| The RSS for Yandex Turbo WordPress plugin through 1.30 does not sanitise or escape some of its settings before saving and outputing them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-37596 | 1 Telegram | 1 Web K Alpha | 2021-08-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Telegram Web K Alpha 0.6.1 allows XSS via a document name. | |||||
| CVE-2021-37392 | 1 Rpcms | 1 Rpcms | 2021-08-06 | 3.5 LOW | 5.4 MEDIUM |
| In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve stored XSS. Users who view the articles published by the injected user will trigger the XSS. | |||||
| CVE-2021-37393 | 1 Rpcms | 1 Rpcms | 2021-08-06 | 3.5 LOW | 5.4 MEDIUM |
| In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the XSS. | |||||
| CVE-2021-29148 | 1 Arubanetworks | 8 Aos-cx Firmware, Cx 6200f, Cx 6300 and 5 more | 2021-08-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A local cross-site scripting (XSS) vulnerability was discovered in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): Aruba AOS-CX firmware: 10.04.xxxx - versions prior to 10.04.3070, 10.05.xxxx - versions prior to 10.05.0070, 10.06.xxxx - versions prior to 10.06.0110, 10.07.xxxx - versions prior to 10.07.0001. Aruba has released upgrades for Aruba AOS-CX devices that address this security vulnerability. | |||||
| CVE-2016-0781 | 2 Cloudfoundry, Pivotal Software | 5 Cloud Foundry Uaa Bosh, Cloud Foundry, Cloud Foundry Elastic Runtime and 2 more | 2021-08-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descriptions. | |||||
| CVE-2021-35265 | 1 Maxsite | 1 Maxsite Cms | 2021-08-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in MaxSite CMS before V106 via product/page/* allows remote attackers to inject arbitrary web script to a page. | |||||
| CVE-2021-37916 | 1 Joplin Project | 1 Joplin | 2021-08-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Joplin before 2.0.9 allows XSS via button and form in the note body. | |||||
| CVE-2017-8005 | 2 Emc, Rsa | 3 Rsa Identity Governance And Lifecycle, Rsa Identity Management And Governance, Rsa Via Lifecycle And Governance | 2021-08-06 | 3.5 LOW | 5.4 MEDIUM |
| The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG products (RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels; RSA Via Lifecycle and Governance version 7.0, all patch levels; RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels) are affected by multiple stored cross-site scripting vulnerabilities. Remote authenticated malicious users could potentially inject arbitrary HTML code to the application. | |||||
| CVE-2021-20787 | 1 Groupsession | 3 Groupsession, Groupsession Bycloud, Groupsession Zion | 2021-08-06 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to inject an arbitrary script by sending a specially crafted request to a specific URL. | |||||
| CVE-2021-20785 | 1 Groupsession | 3 Groupsession, Groupsession Bycloud, Groupsession Zion | 2021-08-06 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to inject an arbitrary script by sending a specially crafted request to a specific URL. | |||||
| CVE-2021-23416 | 1 Curly-bracket-parser Project | 1 Curly-bracket-parser | 2021-08-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input. | |||||
| CVE-2019-10241 | 1 Eclipse | 1 Jetty | 2021-08-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. | |||||
| CVE-2021-28054 | 1 Centreon | 1 Centreon | 2021-08-04 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. A Stored Cross-Site Scripting (XSS) issue in "Configuration > Hosts" allows remote authenticated users to inject arbitrary web script or HTML via the Alias parameter. | |||||
| CVE-2021-21442 | 1 Otrs | 1 Time Accounting | 2021-08-04 | 4.3 MEDIUM | 5.4 MEDIUM |
| In the project create screen it's possible to inject malicious JS code to the certain fields. The code might be executed in the Reporting screen. This issue affects: OTRS AG Time Accounting: 7.0.x versions prior to 7.0.19. | |||||
| CVE-2021-36092 | 1 Otrs | 1 Otrs | 2021-08-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions. | |||||
| CVE-2014-9224 | 2 Broadcom, Symantec | 2 Symantec Critical System Protection, Data Center Security | 2021-08-04 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2021-37448 | 1 Nchsoftware | 1 Ivm Attendant | 2021-08-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via the Mailbox name (stored). | |||||
| CVE-2021-37449 | 1 Nchsoftware | 1 Ivm Attendant | 2021-08-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmlist?folder= (reflected). | |||||
| CVE-2016-6519 | 2 Openstack, Redhat | 2 Manila, Openstack | 2021-08-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the "Shares" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the "Create Share" form. | |||||
| CVE-2016-4428 | 3 Debian, Openstack, Redhat | 4 Debian Linux, Horizon, Enterprise Linux and 1 more | 2021-08-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form. | |||||
| CVE-2020-9496 | 1 Apache | 1 Ofbiz | 2021-08-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03 | |||||
| CVE-2021-23414 | 1 Videojs | 1 Video.js | 2021-08-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code. | |||||