Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2021-36884 | 1 Backupbliss | 1 Backup Migration | 2022-01-04 | 3.5 LOW | 5.4 MEDIUM | Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered in WordPress Backup Migration plugin <= 1.1.5 versions. |
CVE-2021-45662 | 1 Netgear | 2 R7000, R7000 Firmware | 2022-01-03 | 3.5 LOW | 5.4 MEDIUM | NETGEAR R7000 devices before 1.0.9.88 are affected by stored XSS. |
CVE-2021-45904 | 1 Openwrt | 1 Openwrt | 2022-01-03 | 3.5 LOW | 5.4 MEDIUM | OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen. |
CVE-2020-20946 | 1 Qibosoft | 1 Qibosoft | 2022-01-03 | 3.5 LOW | 5.4 MEDIUM | Qibosoft v7 contains a stored cross-site scripting (XSS) vulnerability in the component /admin/index.php?lfj=friendlink&action=add. |
CVE-2021-45905 | 1 Openwrt | 1 Openwrt | 2022-01-03 | 3.5 LOW | 5.4 MEDIUM | OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen. |
CVE-2021-45906 | 1 Openwrt | 1 Openwrt | 2022-01-03 | 3.5 LOW | 5.4 MEDIUM | OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen. |
CVE-2021-43842 | 1 Requarks | 1 Wiki.js | 2022-01-03 | 3.5 LOW | 5.4 MEDIUM | Wiki.js is a wiki app built on Node.js. Wiki.js versions 2.5.257 and earlier are vulnerable to stored cross-site scripting through an SVG file upload. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the SVG is viewed directly by other users. Scripts do not execute when loaded inside a page via normal `<img>` tags. Commit 5d3e81496fba1f0fbd64eeb855f30f69a9040718 fixes this vulnerability by adding an optional (enabled by default) SVG sanitization step to all file uploads that match the SVG mime type. As a workaround, disable file upload for all non-trusted users. Wiki.js version 2.5.260 is the first production version to contain a patch. Version 2.5.258 is the first development build to contain a patch and is available only as a Docker image as requarks/wiki:canary-2.5.258. |
CVE-2021-4072 | 1 Elgg | 1 Elgg | 2022-01-03 | 3.5 LOW | 5.4 MEDIUM | elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
CVE-2020-8960 | 1 Westerndigital | 1 Mycloud.com | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM | Western Digital mycloud.com before Web Version 2.2.0-134 allows XSS. |
CVE-2020-8952 | 1 Fiserv | 1 Accurate Reconciliation | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM | Fiserv Accurate Reconciliation 2.19.0, fixed in 3.0.0 or higher, allows XSS via the logout.jsp timeOut parameter. |
CVE-2020-9019 | 1 Wpjobboard | 1 Wpjobboard | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM | The WPJobBoard plugin 5.5.3 for WordPress allows Persistent XSS via the Add Job form, as demonstrated by title and Description. |
CVE-2020-15497 | 1 Jalios | 1 Jcms | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 build-20200224104759 allows XSS via the types parameter. Note: It is asserted that this vulnerability is not present in the standard installation of Jalios JCMS. |
CVE-2020-25828 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.) |
CVE-2020-25812 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML. |
CVE-2020-25814 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM | In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> tag (or it does not have a href attribute, or it's empty, etc.). The actual result is that the object contains an <a href ="javascript... that executes when clicked. |
CVE-2020-25815 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text(). |
CVE-2020-25071 | 1 Niftypm | 1 Nifty | 2022-01-01 | 3.5 LOW | 5.4 MEDIUM | ** DISPUTED ** Nifty Project Management Web Application 2020-08-26 allows XSS, via Add Task, that is rendered upon a Project Home visit. Note: It has been argued that this is not reproducible. "The original issue was that the task would be created and an alert would be shown on the screen. Now the task would be created, but the alert won't be executed as those attributes are now stripped." |
CVE-2021-32052 | 3 Djangoproject, Fedoraproject, Python | 3 Django, Fedora, Python | 2022-01-01 | 4.3 MEDIUM | 6.1 MEDIUM | In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers. |
CVE-2020-4987 | 1 Ibm | 2 Flashsystem 900, Flashsystem 900 Firmware | 2022-01-01 | 3.5 LOW | 5.4 MEDIUM | The IBM FlashSystem 900 user management GUI is vulnerable to stored cross-site scripting in code versions 1.5.2.8 and prior and 1.6.1.2 and prior. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
CVE-2021-22878 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2022-01-01 | 3.5 LOW | 4.8 MEDIUM | Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`. |