Total: 21765 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-9038 | 1 Joplin Project | 1 Joplin | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM | Joplin through 1.0.184 allows Arbitrary File Read via XSS.
CVE-2012-20001 | 1 Prestashop | 1 Prestashop | 2021-12-30 | 4.3 MEDIUM | 6.1 MEDIUM | PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field.
CVE-2020-19770 | 1 Wuzhicms | 1 Wuzhi Cms | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in the system bulletin component of WUZHI CMS v4.1.0 allows attackers to steal the admin's cookie.
CVE-2021-4169 | 1 Livehelperchat | 1 Live Helper Chat | 2021-12-30 | 4.3 MEDIUM | 6.1 MEDIUM | livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
CVE-2020-8951 | 1 Fiserv | 1 Accurate Reconciliation | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM | Fiserv Accurate Reconciliation 2.19.0, fixed in 3.0.0 or higher, allows XSS via the Source or Destination field of the Configuration Manager (Configuration Parameter Translation) page.
CVE-2020-8825 | 1 Vanillaforums | 1 Vanilla | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM | index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS.
CVE-2021-3977 | 1 Invoiceninja | 1 Invoice Ninja | 2021-12-30 | 3.5 LOW | 5.4 MEDIUM | invoiceninja is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
CVE-2021-44543 | 1 Privoxy | 1 Privoxy | 2021-12-29 | 2.6 LOW | 6.1 MEDIUM | An XSS vulnerability was found in Privoxy; it was fixed in cgi_error_no_template() by encoding the template name when Privoxy is configured to serve the user manual itself.
CVE-2021-31558 | 1 Deltaww | 1 Diaenergie | 2021-12-28 | 4.3 MEDIUM | 6.1 MEDIUM | DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “descr” of the script “DIAE_hierarchyHandler.ashx”.
CVE-2021-44544 | 1 Deltaww | 1 Diaenergie | 2021-12-28 | 4.3 MEDIUM | 6.1 MEDIUM | DIAEnergie Version 1.7.5 and prior is vulnerable to multiple cross-site scripting vulnerabilities when arbitrary code is injected into the parameter “name” of the script “HandlerEnergyType.ashx”.
CVE-2021-23228 | 1 Deltaww | 1 Diaenergie | 2021-12-28 | 4.3 MEDIUM | 6.1 MEDIUM | DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross-site scripting attack through error pages that are returned by “.NET Request.QueryString”.
CVE-2021-44471 | 1 Deltaww | 1 Diaenergie | 2021-12-28 | 4.3 MEDIUM | 6.1 MEDIUM | DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “name” of the script “DIAE_HandlerAlarmGroup.ashx”.
CVE-2021-44030 | 1 Quest | 1 Kace Desktop Authority | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM | Quest KACE Desktop Authority before 11.2 allows XSS because it does not prevent untrusted HTML from reaching the jQuery.htmlPrefilter method of jQuery.
CVE-2021-44163 | 1 Chinasea | 1 Qb Smart Service Robot | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM | Chain Sea AI chatbot backend has improper filtering of special characters in URL parameters, which allows a remote attacker to perform JavaScript injection for a reflected cross-site scripting (XSS) attack without authentication.
CVE-2021-38893 | 1 Ibm | 3 Business Automation Workflow, Business Process Manager, Workflow Process Service | 2021-12-27 | 3.5 LOW | 5.4 MEDIUM | IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209512.
CVE-2021-24578 | 1 Themeboy | 1 Sportspress | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM | The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting it back in the Events backend page, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24738 | 1 Shapedplugin | 1 Logo Carousel | 2021-12-27 | 3.5 LOW | 5.4 MEDIUM | The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-24907 | 1 Wpeverest | 1 Everest Forms | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM | The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24956 | 1 Adenion | 1 Blog2social | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM | The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24941 | 1 Icegram | 1 Icegram | 2021-12-27 | 4.3 MEDIUM | 6.1 MEDIUM | The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
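Several of the entries above describe the same defect: a request parameter is written back into the page, and in CVE-2021-24907 and CVE-2021-24941 specifically into an HTML attribute, without being escaped for that context. The following is an added example, not code from any of the listed products, showing why body-context escaping (`<`, `>`, `&` only) is not sufficient inside an attribute and what the attribute-context encoder must additionally cover. The `status` parameter name comes from the CVE-2021-24907 description; the rendering and helper function names and the attacker payload are illustrative assumptions.

```javascript
// Added example (not code from any product listed above): context-aware output
// encoding for a request parameter that is reflected into an HTML attribute.
// Function names and the payload are illustrative, not taken from any listed project.

// Encoder that only handles the HTML *body* context. It neutralises <script> in
// text nodes but leaves quotes alone, so it is not enough inside an attribute.
function escapeHtmlBody(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Encoder for a quoted attribute value: additionally encode both quote
// characters so the value cannot terminate the attribute and start a new one.
function escapeHtmlAttr(s) {
  return escapeHtmlBody(s)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the parameter lands in an attribute with body-context
// escaping only (equivalent to "sanitised but not escaped for the attribute").
function renderStatusFilterVulnerable(status) {
  return `<input type="hidden" name="status" value="${escapeHtmlBody(status)}">`;
}

// Hardened pattern: attribute-context encoder, value always wrapped in quotes.
function renderStatusFilterSafe(status) {
  return `<input type="hidden" name="status" value="${escapeHtmlAttr(status)}">`;
}

// Small check used below: list the attribute names of a single well-formed tag.
// A real test would use an HTML parser; this regex is enough for one tag whose
// attribute values are double-quoted.
function attributeNames(tagHtml) {
  const inside = tagHtml.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  const names = [];
  const re = /([^\s="']+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(inside)) !== null) names.push(m[1]);
  return names;
}

// Constructed attacker input: close the value attribute and add an event handler.
const PAYLOAD = `x" onfocus="alert(document.cookie)" autofocus="`;

function demo() {
  const vulnerable = renderStatusFilterVulnerable(PAYLOAD);
  const safe = renderStatusFilterSafe(PAYLOAD);
  return {
    vulnerableAttributes: attributeNames(vulnerable), // gains "onfocus" and "autofocus"
    safeAttributes: attributeNames(safe),             // only type, name, value
    vulnerable,
    safe,
  };
}

const result = demo();
console.log(result.vulnerable);
console.log(result.safe);
```

The body-context encoder is the one most templating helpers reach for by default; the attribute break-out works because the browser treats the first unencoded `"` as the end of the value. Encoding at the point of output, with the encoder chosen for the context (body, attribute, URL, JavaScript), is the fix each of the plugin advisories above is describing.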