Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-19042 | 1 Zzcms | 1 Zzcms | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 XSS via a modify action in user/adv.php. | |||||
| CVE-2021-39315 | 1 Magic-post-voice Project | 1 Magic-post-voice | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Magic Post Voice WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the ids parameter found in the ~/inc/admin/main.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | |||||
| CVE-2021-39314 | 1 Wanderlust-webdesign | 1 Woo-enviopack | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce EnvioPack WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the dataid parameter found in the ~/includes/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | |||||
| CVE-2021-24792 | 1 Wpeden | 1 Shiny Buttons | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored Cross-Site Scripting issues. | |||||
| CVE-2021-39310 | 1 Windyroad | 1 Real Wysiwyg | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Real WYSIWYG WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of PHP_SELF in the ~/real-wysiwyg.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2. | |||||
| CVE-2021-38361 | 1 Htaccess-redirect Project | 1 Htaccess-redirect | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The .htaccess Redirect WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the link parameter found in the ~/htaccess-redirect.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.3.1. | |||||
| CVE-2021-39309 | 1 Dpsoft | 1 Parsian Bank Gateway For Woocommerce | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Parsian Bank Gateway for Woocommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via and parameter due to a var_dump() on $_POST variables found in the ~/vendor/dpsoft/parsian-payment/sample/rollback-payment.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. | |||||
| CVE-2021-39308 | 1 Woo-myghpay-payment-gateway Project | 1 Woo-myghpay-payment-gateway | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce myghpay Payment Gateway WordPess plugin is vulnerable to Reflected Cross-Site Scripting via the clientref parameter found in the ~/processresponse.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.0. | |||||
| CVE-2021-36450 | 1 Verint | 1 Workforce Optimization | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter. | |||||
| CVE-2021-42051 | 1 Abantecart | 1 Abantecart | 2021-12-15 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in AbanteCart before 1.3.2. Any low-privileged user with file-upload permissions can upload a malicious SVG document that contains an XSS payload. | |||||
| CVE-2021-42050 | 1 Abantecart | 1 Abantecart | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in AbanteCart before 1.3.2. It allows DOM Based XSS. | |||||
| CVE-2021-26787 | 1 Genesys | 1 Workforce Management | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability in Genesys Workforce Management 8.5.214.20 can occur (during record deletion) via the Time-off parameter. | |||||
| CVE-2021-43817 | 1 Collabora | 1 Online | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Collabora Online is a collaborative online office suite based on LibreOffice technology. In affected versions a reflected XSS vulnerability was found in Collabora Online. An attacker could inject unescaped HTML into a variable as they created the Collabora Online iframe, and execute scripts inside the context of the Collabora Online iframe. This would give access to a small set of user settings stored in the browser, as well as the session's authentication token which was also passed in at iframe creation time. Users should upgrade to Collabora Online 6.4.16 or higher or Collabora Online 4.2.20 or higher. Collabora Online Development Edition 21.11 is not affected. | |||||
| CVE-2021-42220 | 1 Dolibarr | 1 Dolibarr | 2021-12-15 | 3.5 LOW | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box. | |||||
| CVE-2021-24932 | 1 Cm-wp | 1 Auto Featured Image | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24896 | 1 Calderaforms | 1 Caldera Forms | 2021-12-15 | 3.5 LOW | 4.8 MEDIUM |
| The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-4107 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-24925 | 1 Webnus | 1 Modern Events Calendar Lite | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24891 | 1 Elementor | 1 Website Builder | 2021-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. | |||||
| CVE-2021-24782 | 1 Flex Local Fonts Project | 1 Flex Local Fonts | 2021-12-15 | 3.5 LOW | 4.8 MEDIUM |
| The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||