Total: 21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-31721 | 1 Chevereto | 1 Chevereto | 2021-12-01 | 4.3 MEDIUM | 6.1 MEDIUM | Chevereto before 3.17.1 allows Cross Site Scripting (XSS) via an image title at the image upload stage. |
| CVE-2020-4354 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-12-01 | 3.5 LOW | 5.4 MEDIUM | IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178506. |
| CVE-2019-4653 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-12-01 | 3.5 LOW | 5.4 MEDIUM | IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 170964. |
| CVE-2021-42365 | 1 Asgaros | 1 Asgaros Forum | 2021-12-01 | 2.1 LOW | 4.8 MEDIUM | The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file, which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. |
| CVE-2021-43698 | 1 Phpwhois Project | 1 Phpwhois | 2021-12-01 | 4.3 MEDIUM | 6.1 MEDIUM | phpWhois (last update Jun 30 2021) is affected by a Cross Site Scripting (XSS) vulnerability. In file example.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET['query'], so there is an XSS vulnerability. |
| CVE-2021-43695 | 1 Issabel | 1 Pbx | 2021-12-01 | 4.3 MEDIUM | 6.1 MEDIUM | issabelPBX version 2.11 is affected by a Cross Site Scripting (XSS) vulnerability. In file page.backup_restore.php, the exit function will terminate the script and print the message to the user. The message will contain $_REQUEST without sanitization, so there is an XSS vulnerability. |
| CVE-2021-41878 | 1 Hkurl | 1 I-panel Administration System | 2021-12-01 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console, and it is possible to insert a vulnerable malicious button. |
| CVE-2021-20858 | 1 Elecom | 2 Wrc-2533ghbk-i, Wrc-2533ghbk-i Firmware | 2021-12-01 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I firmware v1.20 and prior allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. |
| CVE-2021-24719 | 1 Kriesi | 1 Enfold | 2021-11-30 | 4.3 MEDIUM | 6.1 MEDIUM | The Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present in Enfold versions prior to 4.8.4 which use Avia Page Builder. |
| CVE-2020-26135 | 1 Livehelperchat | 1 Live Helper Chat | 2021-11-30 | 4.3 MEDIUM | 6.1 MEDIUM | Live Helper Chat before 3.44v allows reflected XSS via the setsettingajax PATH_INFO. |
| CVE-2020-11082 | 2 Debian, Kaminari Project | 2 Debian Linux, Kaminari | 2021-11-30 | 4.3 MEDIUM | 6.1 MEDIUM | In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1. |
| CVE-2021-35323 | 1 Bludit | 1 Bludit | 2021-11-30 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross Site Scripting (XSS) vulnerability exists in bludit 3-13-1 via the username in admin/login. |
| CVE-2021-24722 | 1 Motopress | 1 Restaurant Menu | 2021-11-30 | 3.5 LOW | 4.8 MEDIUM | The Restaurant Menu by MotoPress WordPress plugin before 2.4.2 does not properly sanitize or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-20280 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-11-30 | 3.5 LOW | 5.4 MEDIUM | Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. |
| CVE-2021-4020 | 1 Meetecho | 1 Janus | 2021-11-30 | 3.5 LOW | 5.4 MEDIUM | janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-43776 | 1 Linuxfoundation | 1 Auth Backend | 2021-11-30 | 4.3 MEDIUM | 6.1 MEDIUM | Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities. This vulnerability is patched in version `0.4.9` of `@backstage/plugin-auth-backend`. |
| CVE-2021-43785 | 1 Emoji Button Project | 1 Emoji Button | 2021-11-30 | 4.3 MEDIUM | 6.1 MEDIUM | @joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious code. |
| CVE-2021-25987 | 1 Hexo | 1 Hexo | 2021-11-30 | 1.9 LOW | 4.6 MEDIUM | Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post "body" and "tags" don't sanitize malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code. |
| CVE-2021-24883 | 1 Essentialplugin | 1 Popup Anything | 2021-11-30 | 3.5 LOW | 5.4 MEDIUM | The Popup Anything WordPress plugin before 2.0.4 does not escape the Link Text and Button Text fields of Popup, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| CVE-2021-42118 | 1 Businessdnasolutions | 1 Topease | 2021-11-30 | 3.5 LOW | 5.4 MEDIUM | Persistent Cross Site Scripting in Web Applications operating on Business-DNA Solutions GmbH's TopEase® Platform Version <= 7.1.27 via the Structure Component allows an authenticated remote attacker with Object Modification privileges to inject arbitrary HTML and JavaScript code in an object attribute, which is then rendered in the Structure Component, to alter the intended functionality and steal cookies, the latter allowing for account takeover. |