Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-42119 | 1 Businessdnasolutions | 1 Topease | 2021-11-30 | 3.5 LOW | 5.4 MEDIUM |
| Persistent Cross Site Scripting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 via the Search Functionality allows authenticated users with Object Modification privileges to inject arbitrary HTML and JavaScript in object attributes, which is then rendered in the Search Functionality, to alter the intended functionality and steal cookies, the latter allowing for account takeover. | |||||
| CVE-2021-44200 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2021-11-30 | 3.5 LOW | 5.4 MEDIUM |
| Self cross-site scripting (XSS) was possible on devices page. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 | |||||
| CVE-2021-44202 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2021-11-30 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) was possible in activity details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 | |||||
| CVE-2021-44201 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2021-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) was possible in notification pop-ups. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 | |||||
| CVE-2021-44203 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2021-11-30 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) was possible in protection plan details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 | |||||
| CVE-2021-24908 | 1 Wpchill | 1 Check \& Log Email | 2021-11-29 | 2.6 LOW | 6.1 MEDIUM |
| The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24927 | 1 My Calendar Project | 1 My Calendar | 2021-11-29 | 3.5 LOW | 5.4 MEDIUM |
| The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24899 | 1 Media-tags Project | 1 Media-tags | 2021-11-29 | 3.5 LOW | 4.8 MEDIUM |
| The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_htnl capability is disallowed. | |||||
| CVE-2021-24876 | 1 Roundupwp | 1 Registrations For The Events Calendar | 2021-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24811 | 1 Shoppagewp | 1 Shop Page Wp | 2021-11-29 | 3.5 LOW | 4.8 MEDIUM |
| The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24751 | 1 Generateblocks | 1 Generateblocks | 2021-11-29 | 3.5 LOW | 5.4 MEDIUM |
| The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. | |||||
| CVE-2017-20008 | 1 Mycred | 1 Mycred | 2021-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The myCred WordPress plugin before 1.7.8 does not sanitise and escape the user parameter before outputting it back in the Points Log admin dashboard, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24745 | 1 Wpkube | 1 About Author Box | 2021-11-29 | 3.5 LOW | 5.4 MEDIUM |
| The About Author Box WordPress plugin before 1.0.2 does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks. | |||||
| CVE-2021-31852 | 1 Mcafee | 1 Policy Auditor | 2021-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the UID request parameter. The malicious script is reflected unmodified into the Policy Auditor web-based interface which could lead to the extract of end user session token or login credentials. These may be used to access additional security-critical applications or conduct arbitrary cross-domain requests. | |||||
| CVE-2021-31851 | 1 Mcafee | 1 Policy Auditor | 2021-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the profileNodeID request parameters. The malicious script is reflected unmodified into the Policy Auditor web-based interface which could lead to the extraction of end user session token or login credentials. These may be used to access additional security-critical applications or conduct arbitrary cross-domain requests. | |||||
| CVE-2021-25969 | 1 Tuzitio | 1 Camaleon Cms | 2021-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attacker to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment. | |||||
| CVE-2021-41174 | 1 Grafana | 1 Grafana | 2021-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(‘alert(1)’)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path. | |||||
| CVE-2021-25986 | 1 Django-wiki Project | 1 Django-wiki | 2021-11-29 | 3.5 LOW | 5.4 MEDIUM |
| In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. An attacker who has access to edit pages can inject JavaScript payload in the title field. When a victim gets a notification regarding the changes made in the application, the payload in the notification panel renders and loads external JavaScript. | |||||
| CVE-2021-24888 | 1 Imageboss | 1 Imageboss | 2021-11-29 | 3.5 LOW | 4.8 MEDIUM |
| The ImageBoss WordPress plugin before 3.0.6 does not sanitise and escape its Source Name setting, which could allow high privilege users to perform Cross-Site Scripting attacks | |||||
| CVE-2021-35976 | 1 Plesk | 1 Obsidian | 2021-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability. | |||||