Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41427 | 1 Beeline | 2 Smart Box, Smart Box Firmware | 2021-11-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Beeline Smart Box 2.0.38 is vulnerable to Cross Site Scripting (XSS) via the choose_mac parameter to setup.cgi. | |||||
| CVE-2021-40517 | 1 Airangel | 10 Hsmx-app-100, Hsmx-app-1000, Hsmx-app-1000 Firmware and 7 more | 2021-11-12 | 3.5 LOW | 5.4 MEDIUM |
| Airangel HSMX Gateway devices through 5.2.04 is vulnerable to stored Cross Site Scripting. XSS Payload is placed in the name column of the updates table using database access. | |||||
| CVE-2021-25975 | 1 Publify Project | 1 Publify | 2021-11-12 | 3.5 LOW | 5.4 MEDIUM |
| In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with “publisher” role to inject malicious JavaScript via the uploaded html file. | |||||
| CVE-2021-25974 | 1 Publify Project | 1 Publify | 2021-11-12 | 3.5 LOW | 5.4 MEDIUM |
| In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article. | |||||
| CVE-2021-41372 | 1 Microsoft | 1 Power Bi Report Server | 2021-11-12 | 6.8 MEDIUM | 9.6 CRITICAL |
| Power BI Report Server Spoofing Vulnerability | |||||
| CVE-2021-43184 | 1 Jetbrains | 1 Youtrack | 2021-11-12 | 3.5 LOW | 5.4 MEDIUM |
| In JetBrains YouTrack before 2021.3.21051, stored XSS is possible. | |||||
| CVE-2021-24697 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2021-24710 | 1 Print-o-matic Project | 1 Print-o-matic | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24474 | 1 Awesome Weather Widget Project | 1 Awesome Weather Widget | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Awesome Weather Widget WordPress plugin through 3.0.2 does not sanitize the id parameter of its awesome_weather_refresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) Vulnerability. | |||||
| CVE-2021-24693 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2021-11-10 | 6.0 MEDIUM | 9.0 CRITICAL |
| The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin | |||||
| CVE-2021-24706 | 1 Qwizcards Project | 1 Qwizcards | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Qwizcards – online quizzes and flashcards WordPress plugin before 3.62 does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24701 | 1 Quiz Tool Lite Project | 1 Quiz Tool Lite | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Quiz Tool Lite WordPress plugin through 2.3.15 does not sanitize multiple input fields used when creating or managing quizzes and in other setting options, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24607 | 1 Wooassist | 1 Storefront Footer Text | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Storefront Footer Text WordPress plugin through 1.0.1 does not sanitize and escape the "Footer Credit Text" added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed. | |||||
| CVE-2021-35488 | 1 Thruk | 1 Thruk | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it. | |||||
| CVE-2021-35489 | 1 Thruk | 1 Thruk | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2&host={HOSTNAME]&service={SERVICENAME]&backend={BACKEND] Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing it. | |||||
| CVE-2021-24798 | 1 Androidbubbles | 1 Wp Header Images | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Header Images WordPress plugin before 2.0.1 does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24708 | 1 Wp All Export Project | 1 Wp All Export | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 does not escape its Export's Name before outputting it in Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-43181 | 1 Jetbrains | 1 Hub | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In JetBrains Hub before 2021.1.13690, stored XSS is possible. | |||||
| CVE-2021-32482 | 1 Cloudera | 1 Cloudera Manager | 2021-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cloudera Manager 5.x, 6.x, 7.1.x, 7.2.x, and 7.3.x allows XSS via the path parameter. | |||||
| CVE-2021-24616 | 1 Addtoany | 1 Addtoany Share Buttons | 2021-11-10 | 3.5 LOW | 4.8 MEDIUM |
| The AddToAny Share Buttons WordPress plugin before 1.7.48 does not escape its Image URL button setting, which could lead allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||