Vulnerabilities (CVE)

Filtered by CWE-79
Total 21765 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-28957 1 Froxlor 1 Froxlor 2021-10-28 3.5 LOW 5.4 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the Customer Add module of Froxlor v0.10.16 allow attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the name, firstname, or username input fields.
CVE-2020-23055 1 Lancom-systems 3 Lcos, Wlc-1000, Wlc-4006 2021-10-28 3.5 LOW 5.4 MEDIUM
LANCOM WLAN Controller (Wireless Series & Hotspot) WLC-1000 & WLC-4006 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the /authen/start/ module via the userid and password parameters.
CVE-2020-28955 1 Sugarcrm 1 Sugarcrm 2021-10-28 3.5 LOW 5.4 MEDIUM
SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields.
CVE-2020-28968 1 Draytek 26 Vigorap 1000c, Vigorap 1000c Firmware, Vigorap 700 and 23 more 2021-10-28 3.5 LOW 5.4 MEDIUM
Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.
CVE-2020-28956 1 Sugarcrm 1 Sugarcrm 2021-10-28 3.5 LOW 5.4 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allow attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
CVE-2021-35499 1 Tibco 1 Nimbus 2021-10-28 3.5 LOW 5.4 MEDIUM
The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Stored Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: versions 10.4.0 and below.
CVE-2021-41866 1 Mybb 1 Mybb 2021-10-28 3.5 LOW 5.4 MEDIUM
MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.
CVE-2021-24544 1 Motopress 1 Motopress-slider-lite 2021-10-28 3.5 LOW 5.4 MEDIUM
The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow a user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged-in admins viewing the slider list and could lead to privilege escalation, for example by creating a rogue admin account.
CVE-2021-24489 1 Emarketdesign 1 Request A Quote 2021-10-28 3.5 LOW 4.8 MEDIUM
The Request a Quote WordPress plugin before 2.3.5 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.
CVE-2021-24414 1 Video Player For Youtube Project 1 Video Player For Youtube 2021-10-28 3.5 LOW 5.4 MEDIUM
The Video Player for YouTube WordPress plugin before 1.4 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.
CVE-2021-24381 1 Ninjaforms 1 Contact Form 2021-10-28 3.5 LOW 4.8 MEDIUM
The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24514 1 Vfbpro 1 Visual Form Builder 2021-10-28 3.5 LOW 4.8 MEDIUM
The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set a Cross-Site Scripting payload in it, even when the unfiltered_html capability is disallowed.
CVE-2021-21319 1 Galette 1 Galette 2021-10-27 3.5 LOW 5.4 MEDIUM
Galette is a membership management web application geared towards non-profit organizations. In versions prior to 0.9.5, malicious JavaScript code can be stored to be displayed later on the self-subscription page. The self-subscription feature can be disabled as a workaround (this is the default state). Malicious JavaScript code can be executed (not stored) on the login and retrieve password pages. This issue is patched in version 0.9.5.
CVE-2021-24885 1 Yop-poll 1 Yop-poll 2021-10-27 4.3 MEDIUM 6.1 MEDIUM
The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to Reflected Cross-Site Scripting.
CVE-2020-20908 1 Akaunting 1 Akaunting 2021-10-27 3.5 LOW 5.4 MEDIUM
Akaunting v1.3.17 was discovered to contain a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Company Name input field.
CVE-2020-36490 1 Dedecms 1 Dedecms 2021-10-27 3.5 LOW 5.4 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
CVE-2020-36491 1 Dedecms 1 Dedecms 2021-10-27 3.5 LOW 5.4 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tags_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
CVE-2020-23054 1 User-agent Switcher And Manager Project 1 User-agent Switcher And Manager 2021-10-27 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in NSK User Agent String Switcher Service v0.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the user agent input field.
CVE-2020-23049 1 Fork-cms 1 Fork Cms 2021-10-27 3.5 LOW 5.4 MEDIUM
Fork CMS Content Management System v5.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the `Displayname` field when using the `Add`, `Edit` or `Register` functions. This vulnerability allows attackers to execute arbitrary web scripts or HTML.
CVE-2020-23046 1 Dedecms 1 Dedecms 2021-10-27 4.3 MEDIUM 6.1 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tpl.php via the `filename`, `mid`, `userid`, and `templet` parameters.