Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-23044 | 1 Dedecms | 1 Dedecms | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM | DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_pic_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
CVE-2020-23052 | 1 Catalyst | 1 Mahara | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM | Catalyst IT Ltd Mahara CMS v19.10.2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component groupfiles.php via the Number (Nombre) and Description (Descripción) parameters.
CVE-2021-39328 | 1 Presstigers | 1 Simple Job Board | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM | The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $job_board_privacy_policy_label variable echo'd out via the ~/admin/settings/class-simple-job-board-settings-privacy.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.9.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
CVE-2021-39354 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM | The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.
CVE-2021-39356 | 1 Content Staging Project | 1 Content Staging | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM | The Content Staging WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via several parameters that are echo'd out via the ~/templates/settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
CVE-2021-41172 | 1 Antsword Redis Project | 1 Antsword Redis | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM | AS_Redis is an AntSword plugin for Redis. The Redis Manage plugin for AntSword prior to version 0.5 is vulnerable to Self-XSS due to insufficient input validation and sanitization via redis server configuration. Self-XSS in the plugin configuration leads to code execution. This issue is patched in version 0.5.
CVE-2020-23042 | 1 Dropouts | 1 Super Backup | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM | Dropouts Technologies LLP Super Backup v2.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted GET request.
CVE-2021-41791 | 1 Alfresco | 2 Community Share, Share | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in Hyland org.alfresco:share through 7.0.0.2 and org.alfresco:community-share through 7.0. An evasion of the XSS filter for HTML input validation in the Alfresco Share User Interface leads to stored XSS that could be exploited by an attacker (given that he has privileges on the content collaboration features).
CVE-2020-23051 | 1 User Registration & Login And User Management System With Admin Panel Project | 1 User Registration & Login And User Management System With Admin Panel | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM | Phpgurukul User Registration & User Management System v2.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & loginsystem input fields.
CVE-2021-24744 | 1 Cimatti | 1 Contact Forms | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM | The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
CVE-2020-23041 | 1 Dropouts | 1 Air Share | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM | Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` exception-handling. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted GET request.
CVE-2020-23048 | 1 Seeddms | 1 Seeddms | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM | SeedDMS Content Management System v6.0.7 contains a persistent cross-site scripting (XSS) vulnerability in the component AddEvent.php via the name and comment parameters.
CVE-2020-23047 | 1 Macs Cms Project | 1 Macs Cms | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM | Macrob7 Macs Framework Content Management System - 1.14f was discovered to contain a cross-site scripting (XSS) vulnerability in the search input field of the search module.
CVE-2020-23039 | 1 Newsoftwares | 1 Folder Lock | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM | Folder Lock v3.4.5 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Create Folder function under the 'create' module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload as a path or folder name.
CVE-2021-24608 | 1 Strategy11 | 1 Formidable Form Builder | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM | The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24699 | 1 Easy Media Download Project | 1 Easy Media Download | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM | The Easy Media Download WordPress plugin before 1.1.7 does not escape the text argument of its shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-24785 | 1 Great-quotes Project | 1 Great-quotes | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM | The Great Quotes WordPress plugin through 1.0.0 does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
CVE-2021-42534 | 1 Trane | 2 Tracer Sc, Tracer Sc Firmware | 2021-10-27 | 4.3 MEDIUM | 6.1 MEDIUM | The affected product's web application does not properly neutralize the input during webpage generation, which could allow an attacker to inject code in the input forms.
CVE-2021-41169 | 1 Sulu | 1 Sulu | 2021-10-27 | 3.5 LOW | 4.8 MEDIUM | Sulu is an open-source PHP content management system based on the Symfony framework. Versions before 1.6.43 are subject to stored cross-site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.
CVE-2021-39221 | 1 Nextcloud | 1 Contacts | 2021-10-27 | 3.5 LOW | 5.4 MEDIUM | Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application is upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy.