Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24672 | 1 Onedesigns | 1 One User Avatar | 2021-10-20 | 3.5 LOW | 5.4 MEDIUM |
| The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2021-33988 | 1 Microweber | 1 Microweber | 2021-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS). vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user execute Javascript by Inserting code in the request form. | |||||
| CVE-2021-42335 | 1 Huaju | 1 Easytest Online Learning Test Platform | 2021-10-20 | 3.5 LOW | 5.4 MEDIUM |
| Easytest bulletin board management function of online learning platform does not filter special characters. After obtaining a user’s privilege, remote attackers can inject JavaScript and execute stored XSS attack. | |||||
| CVE-2021-32569 | 1 Ericsson | 2 Operations Support System-radio And Core, Operations Support System-radio And Core Firmware | 2021-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. This problem is completely resolved in new Ericsson library browsing tool ELEX used in systems like Ericsson Network Manager. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to. | |||||
| CVE-2021-41139 | 1 Anuko | 1 Time Tracker | 2021-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged on user selects a date in Time Tracker, it is being passed on via the date parameter in URI. Because of not checking this parameter for sanity in versions prior to 1.19.30.5600, it was possible to craft the URI with malicious JavaScript, use social engineering to convince logged on user to click on such link, and have the attacker-supplied JavaScript to be executed in user's browser. This issue is patched in version 1.19.30.5600. As a workaround, one may introduce `ttValidDbDateFormatDate` function as in the latest version and add a call to it within the access checks block in time.php. | |||||
| CVE-2021-41132 | 1 Openmicroscopy | 2 Omero-figure, Omero-web | 2021-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-33179 | 1 Nagios | 1 Nagios Xi | 2021-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload. | |||||
| CVE-2021-41142 | 1 Enalean | 1 Tuleap | 2021-10-20 | 3.5 LOW | 5.4 MEDIUM |
| Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. There is a cross-site scripting vulnerability in Tuleap Community Edition prior to 12.11.99.25 and Tuleap Enterprise Edition 12.11-2. A malicious user with the capability to add and remove attachment to an artifact could force a victim to execute uncontrolled code. Tuleap Community Edition 11.17.99.146 and Tuleap Enterprise Edition 12.11-2 contain a fix for the issue. | |||||
| CVE-2021-42329 | 1 Xinheinformation | 1 Xinhe Teaching Platform System | 2021-10-20 | 3.5 LOW | 5.4 MEDIUM |
| The “List_Add” function of message board of ShinHer StudyOnline System does not filter special characters in the title parameter. After logging in with user’s privilege, remote attackers can inject JavaScript and execute stored XSS attacks. | |||||
| CVE-2021-39335 | 1 Wpgenious | 1 Wpgenius Job Listing | 2021-10-20 | 2.1 LOW | 4.8 MEDIUM |
| The WpGenius Job Listing WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/src/admin/class/class-wpgenious-job-listing-options.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.2. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39336 | 1 Wp-jobmanager | 1 Job Manager | 2021-10-20 | 2.1 LOW | 4.8 MEDIUM |
| The Job Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin-jobs.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.7.25. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39334 | 1 Perceptionsystem | 1 Job Board Vanila | 2021-10-20 | 2.1 LOW | 4.8 MEDIUM |
| The Job Board Vanila WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the psjb_exp_in and the psjb_curr_in parameters found in the ~/job-settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39332 | 1 Linksoftwarellc | 1 Business Manager | 2021-10-20 | 2.1 LOW | 4.8 MEDIUM |
| The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39344 | 1 Kajoom | 1 Kjm Admin Notices | 2021-10-20 | 2.1 LOW | 4.8 MEDIUM |
| The KJM Admin Notices WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/class-kjm-admin-notices-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39338 | 1 Mybb Cross-poster Project | 1 Mybb Cross-poster | 2021-10-20 | 2.1 LOW | 4.8 MEDIUM |
| The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39345 | 1 Cnrs | 1 Hal | 2021-10-20 | 2.1 LOW | 4.8 MEDIUM |
| The HAL WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/wp-hal.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.1.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-39337 | 1 Job-portal Project | 1 Job-portal | 2021-10-20 | 2.1 LOW | 4.8 MEDIUM |
| The job-portal WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/jobs_function.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. | |||||
| CVE-2021-36387 | 1 Yellowfinbi | 1 Yellowfin | 2021-10-20 | 3.5 LOW | 5.4 MEDIUM |
| In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4". | |||||
| CVE-2021-42227 | 1 Kindsoft | 1 Kindeditor | 2021-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross SIte Scripting (XSS) vulnerability exists in KindEditor 4.1.x via a Google search inurl:/examples/uploadbutton.html and then the .html file on the website that uses this editor (the file suffix is allowed). | |||||
| CVE-2020-19962 | 1 Chaoji Cms Project | 1 Chaoji Cms | 2021-10-19 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the getClientIp function in /lib/tinwin.class.php of Chaoji CMS 2.39, allows attackers to execute arbitrary web scripts. | |||||