Total: 21765 CVE
CVE | Vendors (count, name) | Products (count, name) | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-24176 | 1 Jh 404 Logger Project | 1 Jh 404 Logger | 2021-10-18 | 3.5 LOW | 5.4 MEDIUM | The JH 404 Logger WordPress plugin through 1.1 does not sanitise the referer and path of 404 pages when they are output in the dashboard, which leads to execution of arbitrary JavaScript in the WordPress dashboard.
CVE-2021-24274 | 1 Supsystic | 1 Ultimate Maps | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM | The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.
CVE-2021-24276 | 1 Supsystic | 1 Contact Form | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM | The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.
CVE-2021-24286 | 1 Mooveagency | 1 Redirect 404 To Parent | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM | The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
CVE-2019-12823 | 1 Craftcms | 1 Craft Cms | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM | Craft CMS before 3.1.31 does not properly filter XML feeds, thus allowing XSS.
CVE-2018-7543 | 1 Snapcreek | 1 Duplicator | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the json parameter.
CVE-2021-24678 | 1 Cminds | 1 Tooltip Glossary | 2021-10-18 | 3.5 LOW | 5.4 MEDIUM | The CM Tooltip Glossary WordPress plugin before 3.9.21 does not escape some glossary_tooltip shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-33904 | 1 Accela | 1 Civic Platform | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** In Accela Civic Platform through 21.1, the security/hostSignon.do parameter servProvCode is vulnerable to XSS. NOTE: The vendor states "there are configurable security flags and we are unable to reproduce them with the available information."
CVE-2021-34370 | 1 Accela | 1 Civic Platform | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** Accela Civic Platform through 20.1 allows ssoAdapter/logoutAction.do successURL XSS. NOTE: the vendor states "there are configurable security flags and we are unable to reproduce them with the available information."
CVE-2021-24287 | 1 Mooveagency | 1 Select All Categories And Taxonomies, Change Checkbox To Radio Buttons | 2021-10-18 | 4.3 MEDIUM | 6.1 MEDIUM | The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
CVE-2021-20481 | 1 Ibm | 1 Sterling File Gateway | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM | IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 197503.
CVE-2021-40541 | 1 Php-fusion | 1 Phpfusion | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM | PHPFusion 9.03.110 is affected by cross-site scripting (XSS): the preg patterns in the descript() function only filter HTML tags that are not followed by "//", so an authenticated user can trigger XSS by appending "//" to the end of the text.
CVE-2021-35059 | 1 Openwaygroup | 1 Way4 | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM | OpenWay WAY4 ACS before 1.2.278-2693 allows XSS via the /way4acs/enroll action parameter.
CVE-2021-20561 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM | IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199230.
CVE-2021-20571 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM | IBM Sterling B2B Integrator 5.2.0.0 through 6.1.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199246.
CVE-2021-24712 | 1 Dwbooster | 1 Appointment Hour Booking | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM | The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars.
CVE-2021-24690 | 1 Kibokolabs | 1 Chained Quiz | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM | The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings.
CVE-2021-24545 | 1 Wp Html Author Bio Project | 1 Wp Html Author Bio | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM | The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visits a frontend post made by such a user. As a result, a user with a role as low as Author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin views the related post(s).
CVE-2021-24656 | 1 Wpbrigade | 1 Simple Social Buttons | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM | The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title setting before outputting it in the frontend pages or posts (depending on the settings used), allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24691 | 1 Expresstech | 1 Quiz And Survey Master | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM | The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
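Four of the entries above (CVE-2021-24274, CVE-2021-24276, CVE-2021-24286, CVE-2021-24287) describe the same defect: a settings page echoes the `tab` query parameter into an HTML attribute without escaping. The script below is an added illustration of that pattern and its fix, not code from any of the plugins listed; the link markup, the attacker payload and the function names `render_settings_vulnerable()` / `render_settings_fixed()` are assumptions made for the example. `esc_attr()` is WordPress's real attribute-escaping helper; the fallback definition is there only so the script also runs outside WordPress with plain `php`.

```php
<?php
// Added example of the "tab parameter echoed into an attribute" reflected XSS
// pattern (CVE-2021-24274/-24276/-24286/-24287 in the table above).
// Not code from any listed plugin: the nav-link markup, the payload and the
// function names render_settings_vulnerable()/render_settings_fixed() are
// hypothetical. esc_attr() is WordPress's own helper; the fallback below only
// exists so the file runs stand-alone (php this_file.php).

if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        // Encodes < > & " ' so the value cannot terminate the attribute.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable: the raw $_GET['tab'] value is concatenated into a double-quoted
// href. A " inside the value ends the attribute and everything after it is
// parsed as further attributes, here an event handler.
function render_settings_vulnerable(string $tab): string
{
    return '<a class="nav-tab" href="?page=plugin-settings&tab=' . $tab . '">Settings</a>';
}

// Fixed: escape at the point of output. The " becomes &quot; and the whole
// value stays inside the attribute; the browser sees one long href, no
// new attributes.
function render_settings_fixed(string $tab): string
{
    return '<a class="nav-tab" href="?page=plugin-settings&tab=' . esc_attr($tab) . '">Settings</a>';
}

// Constructed attacker input: what $_GET['tab'] holds once the browser has
// URL-decoded  ?page=plugin-settings&tab=x%22%20onmouseover%3D%22alert(1)%22%20x%3D%22
$payload = 'x" onmouseover="alert(1)" x="';

$vuln = render_settings_vulnerable($payload);
$safe = render_settings_fixed($payload);

echo "Vulnerable:\n$vuln\n\n";
echo "Fixed:\n$safe\n\n";

// Self-check: the event handler exists as real markup only in the vulnerable
// output; in the fixed output every quote from the payload is encoded.
$ok = strpos($vuln, ' onmouseover="alert(1)"') !== false
   && strpos($safe, ' onmouseover=') === false
   && strpos($safe, '&quot;') !== false;
echo $ok ? "check passed\n" : "check FAILED\n";
exit($ok ? 0 : 1);
```

Escaping at output is the fix the plugin authors shipped for these four issues; in a real settings page it is worth adding a second, independent layer by comparing `$_GET['tab']` against the list of tab names the page actually knows and falling back to a default for anything else. The same output-escaping rule covers the stored variants in the table (the 404 referer/path in CVE-2021-24176, the author bio in CVE-2021-24545, the settings values in CVE-2021-24656 and CVE-2021-24691): data that later lands in HTML is escaped for the context it is written into, whatever role the user who stored it holds.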