Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2021-24709 | 1 Awplife | 1 Weather Effect | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM | The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed), which could lead to Stored Cross-Site Scripting issues. |
CVE-2021-24737 | 1 Gvectors | 1 Wpdiscuz | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM | The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
CVE-2021-24577 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM | The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when adding or modifying coming soon or maintenance mode pages, leading to stored XSS. |
CVE-2021-24681 | 1 Duplicatepro | 1 Duplicate Page | 2021-10-15 | 3.5 LOW | 4.8 MEDIUM | The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix setting before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
CVE-2021-24720 | 1 Ayecode | 1 Geodirectory | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM | The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS). |
CVE-2021-41567 | 1 Tad Uploader Project | 1 Tad Uploader | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM | The new add subject parameter of the Tad Uploader view book list function fails to filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks. |
CVE-2021-41565 | 1 Tadtools Project | 1 Tadtools | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM | The TadTools special page parameter does not properly restrict the input of specific characters, so remote attackers can inject JavaScript syntax without logging in and perform reflected XSS attacks. |
CVE-2021-41918 | 1 Webtareas Project | 1 Webtareas | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM | webTareas version 2.4 and earlier allows an authenticated user to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against the platform users and administrators. The issue affects every endpoint on the application because it is related to how each URL is echoed back on every response page. |
CVE-2021-41917 | 1 Webtareas Project | 1 Webtareas | 2021-10-15 | 3.5 LOW | 5.4 MEDIUM | webTareas version 2.4 and earlier allows an authenticated user to store arbitrary web script or HTML by creating or editing a client name in the clients section, due to incorrect sanitization of user-supplied data, and achieve a Stored Cross-Site Scripting attack against the platform users and administrators. The affected endpoint is /clients/editclient.php, on the HTTP POST cn parameter. |
CVE-2021-41563 | 1 Tad Book3 Project | 1 Tad Book3 | 2021-10-15 | 4.3 MEDIUM | 6.1 MEDIUM | The Tad Book3 book editing function does not filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks. |
CVE-2021-36150 | 1 Silverstripe | 1 Silverstripe | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM | SilverStripe Framework through 4.8.1 allows XSS. |
CVE-2021-34742 | 1 Cisco | 1 Vision Dynamic Signage Director | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. |
CVE-2020-21729 | 1 Jeecms | 1 Jeecms X | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM | JEECMS x1.1 contains a stored cross-site scripting (XSS) vulnerability in the component /member-vipcenter.htm, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
CVE-2021-3834 | 1 Artica | 1 Integria Ims | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM | Integria IMS version 5.0.92 does not correctly filter some fields related to the login.php file. An attacker could exploit this vulnerability to perform a cross-site scripting (XSS) attack. |
CVE-2021-42053 | 1 Django-unicorn | 1 Unicorn | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM | The Unicorn framework through 0.35.3 for Django allows XSS via component.name. |
CVE-2020-21656 | 1 Xyhcms | 1 Xyhcms | 2021-10-14 | 3.5 LOW | 5.4 MEDIUM | XYHCMS v3.6 contains a stored cross-site scripting (XSS) vulnerability in the component xyhai.php?s=/Link/index. |
CVE-2021-42042 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript. |
CVE-2021-42043 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query. |
CVE-2021-42044 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, growthexperiments-mentor-dashboard-mentee-overview-info-text, growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline, and growthexperiments-mentor-dashboard-mentee-overview-active-ago MediaWiki messages were not being properly sanitized and allowed for the injection and execution of HTML and JavaScript. |
CVE-2021-42041 | 1 Mediawiki | 1 Mediawiki | 2021-10-14 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log. |