Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40440 | 1 Microsoft | 1 Dynamics 365 Business Central | 2021-09-24 | 3.5 LOW | 5.4 MEDIUM |
| Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | |||||
| CVE-2021-23041 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 8 more | 2021-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2021-33673 | 1 Sap | 1 Contact Center | 2021-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Under certain conditions, SAP Contact Center - version 700,does not sufficiently encode user-controlled inputs and persists in them. This allows an attacker to exploit a Stored Cross-Site Scripting (XSS) vulnerability when a user browses through the employee directory and to execute arbitrary code on the victim's browser. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands. | |||||
| CVE-2021-33674 | 1 Sap | 1 Contact Center | 2021-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability when creating a new email and to execute arbitrary code on the victim's browser. | |||||
| CVE-2021-33675 | 1 Sap | 1 Contact Center | 2021-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability through phishing and to execute arbitrary code on the victim's browser. | |||||
| CVE-2021-33679 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-09-24 | 3.5 LOW | 5.4 MEDIUM |
| The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in their session, hence allowing the attacker to compromise their confidentiality and integrity. | |||||
| CVE-2021-39202 | 1 Wordpress | 1 Wordpress | 2021-09-24 | 3.5 LOW | 5.4 MEDIUM |
| WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8. | |||||
| CVE-2020-21082 | 1 Maccms | 1 Maccms | 2021-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the background administrator article management module of Maccms 8.0 allows attackers to steal administrator and user cookies via crafted payloads in the text fields for Chinese and English names. | |||||
| CVE-2021-3780 | 1 Framasoft | 1 Peertube | 2021-09-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-3783 | 1 Yourls | 1 Yourls | 2021-09-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-3785 | 1 Yourls | 1 Yourls | 2021-09-23 | 3.5 LOW | 5.4 MEDIUM |
| yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-24724 | 1 Motopress | 1 Timetable And Event Schedule | 2021-09-23 | 3.5 LOW | 5.4 MEDIUM |
| The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s | |||||
| CVE-2021-24605 | 1 Custom Post View Generator Project | 1 Custom Post View Generator | 2021-09-23 | 3.5 LOW | 5.4 MEDIUM |
| The create_post_page AJAX action of the Custom Post View Generator WordPress plugin through 0.4.6 (available to authenticated user) does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site issue | |||||
| CVE-2021-24614 | 1 Oz-plugin | 1 Book Appointment Online | 2021-09-23 | 3.5 LOW | 4.8 MEDIUM |
| The Book appointment online WordPress plugin before 1.39 does not sanitise or escape Service Prices before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24619 | 1 Evona | 1 Per Page Add To Head | 2021-09-23 | 3.5 LOW | 4.8 MEDIUM |
| The Per page add to head WordPress plugin through 1.4.4 does not properly sanitise one of its setting, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. | |||||
| CVE-2021-24621 | 1 Stratospheredigital | 1 Wp Courses Lms | 2021-09-23 | 3.5 LOW | 4.8 MEDIUM |
| The WP Courses LMS WordPress plugin before 2.0.44 does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24623 | 1 Ticket-system | 1 Wordpress Advanced Ticket System | 2021-09-23 | 3.5 LOW | 4.8 MEDIUM |
| The WordPress Advanced Ticket System, Elite Support Helpdesk WordPress plugin before 1.0.64 does not sanitize or escape form values before saving to the database or when outputting, which allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24508 | 1 Smashballoon | 1 Smash Balloon Social Post Feed | 2021-09-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will be executed in the context of a logged in administrator. | |||||
| CVE-2021-24510 | 1 Mf Gig Calendar Project | 1 Mf Gig Calendar | 2021-09-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The MF Gig Calendar WordPress plugin through 1.1 does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-24523 | 1 Daily Prayer Time Project | 1 Daily Prayer Time | 2021-09-23 | 3.5 LOW | 5.4 MEDIUM |
| The Daily Prayer Time WordPress plugin before 2021.08.10 does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues. | |||||