Total: 21765 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-34668 | 1 Devowl | 1 Wordpress Real Media Library | 2021-09-02 | 3.5 LOW | 5.4 MEDIUM |
The WordPress Real Media Library WordPress plugin is vulnerable to Stored Cross-Site Scripting via the name parameter in the ~/inc/overrides/lite/rest/Folder.php file which allows author-level attackers to inject arbitrary web scripts in folder names, in versions up to and including 4.14.1. | |||||
CVE-2020-18126 | 1 Indexhibit | 1 Indexhibit | 2021-09-02 | 3.5 LOW | 5.4 MEDIUM |
Multiple stored cross-site scripting (XSS) vulnerabilities in the Sections module of Indexhibit 2.1.5 allow attackers to execute arbitrary web scripts or HTML. | |||||
CVE-2020-18125 | 1 Indexhibit | 1 Indexhibit | 2021-09-02 | 4.3 MEDIUM | 6.1 MEDIUM |
A reflected cross-site scripting (XSS) vulnerability in the /plugin/ajax.php component of Indexhibit 2.1.5 allows attackers to execute arbitrary web scripts or HTML. | |||||
CVE-2021-29743 | 1 Ibm | 2 Maximo Application Suite, Maximo Asset Management | 2021-09-02 | 3.5 LOW | 5.4 MEDIUM |
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 201693. | |||||
CVE-2021-24528 | 1 Wpmanageninja | 1 Fluentsmtp | 2021-09-02 | 3.5 LOW | 5.4 MEDIUM |
The FluentSMTP WordPress plugin before 2.0.1 does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored cross-site scripting (XSS) vulnerability. Only users with roles capable of managing plugins can modify the plugin's settings. | |||||
CVE-2021-24593 | 1 Business Hours Indicator Project | 1 Business Hours Indicator | 2021-09-02 | 3.5 LOW | 5.4 MEDIUM |
The Business Hours Indicator WordPress plugin before 2.3.5 does not sanitise or escape its "Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue. | |||||
CVE-2021-24592 | 1 Yoohooplugins | 1 Sitewide Notice | 2021-09-02 | 3.5 LOW | 4.8 MEDIUM |
The Sitewide Notice WP WordPress plugin before 2.3 does not sanitise some of its settings before outputting them in frontend pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
CVE-2021-24665 | 1 Tipsandtricks-hq | 1 Wp Video Lightbox | 2021-09-02 | 3.5 LOW | 5.4 MEDIUM |
The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks. | |||||
CVE-2021-24437 | 1 Realfavicongenerator | 1 Favicon By Realfavicongenerator | 2021-09-02 | 4.3 MEDIUM | 6.1 MEDIUM |
The Favicon by RealFaviconGenerator WordPress plugin through 1.3.20 does not sanitise or escape one of its parameters before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged-in administrator. | |||||
CVE-2021-39117 | 1 Atlassian | 2 Data Center, Jira | 2021-09-01 | 3.5 LOW | 4.8 MEDIUM |
The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field. | |||||
CVE-2021-20809 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in Create screens of Entry, Page, and Content Type of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
CVE-2021-20808 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in Search screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
CVE-2021-20810 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in Website Management screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
CVE-2021-20811 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in List of Assets screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
CVE-2021-20812 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in Setting screen of Server Sync of Movable Type (Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
CVE-2021-20813 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in Edit screen of Content Data of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series)) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
CVE-2021-20814 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), and Movable Type Premium 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
CVE-2021-20815 | 1 Sixapart | 1 Movable Type | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in Edit Boilerplate screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
CVE-2021-40178 | 1 Zohocorp | 1 Manageengine Log360 | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings. | |||||
CVE-2021-40176 | 1 Zohocorp | 1 Manageengine Log360 | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Zoho ManageEngine Log360 before Build 5225 allows stored XSS. |