Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24658 | 1 Erident Custom Login And Dashboard Project | 1 Erident Custom Login And Dashboard | 2021-08-27 | 3.5 LOW | 4.8 MEDIUM |
| The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them (even when the unfileted_html is disabled) | |||||
| CVE-2021-24574 | 1 Simple Banner Project | 1 Simple Banner | 2021-08-27 | 3.5 LOW | 4.8 MEDIUM |
| The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24556 | 1 Email-subscriber Project | 1 Email-subscriber | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST parameters, inserting them in the DB and then outputting them back in the Subscriber list (/wp-admin/edit.php?post_type=kes_campaign&page=kento_email_subscriber_list_settings), leading a Stored XSS issue. | |||||
| CVE-2021-24571 | 1 Harmonicdesign | 1 Hd Quiz | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24486 | 1 Wpbrigade | 1 Simple Social Media Share Buttons | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The Simple Social Media Share Buttons – Social Sharing for Everyone WordPress plugin before 3.2.3 did not escape the align and like_button_size parameters of its SSB shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2021-24529 | 1 Awplife | 1 Grid Gallery | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The Grid Gallery – Photo Image Grid Gallery WordPress plugin before 1.2.5 does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability. | |||||
| CVE-2021-24533 | 1 Webfactoryltd | 1 Maintenance | 2021-08-26 | 3.5 LOW | 4.8 MEDIUM |
| The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend | |||||
| CVE-2021-24524 | 1 Givewp | 1 Givewp | 2021-08-26 | 3.5 LOW | 4.8 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them. | |||||
| CVE-2021-24547 | 1 Kn Fix Your Title Project | 1 Kn Fix Your Title | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field. | |||||
| CVE-2021-24531 | 1 Wpcharitable | 1 Charitable | 2021-08-26 | 3.5 LOW | 5.4 MEDIUM |
| The Charitable – Donation Plugin WordPress plugin before 1.6.51 is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature. | |||||
| CVE-2021-39368 | 1 Canon | 1 Oce Print Exec Workgroup | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter. | |||||
| CVE-2021-34223 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in urlfilter.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "URL Address" field. | |||||
| CVE-2021-34220 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in tr069config.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "User Name" field or "Password" field. | |||||
| CVE-2021-34215 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field. | |||||
| CVE-2021-34207 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field. | |||||
| CVE-2021-34228 | 1 Totolink | 2 A3002r, A3002r Firmware | 2021-08-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and "Service Name" field. | |||||
| CVE-2021-22238 | 1 Gitlab | 1 Gitlab | 2021-08-25 | 3.5 LOW | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues. | |||||
| CVE-2021-32602 | 1 Fortinet | 1 Fortiportal | 2021-08-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated attacker to perform an XSS attack via sending a crafted request with an invalid lang parameter or with an invalid org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value. | |||||
| CVE-2021-39250 | 1 Invisioncommunity | 1 Invision Power Board | 2021-08-25 | 3.5 LOW | 5.4 MEDIUM |
| Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML). | |||||
| CVE-2021-39248 | 1 Edx | 1 Edx-platform | 2021-08-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open edX through Lilac.1 allows XSS in common/static/common/js/discussion/utils.js via crafted LaTeX content within a discussion. | |||||