Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-34651 | 1 Scribblemaps | 1 Scribble Maps | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Scribble Maps WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the map parameter in the ~/includes/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. | |||||
| CVE-2021-34649 | 1 Simple-behace-portfolio Project | 1 Simple-behace-portfolio | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Behance Portfolio WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `dark` parameter in the ~/titan-framework/iframe-font-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.2. | |||||
| CVE-2021-34652 | 1 Meowapps | 1 Media Usage | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Media Usage WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/mmu_admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.4. | |||||
| CVE-2020-18702 | 1 Quokka Project | 1 Quokka | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the 'Username' parameter in the component 'quokka/admin/actions.py'. | |||||
| CVE-2021-38713 | 1 Imgurl Project | 1 Imgurl | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header. | |||||
| CVE-2020-25352 | 1 Rconfig | 1 Rconfig | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the /devices.php function inrConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote attackers to perform arbitrary Javascript execution through entering a crafted payload into the 'Model' field then saving. | |||||
| CVE-2021-27401 | 1 Mitel | 1 Micollab | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Join Meeting page of Mitel MiCollab Web Client before 9.2 FP2 could allow an attacker to access (view and modify) user data by executing arbitrary code due to insufficient input validation, aka Cross-Site Scripting (XSS). | |||||
| CVE-2020-18699 | 1 Talelin | 1 Lin-cms-flask | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Lin-CMS-Flask v0.1.1 allows remote attackers to execute arbitrary code by entering scripts in the the 'Username' parameter of the in component 'app/api/cms/user.py'. | |||||
| CVE-2021-24471 | 1 Youtube Embed Project | 1 Youtube Embed | 2021-08-23 | 2.1 LOW | 5.4 MEDIUM |
| The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured). | |||||
| CVE-2021-24518 | 1 Wpfront | 1 Notification Bar | 2021-08-23 | 3.5 LOW | 4.8 MEDIUM |
| The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24445 | 1 Draftpress | 1 My Site Audit | 2021-08-23 | 3.5 LOW | 5.5 MEDIUM |
| The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when he unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24535 | 1 Light Messages Project | 1 Light Messages | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Light Messages WordPress plugin through 1.0 is lacking CSRF check when updating it's settings, and is not sanitising its Message Content in them (even with the unfiltered_html disallowed). As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the Message Content. Depending on the options set, the XSS payload can be triggered either in the backend only (in the plugin's settings), or both frontend and backend. | |||||
| CVE-2021-24466 | 1 Verse-o-matic Project | 1 Verse-o-matic | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24519 | 1 Vikwp | 1 Car Rental Management System | 2021-08-23 | 3.5 LOW | 4.8 MEDIUM |
| The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-38607 | 1 Crocoblock | 1 Jetengine | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input. | |||||
| CVE-2021-38752 | 1 Online Catering Reservation System Project | 1 Online Catering Reservation System | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Online Catering Reservation System using PHP on Sourcecodester allows an attacker to arbitrarily inject code in the search bar. | |||||
| CVE-2021-38757 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through contact.php. | |||||
| CVE-2021-38756 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php. | |||||
| CVE-2021-24526 | 1 10web | 1 Form Maker | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24538 | 1 Current Book Project | 1 Current Book | 2021-08-23 | 3.5 LOW | 5.4 MEDIUM |
| The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. | |||||