Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-32798 | 1 Jupyter | 1 Notebook | 2021-08-17 | 6.8 MEDIUM | 9.6 CRITICAL |
| The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs. | |||||
| CVE-2021-24502 | 1 Flippercode | 1 Wp Google Map | 2021-08-17 | 3.5 LOW | 4.8 MEDIUM |
| The WP Google Map WordPress plugin before 1.7.7 did not sanitise or escape the Map Title before outputting them in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24505 | 1 Madeit | 1 Forms | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| The Forms WordPress plugin before 1.12.3 did not sanitise its input fields, leading to Stored Cross-Site scripting issues. The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the Forms "Add new" field. | |||||
| CVE-2021-37633 | 1 Discourse | 1 Discourse | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Discourse is an open source discussion platform. In versions prior to 2.7.8 rendering of d-popover tooltips can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest `stable` 2.7.8 version of Discourse. As a workaround users may ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks. | |||||
| CVE-2021-24509 | 1 A3rev | 1 Page View Count | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| The Page View Count WordPress plugin before 2.4.9 does not escape the postid parameter of pvc_stats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability. | |||||
| CVE-2020-8263 | 1 Pulsesecure | 1 Pulse Secure Desktop Client | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file. | |||||
| CVE-2021-37211 | 1 Larvata | 1 Flygo | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| The bulletin function of Flygo does not filter special characters while a new announcement is added. Remoter attackers can use the vulnerability with general user’s credential to inject JavaScript and execute stored XSS attacks. | |||||
| CVE-2021-24522 | 1 Profilepress | 1 Profilepress | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some cases this could be replicated with just $_GET parameters and no need for $_POST values. | |||||
| CVE-2013-4718 | 1 Otrs | 2 Otrs, Otrs Itsm | 2021-08-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7 allows remote authenticated users to inject arbitrary web script or HTML via an ITSM ConfigItem search. | |||||
| CVE-2021-37390 | 1 Chamilo | 1 Chamilo Lms | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature). | |||||
| CVE-2021-24304 | 1 Tagdiv | 1 Newsmag | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Newsmag WordPress theme before 5.0 does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability. | |||||
| CVE-2021-37389 | 1 Chamilo | 1 Chamilo | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter. | |||||
| CVE-2021-37573 | 1 Tiny Java Web Server Project | 1 Tiny Java Web Server | 2021-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error page | |||||
| CVE-2021-37634 | 1 Vapor | 1 Leafkit | 2021-08-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Leafkit is a templating language with Swift-inspired syntax. Versions prior to 1.3.0 are susceptible to Cross-site Scripting (XSS) attacks. This affects anyone passing unsanitised data to Leaf's variable tags. Before this fix, Leaf would not escape any strings passed to tags as variables. If an attacker managed to find a variable that was rendered with their unsanitised data, they could inject scripts into a generated Leaf page, which could enable XSS attacks if other mitigations such as a Content Security Policy were not enabled. This has been patched in 1.3.0. As a workaround sanitize any untrusted input before passing it to Leaf and enable a CSP to block inline script and CSS data. | |||||
| CVE-2021-34660 | 1 Verygoodplugins | 1 Wp Fusion | 2021-08-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Fusion Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.37.18. | |||||
| CVE-2020-20990 | 1 Domainmod | 1 Domainmod | 2021-08-16 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting (XSS) vulnerability in the /segments/edit.php component of Domainmod 4.13 allows attackers to execute arbitrary web scripts or HTML via the Segment Name parameter. | |||||
| CVE-2020-20988 | 1 Domainmod | 1 Domainmod | 2021-08-16 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting (XSS) vulnerability in the /domains/cost-by-owner.php component of Domainmod 4.13 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "or Expiring Between" parameter. | |||||
| CVE-2021-38602 | 1 Pluxml | 1 Pluxml | 2021-08-16 | 3.5 LOW | 4.8 MEDIUM |
| PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content. | |||||
| CVE-2021-38603 | 1 Pluxml | 1 Pluxml | 2021-08-16 | 3.5 LOW | 4.8 MEDIUM |
| PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field. | |||||
| CVE-2021-31655 | 1 Trendnet | 2 Tv-ip110wn, Tv-ip110wn Firmware | 2021-08-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in TRENDnet TV-IP110WN V1.2.2.64 V1.2.2.65 V1.2.2.68 via the profile parameter. in a GET request in view.cgi. | |||||