Vulnerabilities (CVE)


Filtered by CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. Cross-site Scripting)
Total: 21765 CVE
Each entry lists: CVE ID | Vendors (count and name) | Products (count and name) | Updated | CVSS v2 | CVSS v3, followed by the CVE description.
CVE-2017-8041 | Vendors: 1 (Vmware) | Products: 1 (Single Sign-on For Pivotal Cloud Foundry) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, a user can execute an XSS attack on certain Single Sign-On service UI pages by inputting code in the text field for an organization name.
CVE-2021-28833 | Vendors: 1 (Increments) | Products: 1 (Qiita::Markdown) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
Increments Qiita::Markdown before 0.34.0 allows XSS via a crafted gist link, a different vulnerability than CVE-2021-28796.
CVE-2021-24320 | Vendors: 1 (Bold-themes) | Products: 1 (Bello) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameters in its listing page, leading to reflected Cross-Site Scripting issues.
CVE-2021-24319 | Vendors: 1 (Bold-themes) | Products: 1 (Bello) | Updated: 2021-08-12 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise its post_excerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue.
CVE-2017-10837 | Vendors: 1 (Backup-guard) | Products: 1 (Backup Guard) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
Cross-site scripting vulnerability in BackupGuard prior to version 1.1.47 allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
CVE-2021-38151 | Vendors: 1 (Chikitsa) | Products: 1 (Patient Management System) | Updated: 2021-08-12 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
index.php/appointment/todos in Chikitsa Patient Management System 2.0.0 allows XSS.
CVE-2021-20116 | Vendors: 1 (Tecnick) | Products: 1 (Tcexam) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. The paths provided in the f, d, and dir parameters in tce_select_mediafile.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf.
CVE-2021-20115 | Vendors: 1 (Tecnick) | Products: 1 (Tcexam) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.3. The paths provided in the f, d, and dir parameters in tce_filemanager.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf.
CVE-2021-36454 | Vendors: 1 (Naviwebs) | Products: 1 (Navigate Cms) | Updated: 2021-08-12 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons.php, 6) feeds\feeds.php, 7) functions\functions.php, 8) items\items.php, 9) menus\menus.php, 10) orders\orders.php, 11) payment_methods\payment_methods.php, 12) products\products.php, 13) profiles\profiles.php, 14) shipping_methods\shipping_methods.php, 15) templates\templates.php, 16) users\users.php, 17) webdictionary\webdictionary.php, 18) websites\websites.php, and 19) webusers\webusers.php because the initial_url function is built in these files.
CVE-2021-37552 | Vendors: 1 (Jetbrains) | Products: 1 (Youtrack) | Updated: 2021-08-12 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
In JetBrains YouTrack before 2021.2.17925, stored XSS was possible.
CVE-2021-37542 | Vendors: 1 (Jetbrains) | Products: 1 (Teamcity) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
In JetBrains TeamCity before 2020.2.3, XSS was possible.
CVE-2021-37859 | Vendors: 1 (Mattermost) | Products: 1 (Mattermost) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost.
CVE-2020-21357 | Vendors: 1 (Popojicms) | Products: 1 (Popojicms) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
A stored cross site scripting (XSS) vulnerability in /admin.php?mod=user&act=addnew of PopojiCMS 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the E-Mail field.
CVE-2021-32818 | Vendors: 1 (Haml-coffee Project) | Products: 1 (Haml-coffee) | Updated: 2021-08-12 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user-controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally, control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs, which may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details refer to the referenced GHSL-2021-025.
CVE-2018-18886 | Vendors: 1 (Helpy.io) | Products: 1 (Helpy) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
Helpy v2.1.0 has Stored XSS via the Ticket title.
CVE-2020-22330 | Vendors: 1 (Intelliants) | Products: 1 (Subrion) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
Cross-Site Scripting (XSS) vulnerability in Subrion 4.2.1 via the title when adding a page.
CVE-2021-32812 | Vendors: 1 (Tekmonks) | Products: 1 (Monkshu) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
Monkshu is an enterprise application server for mobile apps (iOS and Android), responsive HTML 5 apps, and JSON API services. In version 2.90 and earlier, there is a reflected cross-site scripting vulnerability in the frontend HTTP server. The attacker can send in a carefully crafted URL along with a known bug in the server which will cause a 500 error, and the response will then embed the URL provided by the hacker. The impact is moderate as the hacker must also be able to craft an HTTP request which causes a 500 server error. No such requests are known at this point. The issue is patched in version 2.95. As a workaround, one may use a disk caching plugin.
CVE-2018-13039 | Vendors: 1 (Opendesa) | Products: 1 (Opensid) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
OpenSID 18.06-pasca has reflected Cross Site Scripting (XSS) via the cari parameter, aka an index.php/first?cari= URI.
CVE-2021-32793 | Vendors: 1 (Pi-hole) | Products: 1 (Pi-hole) | Updated: 2021-08-12 | CVSS v2: 3.5 LOW | CVSS v3: 4.8 MEDIUM
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability. User input added as a wildcard domain to a blocklist or allowlist is unfiltered in the web interface. Since the payload is stored permanently as a wildcard domain, this is a persistent XSS vulnerability. A remote attacker can therefore attack administrative user accounts through client-side attacks. Pi-hole Web Interface version 5.5.1 contains a patch for this vulnerability.
CVE-2021-21738 | Vendors: 1 (Zte) | Products: 2 (Zxiptv, Zxiptv Firmware) | Updated: 2021-08-12 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
ZTE's big video business platform has two reflected cross-site scripting (XSS) vulnerabilities. Due to insufficient input verification, the attacker could implement XSS attacks by tampering with the parameters, to affect the operations of valid users. This affects: <ZXIPTV><ZXIPTV-EAS_PV5.06.04.09>