Total: 21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-10075 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 5.8 MEDIUM | 6.1 MEDIUM | GitLab 12.5 through 12.8.1 allows HTML Injection. A particular error header was potentially susceptible to injection or potentially other vulnerabilities via unescaped input. |
| CVE-2020-12404 | 1 Mozilla | 1 Firefox | 2021-07-21 | 4.3 MEDIUM | 4.3 MEDIUM | For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS < 26. |
| CVE-2020-15400 | 1 Cakefoundation | 1 Cakephp | 2021-07-21 | 4.3 MEDIUM | 4.3 MEDIUM | CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS. |
| CVE-2020-15516 | 1 Mm Forum Project | 1 Mm Forum | 2021-07-21 | 5.8 MEDIUM | 5.4 MEDIUM | The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF. |
| CVE-2020-12817 | 1 Fortinet | 2 Fortianalyzer, Fortitester | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH | An improper neutralization of input vulnerability in FortiAnalyzer before 6.4.1 and 6.2.5 may allow a remote authenticated attacker to inject script-related HTML tags via the Name parameter of Storage Connectors. |
| CVE-2019-16385 | 1 Cybelesoft | 1 Thinfinity Virtualui | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application request to view a PDF, containing the malicious payload. This results in a reflected XSS payload being executed. |
| CVE-2019-16268 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2021-07-21 | 3.5 LOW | 4.8 MEDIUM | Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen. |
| CVE-2020-15943 | 1 Gantt-chart Project | 1 Gantt-chart | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH | An issue was discovered in the Gantt-Chart module before 5.5.4 for Jira. Due to a missing privilege check, it is possible to read and write to the module configuration of other users. This can also be used to deliver an XSS payload to other users' dashboards. To exploit this vulnerability, an attacker has to be authenticated. |
| CVE-2020-15951 | 1 Immuta | 1 Immuta | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM | Immuta v2.8.2 accepts user-supplied project names without properly sanitizing the input, allowing attackers to inject arbitrary HTML content that is rendered as part of the application. An attacker could leverage this to redirect application users to a phishing website in an attempt to steal credentials. |
| CVE-2017-14735 | 1 Antisamy Project | 1 Antisamy | 2021-07-20 | 4.3 MEDIUM | 6.1 MEDIUM | OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of `&colon;` to construct a javascript: URL. |
| CVE-2021-33710 | 1 Siemens | 1 Teamcenter Active Workspace | 2021-07-20 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability has been identified in Teamcenter Active Workspace V4 (All versions < V4.3.9), Teamcenter Active Workspace V5.0 (All versions < V5.0.7), Teamcenter Active Workspace V5.1 (All versions < V5.1.4). A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the affected devices that could allow an attacker to execute malicious JavaScript code by tricking users into accessing a malicious link. |
| CVE-2020-18664 | 1 Webport | 1 Web Port | 2021-07-20 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in WebPort <=1.19.1 via the connection name parameter in type-conn. |
| CVE-2020-18145 | 1 Baidu | 1 Umeditor | 2021-07-16 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in umeditor v1.2.3 via /public/common/umeditor/php/getcontent.php. |
| CVE-2020-29146 | 1 Wayang-cms Project | 1 Wayang-cms | 2021-07-16 | 4.3 MEDIUM | 6.1 MEDIUM | A cross site scripting (XSS) vulnerability in index.php of Wayang-CMS v1.0 allows attackers to execute arbitrary web scripts or HTML via a constructed payload created by adding the X-Forwarded-For field to the header. |
| CVE-2021-33682 | 1 Sap | 1 Lumira Server | 2021-07-16 | 3.5 LOW | 5.4 MEDIUM | SAP Lumira Server version 2.4 does not sufficiently encode user controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with basic level privileges to store a malicious script on SAP Lumira Server. The execution of the script content, by a victim registered on SAP Lumira Server, could compromise the confidentiality and integrity of SAP Lumira content. |
| CVE-2021-33212 | 1 Element-it | 1 Http Commander | 2021-07-16 | 3.5 LOW | 5.4 MEDIUM | A Cross-site scripting (XSS) vulnerability in the "View in Browser" feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted SVG image. |
| CVE-2018-19146 | 1 Concretecms | 1 Concrete Cms | 2021-07-15 | 3.5 LOW | 4.8 MEDIUM | Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by administrators) of SVG files that may contain HTML data with a SCRIPT element. |
| CVE-2017-7725 | 1 Concretecms | 1 Concrete Cms | 2021-07-15 | 4.3 MEDIUM | 6.1 MEDIUM | concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any domain name in the Host header; this is stored and allows for arbitrary domains to be set for certain links displayed to subsequent visitors, potentially an XSS vector. |
| CVE-2015-4721 | 1 Concretecms | 1 Concrete Cms | 2021-07-15 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1. |
| CVE-2014-9526 | 2 Concrete5, Concretecms | 2 Concrete5, Concrete Cms | 2021-07-15 | 4.3 MEDIUM | N/A | Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gName parameter in single_pages/dashboard/users/groups/bulkupdate.php or (2) instance_id parameter in tools/dashboard/sitemap_drag_request.php. |