Total
21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-22790 | 1 Safe | 1 Fme Server | 2021-06-17 | 3.5 LOW | 5.4 MEDIUM |
Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute code by injecting arbitrary web script or HTML via modifying the name of the users. The XSS is executed when an administrator accesses the logs. | |||||
CVE-2021-23854 | 1 Bosch | 8 Cpp13, Cpp13 Firmware, Cpp6 and 5 more | 2021-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
An error in the handling of a page parameter in Bosch IP cameras may lead to a reflected cross site scripting (XSS) in the web-based interface. This issue only affects versions 7.7x and 7.6x. All other versions are not affected. | |||||
CVE-2021-32671 | 1 Flarum | 1 Flarum | 2021-06-17 | 4.3 MEDIUM | 10.0 CRITICAL |
Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made after v0.1.0-beta.16 (our last beta before v1.0.0) and was not noticed or documented. This allowed for any user to type malicious HTML markup within certain user input fields and have this execute on client browsers. The example which led to the discovery of this vulnerability was in the forum search box. Entering faux-malicious HTML markup, such as `<script>alert('test')</script>` resulted in an alert box appearing on the forum. This attack could also be modified to perform AJAX requests on behalf of a user, possibly deleting discussions, modifying their settings or profile, or even modifying settings on the Admin panel if the attack was targeted towards a privileged user. All Flarum communities that run flarum v1.0.0 or v1.0.1 are impacted. The vulnerability has been fixed and published as flarum/core v1.0.2. All communities running Flarum v1.0 have to upgrade as soon as possible to v1.0.2. | |||||
CVE-2021-32091 | 1 Localstack | 1 Localstack | 2021-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
A Cross-site scripting (XSS) vulnerability exists in StackLift LocalStack 0.12.6. | |||||
CVE-2020-24662 | 1 Smartstream | 1 Transaction Lifecycle Management Reconciliations-premium | 2021-06-16 | 3.5 LOW | 5.4 MEDIUM |
SmartStream Transaction Lifecycle Management (TLM) Reconciliation Premium (RP) <3.1.0 allows XSS. This was fixed in TLM RP 3.1.0. | |||||
CVE-2021-32641 | 1 Auth0 | 1 Lock | 2021-06-16 | 4.3 MEDIUM | 6.1 MEDIUM |
auth0-lock is Auth0's signin solution. Versions of auth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1. | |||||
CVE-2016-6812 | 1 Apache | 1 Cxf | 2021-06-16 | 4.3 MEDIUM | 6.1 MEDIUM |
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client. | |||||
CVE-2021-29049 | 1 Liferay | 1 Dxp | 2021-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter. | |||||
CVE-2021-33665 | 1 Sap | 1 Netweaver Application Server Abap | 2021-06-15 | 3.5 LOW | 5.4 MEDIUM |
SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
CVE-2021-33664 | 1 Sap | 1 Netweaver Application Server Abap | 2021-06-15 | 3.5 LOW | 5.4 MEDIUM |
SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
CVE-2021-27615 | 1 Sap | 1 Manufacturing Execution | 2021-06-15 | 3.5 LOW | 5.4 MEDIUM |
SAP Manufacturing Execution versions - 15.1, 1.5.2, 15.3, 15.4, does not contain some HTTP security headers in their HTTP response. The lack of these headers in response can be exploited by the attacker to execute Cross-Site Scripting (XSS) attacks. | |||||
CVE-2021-21666 | 1 Jenkins | 1 Kiuwan | 2021-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
CVE-2021-3529 | 1 Redhat | 2 Noobaa-operator, Openshift Container Platform | 2021-06-15 | 6.8 MEDIUM | 7.1 HIGH |
A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrary URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity. | |||||
CVE-2020-26517 | 1 Intland | 1 Codebeamer Application Lifecycle Management | 2021-06-15 | 3.5 LOW | 4.8 MEDIUM |
A cross-site scripting (XSS) issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. It is possible to perform XSS attacks through using the WebDAV functionality to upload files to a project (Authn users), using the users import functionality (Admin only), and changing the login text in the application configuration (Admin only). | |||||
CVE-2019-17632 | 1 Eclipse | 1 Jetty | 2021-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output. | |||||
CVE-2018-14041 | 1 Getbootstrap | 1 Bootstrap | 2021-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. | |||||
CVE-2021-32670 | 1 Datasette | 1 Datasette | 2021-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can work around this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters. | |||||
CVE-2021-28382 | 1 Zohocorp | 1 Manageengine Key Manager Plus | 2021-06-14 | 3.5 LOW | 5.4 MEDIUM |
Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD. | |||||
CVE-2021-24344 | 1 Easy Preloader Project | 1 Easy Preloader | 2021-06-14 | 3.5 LOW | 4.8 MEDIUM |
The Easy Preloader WordPress plugin through 1.0.0 does not sanitise its setting fields, leading to authenticated (admin+) Stored Cross-Site Scripting issues. | |||||
CVE-2020-26885 | 1 2sic | 1 2sxc | 2021-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in 2sic 2sxc before 11.22. An XSS vulnerability in the sxcver parameter of dnn/ui.html allows an attacker to craft a malicious URL that executes a JavaScript payload in a victim's browser. |