Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-26680 | 1 Vfairs | 1 Vfairs | 2021-06-01 | 3.5 LOW | 5.4 MEDIUM |
In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other user's profile information to include a cross-site scripting payload. The user data stored by the database includes HTML tags that are intentionally rendered out onto the page, and this can be abused to perform XSS attacks. | |||||
CVE-2021-21660 | 1 Jenkins | 1 Markdown Formatter | 2021-06-01 | 3.5 LOW | 5.4 MEDIUM |
Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter. | |||||
CVE-2020-18221 | 1 Typora | 1 Typora | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross Site Scripting (XSS) in Typora v0.9.65 and earlier allows remote attackers to execute arbitrary code by injecting commands during block rendering of a mathematical formula. | |||||
CVE-2021-24301 | 1 Bluemedicinelabs | 1 Hotjar Connecticator | 2021-05-28 | 3.5 LOW | 5.4 MEDIUM |
The Hotjar Connecticator WordPress plugin through 1.1.1 is vulnerable to Stored Cross-Site Scripting (XSS) in the 'hotjar script' textarea. The request did include a CSRF nonce that was properly verified by the server, and this vulnerability could only be exploited by administrator users. | |||||
CVE-2021-24305 | 1 Targetfirst | 1 Watcheezy | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The Target First WordPress Plugin v2.0, also previously known as Watcheezy, suffers from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a POST on any URL with the 'weeWzKey' parameter, which will be saved as the 'weeID' option and is not sanitized. | |||||
CVE-2021-24302 | 1 Neox | 1 Hana Flv Player | 2021-05-28 | 3.5 LOW | 5.4 MEDIUM |
The Hana Flv Player WordPress plugin through 3.1.3 is vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the 'Default Skin' field. | |||||
CVE-2021-24332 | 1 Autoptimize | 1 Autoptimize | 2021-05-28 | 3.5 LOW | 4.8 MEDIUM |
The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues. | |||||
CVE-2020-28903 | 1 Nagios | 1 Fusion | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS. | |||||
CVE-2021-24300 | 1 Pickplugins | 1 Product Slider For Woocommerce | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitise the keyword GET parameter, leading to a reflected Cross-Site Scripting issue. | |||||
CVE-2021-24298 | 1 Ibenic | 1 Simple Giveaways | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS. | |||||
CVE-2021-24297 | 1 Boostifythemes | 1 Goto | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability. | |||||
CVE-2021-24296 | 1 Gowebsolutions | 1 Wp Customer Reviews | 2021-05-28 | 3.5 LOW | 4.8 MEDIUM |
The WP Customer Reviews WordPress plugin before 3.5.6 did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them, which will then be triggered in pages where reviews are enabled. | |||||
CVE-2021-24294 | 1 Mlfactory | 1 Dsgvo All In One For Wp | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some of the submitted POST parameters before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be triggered when an administrator views the logs. | |||||
CVE-2021-27676 | 1 Centreon | 1 Centreon | 2021-05-28 | 3.5 LOW | 5.4 MEDIUM |
Centreon version 20.10.2 is affected by a cross-site scripting (XSS) vulnerability. The dep_description (Dependency Description) and dep_name (Dependency Name) parameters are vulnerable to stored XSS. A user has to log in and go to the Configuration > Notifications > Hosts page. | |||||
CVE-2020-18229 | 1 Phpmywind | 1 Phpmywind | 2021-05-28 | 3.5 LOW | 4.8 MEDIUM |
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component "/admin/web_config.php". | |||||
CVE-2020-18230 | 1 Phpmywind | 1 Phpmywind | 2021-05-28 | 3.5 LOW | 4.8 MEDIUM |
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_switchshow" of component "/admin/web_config.php". | |||||
CVE-2021-26032 | 1 Joomla | 1 Joomla! | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors. | |||||
CVE-2021-25938 | 1 Arangodb | 1 Arangodb | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since the .zip file name is not validated and potentially abusive characters that a zip file may be named with are not filtered. There is no X-Frame-Options header set, which makes it more susceptible to attackers leveraging self-XSS. | |||||
CVE-2021-27465 | 1 Emerson | 8 X-stream Enhanced Xefd, X-stream Enhanced Xefd Firmware, X-stream Enhanced Xegk and 5 more | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected applications do not validate webpage input, which could allow an attacker to inject arbitrary HTML code into a webpage. This would allow an attacker to modify the page and display incorrect or undesirable data. | |||||
CVE-2021-20723 | 1 Mailform01 Project | 1 Mailform01 | 2021-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Reflected cross-site scripting vulnerability in [MailForm01] free edition (versions whose last-updated date, listed at the top of the descriptions in the program file, is between 2014 December 12 and 2018 July 27) allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||