Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-22157 | 1 Proofpoint | 1 Insider Threat Management | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.11.1 allows stored XSS. | |||||
| CVE-2013-5968 | 2 Broadcom, Ca | 2 Siteminder, Web Agents | 2021-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in CA SiteMinder 12.0 through 12.51, and SiteMinder 6 Web Agents, allows remote attackers to inject arbitrary web script or HTML via vectors involving a " (double quote) character. | |||||
| CVE-2015-2827 | 1 Broadcom | 1 Spectrum | 2021-04-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in CA Spectrum 9.2.x and 9.3.x before 9.3 H02 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-8247 | 1 Broadcom | 1 Release Automation | 2021-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in CA Release Automation (formerly iTKO LISA Release Automation) before 4.7.1 b448 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-8699 | 1 Broadcom | 1 Release Automation | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in CA Release Automation (formerly LISA Release Automation) 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and 6.1.0 before 6.1.0-1026 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-13825 | 2 Broadcom, Ca | 2 Project Portfolio Management, Project Portfolio Management | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient input validation in the gridExcelExport functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to execute reflected cross-site scripting attacks. | |||||
| CVE-2021-24208 | 1 Themeum | 1 Wp Page Builder | 2021-04-12 | 3.5 LOW | 5.4 MEDIUM |
| The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action. It is also possible to insert malicious JavaScript via the “wppb_page_css” parameter (this can be done by closing out the style tag and opening a script tag) when performing the “wppb_page_save” AJAX action. | |||||
| CVE-2017-6958 | 1 Mantisbt | 1 Source Integration | 2021-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability in the MantisBT Source Integration Plugin (before 2.0.2) search result page allows an attacker to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by crafting any valid parameter. | |||||
| CVE-2021-24211 | 1 Wphive | 1 Wordpress Related Posts | 2021-04-12 | 3.5 LOW | 5.4 MEDIUM |
| The WordPress Related Posts plugin through 3.6.4 contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. By exploiting that an attacker will be able to execute JavaScript code in the user's browser. | |||||
| CVE-2021-29996 | 1 Marktext | 1 Marktext | 2021-04-12 | 6.8 MEDIUM | 9.6 CRITICAL |
| Mark Text through 0.16.3 allows attackers arbitrary command execution. This could lead to Remote Code Execution (RCE) by opening .md files containing a mutation Cross Site Scripting (XSS) payload. | |||||
| CVE-2021-24153 | 1 Yoast | 1 Yoast Seo | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis as well as several functions such as alert but bypasses were found. | |||||
| CVE-2013-2630 | 1 Broadcom | 1 Service Desk Manager | 2021-04-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in CA Service Desk Manager 12.5 through 12.7 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |||||
| CVE-2008-4119 | 2 Broadcom, Ca | 2 Service Desk, Cmdb | 2021-04-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in CA Service Desk 11.2 and CMDB 11.0 through 11.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "multiple web forms." | |||||
| CVE-2021-24196 | 1 Cm-wp | 1 Social Slider Widget | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| The Social Slider Widget WordPress plugin before 1.8.5 allowed Authenticated Reflected XSS in the plugin settings page as the ‘token_error’ parameter can be controlled by users and it is directly echoed without being sanitized | |||||
| CVE-2021-24203 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request with this parameter set to ‘script’ and combined with a ‘text’ parameter containing JavaScript, which will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24204 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24201 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24202 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request with this parameter set to ‘script’ and combined with a ‘title’ parameter containing JavaScript, which will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24205 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_size’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. | |||||
| CVE-2021-24206 | 1 Elementor | 1 Website Builder | 2021-04-09 | 3.5 LOW | 5.4 MEDIUM |
| In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_size’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. | |||||