Total: 21765 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2021-21358 | Typo3 | Typo3 | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14 and 11.1.1, the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. Fixed in versions 10.4.14 and 11.1.1. |
CVE-2021-21370 | Typo3 | Typo3 | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14 and 11.1.1, content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items are previewed in the page module. A valid backend user account is needed to exploit this vulnerability. Fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14 and 11.1.1. |
CVE-2021-22185 | Gitlab | Gitlab | 2021-03-26 | 3.5 LOW | 5.4 MEDIUM | Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially crafted commit to a wiki. |
CVE-2020-17457 | Fujitsu | Serverview Remote Management | 2021-03-25 | 3.5 LOW | 5.4 MEDIUM | Fujitsu ServerView Suite iRMC before 9.62F allows XSS. An authenticated attacker can store an XSS payload in the PSCU_FILE_INIT field of a Save Configuration XML document. The payload is triggered in the HTTP error response pages. |
CVE-2021-3327 | Ovation | Dynamic Content | 2021-03-25 | 3.5 LOW | 5.4 MEDIUM | Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_title parameter. |
CVE-2021-27530 | Dynpg | Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the URI in /index.php. |
CVE-2021-27529 | Dynpg | Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "limit" parameter. |
CVE-2021-27527 | Dynpg | Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "valueID" parameter. |
CVE-2021-27531 | Dynpg | Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "query" parameter. |
CVE-2021-27528 | Dynpg | Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "refID" parameter. |
CVE-2021-27526 | Dynpg | Dynpg | 2021-03-25 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "page" parameter. |
CVE-2020-24408 | Magento | Magento | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM | Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. Exploitation requires a victim to browse to the uploaded file. |
CVE-2020-27224 | Eclipse | Theia | 2021-03-25 | 9.3 HIGH | 9.6 CRITICAL | In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview) can be exploited to execute arbitrary code. |
CVE-2012-6708 | Jquery | Jquery | 2021-03-25 | 4.3 MEDIUM | 6.1 MEDIUM | jQuery before 1.9.0 is vulnerable to cross-site scripting (XSS). The jQuery(strInput) function does not reliably distinguish selectors from HTML. Vulnerable versions decided that the input was HTML if a '<' character appeared anywhere in the string, giving attackers more flexibility when constructing a malicious payload. Fixed versions deem the input to be HTML only if it explicitly starts with the '<' character, limiting exploitability to attackers who control the beginning of a string, which is far less common. |
CVE-2021-28160 | Acexy Wireless-n Wifi Repeater Project | Acexy Wireless-n Wifi Repeater, Acexy Wireless-n Wifi Repeater Firmware | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM | Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) suffers from a reflected XSS vulnerability due to an unsanitized SSID value when the latter is displayed in the /repeater.html page ("Repeater Wizard" homepage section). |
CVE-2021-28109 | Compassplus | Tranzware Fimi | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM | TranzWare (POI) FIMI before 4.2.20.4.2 has a reflected cross-site scripting (XSS) vulnerability in login_tw.php. |
CVE-2021-24128 | Wpdarko | Team Members | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM | Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to cross-site scripting vulnerabilities allowing a medium-privileged authenticated attacker (Contributor or higher) to inject arbitrary web script or HTML via the 'Description/biography' of a member. |
CVE-2021-27436 | Advantech | Webaccess/scada | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM | WebAccess/SCADA versions 9.0 and prior are vulnerable to cross-site scripting, which may allow an attacker to send malicious JavaScript code to an unsuspecting user. This could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious web page, and performing unintended browser actions. |
CVE-2021-28126 | Compassplus | Tranzware E-commerce Payment Gateway | 2021-03-24 | 4.3 MEDIUM | 6.1 MEDIUM | index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 has a stored cross-site scripting (XSS) vulnerability. |
CVE-2021-24127 | Caseproof | Thirstyaffiliates Affiliate Link Manager | 2021-03-24 | 3.5 LOW | 5.4 MEDIUM | Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, make it vulnerable to authenticated stored cross-site scripting (XSS), which could lead to privilege escalation. |
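The jQuery entry above (CVE-2012-6708) describes a change in how `jQuery(strInput)` decides whether a string is HTML or a selector. The following JavaScript is an added example, not jQuery's own code and not part of this listing: it models both versions of the check side by side and shows how a selector built by concatenating untrusted text is treated under each. The two regular expressions are reconstructed from the `rquickExpr` patterns in the jQuery 1.8.3 and 1.9.1 core sources and should be treated as an assumption; the `[data-id=...]` selector, the untrusted fragment and the `safeAttrSelector` helper are constructed for illustration.

```javascript
// Added example modelling the jQuery(strInput) HTML-vs-selector heuristic
// before and after jQuery 1.9.0. Not jQuery's code. The two regexes are
// reconstructed from memory of jQuery 1.8.3 / 1.9.1 (rquickExpr) and are an
// assumption; the classification below is a simplified model of the real code.

// Pre-1.9: a string is HTML if a "<...>" run appears anywhere after a prefix
// that contains neither '#' nor '<'. The '#' exclusion is the earlier #id
// priority fix, so "#<img ...>" already fell through to the selector path.
const LEGACY_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// 1.9+: a string is HTML only if it starts with '<'.
const STRICT_QUICK_EXPR = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Returns 'html' (would be handed to the HTML parser and create elements,
// firing inline handlers such as onerror), 'id' (getElementById fast path)
// or 'selector' (handed to the selector engine, which cannot create nodes).
function classify(input, strict) {
  const re = strict ? STRICT_QUICK_EXPR : LEGACY_QUICK_EXPR;
  const m = re.exec(input);
  if (m && m[1]) return 'html';
  if (m && m[2] !== undefined) return 'id';
  return 'selector';
}

// Constructed sample: an application splices a URL parameter into an
// attribute selector, e.g. $('[data-id=' + param + ']'). The attacker closes
// the selector and appends markup; note the payload does NOT start with '<'.
const untrusted = 'x]<img src=x onerror=alert(1)>';
const selector = '[data-id=' + untrusted + ']';

function classifyAttackSelector() {
  return {
    legacy: classify(selector, false), // 'html'     -> element created, onerror fires
    strict: classify(selector, true),  // 'selector' -> selector engine, no markup parsed
  };
}

// Hardened construction (hypothetical helper): never let untrusted text reach
// the heuristic at all. Allow-list the value and quote it inside the selector,
// so the result can only ever be a selector whatever the input contains.
function safeAttrSelector(attr, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(value)) {
    throw new Error('refusing to build selector from value: ' + value);
  }
  return '[' + attr + '="' + value + '"]';
}

// Stand-alone demonstration.
console.log('attack selector:', classifyAttackSelector());
console.log('safe selector:  ', classify(safeAttrSelector('data-id', 'x'), false));
```

Under the legacy regex the whole spliced string is parsed as HTML, so the `<img>` is created and its `onerror` handler runs even though the element is never inserted into the document. Under the strict regex the same string falls through to the selector engine, which cannot create nodes. The safer fix, independent of jQuery version, is the allow-list in `safeAttrSelector`: untrusted text should never decide which code path `jQuery()` takes, and HTML parsing should be requested explicitly (for example via `jQuery.parseHTML`) rather than inferred from the string.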