| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-39319 | Duogeek | Duofaq-responsive-flat-simple-faq | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The duoFAQ - Responsive, Flat, Simple FAQ WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/duogeek/duogeek-panel.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.8. |
| CVE-2021-39318 | H5p-css-editor Project | H5p-css-editor | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The H5P CSS Editor WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the h5p-css-file parameter found in the ~/h5p-css-editor.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. |
| CVE-2021-24954 | Profilepress | User Registration, Login Form, User Profile & Membership | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-41547 | Siemens | Teamcenter Active Workspace | 2021-12-16 | 6.5 MEDIUM | 7.2 HIGH | A vulnerability has been identified in Teamcenter Active Workspace V4.3 (All versions < V4.3.11), Teamcenter Active Workspace V5.0 (All versions < V5.0.10), Teamcenter Active Workspace V5.1 (All versions < V5.1.6), Teamcenter Active Workspace V5.2 (All versions < V5.2.3). The application contains an unsafe unzipping pattern that could lead to a zip path traversal attack. This could allow an attacker to execute a remote shell with admin rights. |
| CVE-2021-39313 | Duogeek | Simple Image Gallery | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The Simple Image Gallery WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/simple-image-gallery.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6. |
| CVE-2021-39311 | Link-list-manager Project | Link-list-manager | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The link-list-manager WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the category parameter found in the ~/llm.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. |
| CVE-2021-24951 | Thimpress | Learnpress | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL | The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating a course/lesson/quiz/question, leading to SQL Injection issues. |
| CVE-2021-3831 | Gnuboard | Gnuboard5 | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | gnuboard5 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2020-19042 | Zzcms | Zzcms | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 via a modify action in user/adv.php. |
| CVE-2021-43823 | Sourcegraph | Sourcegraph | 2021-12-16 | 4.0 MEDIUM | 6.5 MEDIUM | Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects the Saved Searches and Code Monitoring features. A successful attack would require an authenticated bad actor to create many Saved Searches or Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in version 3.33.2 and any future versions of Sourcegraph. We strongly encourage upgrading to secure versions. If you are unable to, you may disable Saved Searches and Code Monitors. |
| CVE-2021-24795 | Phoeniixx | Filter Portfolio Gallery | 2021-12-16 | 4.3 MEDIUM | 6.5 MEDIUM | The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking a Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged-in admin delete an arbitrary Gallery. |
| CVE-2021-39315 | Magic-post-voice Project | Magic-post-voice | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The Magic Post Voice WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the ids parameter found in the ~/inc/admin/main.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. |
| CVE-2021-39314 | Wanderlust-webdesign | Woo-enviopack | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The WooCommerce EnvioPack WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the dataid parameter found in the ~/includes/functions.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2. |
| CVE-2021-24792 | Wpeden | Shiny Buttons | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation or CSRF check in place when saving a template (wpbtn_save_template function hooked to the init action), nor does it sanitise and escape the template before outputting it in the admin dashboard, which allows unauthenticated users to add a malicious template, leading to Stored Cross-Site Scripting issues. |
| CVE-2021-39310 | Windyroad | Real Wysiwyg | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The Real WYSIWYG WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of PHP_SELF in the ~/real-wysiwyg.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2. |
| CVE-2021-38361 | Htaccess-redirect Project | Htaccess-redirect | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The .htaccess Redirect WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the link parameter found in the ~/htaccess-redirect.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 0.3.1. |
| CVE-2021-39309 | Dpsoft | Parsian Bank Gateway For Woocommerce | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The Parsian Bank Gateway for Woocommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via any parameter, due to a var_dump() on $_POST variables found in the ~/vendor/dpsoft/parsian-payment/sample/rollback-payment.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0. |
| CVE-2021-39308 | Woo-myghpay-payment-gateway Project | Woo-myghpay-payment-gateway | 2021-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | The WooCommerce myghpay Payment Gateway WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the clientref parameter found in the ~/processresponse.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 3.0. |
| CVE-2021-39930 | Gitlab | Gitlab | 2021-12-15 | 4.0 MEDIUM | 4.3 MEDIUM | Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates. |
| CVE-2021-39919 | Gitlab | Gitlab | 2021-12-15 | 2.1 LOW | 4.4 MEDIUM | In all versions of GitLab CE/EE starting from version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged, which may lead to information disclosure. |
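The "unsafe unzipping pattern" named in the CVE-2021-41547 entry is the zip path traversal class: an extractor joins each attacker-controlled entry name onto the destination directory without checking where the joined path resolves, so an entry such as `../../etc/cron.d/job` lands outside the target tree. The following is an added example written for this page, not Siemens' code; the archive it builds is constructed inline, and the function and file names are illustrative. It shows the check an extractor needs: resolve the candidate path and require that it still sits under the destination, rejecting absolute paths, drive-letter prefixes and backslash-separated traversals as well.

```python
"""Zip path traversal ("zip slip") check.

Added example; the archive is constructed here and has nothing to do with
Siemens' code. An extractor that joins each entry name onto the destination
directory without checking where the joined path resolves lets an entry such
as "../../etc/cron.d/job" write outside the target tree.
"""
import io
import os
import tempfile
import zipfile


def is_within_directory(base: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, is base or inside it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract an archive, writing only entries that resolve under dest.

    Returns (extracted, rejected) entry names in archive order.
    """
    extracted, rejected = [], []
    dest = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Treat backslashes as separators too: "..\\x" is a traversal on
            # Windows even though POSIX would store it as a literal file name.
            posix_name = name.replace("\\", "/")
            first_component = posix_name.split("/", 1)[0]
            # Absolute paths and drive-letter prefixes never belong in an archive.
            if posix_name.startswith("/") or ":" in first_component:
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(dest, posix_name))
            if not is_within_directory(dest, target):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                # Entry data is written as a regular file, so symlink entries
                # stored in the archive are not recreated as links.
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_demo_archive() -> bytes:
    """Constructed archive mixing benign entries with traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ok/readme.txt", b"harmless\n")
        zf.writestr("ok/../also_ok.txt", b"resolves inside dest\n")
        zf.writestr("../../outside.txt", b"escapes dest\n")
        zf.writestr("/abs/path.txt", b"absolute path\n")
        zf.writestr("..\\win\\evil.txt", b"backslash traversal\n")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the demo archive into a temporary directory and report the split."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_demo_archive(), tmp)


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
```

The check is done on the resolved path rather than by scanning the entry name for `..`, so an entry like `ok/../also_ok.txt`, which stays inside the destination, is still accepted, while anything whose resolved location leaves the destination is refused regardless of how the escape is spelled.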

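The CVE-2021-43823 entry describes a side channel in which a feature answers only "does this string occur in code you cannot read?", and notes that this is enough to guess formatted tokens such as API keys. The following added example models that attack in Python; it is not Sourcegraph's code, the "private source code" corpus and the `sk_live_` token format are constructed here, and the oracle class stands in for whatever feature confirms existence (the entry names Saved Searches and Code Monitors). It shows why such an oracle is dangerous: each character position costs at most one query per alphabet symbol, so recovering a token is linear in its length rather than exponential, and branching handles the case where several tokens share the known prefix.

```python
"""Existence-oracle string recovery.

Added example; the "private source code" and the token format are
constructed here and are not Sourcegraph's code or data. A feature that only
confirms whether a given string occurs somewhere in code the caller may not
read is enough to recover formatted secrets one character at a time.
"""
import string


class ExistenceOracle:
    """Answers "does this exact substring occur in the corpus?" and nothing more."""

    def __init__(self, corpus: str):
        self._corpus = corpus
        self.queries = 0  # cost counter: one saved search / monitor per call

    def exists(self, needle: str) -> bool:
        self.queries += 1
        return needle in self._corpus


def recover_tokens(oracle: ExistenceOracle, prefix: str,
                   alphabet: str, length: int) -> list[str]:
    """Depth-first extension of a known prefix until each branch reaches `length`.

    Every position costs at most len(alphabet) queries, so the total is
    linear in the token length instead of len(alphabet) ** length blind
    guesses. Branching (more than one character matching at a position) is
    followed, so several tokens sharing the prefix are all recovered.
    """
    found: list[str] = []

    def extend(guess: str) -> None:
        if len(guess) == length:
            found.append(guess)
            return
        for ch in alphabet:
            if oracle.exists(guess + ch):
                extend(guess + ch)

    extend(prefix)
    return sorted(found)


# Constructed stand-in for a private repository the attacker cannot read.
PRIVATE_CODE = '''
STRIPE_KEY = "sk_live_9Qm3xT7vZ2"
BACKUP_KEY = "sk_live_Kp4w2Rn8Hc"

def charge(amount):
    return stripe.Charge.create(amount=amount, api_key=STRIPE_KEY)
'''

TOKEN_PREFIX = "sk_live_"          # assumed public key-format prefix
TOKEN_LENGTH = len(TOKEN_PREFIX) + 10
ALPHABET = string.ascii_letters + string.digits


def demo() -> tuple[list[str], int]:
    """Recover every token with the known prefix and report the query count."""
    oracle = ExistenceOracle(PRIVATE_CODE)
    tokens = recover_tokens(oracle, TOKEN_PREFIX, ALPHABET, TOKEN_LENGTH)
    return tokens, oracle.queries


if __name__ == "__main__":
    tokens, cost = demo()
    print(tokens)
    print(f"{cost} oracle queries instead of {len(ALPHABET) ** 10} blind guesses")
```

With a 62-symbol alphabet and ten unknown characters, the two constructed keys come back after 1178 queries (62 at the shared prefix, then 62 per remaining position on each of the two branches), which is why the advisory's mitigation is to remove the oracle (upgrade, or disable the features) rather than to rate-limit it.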