Total: 210374 CVEs in the database
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24402 | 1 Solvercircle | 1 Wp Icommerce | 2021-09-29 | 6.5 MEDIUM | 7.2 HIGH |
| The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. The feature is available to low-privilege users such as contributors. | |||||
| CVE-2021-24511 | 1 Dpl | 1 Product Feed On Woocommerce | 2021-09-29 | 6.5 MEDIUM | 7.2 HIGH |
| The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24530 | 1 Alojapro | 1 Alojapro Widget | 2021-09-29 | 3.5 LOW | 4.8 MEDIUM |
| The Alojapro Widget WordPress plugin through 1.1.15 doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24582 | 1 Thinktwit Project | 1 Thinktwit | 2021-09-29 | 3.5 LOW | 5.4 MEDIUM |
| The ThinkTwit WordPress plugin before 1.7.1 did not sanitise or escape its "Consumer key" setting before outputting it in its settings page, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-34650 | 1 Eideasy | 1 Eid Easy | 2021-09-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The eID Easy WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error parameter found in the ~/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.6. | |||||
| CVE-2021-39325 | 1 Optinmonster | 1 Optinmonster | 2021-09-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The OptinMonster WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input validation in the load_previews function found in the ~/OMAPI/Output.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.6.0. | |||||
| CVE-2020-19915 | 1 Wuzhicms | 1 Wuzhicms | 2021-09-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in WUZHI CMS 4.1.0 via the mailbox username in index.php. | |||||
| CVE-2021-24587 | 1 Zeesweb | 1 Splash Header | 2021-09-28 | 3.5 LOW | 5.4 MEDIUM |
| The Splash Header WordPress plugin before 1.20.8 doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24403 | 1 Wpagecontact Project | 1 Wpagecontact | 2021-09-28 | 6.5 MEDIUM | 7.2 HIGH |
| The Orders functionality in the WordPress Page Contact plugin through 1.0 has an `order_id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. The feature is available to low-privilege users such as contributors. | |||||
| CVE-2021-41392 | 1 Boostnote | 1 Boostnote | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL |
| static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API. | |||||
| CVE-2021-24397 | 1 Activemedia | 1 Microcopy | 2021-09-28 | 6.5 MEDIUM | 7.2 HIGH |
| The edit functionality in the MicroCopy WordPress plugin through 1.1.0 makes a GET request to fetch the related option. The `id` parameter used is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. | |||||
| CVE-2021-36873 | 1 Webence | 1 Iq Block Country | 2021-09-28 | 3.5 LOW | 5.4 MEDIUM |
| Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in the WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: `blockcountry_blockmessage`. | |||||
| CVE-2020-23481 | 1 Cmsmadesimple | 1 Cms Made Simple | 2021-09-28 | 3.5 LOW | 5.4 MEDIUM |
| CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field. | |||||
| CVE-2020-4803 | 1 Ibm | 1 Edge Application Manager | 2021-09-28 | 2.1 LOW | 3.3 LOW |
| IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189535. | |||||
| CVE-2020-4805 | 1 Ibm | 1 Edge Application Manager | 2021-09-28 | 2.1 LOW | 3.3 LOW |
| IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189539. | |||||
| CVE-2020-4809 | 1 Ibm | 1 Edge Application Manager | 2021-09-28 | 2.1 LOW | 3.3 LOW |
| IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189633. | |||||
| CVE-2021-24404 | 1 Wp-board Project | 1 Wp-board | 2021-09-28 | 6.5 MEDIUM | 8.8 HIGH |
| The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a `postid` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. This is a time-based SQL injection; the vulnerable parameter is used in two queries within the same function, so a payload that sleeps for 5 seconds delays the response by about 10 seconds because the injected query runs twice. | |||||
| CVE-2021-24399 | 1 Ombu | 1 The Sorter | 2021-09-28 | 6.5 MEDIUM | 7.2 HIGH |
| The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. | |||||
| CVE-2021-41380 | 1 Realvnc | 1 Vnc Viewer | 2021-09-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| ** DISPUTED ** RealVNC Viewer 6.21.406 allows remote VNC servers to cause a denial of service (application crash) via crafted RFB protocol data. NOTE: It is asserted that this issue requires social engineering a user into connecting to a fake VNC Server. The VNC Viewer application they are using will then hang, until terminated, but no memory leak occurs - the resources are freed once the hung process is terminated and the resource usage is constant during the hang. Only the process that is connected to the fake Server is affected. This is an application bug, not a security issue. | |||||
| CVE-2020-12082 | 1 Flexera | 1 Flexnet Code Insight | 2021-09-28 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting issue impacts certain areas of the Web UI for Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64). | |||||
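The SQL injection entries above (CVE-2021-24402, -24403, -24397, -24399, -24404 and -24511) all describe the same defect: a request parameter concatenated into a query that `$wpdb` then executes. The following is an added example, not code from any of the listed plugins, showing that pattern as a WordPress AJAX handler beside a hardened version. The hook name `wp_ajax_demo_fetch_order`, the nonce action `demo_fetch_order` and the table `{$wpdb->prefix}demo_orders` are assumptions made for illustration.

```php
<?php
// Added example (not any listed plugin's code): unsanitised parameter into $wpdb,
// vulnerable and hardened. Hook, nonce and table names are assumptions.

// --- Vulnerable: $_POST['order_id'] is concatenated straight into the SQL string. ---
function demo_fetch_order_vulnerable() {
    global $wpdb;
    $order_id = $_POST['order_id'];                       // attacker-controlled, unvalidated
    $sql      = "SELECT * FROM {$wpdb->prefix}demo_orders WHERE id = " . $order_id;

    // Executing the same tainted query twice is what produces the doubled delay
    // described for CVE-2021-24404: an injected SLEEP(5) costs about 10 seconds.
    $rows  = $wpdb->get_results( $sql );
    $count = $wpdb->get_var( "SELECT COUNT(*) FROM ({$sql}) AS t" );

    wp_send_json( array( 'rows' => $rows, 'count' => $count ) );
}
// Time-based blind probe for this handler, sent as the order_id POST field:
//   1 AND SLEEP(5)
// If the action is registered with wp_ajax_* for every logged-in role, a contributor
// account is enough to reach it, matching the privilege level noted in the advisories.

// --- Hardened: CSRF nonce, capability check, integer cast, prepare() placeholder. ---
function demo_fetch_order_hardened() {
    global $wpdb;

    check_ajax_referer( 'demo_fetch_order', 'nonce' );    // rejects forged requests
    if ( ! current_user_can( 'manage_options' ) ) {       // least privilege: admins only
        wp_send_json_error( 'forbidden', 403 );
    }

    // absint() turns anything that is not a positive integer into 0, which we reject.
    $order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
    if ( 0 === $order_id ) {
        wp_send_json_error( 'invalid order_id', 400 );
    }

    // %d is a numeric placeholder; $wpdb->prepare() never lets the value reach the
    // parser as SQL, so SLEEP(), UNION and quote tricks are inert.
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}demo_orders WHERE id = %d", $order_id )
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_demo_fetch_order', 'demo_fetch_order_hardened' );
```

The cast to an integer is the fix for the identifiers on this page; where a parameter is legitimately a string, the same `prepare()` call with `%s` is the correct form, and the capability check still matters because most of these advisories note that the endpoint was reachable by contributors.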

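The cross-site scripting entries above fall into two shapes: a setting saved without sanitisation and echoed without escaping on an admin page (CVE-2021-24530, -24582, -24587, -36873, including the Custom CSS case that bypasses `unfiltered_html`), and a request parameter reflected straight into the response (CVE-2021-34650, -39325). The following is an added example, not code from any plugin listed here, showing both shapes in one settings handler and a hardened version. The option names `demo_consumer_key` and `demo_custom_css`, the nonce action `demo_settings` and the `error` query parameter are assumptions made for illustration.

```php
<?php
// Added example (not any listed plugin's code): stored XSS through settings and
// reflected XSS through a query parameter, vulnerable and hardened forms.
// Option names, nonce action and parameter names are assumptions.

// --- Vulnerable: saved raw, echoed raw. ---
function demo_settings_page_vulnerable() {
    if ( isset( $_POST['consumer_key'] ) ) {
        update_option( 'demo_consumer_key', $_POST['consumer_key'] );   // no sanitisation
        update_option( 'demo_custom_css',   $_POST['custom_css'] );     // HTML accepted as "CSS"
    }
    // A key of  "><script>alert(1)</script>  runs for every admin who opens the page.
    echo '<input name="consumer_key" value="' . get_option( 'demo_consumer_key' ) . '">';
    // A CSS value of  </style><script>alert(1)</script>  leaves the style element; this works
    // even when unfiltered_html is disallowed, because the plugin never checks it.
    echo '<style>' . get_option( 'demo_custom_css' ) . '</style>';
    if ( isset( $_GET['error'] ) ) {
        echo '<div class="notice">' . $_GET['error'] . '</div>';       // reflected XSS
    }
}

// --- Hardened: sanitise on save, escape on output, per context. ---
function demo_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden' );
    }
    if ( isset( $_POST['consumer_key'] ) ) {
        check_admin_referer( 'demo_settings' );                        // CSRF nonce
        // A consumer key is plain text: strip tags, control chars and stray whitespace.
        update_option( 'demo_consumer_key',
            sanitize_text_field( wp_unslash( $_POST['consumer_key'] ) ) );

        // Custom CSS is never HTML, so strip markup for every role, unfiltered_html or not.
        // Inside a raw-text <style> element the only breakout is a "</style" sequence, so
        // removing every "<" closes that door without mangling selectors such as "a > b"
        // (which esc_html() would turn into "&gt;" and the browser would not decode).
        $css = wp_strip_all_tags( wp_unslash( $_POST['custom_css'] ?? '' ) );
        $css = str_replace( '<', '', $css );
        update_option( 'demo_custom_css', $css );
    }

    wp_nonce_field( 'demo_settings' );
    // Attribute context: esc_attr() encodes the quote that would close the value="".
    echo '<input name="consumer_key" value="' . esc_attr( get_option( 'demo_consumer_key', '' ) ) . '">';
    // Style context: repeat the "<" removal on output so a value written by older,
    // unsanitised code cannot break out either.
    echo '<style>' . str_replace( '<', '', get_option( 'demo_custom_css', '' ) ) . '</style>';
    // Text context: esc_html() neutralises a reflected parameter.
    if ( isset( $_GET['error'] ) ) {
        echo '<div class="notice">' . esc_html( wp_unslash( $_GET['error'] ) ) . '</div>';
    }
}
```

The escaping function must match the context the value lands in (`esc_attr()` in an attribute, `esc_html()` in element text, `esc_url()` in an `href`), and the Custom CSS case shows why a generic HTML escaper is not always the right tool: the style element is raw text, so the safe transformation is to remove what could close it rather than to entity-encode it.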