Total: 42233 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-27418 | 1 Ge | 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM | GE UR firmware versions prior to version 8.1x support a web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, the UR firmware web server does not perform HTML encoding of user-supplied strings. |
| CVE-2021-27416 | 1 Hitachienergy | 1 Ellipse Enterprise Asset Management | 2024-11-21 | 5.8 MEDIUM | 5.5 MEDIUM | An attacker could exploit this vulnerability in Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 by tricking a user to click on a link containing malicious code that would then be run by the web browser. This can result in the compromise of confidential information, or even the takeover of the user's session. |
| CVE-2021-27403 | 1 Asus | 2 Askey Rtf8115vw, Askey Rtf8115vw Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS. |
| CVE-2021-27401 | 1 Mitel | 1 Micollab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Join Meeting page of Mitel MiCollab Web Client before 9.2 FP2 could allow an attacker to access (view and modify) user data by executing arbitrary code due to insufficient input validation, aka Cross-Site Scripting (XSS). |
| CVE-2021-27371 | 1 Monicahq | 1 Monica | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Contact page in Monica 2.19.1 allows stored XSS via the Description field. |
| CVE-2021-27370 | 1 Monicahq | 1 Monica | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field. |
| CVE-2021-27369 | 1 Monicahq | 1 Monica | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field. |
| CVE-2021-27368 | 1 Monicahq | 1 Monica | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Contact page in Monica 2.19.1 allows stored XSS via the First Name field. |
| CVE-2021-27349 | 1 Algolplus | 1 Advanced Order Export For Woocommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Advanced Order Export before 3.1.8 for WooCommerce allows XSS, a different vulnerability than CVE-2020-11727. |
| CVE-2021-27340 | 1 Os4ed | 1 Opensis | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | OpenSIS Community Edition version <= 7.6 is affected by a reflected XSS vulnerability in EmailCheck.php via the "opt" parameter. |
| CVE-2021-27338 | 1 Faraday | 1 Edge | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Faraday Edge before 3.7 allows XSS via the network/create/ page and its network name parameter. |
| CVE-2021-27332 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in SourceCodester CASAP Automated Enrollment System v1.0 allows remote attackers to inject arbitrary web script or HTML via the class_name parameter to update_class.php. |
| CVE-2021-27330 | 1 Triconsole | 1 Datepicker Calendar | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents. |
| CVE-2021-27318 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the lastname parameter. |
| CVE-2021-27317 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the comment parameter. |
| CVE-2021-27310 | 1 Csphere | 1 Clansphere | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Clansphere CMS 2011.4 allows unauthenticated reflected XSS via the "language" parameter. |
| CVE-2021-27309 | 1 Csphere | 1 Clansphere | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Clansphere CMS 2011.4 allows unauthenticated reflected XSS via the "module" parameter. |
| CVE-2021-27308 | 1 4homepages | 1 4images | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter. |
| CVE-2021-27288 | 1 X2engine | 1 X2crm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in the "/profile/activity" page. |
| CVE-2021-27279 | 1 Mybb | 1 Mybb | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode). |
| CVE-2021-27237 | 1 Blackcat-cms | 1 Blackcat Cms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php. |
| CVE-2021-27222 | 1 Obss | 1 Time In Status | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | In the "Time in Status" app before 4.13.0 for Jira, remote authenticated attackers can cause Stored XSS. |
| CVE-2021-27214 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905. |
| CVE-2021-27190 | 1 Peel | 1 Peel Shopping | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. User-supplied input containing a polyglot payload is echoed back in JavaScript code in the HTML response. This allows an attacker to input malicious JavaScript which can steal cookies, redirect users to other malicious websites, etc. |
| CVE-2021-27180 | 1 Altn | 1 Mdaemon | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MDaemon before 20.0.4. There is Reflected XSS in Webmail (aka WorldClient). It can be exploited via a GET request. It allows performing any action with the privileges of the attacked user. |
| CVE-2021-27131 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 5.4 MEDIUM | Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is i ... |
| CVE-2021-26968 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | A remote authenticated stored cross-site scripting (XSS) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the web-based management interface of AirWave could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. |
| CVE-2021-26967 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A remote reflected cross-site scripting (XSS) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the web-based management interface of AirWave could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of certain components of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the AirWave management interface ... |
| CVE-2021-26947 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A | 6.1 MEDIUM | Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link. |
| CVE-2021-26938 | 1 Henriquedornas | 1 Henriquedornas | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A stored XSS issue exists in henriquedornas 5.2.17 via online live chat. NOTE: Third parties report that no such product exists; henriquedornas is the web design agency and 5.2.17 is simply the PHP version running on this host. |
| CVE-2021-26929 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses. |
| CVE-2021-26925 | 2 Fedoraproject, Roundcube | 2 Fedora, Webmail | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. |
| CVE-2021-26924 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Argo CD before 1.8.4. Browser XSS protection is not activated due to the missing XSS protection header. |
| CVE-2021-26916 | 1 Nopcommerce | 1 Nopcommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In nopCommerce 4.30, a Reflected XSS issue in the Discount Coupon component allows remote attackers to inject arbitrary web script or HTML through the Filters/CheckDiscountCouponAttribute.cs discountcode parameter. |
| CVE-2021-26903 | 1 Isida | 1 Retriever | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | LMA ISIDA Retriever 5.2 is vulnerable to XSS via query['text']. |
| CVE-2021-26844 | 1 Poweradmin | 1 Pa Server Monitor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in Power Admin PA Server Monitor 8.2.1.1 allows remote attackers to inject arbitrary web script or HTML via Console.exe. |
| CVE-2021-26835 | 1 Zettlr | 1 Zettlr | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | No filtering of cross-site scripting (XSS) payloads in the markdown-editor in Zettlr 1.8.7 allows attackers to perform remote code execution via a crafted file. |
| CVE-2021-26834 | 1 Znote | 1 Znote | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability exists in Znote 0.5.2. An attacker can insert payloads, and the code execution will happen immediately on markdown view mode. |
| CVE-2021-26832 | 1 Priority-software | 1 Priority Enterprise Management System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) in the "Reset Password" page form of Priority Enterprise Management System v8.00 allows attackers to execute JavaScript on behalf of the victim by sending a malicious URL or directing the victim to a malicious site. |
| CVE-2021-26812 | 1 Jitsi | 1 Meet | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) in the Jitsi Meet 2.7 through 2.8.3 plugin for Moodle via the "sessionpriv.php" module. This allows attackers to craft a malicious URL which, when clicked on by users, can inject JavaScript code to be run by the application. |
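The GE UR entry (CVE-2021-27418) turns on a web server that performs no HTML encoding of user-supplied strings, and the PEEL SHOPPING entry (CVE-2021-27190) on input echoed back inside JavaScript code in the HTML response. The following is an added example, not code from either vendor or from this listing. It renders a constructed search parameter into a page three ways and counts the `<script>` elements an HTML tokenizer sees, which shows that HTML entity encoding and JSON encoding each cover only one output context. The page templates, the payload and the function names are assumptions made for the illustration.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample input: a "script breakout" payload of the kind a
# reflected parameter might carry. Not taken from either advisory.
PAYLOAD = '</script><script>alert(1)</script>'


def encode_for_html_text(value: str) -> str:
    """Encode for an HTML text node or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode for embedding in a <script> block as a JS string literal.

    json.dumps() yields a valid JS string literal but leaves '<', '>' and
    '&' intact, so a value containing '</script>' still terminates the
    script element: the HTML tokenizer does not understand JS escapes or
    entities inside <script>. Replacing those three characters with JS
    unicode escapes keeps the literal valid and makes it inert to HTML.
    """
    return (json.dumps(value)
            .replace('<', '\\u003c')   # becomes \u003c in the output
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def page_unencoded(q: str) -> str:
    """Vulnerable: raw interpolation into both contexts (the GE UR pattern)."""
    return f'<p>You searched for: {q}</p>\n<script>var q = "{q}";</script>'


def page_json_only(q: str) -> str:
    """Still vulnerable: JSON encoding alone does not stop '</script>'."""
    return (f'<p>You searched for: {html.escape(q)}</p>\n'
            f'<script>var q = {json.dumps(q)};</script>')


def page_encoded(q: str) -> str:
    """Hardened: one encoder per output context."""
    return (f'<p>You searched for: {encode_for_html_text(q)}</p>\n'
            f'<script>var q = {encode_for_js_string(q)};</script>')


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser tokenizer would."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.scripts += 1


def script_elements(markup: str) -> int:
    """Number of <script> elements in the markup. Each template above
    emits exactly one, so a higher count means the payload broke out."""
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


def js_literal_roundtrips(value: str) -> bool:
    """True if the hardened JS literal still decodes to the original value,
    i.e. the encoding is lossless as well as safe."""
    return json.loads(encode_for_js_string(value)) == value


if __name__ == '__main__':
    for name, render in [('unencoded', page_unencoded),
                         ('json only', page_json_only),
                         ('context-aware', page_encoded)]:
        print(f'{name:14s} script elements: {script_elements(render(PAYLOAD))}')
    print('lossless:', js_literal_roundtrips(PAYLOAD))
```

The point of the middle variant is that a fix which "encodes output" can still be wrong if it picks the encoder for a different context than the one the value lands in; the read-only interface in the GE UR case and the JavaScript echo in the PEEL case are two different contexts and need two different encoders.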
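The MyBB entry (CVE-2021-27279) describes stored XSS through nested [email] MyCode tags. The following is an added example, not MyBB's parser or its fix, and it makes no claim about how MyCode actually failed. It shows the general failure mode behind nested-tag bugs: a toy BBCode converter that re-runs its tag regex over its own output so that nesting "works", and so lets the inner tag's generated HTML land inside the outer tag's href attribute, beside a version that escapes first and runs one strict pass. The tag pattern, the sample posts and the function names are constructed for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample posts (not MyBB payloads).
BENIGN = '[email]alice@example.test[/email]'
NESTED = '[email]a@b.cc[email] onmouseover=alert(1) x[/email][/email]'

# Loose pattern: "whatever sits between the tags", applied repeatedly so
# that nested tags get converted too. This is the toy vulnerable design.
LOOSE_EMAIL = re.compile(r'\[email\](.+?)\[/email\]', re.DOTALL)

# Strict pattern: the address must look like an address (no quotes, angle
# brackets, ampersands or brackets can appear), and it is applied once.
STRICT_EMAIL = re.compile(
    r'\[email\]([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\[/email\]')


def render_loose(post: str) -> str:
    """Toy vulnerable converter: loops until no tag pair is left, so the
    HTML it generated on one pass is fed back as "address" on the next."""
    previous = None
    while previous != post:
        previous = post
        post = LOOSE_EMAIL.sub(
            lambda m: f'<a href="mailto:{m.group(1)}">{m.group(1)}</a>', post)
    return post


def render_strict(post: str) -> str:
    """Hardened converter: entity-encode the whole post first, then run a
    single strict pass. The captured address can only contain characters
    that are safe inside a double-quoted attribute, so no extra escaping
    of the group is needed; anything that does not match stays as text."""
    escaped = html.escape(post, quote=True)
    return STRICT_EMAIL.sub(
        lambda m: f'<a href="mailto:{m.group(1)}">{m.group(1)}</a>', escaped)


class _EventHandlerScan(HTMLParser):
    """Collects on* attributes from start tags, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith('on'):
                self.found.append((tag, name, value))


def event_handlers(markup: str) -> list:
    """Return (tag, attribute, value) for every inline event handler."""
    scanner = _EventHandlerScan()
    scanner.feed(markup)
    scanner.close()
    return scanner.found


if __name__ == '__main__':
    for label, render in [('loose', render_loose), ('strict', render_strict)]:
        print(f'{label}: benign -> {render(BENIGN)}')
        print(f'{label}: nested -> {render(NESTED)}')
        print(f'{label}: handlers -> {event_handlers(render(NESTED))}')
```

Both converters produce the same anchor for the benign post. For the nested post, the loose converter's second pass captures ` onmouseover=alert(1) x">...` as the "address", and the resulting markup carries an `onmouseover` attribute on the first `<a>`; the strict converter leaves the post as inert text. The check is done with an HTML parser rather than a substring search because what matters is the attribute the browser ends up with, not where the string `onmouseover` appears.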