Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-26032 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors.
|
|||||
| CVE-2021-26030 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page
|
|||||
| CVE-2021-26023 | 1 Nagios | 2 Favorites, Nagios Xi | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS.
|
|||||
| CVE-2021-25993 | 1 Requarks | 1 Wiki.js | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attacker’s server and will lead to account takeover when accessed by the victim.
|
|||||
| CVE-2021-25990 | 1 If-me | 1 Ifme | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In “ifme”, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe.
|
|||||
| CVE-2021-25989 | 1 If-me | 1 Ifme | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability in the markdown editor. It can be exploited by making a victim a Leader of a group which triggers the payload for them.
|
|||||
| CVE-2021-25988 | 1 If-me | 1 Ifme | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin.
|
|||||
| CVE-2021-25987 | 1 Hexo | 1 Hexo | 2024-11-21 | 1.9 LOW | 5.0 MEDIUM |
|
Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
|
|||||
| CVE-2021-25986 | 1 Django-wiki Project | 1 Django-wiki | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. An attacker who has access to edit pages can inject JavaScript payload in the title field. When a victim gets a notification regarding the changes made in the application, the payload in the notification panel renders and loads external JavaScript.
|
|||||
| CVE-2021-25984 | 1 Darwin | 1 Factor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Factor (App Framework & Headless CMS) forum plugin, versions v1.3.3 to v1.8.30, are vulnerable to stored Cross-Site Scripting (XSS) at the “post reply” section. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.
|
|||||
| CVE-2021-25983 | 1 Darwin | 1 Factor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Factor (App Framework & Headless CMS) forum plugin, versions v1.3.8 to v1.8.30, are vulnerable to reflected Cross-Site Scripting (XSS) at the “tags” and “category” parameters in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.
|
|||||
| CVE-2021-25982 | 1 Darwin | 1 Factor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Factor (App Framework & Headless CMS) forum plugin, versions 1.3.5 to 1.8.30, are vulnerable to reflected Cross-Site Scripting (XSS) at the “search” parameter in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.
|
|||||
| CVE-2021-25978 | 1 Apostrophecms | 1 Apostrophecms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.
|
|||||
| CVE-2021-25977 | 1 Dotnetfoundation | 1 Piranha Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In PiranhaCMS, versions 7.0.0 to 9.1.1 are vulnerable to stored XSS due to the page title improperly sanitized. By creating a page with a specially crafted page title, a low privileged user can trigger arbitrary JavaScript execution.
|
|||||
| CVE-2021-25975 | 1 Publify Project | 1 Publify | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with “publisher” role to inject malicious JavaScript via the uploaded html file.
|
|||||
| CVE-2021-25974 | 1 Publify Project | 1 Publify | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.
|
|||||
| CVE-2021-25969 | 1 Tuzitio | 1 Camaleon Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attacker to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment.
|
|||||
| CVE-2021-25968 | 1 Alkacon | 1 Opencms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field.
|
|||||
| CVE-2021-25967 | 1 Okfn | 1 Ckan | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture
|
|||||
| CVE-2021-25964 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In “Calibre-web” application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.
|
|||||
| CVE-2021-25963 | 1 Shuup | 1 Shuup | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not escaped.
|
|||||
| CVE-2021-25959 | 1 Opencrx | 1 Opencrx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance.
|
|||||
| CVE-2021-25955 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 3.5 LOW | 9.0 CRITICAL |
|
In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Sess ...
Show More |
|||||
| CVE-2021-25938 | 1 Arangodb | 1 Arangodb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since there is no validation of the .zip file name and filtering of potential abusive characters which zip files can be named to. There is no X-Frame-Options Header set, which makes it more susceptible for leveraging self XSS by attackers.
|
|||||
| CVE-2021-25935 | 1 Opennms | 2 Horizon, Meridian | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter. Due to this flaw an attacker could bypass the existing regex validation and inject an arbitrary ...
Show More |
|||||
| CVE-2021-25934 | 1 Opennms | 2 Horizon, Meridian | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `createRequisitionedNode()` does not perform any validation checks on the input sent to the `node-label` parameter. Due to this flaw an attacker could inject an arbitrary script which will be s ...
Show More |
|||||
| CVE-2021-25932 | 1 Opennms | 2 Meridian, Opennms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `userID` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in th ...
Show More |
|||||
| CVE-2021-25922 | 1 Open-emr | 1 Openemr | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker could trick a user to click on a malicious url and execute malicious code.
|
|||||
| CVE-2021-25894 | 1 Magnolia-cms | 1 Magnolia Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the /magnoliaPublic/travel/members/login.html mgnlUserId parameter.
|
|||||
| CVE-2021-25893 | 1 Magnolia-cms | 1 Magnolia Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the setText parameter of /magnoliaAuthor/.magnolia/.
|
|||||
| CVE-2021-25878 | 1 Youphptube | 1 Youphptube | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
AVideo/YouPHPTube 10.0 and prior is affected by multiple reflected Cross Script Scripting vulnerabilities via the videoName parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator.
|
|||||
| CVE-2021-25876 | 1 Youphptube | 1 Youphptube | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the u parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator.
|
|||||
| CVE-2021-25875 | 1 Youphptube | 1 Youphptube | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the searchPhrase parameter which allows a remote attacker to steal administrators' session cookies or perform actions as an administrator.
|
|||||
| CVE-2021-25838 | 1 Minthcm | 1 Minthcm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Import function in MintHCM RELEASE 3.0.8 allows an attacker to execute a cross-site scripting (XSS) payload in file-upload.
|
|||||
| CVE-2021-25828 | 1 Emby | 1 Emby | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Emby Server versions < 4.6.0.50 is vulnerable to Cross Site Scripting (XSS) vulnerability via a crafted GET request to /web.
|
|||||
| CVE-2021-25810 | 1 Mercusys | 2 Mercury X18g, Mercury X18g Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross site Scripting (XSS) vulnerability in MERCUSYS Mercury X18G 1.0.5 devices, via crafted values to the 'src_dport_start', 'src_dport_end', and 'dest_port' parameters.
|
|||||
| CVE-2021-25791 | 1 Online Doctor Appointment System Php Full Source Code Project | 1 Online Doctor Appointment System Php Full Source Code | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Multiple stored cross site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields.
|
|||||
| CVE-2021-25790 | 1 House Rental And Property Listing Php Project | 1 House Rental And Property Listing Php | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Multiple stored cross site scripting (XSS) vulnerabilities in the "Register" module of House Rental and Property Listing 1.0 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in all text fields except for Phone Number and Alternate Phone Number.
|
|||||
| CVE-2021-25785 | 1 Taogogo | 1 Taocms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Taocms v2.5Beta5 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Management column.
|
|||||
| CVE-2021-25773 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
JetBrains TeamCity before 2020.2 was vulnerable to reflected XSS on several pages.
|
|||||