Total
38028 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43853 | 1 Ajax.net Professional Project | 1 Ajax.net Professional | 2024-11-21 | 3.5 LOW | 8.7 HIGH |
| Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details. | |||||
| CVE-2021-43842 | 1 Requarks | 1 Wiki.js | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Wiki.js is a wiki app built on Node.js. Wiki.js versions 2.5.257 and earlier are vulnerable to stored cross-site scripting through a SVG file upload. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the SVG is viewed directly by other users. Scripts do not execute when loaded inside a page via normal `<img>` tags. Commit 5d3e81496fba1f0fbd64eeb855f30f69a9040718 fixes this vulnerability by adding an optional (enabled by default) SVG sanitization step to all file uploads that match the SVG mime type. As a workaround, disable file upload for all non-trusted users. Wiki.js version 2.5.260 is the first production version to contain a patch. Version 2.5.258 is the first development build to contain a patch and is available only as a Docker image as requarks/wiki:canary-2.5.258. | |||||
| CVE-2021-43841 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has been patched so that the default configuration doesn't allow to display the SVG files in the browser. Users are advised to update or to disallow uploads of SVG files. | |||||
| CVE-2021-43818 | 5 Debian, Fedoraproject, Lxml and 2 more | 12 Debian Linux, Fedora, Lxml and 9 more | 2024-11-21 | 6.8 MEDIUM | 8.2 HIGH |
| lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. | |||||
| CVE-2021-43817 | 1 Collabora | 1 Online | 2024-11-21 | 4.3 MEDIUM | 8.2 HIGH |
| Collabora Online is a collaborative online office suite based on LibreOffice technology. In affected versions a reflected XSS vulnerability was found in Collabora Online. An attacker could inject unescaped HTML into a variable as they created the Collabora Online iframe, and execute scripts inside the context of the Collabora Online iframe. This would give access to a small set of user settings stored in the browser, as well as the session's authentication token which was also passed in at iframe creation time. Users should upgrade to Collabora Online 6.4.16 or higher or Collabora Online 4.2.20 or higher. Collabora Online Development Edition 21.11 is not affected. | |||||
| CVE-2021-43810 | 1 Admidio | 1 Admidio | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
| Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12. | |||||
| CVE-2021-43808 | 1 Laravel | 1 Framework | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request. | |||||
| CVE-2021-43787 | 1 Nodebb | 1 Nodebb | 2024-11-21 | 4.3 MEDIUM | 9.0 CRITICAL |
| Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible. | |||||
| CVE-2021-43785 | 1 Emoji Button Project | 1 Emoji Button | 2024-11-21 | 4.3 MEDIUM | 7.6 HIGH |
| @joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious code. | |||||
| CVE-2021-43776 | 1 Linuxfoundation | 1 Auth Backend | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
| Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities. This is vulnerability is patched in version `0.4.9` of `@backstage/plugin-auth-backend`. | |||||
| CVE-2021-43765 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
| AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-43764 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | 3.5 LOW | 8.0 HIGH |
| AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-43761 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | 3.5 LOW | 8.0 HIGH |
| AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-43742 | 1 Cmsimple | 1 Cmsimple | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| CMSimple 5.4 is vulnerable to Cross Site Scripting (XSS) via the file upload feature. | |||||
| CVE-2021-43729 | 1 Pix-link | 2 Lv-wr09, Lv-wr09 Firmware | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized Security Key parameter. | |||||
| CVE-2021-43728 | 1 Pix-link | 2 Lv-wr09, Lv-wr09 Firmware | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized SSID parameter. | |||||
| CVE-2021-43725 | 1 Spotweb Project | 1 Spotweb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login.php of Spotweb 1.5.1 and below, which allows remote attackers to inject arbitrary web script or HTML via the data[performredirect] parameter. | |||||
| CVE-2021-43724 | 1 Intelliants | 1 Subrion Cms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exits in Subrion CMS through 4.2.1 in the Create Page functionality of the admin Account via a SGV file. | |||||
| CVE-2021-43721 | 1 Leanote | 1 Leanote | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Leanote 2.7.0 is vulnerable to Cross Site Scripting (XSS) in the markdown type note. This leads to remote code execution with payload : <video src=x onerror=(function(){require('child_process').exec('calc');})();> | |||||
| CVE-2021-43712 | 1 Employee Daily Task Management System Project | 1 Employee Daily Task Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in Add New Employee Form in Sourcecodester Employee Daily Task Management System 1.0 Allows Remote Attacker to Inject/Store Arbitrary Code via the Name Field. | |||||