Total
37815 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28002 | 1 Textpattern | 1 Textpattern | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting the 'Articles' page. | |||||
| CVE-2021-28001 | 1 Textpattern | 1 Textpattern | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting https://site.com/articles/welcome-to-your-site#comments-head. | |||||
| CVE-2021-28000 | 1 Local Services Search Engine Management System Project | 1 Local Services Search Engine Management System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A persistent cross-site scripting vulnerability was discovered in Local Services Search Engine Management System Project 1.0 which allows remote attackers to execute arbitrary code via crafted payloads entered into the Name and Address fields. | |||||
| CVE-2021-27989 | 1 Appspace | 1 Appspace | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Appspace 6.2.4 is vulnerable to stored cross-site scripting (XSS) in multiple parameters within /medianet/sgcontentset.aspx. | |||||
| CVE-2021-27969 | 1 Boonex | 1 Dolphin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Dolphin CMS 7.4.2 is vulnerable to stored XSS via the Page Builder "width" parameter. | |||||
| CVE-2021-27956 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. | |||||
| CVE-2021-27949 | 1 Mybb | 1 Mybb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools. | |||||
| CVE-2021-27945 | 1 Squirro | 1 Squirro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. | |||||
| CVE-2021-27940 | 1 Openark | 1 Orchestrator | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter. | |||||
| CVE-2021-27938 | 1 Symbiote | 1 Silverstripe Queued Jobs | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module. A Cross Site Scripting vulnerability allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL. | |||||
| CVE-2021-27933 | 1 Pfsense | 1 Pfsense | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field. | |||||
| CVE-2021-27930 | 1 Irislink | 1 Irisnext | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored XSS vulnerabilities in IrisNext Edition 9.5.16, which allows an authenticated (or compromised) user to inject malicious JavaScript in folder/file name within the application in order to grab other users’ sessions or execute malicious code in their browsers (1-click RCE). | |||||
| CVE-2021-27914 | 1 Acquia | 1 Mautic | 2024-11-21 | 3.5 LOW | 7.6 HIGH |
| A cross-site scripting (XSS) vulnerability in the installer component of Mautic before 4.3.0 allows admins to inject executable javascript | |||||
| CVE-2021-27912 | 1 Acquia | 1 Mautic | 2024-11-21 | 3.5 LOW | 7.1 HIGH |
| Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in the title and adding a broken image URL as a remote asset. This can only be leveraged by an authenticated user with permission to create or edit assets. | |||||
| CVE-2021-27911 | 1 Acquia | 1 Mautic | 2024-11-21 | 4.3 MEDIUM | 8.3 HIGH |
| Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's details page then clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can be populated from different sources such as UI, API, 3rd party syncing, forms, etc. | |||||
| CVE-2021-27910 | 1 Acquia | 1 Mautic | 2024-11-21 | 4.3 MEDIUM | 8.2 HIGH |
| Insufficient sanitization / filtering allows for arbitrary JavaScript Injection in Mautic using the bounce management callback function. The values submitted in the "error" and "error_related_to" parameters of the POST request of the bounce management callback will be permanently stored and executed once the details page of an affected lead is opened by a Mautic user. An attacker with access to the bounce management callback function (identified with the Mailjet webhook, but it is assumed this will work uniformly across all kinds of webhooks) can inject arbitrary JavaScript Code into the "error" and "error_related_to" parameters of the POST request (POST /mailer/<product / webhook>/callback). It is noted that there is no authentication needed to access this function. The JavaScript Code is stored permanently in the web application and executed every time an authenticated user views the details page of a single contact / lead in Mautic. This means, arbitrary code can be executed to, e.g., steal or tamper with information. | |||||
| CVE-2021-27909 | 1 Acquia | 1 Mautic | 2024-11-21 | 4.3 MEDIUM | 6.3 MEDIUM |
| For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code. The attacker would be required to convince or trick the target into clicking a password reset URL with the vulnerable parameter utilized. | |||||
| CVE-2021-27907 | 1 Apache | 1 Superset | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a “div” section and embedding in it a “svg” element with javascript code. | |||||
| CVE-2021-27902 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. | |||||
| CVE-2021-27889 | 1 Mybb | 1 Mybb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages. | |||||