Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-23854 | 1 Bosch | 8 Cpp13, Cpp13 Firmware, Cpp6 and 5 more | 2024-11-21 | 4.3 MEDIUM | 8.3 HIGH |
| An error in the handling of a page parameter in Bosch IP cameras may lead to a reflected cross site scripting (XSS) in the web-based interface. This issue only affects versions 7.7x and 7.6x. All other versions are not affected. | |||||
| CVE-2021-23848 | 1 Bosch | 10 Cpp13, Cpp13 Firmware, Cpp4 and 7 more | 2024-11-21 | 4.3 MEDIUM | 8.3 HIGH |
| An error in the URL handler of Bosch IP cameras may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user. | |||||
| CVE-2021-23838 | 1 Flatcore | 1 Flatcore | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in flatCore before 2.0.0 build 139. A reflected XSS vulnerability was identified in the media_filter HTTP request body parameter for the acp interface. The affected parameter accepts malicious client-side script without proper input sanitization. For example, a malicious user can leverage this vulnerability to steal cookies from a victim user and perform a session-hijacking attack, which may then lead to unauthorized access to the site. | |||||
| CVE-2021-23836 | 1 Flatcore | 1 Flatcore | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefs_smtp_psw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side script into the affected parameter without any form of input sanitization. The injected payload will be executed in the browser of a user whenever one visits the affected module page. | |||||
| CVE-2021-23824 | 1 Crowcpp | 1 Crow | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| This affects the package Crow before 0.3+4. When using attributes without quotes in the template, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. If the template is used to render user-generated content, this vulnerability may escalate to a persistent XSS vulnerability. | |||||
| CVE-2021-23784 | 1 Tempura Project | 1 Tempura | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e. an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability. | |||||
| CVE-2021-23673 | 1 Pekeupload Project | 1 Pekeupload | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| This affects all versions of package pekeupload. If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed. | |||||
| CVE-2021-23648 | 2 Fedoraproject, Paypal | 2 Fedora, Braintree\/sanitize-url | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| The package @braintree/sanitize-url before 6.0.0 is vulnerable to Cross-site Scripting (XSS) due to improper sanitization in the sanitizeUrl function. | |||||
| CVE-2021-23445 | 1 Datatables | 1 Datatables.net | 2024-11-21 | 4.3 MEDIUM | 3.1 LOW |
| This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped. | |||||
| CVE-2021-23439 | 1 Johndatserakis | 1 File-upload-with-preview | 2024-11-21 | 4.3 MEDIUM | 4.2 MEDIUM |
| This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file). | |||||
| CVE-2021-23416 | 1 Curly-bracket-parser Project | 1 Curly-bracket-parser | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input. | |||||
| CVE-2021-23414 | 2 Fedoraproject, Videojs | 2 Fedora, Video.js | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| This affects the package video.js before 7.14.3. The src attribute of the track tag allows bypassing HTML escaping and executing arbitrary code. | |||||
| CVE-2021-23411 | 1 Anchorme Project | 1 Anchorme | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the main functionality. It accepts input that can result in the output (an anchor a tag) containing undesirable Javascript code that can be executed upon user interaction. | |||||
| CVE-2021-23398 | 1 React-bootstrap-table Project | 1 React-bootstrap-table | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output. | |||||
| CVE-2021-23347 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 3.5 LOW | 4.7 MEDIUM |
| The package github.com/argoproj/argo-cd/cmd before 1.7.13, and from 1.8.0 before 1.8.6, is vulnerable to Cross-site Scripting (XSS): the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user. | |||||
| CVE-2021-23342 | 1 Docsifyjs | 1 Docsify | 2024-11-21 | 4.3 MEDIUM | 8.6 HIGH |
| This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods: 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more "////" characters. | |||||
| CVE-2021-23327 | 1 Fusioncharts | 1 Apexcharts | 2024-11-21 | 4.3 MEDIUM | 6.3 MEDIUM |
| The package apexcharts before 3.24.0 is vulnerable to Cross-site Scripting (XSS) via lack of sanitization of graph legend fields. | |||||
| CVE-2021-23288 | 1 Eaton | 1 Intelligent Power Protector | 2024-11-21 | 2.3 LOW | 5.6 MEDIUM |
| The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions prior to 1.69. | |||||
| CVE-2021-23287 | 1 Eaton | 1 Intelligent Power Manager | 2024-11-21 | 3.5 LOW | 5.6 MEDIUM |
| The vulnerability exists due to insufficient validation of input of certain resources within the IPM software. This issue affects: Intelligent Power Manager (IPM 1) versions prior to 1.70. | |||||
| CVE-2021-23285 | 1 Eaton | 1 Intelligent Power Manager | 2024-11-21 | 3.5 LOW | 3.1 LOW |
| Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to reflected Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions. | |||||
