Search Results (Refine Search)
- Keyword (text search): xss
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2021-29274 |
Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. Published: March 29, 2021; 12:15:13 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-29272 |
bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string. Published: March 27, 2021; 2:15:13 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-29271 |
remark42 before 1.6.1 allows XSS, as demonstrated by "Locator: Locator{URL:" followed by an XSS payload. This is related to backend/app/store/comment.go and backend/app/store/service/service.go. Published: March 27, 2021; 2:15:13 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2020-35856 |
SolarWinds Orion Platform before 2020.2.5 allows stored XSS attacks by an administrator on the Customize View page. Published: March 26, 2021; 12:15:12 PM -0400 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2021-22889 |
Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `statsBreakdown` parameter of stats.php (and possibly other scripts) due to single quotes not being escaped. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and pressing a certain key combination to execute injected JavaScript code. Published: March 25, 2021; 4:15:12 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-22888 |
Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `status` parameter of campaign-zone-zones.php. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code. Published: March 25, 2021; 4:15:12 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-26715 |
The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP request from the vulnerable server to any address in the internal network and obtain its response (which might, for example, have a JavaScript payload for resultant XSS). The issue can be exploited to bypass network boundaries, obtain sensitive data, or attack other hosts in the internal network. Published: March 25, 2021; 5:15:12 AM -0400 |
V4.0:(not available) V3.1: 9.1 CRITICAL V2.0: 6.4 MEDIUM |
CVE-2021-27969 |
Dolphin CMS 7.4.2 is vulnerable to stored XSS via the Page Builder "width" parameter. Published: March 23, 2021; 10:15:13 AM -0400 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2021-27310 |
Clansphere CMS 2011.4 allows unauthenticated reflected XSS via "language" parameter. Published: March 23, 2021; 10:15:13 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-27309 |
Clansphere CMS 2011.4 allows unauthenticated reflected XSS via "module" parameter. Published: March 23, 2021; 10:15:13 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-28968 |
An issue was discovered in PunBB before 1.4.6. An XSS vulnerability in the [email] BBcode tag allows (with authentication) injecting arbitrary JavaScript into any forum message. Published: March 22, 2021; 12:15:14 PM -0400 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2021-28957 |
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3. Published: March 21, 2021; 1:15:13 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-25278 |
FTAPI 4.0 through 4.10 allows XSS via an SVG document to the Background Image upload feature in the Submit Box Template Editor. Published: March 19, 2021; 1:15:13 PM -0400 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2021-25277 |
FTAPI 4.0 - 4.10 allows XSS via a crafted filename to the alternative text hover box in the file submission component. Published: March 19, 2021; 1:15:13 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2020-6578 |
Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php. Published: March 19, 2021; 12:15:13 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-3327 |
Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_title parameter. Published: March 18, 2021; 11:15:12 PM -0400 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2021-28160 |
Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) suffers from a reflected XSS vulnerability due to unsanitized SSID value when the latter is displayed in the /repeater.html page ("Repeater Wizard" homepage section). Published: March 18, 2021; 3:15:13 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-28796 |
Increments Qiita::Markdown before 0.33.0 allows XSS in transformers. Published: March 18, 2021; 12:15:15 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-28145 |
Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This requires at least Editor privileges. Published: March 18, 2021; 12:15:14 PM -0400 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2019-18233 |
In Advantech Spectre RT Industrial Routers ERT351 5.1.3 and prior, the affected product does not neutralize special characters in the error response, allowing attackers to use a reflected XSS attack. Published: March 17, 2021; 3:15:11 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |