Vulnerabilities (CVE)

Filtered by CWE-79
Total 37356 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-29643 1 Paessler 1 Prtg Network Monitor 2024-11-21 3.5 LOW 5.4 MEDIUM
PRTG Network Monitor before 21.3.69.1333 allows stored XSS via an unsanitized string imported from a User Object in a connected Active Directory instance.
CVE-2021-29625 1 Adminer 1 Adminer 2024-11-21 4.3 MEDIUM 7.5 HIGH
Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).
CVE-2021-29503 1 Hedgedoc 1 Hedgedoc 2024-11-21 4.3 MEDIUM 8.1 HIGH
HedgeDoc is a platform to write and share markdown. HedgeDoc before version 1.8.2 is vulnerable to a cross-site scripting attack using the YAML-metadata of a note. An attacker with write access to a note can embed HTML tags in the Open Graph metadata section of the note, resulting in the frontend rendering the script tag as part of the `<head>` section. Unless your instance prevents guests from editing notes, this vulnerability allows unauthenticated attackers to inject JavaScript into notes that allow guest edits. If your instance prevents guests from editing notes, this vulnerability allows authenticated attackers to inject JavaScript into any note pages they have write-access to. This vulnerability is patched in version 1.8.2. As a workaround, one can disable guest edits until the next update.
CVE-2021-29489 2 Highcharts, Netapp 5 Highcharts, Cloud Backup, Oncommand Insight and 2 more 2024-11-21 3.5 LOW 7.6 HIGH
Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
CVE-2021-29484 1 Ghost 1 Ghost 2024-11-21 4.3 MEDIUM 6.8 MEDIUM
Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version between 4.0.0 and 4.3.2. Immediate action should be taken to secure your site. The issue has been fixed in 4.3.3, all 4.x sites should upgrade as soon as possible. As the endpoint is unused, the patch simply removes it. As a workaround blocking access to /ghost/preview can also mitigate the issue.
CVE-2021-29467 1 Wrongthink Project 1 Wrongthink 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Wrongthink is an encrypted peer-to-peer chat program. A user could check their fingerprint into the service and enter a script to run arbitrary JavaScript on the site. No workarounds exist, but a patch exists in version 2.4.1.
CVE-2021-29460 1 Getkirby 1 Kirby 2024-11-21 3.5 LOW 7.6 HIGH
Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger requests to Kirby's API with the permissions of the victim. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. Visitors without Panel access can only use this attack vector if your site allows SVG file uploads in frontend forms and you don't already sanitize uploaded SVG files. The problem has been patched in Kirby 3.5.4. Please update to this or a later version to fix the vulnerability. Frontend upload forms need to be patched separately depending on how they store the uploaded file(s). If you use `File::create()`, you are protected by updating to 3.5.4+. As a work around you can disable the upload of SVG files in your file blueprints.
CVE-2021-29459 1 Xwiki 1 Xwiki 2024-11-21 4.3 MEDIUM 9.6 CRITICAL
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistred users can fill simple text fields. Registered users can fill in their personal information and (if they have edit rights) fill the values of static lists using App Within Minutes. There is no easy workaround except upgrading XWiki. The vulnerability has been patched on XWiki 12.8 and 12.6.3.
CVE-2021-29448 1 Pi-hole 3 Ftldns, Pi-hole, Web Interface 2024-11-21 5.8 MEDIUM 7.6 HIGH
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details.
CVE-2021-29438 1 Nextcloud\/dialogs Project 1 Nextcloud\/dialogs 2024-11-21 4.3 MEDIUM 4.6 MEDIUM
The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version 3.1.2 If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag.
CVE-2021-29434 1 Torchbox 1 Wagtail 2024-11-21 3.5 LOW 6.1 MEDIUM
Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).
CVE-2021-29399 2 Php, Xmbforum2 2 Php, Xmb 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions 1.9.12.03 or 1.9.11.16.
CVE-2021-29388 1 Budget Management System Project 1 Budget Management System 2024-11-21 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability in SourceCodester Budget Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php via vulnerable field 'Budget Title'.
CVE-2021-29387 1 Equipment Inventory System Project 1 Equipment Inventory System 2024-11-21 3.5 LOW 5.4 MEDIUM
Multiple stored cross-site scripting (XSS) vulnerabilities in Sourcecodester Equipment Inventory System 1.0 allow remote attackers to inject arbitrary javascript via any "Add" sections, such as Add Item , Employee and Position or others in the Name Parameters.
CVE-2021-29370 1 Cheetah Browser Project 1 Cheetah Browser 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website.
CVE-2021-29313 1 Seacms 1 Seacms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Cross Site Scripting (XSS) vulnerability exists in SeaCMS 12.6 via the (1) v_company and (2) v_tvs parameters in /admin_video.php,
CVE-2021-29274 1 Redmine 1 Redmine 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.
CVE-2021-29272 1 Microco 1 Bluemonday 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string.
CVE-2021-29271 1 Remark42 1 Remark42 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
remark42 before 1.6.1 allows XSS, as demonstrated by "Locator: Locator{URL:" followed by an XSS payload. This is related to backend/app/store/comment.go and backend/app/store/service/service.go.
CVE-2021-29267 1 Sherlockim 1 Sherlockim 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Sherlock SherlockIM through 2021-03-29 allows Cross Site Scripting (XSS) by leveraging the api/Files/Attachment URI to attack help-desk staff via the chatbot feature.