Total
37318 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27912 | 1 Acquia | 1 Mautic | 2024-11-21 | 3.5 LOW | 7.1 HIGH |
| Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in the title and adding a broken image URL as a remote asset. This can only be leveraged by an authenticated user with permission to create or edit assets. | |||||
| CVE-2021-27911 | 1 Acquia | 1 Mautic | 2024-11-21 | 4.3 MEDIUM | 8.3 HIGH |
| Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's details page then clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can be populated from different sources such as UI, API, 3rd party syncing, forms, etc. | |||||
| CVE-2021-27910 | 1 Acquia | 1 Mautic | 2024-11-21 | 4.3 MEDIUM | 8.2 HIGH |
| Insufficient sanitization / filtering allows for arbitrary JavaScript Injection in Mautic using the bounce management callback function. The values submitted in the "error" and "error_related_to" parameters of the POST request of the bounce management callback will be permanently stored and executed once the details page of an affected lead is opened by a Mautic user. An attacker with access to the bounce management callback function (identified with the Mailjet webhook, but it is assumed this will work uniformly across all kinds of webhooks) can inject arbitrary JavaScript Code into the "error" and "error_related_to" parameters of the POST request (POST /mailer/<product / webhook>/callback). It is noted that there is no authentication needed to access this function. The JavaScript Code is stored permanently in the web application and executed every time an authenticated user views the details page of a single contact / lead in Mautic. This means, arbitrary code can be executed to, e.g., steal or tamper with information. | |||||
| CVE-2021-27909 | 1 Acquia | 1 Mautic | 2024-11-21 | 4.3 MEDIUM | 6.3 MEDIUM |
| For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code. The attacker would be required to convince or trick the target into clicking a password reset URL with the vulnerable parameter utilized. | |||||
| CVE-2021-27907 | 1 Apache | 1 Superset | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a “div” section and embedding in it a “svg” element with javascript code. | |||||
| CVE-2021-27902 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. | |||||
| CVE-2021-27889 | 1 Mybb | 1 Mybb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages. | |||||
| CVE-2021-27888 | 1 Zend | 1 Zendto | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters. | |||||
| CVE-2021-27887 | 1 Hitachiabb-powergrids | 1 Ellipse Asset Performance Management | 2024-11-21 | 3.5 LOW | 6.3 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids Ellipse APM 5.3 version 5.3.0.1 and prior versions; 5.2 version 5.2.0.3 and prior versions; 5.1 version 5.1.0.6 and prior versions. | |||||
| CVE-2021-27822 | 1 Phpgurukul | 1 Vehicle Parking Management System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A persistent cross site scripting (XSS) vulnerability in the Add Categories module of Vehicle Parking Management System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Category field. | |||||
| CVE-2021-27821 | 1 Openwrt | 1 Luci | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. | |||||
| CVE-2021-27781 | 1 Hcltech | 2 Bigfix Mobile, Modern Client Management | 2024-11-21 | 3.5 LOW | 6.6 MEDIUM |
| The Master operator may be able to embed script tag in HTML with alert pop-up display cookie. | |||||
| CVE-2021-27778 | 1 Hcltech | 1 Traveler | 2024-11-21 | 3.5 LOW | 4.9 MEDIUM |
| HCL Traveler is vulnerable to a cross-site scripting (XSS) caused by improper validation of the Name parameter for Approved Applications in the Traveler administration web pages. An attacker could exploit this vulnerability to execute a malicious script to access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. | |||||
| CVE-2021-27746 | 1 Hcltechsw | 1 Connections | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| "HCL Connections Security Update for Reflected Cross-Site Scripting (XSS) Vulnerability" | |||||
| CVE-2021-27733 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In JetBrains YouTrack before 2020.6.6441, stored XSS was possible via an issue attachment. | |||||
| CVE-2021-27731 | 1 Accellion | 1 Fta | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint. The fixed version is FTA_9_12_444 and later. | |||||
| CVE-2021-27695 | 1 Openmaint | 1 Openmaint | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name and Code Parameters. | |||||
| CVE-2021-27679 | 1 Batflat | 1 Batflat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Navigation in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-27678 | 1 Batflat | 1 Batflat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Snippets in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-27677 | 1 Batflat | 1 Batflat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Galleries in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||