Total
44775 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-39408 | 1 Online Student Rate System Project | 1 Online Student Rate System | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability exists in Online Student Rate System 1.0 via the page parameter on the index.php file | ||||
| CVE-2021-39404 | 1 Maianaffiliate | 1 Maianaffiliate | 2024-11-21 | 4.8 Medium |
| MaianAffiliate v1.0 allows an authenticated administrative user to save an XSS to the database. | ||||
| CVE-2021-39393 | 1 Mm-wiki Project | 1 Mm-wiki | 2024-11-21 | 6.1 Medium |
| mm-wiki v0.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the markdown editor. | ||||
| CVE-2021-39391 | 1 Beego | 1 Beego | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability exists in the admin panel in Beego v2.0.1 via the URI path in an HTTP request, which is activated by administrators viewing the "Request Statistics" page. | ||||
| CVE-2021-39390 | 1 Partkeepr | 1 Partkeepr | 2024-11-21 | 5.4 Medium |
| Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter. | ||||
| CVE-2021-39368 | 1 Canon | 1 Oce Print Exec Workgroup | 2024-11-21 | 6.1 Medium |
| Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter. | ||||
| CVE-2021-39362 | 1 Recaptcha Solver Project | 1 Recaptcha Solver | 2024-11-21 | 6.1 Medium |
| An XSS issue was discovered in ReCaptcha Solver 5.7. A response from Anti-Captcha.com, RuCaptcha.com, 2captcha.com, DEATHbyCAPTCHA.com, ImageTyperz.com, or BestCaptchaSolver.com in setCaptchaCode() is inserted into the DOM as HTML, resulting in full control over the user's browser by these servers. | ||||
| CVE-2021-39307 | 1 Pdftron | 1 Webviewer Ui | 2024-11-21 | 6.1 Medium |
| PDFTron's WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. | ||||
| CVE-2021-39286 | 1 Webrecorder | 1 Pywb | 2024-11-21 | 6.1 Medium |
| Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped. | ||||
| CVE-2021-39285 | 1 Versa-networks | 1 Versa Director | 2024-11-21 | 6.1 Medium |
| A XSS vulnerability exists in Versa Director Release: 16.1R2 Build: S8. An attacker can use the administration web interface URL to create a XSS based attack. | ||||
| CVE-2021-39278 | 1 Moxa | 24 Oncell G3470a-lte-eu, Oncell G3470a-lte-eu-t, Oncell G3470a-lte-eu-t Firmware and 21 more | 2024-11-21 | 6.1 Medium |
| Certain MOXA devices allow reflected XSS via the Config Import menu. This affects WAC-2004 1.7, WAC-1001 2.1, WAC-1001-T 2.1, OnCell G3470A-LTE-EU 1.7, OnCell G3470A-LTE-EU-T 1.7, TAP-323-EU-CT-T 1.3, TAP-323-US-CT-T 1.3, TAP-323-JP-CT-T 1.3, WDR-3124A-EU 2.3, WDR-3124A-EU-T 2.3, WDR-3124A-US 2.3, and WDR-3124A-US-T 2.3. | ||||
| CVE-2021-39268 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 6.1 Medium |
| Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed. | ||||
| CVE-2021-39267 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 6.1 Medium |
| Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked. | ||||
| CVE-2021-39250 | 1 Invisioncommunity | 1 Invision Power Board | 2024-11-21 | 5.4 Medium |
| Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML). | ||||
| CVE-2021-39248 | 1 Edx | 1 Edx-platform | 2024-11-21 | 6.1 Medium |
| Open edX through Lilac.1 allows XSS in common/static/common/js/discussion/utils.js via crafted LaTeX content within a discussion. | ||||
| CVE-2021-39222 | 1 Nextcloud | 1 Talk | 2024-11-21 | 6.4 Medium |
| Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Talk application is upgraded to patched versions 10.0.7, 10.1.4, 11.1.2, 11.2.0 or 12.0.0. As a workaround, use a browser that has support for Content-Security-Policy. | ||||
| CVE-2021-39221 | 1 Nextcloud | 1 Contacts | 2024-11-21 | 6.4 Medium |
| Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application is upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy. | ||||
| CVE-2021-39205 | 1 8x8 | 1 Jitsi Meet | 2024-11-21 | 6.8 Medium |
| Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading. | ||||
| CVE-2021-39202 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 7.6 High |
| WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8. | ||||
| CVE-2021-39201 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 7.6 High |
| WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress) | ||||