CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 501 | CVE-2021-29209 | 79 | | XSS | 2021-05-25 | 2021-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. |
| 502 | CVE-2021-29208 | 79 | | XSS | 2021-05-25 | 2021-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. |
| 503 | CVE-2021-29207 | 79 | | XSS | 2021-05-25 | 2021-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. |
| 504 | CVE-2021-29206 | 79 | | XSS | 2021-05-25 | 2021-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. |
| 505 | CVE-2021-29205 | 79 | | XSS | 2021-05-25 | 2021-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. |
| 506 | CVE-2021-29204 | 79 | | XSS | 2021-05-25 | 2021-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. |
| 507 | CVE-2021-29201 | 79 | | XSS | 2021-05-25 | 2021-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. |
| 508 | CVE-2021-29110 | 79 | | XSS | 2021-10-01 | 2021-10-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious strings in the home application. |
| 509 | CVE-2021-29105 | 79 | | XSS | 2021-07-11 | 2021-09-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Services Directory. |
| 510 | CVE-2021-29082 | 200 | | +Info | 2021-03-23 | 2021-03-24 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | Certain NETGEAR devices are affected by disclosure of sensitive information. This affects RBW30 before 2.6.1.4, RBS40V before 2.6.1.4, RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBK754 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBK854 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25. |
| 511 | CVE-2021-29056 | 79 | | XSS | 2021-08-17 | 2021-08-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross Site Scripting (XSS) vulnerability exists in Pixelimity 1.0 via the HTTP POST parameter to admin/setting.php. |
| 512 | CVE-2021-29033 | 79 | | XSS | 2021-03-24 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/edit_group.php URI. |
| 513 | CVE-2021-29032 | 79 | | XSS | 2021-03-24 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/preferences.php URI. |
| 514 | CVE-2021-29031 | 79 | | XSS | 2021-03-24 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/users_import.php URI. |
| 515 | CVE-2021-29030 | 79 | | XSS | 2021-03-24 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/index.php URI. |
| 516 | CVE-2021-29029 | 79 | | XSS | 2021-03-24 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/edit_personal_page.php URI. |
| 517 | CVE-2021-29028 | 79 | | XSS | 2021-03-24 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/user_activity.php URI. |
| 518 | CVE-2021-29027 | 79 | | XSS | 2021-03-24 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/index.php URI. |
| 519 | CVE-2021-29026 | 79 | | XSS | 2021-03-24 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/permissions.php URI. |
| 520 | CVE-2021-29025 | 79 | | XSS | 2021-03-24 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/my_images.php URI. |
| 521 | CVE-2021-29010 | 79 | | XSS | 2021-03-25 | 2021-03-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php in the "report_type" parameter. |
| 522 | CVE-2021-29009 | 79 | | XSS | 2021-03-25 | 2021-03-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php in the "type" parameter. |
| 523 | CVE-2021-29008 | 79 | | XSS | 2021-03-25 | 2021-03-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via webmaster-tools.php in the "to_time" parameter. |
| 524 | CVE-2021-29002 | 79 | | XSS | 2021-03-24 | 2021-09-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter. |
| 525 | CVE-2021-28977 | 79 | | XSS | 2021-06-23 | 2021-06-25 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross Site Scripting vulnerability in GetSimpleCMS 3.3.16 in admin/upload.php by adding comments or jpg and other file header information to the content of xla, pages, and gzip files, |
| 526 | CVE-2021-28968 | 79 | | XSS | 2021-03-22 | 2021-03-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in PunBB before 1.4.6. An XSS vulnerability in the [email] BBcode tag allows (with authentication) injecting arbitrary JavaScript into any forum message. |
| 527 | CVE-2021-28935 | 79 | | XSS | 2021-03-30 | 2021-06-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field. |
| 528 | CVE-2021-28901 | 79 | | XSS | 2021-09-15 | 2021-09-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities exist in SITA Software Azur CMS 1.2.3.1 and earlier, which allows remote attackers to inject arbitrary web script or HTML via the (1) NOM_CLI, (2) ADRESSE, (3) ADRESSE2, (4) LOCALITE parameters to /eshop/products/json/aouCustomerAdresse; and the (5) nom_liste parameter to /eshop/products/json/addCustomerFavorite. |
| 529 | CVE-2021-28807 | 79 | | XSS | 2021-06-03 | 2021-09-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A post-authentication reflected XSS vulnerability has been reported to affect QNAP NAS running Q’center. If exploited, this vulnerability allows remote attackers to inject malicious code. QNAP have already fixed this vulnerability in the following versions of Q’center: QTS 4.5.3: Q’center v1.12.1012 and later; QTS 4.3.6: Q’center v1.10.1004 and later; QTS 4.3.3: Q’center v1.10.1004 and later; QuTS hero h4.5.2: Q’center v1.12.1012 and later; QuTScloud c4.5.4: Q’center v1.12.1012 and later. |
| 530 | CVE-2021-28806 | 79 | | XSS | 2021-06-03 | 2021-06-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3. |
| 531 | CVE-2021-28803 | 79 | | XSS | 2021-07-01 | 2021-07-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | This issue affects: QNAP Systems Inc. Q'center versions prior to 1.11.1004. |
| 532 | CVE-2021-28633 | | | | 2021-08-24 | 2021-08-31 | 3.6 | None | Local | Low | Not required | None | Partial | Partial | Adobe Creative Cloud Desktop Application (installer) version 2.4 (and earlier) is affected by an Insecure temporary file creation vulnerability. An attacker could leverage this vulnerability to cause arbitrary file overwriting in the context of the current user. Exploitation of this issue requires physical interaction to the system. |
| 533 | CVE-2021-28613 | 379 | | | 2021-09-27 | 2021-10-05 | 3.3 | None | Local | Medium | Not required | None | Partial | Partial | Adobe Creative Cloud Desktop Application version 5.4 (and earlier) is affected by a file handling vulnerability that could allow an attacker to arbitrarily overwrite a file. Exploitation of this issue requires local access, administrator privileges and user interaction. |
| 534 | CVE-2021-28556 | 79 | | XSS | 2021-06-28 | 2021-07-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for successful exploitation. |
| 535 | CVE-2021-28461 | 79 | | XSS | 2021-05-11 | 2021-05-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Dynamics Finance and Operations Cross-site Scripting Vulnerability |
| 536 | CVE-2021-28424 | 79 | | XSS | 2021-07-01 | 2021-07-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability in Teachers Record Management System 1.0 allows remote authenticated users to inject arbitrary web script or HTML via the 'email' POST parameter in adminprofile.php. |
| 537 | CVE-2021-28420 | 79 | | XSS | 2021-03-18 | 2021-06-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter. |
| 538 | CVE-2021-28418 | 79 | | XSS | 2021-03-18 | 2021-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter. |
| 539 | CVE-2021-28417 | 79 | | XSS | 2021-03-18 | 2021-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the "search_name" parameter. |
| 540 | CVE-2021-28382 | 79 | | XSS | 2021-06-07 | 2021-06-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD. |
| 541 | CVE-2021-28380 | 79 | | XSS | 2021-03-16 | 2021-03-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The aimeos (aka Aimeos shop and e-commerce framework) extension before 19.10.12 and 20.x before 20.10.5 for TYPO3 allows XSS via a backend user account. |
| 542 | CVE-2021-28378 | 79 | | XSS | 2021-03-15 | 2021-09-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations. |
| 543 | CVE-2021-28326 | | | DoS | 2021-04-13 | 2021-06-04 | 3.6 | None | Local | Low | Not required | None | Partial | Partial | Windows AppX Deployment Server Denial of Service Vulnerability |
| 544 | CVE-2021-28247 | 79 | | XSS | 2021-03-26 | 2021-03-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | ** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Cross Site Scripting (XSS). The impact is: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and perform a Reflected Cross-Site Scripting attack against the platform users. The affected endpoints are: cgi/nhWeb with the parameter report, aviewbin/filtermibobjects.pl with the parameter namefilter, and aviewbin/query.pl with the parameters System, SystemText, Group, and GroupText. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| 545 | CVE-2021-28147 | | | | 2021-03-22 | 2021-04-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have. |
| 546 | CVE-2021-28145 | 79 | | XSS | 2021-03-18 | 2021-11-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This requires at least Editor privileges. |
| 547 | CVE-2021-28136 | 787 | | Mem. Corr. | 2021-09-07 | 2021-09-09 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet. |
| 548 | CVE-2021-28135 | 20 | | DoS | 2021-09-07 | 2021-09-13 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (crash) in ESP32 by flooding the target device with LMP Feature Response data. |
| 549 | CVE-2021-28114 | 79 | | XSS | 2021-07-16 | 2021-07-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Froala WYSIWYG Editor 3.2.6-1 is affected by XSS due to a namespace confusion during parsing. |
| 550 | CVE-2021-28099 | | | | 2021-03-23 | 2021-03-26 | 3.6 | None | Local | Low | Not required | Partial | Partial | None | In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated. |