CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
601 CVE-2021-27237 79 XSS 2021-02-16 2021-02-17
3.5
None Remote Medium ??? None Partial None
The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.
602 CVE-2021-27222 79 XSS 2021-03-08 2021-03-11
3.5
None Remote Medium ??? None Partial None
In the "Time in Status" app before 4.13.0 for Jira, remote authenticated attackers can cause Stored XSS.
603 CVE-2021-27217 125 DoS 2021-03-04 2021-03-26
3.5
None Remote Medium ??? None None Partial
An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product.
604 CVE-2021-27209 319 2021-02-13 2021-02-19
3.6
None Local Low Not required Partial Partial None
In the management interface on TP-Link Archer C5v 1.7_181221 devices, credentials are sent in a base64 format over cleartext HTTP.
605 CVE-2021-27194 319 2021-03-25 2021-03-29
3.3
None Local Network Low Not required Partial None None
Cleartext transmission of sensitive information in Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to gather credentials including Windows login usernames and passwords.
606 CVE-2021-27190 79 XSS 2021-02-12 2021-11-17
3.5
None Remote Medium ??? None Partial None
A Stored Cross Site Scripting (XSS) vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. User-supplied input containing a polyglot payload is echoed back in JavaScript code in the HTML response. This allows an attacker to input malicious JavaScript, which can steal cookies, redirect users to other malicious websites, etc.
607 CVE-2021-27129 79 XSS 2021-04-15 2021-04-19
3.5
None Remote Medium ??? None Partial None
CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter.
608 CVE-2021-26989 DoS 2021-03-04 2021-03-17
3.5
None Remote Medium ??? None None Partial
Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P9 and 9.8 are susceptible to a vulnerability which could allow a remote authenticated attacker to cause a Denial of Service (DoS) on clustered Data ONTAP configured for SMB access.
609 CVE-2021-26968 79 Exec Code XSS 2021-03-05 2021-03-10
3.5
None Remote Medium ??? None Partial None
A remote authenticated stored cross-site scripting (XSS) vulnerability was discovered in Aruba AirWave Management Platform versions prior to 8.2.12.0. A vulnerability in the web-based management interface of AirWave could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface.
610 CVE-2021-26938 79 XSS 2021-02-10 2021-03-04
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** A stored XSS issue exists in henriquedornas 5.2.17 via online live chat. NOTE: Third parties report that no such product exists, that henriquedornas is the web design agency, and that 5.2.17 is simply the PHP version running on this host.
611 CVE-2021-26925 79 XSS 2021-02-09 2021-02-19
3.5
None Remote Medium ??? None Partial None
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
612 CVE-2021-26886 DoS 2021-03-11 2021-03-23
3.6
None Local Low Not required None Partial Partial
User Profile Service Denial of Service Vulnerability
613 CVE-2021-26866 269 2021-03-11 2021-03-22
3.6
None Local Low Not required None Partial Partial
Windows Update Service Elevation of Privilege Vulnerability
614 CVE-2021-26844 79 XSS 2021-11-05 2021-11-09
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in Power Admin PA Server Monitor 8.2.1.1 allows remote attackers to inject arbitrary web script or HTML via Console.exe.
615 CVE-2021-26834 79 Exec Code XSS 2021-06-18 2021-06-21
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability exists in Znote 0.5.2. An attacker can insert payloads, and the code execution will happen immediately on markdown view mode.
616 CVE-2021-26829 79 XSS 2021-06-11 2021-06-21
3.5
None Remote Medium ??? None Partial None
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.
617 CVE-2021-26776 79 XSS 2021-03-11 2021-03-17
3.5
None Remote Medium ??? None Partial None
CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages through the field name.
618 CVE-2021-26676 +Info 2021-02-09 2021-07-12
3.3
None Local Network Low Not required Partial None None
gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp.
619 CVE-2021-26596 79 Exec Code XSS 2021-03-25 2021-04-01
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used.
620 CVE-2021-26549 79 Exec Code XSS 2021-02-09 2021-02-16
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in SmartFoxServer 2.17.0. Input passed to the AdminTool console is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site.
621 CVE-2021-26544 79 XSS 2021-02-20 2021-02-26
3.5
None Remote Medium ??? None Partial None
Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating.
622 CVE-2021-26304 79 XSS 2021-01-29 2021-02-01
3.5
None Remote Medium ??? None Partial None
PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the add-expense.php Item parameter.
623 CVE-2021-26274 276 2021-07-07 2021-07-08
3.6
None Local Low Not required None Partial Partial
The Agent in NinjaRMM 5.0.909 has Insecure Permissions.
624 CVE-2021-26111 401 2021-06-01 2021-06-11
3.3
None Local Network Low Not required None None Partial
A missing release of memory after effective lifetime vulnerability in FortiSwitch 6.4.0 to 6.4.6, 6.2.0 to 6.2.6, 6.0.0 to 6.0.6, 3.6.11 and below may allow an attacker on an adjacent network to exhaust available memory by sending specifically crafted LLDP/CDP/EDP packets to the device.
625 CVE-2021-26083 79 XSS 2021-07-20 2021-07-28
3.5
None Remote Medium ??? None Partial None
Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
626 CVE-2021-26082 79 XSS 2021-07-20 2021-07-28
3.5
None Remote Medium ??? None Partial None
The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability.
627 CVE-2021-26071 352 CSRF 2021-04-01 2021-04-05
3.5
None Remote Medium ??? None Partial None
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.
628 CVE-2021-25986 79 XSS 2021-11-23 2021-11-29
3.5
None Remote Medium ??? None Partial None
In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. An attacker who has access to edit pages can inject JavaScript payload in the title field. When a victim gets a notification regarding the changes made in the application, the payload in the notification panel renders and loads external JavaScript.
629 CVE-2021-25978 79 XSS 2021-11-07 2021-11-09
3.5
None Remote Medium ??? None Partial None
Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.
630 CVE-2021-25977 79 XSS 2021-10-25 2021-10-26
3.5
None Remote Medium ??? None Partial None
In PiranhaCMS, versions 7.0.0 to 9.1.1 are vulnerable to stored XSS because the page title is improperly sanitized. By creating a page with a specially crafted page title, a low privileged user can trigger arbitrary JavaScript execution.
631 CVE-2021-25975 79 XSS 2021-11-10 2021-11-12
3.5
None Remote Medium ??? None Partial None
In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with “publisher” role to inject malicious JavaScript via the uploaded html file.
632 CVE-2021-25974 79 Exec Code XSS 2021-11-10 2021-11-12
3.5
None Remote Medium ??? None Partial None
In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.
633 CVE-2021-25968 79 XSS 2021-10-19 2021-10-21
3.5
None Remote Medium ??? None Partial None
In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field.
634 CVE-2021-25964 79 XSS 2021-10-04 2021-10-08
3.5
None Remote Medium ??? None Partial None
In the “Calibre-web” application, versions v0.6.0 to v0.6.12 are vulnerable to Stored XSS in “Metadata”. An attacker who has access to edit the metadata information can inject a JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.
635 CVE-2021-25935 79 XSS Bypass 2021-05-25 2021-06-03
3.5
None Remote Medium ??? None Partial None
In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter. Due to this flaw an attacker could bypass the existing regex validation and inject an arbitrary script which will be stored in the database.
636 CVE-2021-25934 79 XSS 2021-05-25 2021-06-03
3.5
None Remote Medium ??? None Partial None
In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `createRequisitionedNode()` does not perform any validation checks on the input sent to the `node-label` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database.
637 CVE-2021-25933 79 XSS 2021-05-20 2021-05-26
3.5
None Remote Medium ??? None Partial None
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms.
638 CVE-2021-25932 79 XSS 2021-06-01 2021-06-11
3.5
None Remote Medium ??? None Partial None
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `userID` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database.
639 CVE-2021-25929 79 XSS 2021-05-20 2021-05-26
3.5
None Remote Medium ??? None Partial None
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting since there is no validation on the input being sent to the `name` parameter in `noticeWizard` endpoint. Due to this flaw an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files.
640 CVE-2021-25925 79 XSS 2021-04-12 2021-04-20
3.5
None Remote Medium ??? None Partial None
In SiCKRAGE, versions 4.2.0 to 10.0.11.dev1 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly when processed by the server. Therefore, an attacker can inject arbitrary JavaScript code inside the application, and possibly steal a user’s sensitive information.
641 CVE-2021-25921 79 XSS 2021-03-22 2021-03-24
3.5
None Remote Medium ??? None Partial None
In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit.
642 CVE-2021-25919 79 XSS 2021-03-22 2021-03-24
3.5
None Remote Medium ??? None Partial None
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
643 CVE-2021-25918 79 XSS 2021-03-22 2021-03-29
3.5
None Remote Medium ??? None Partial None
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
644 CVE-2021-25917 79 XSS 2021-03-22 2021-03-29
3.5
None Remote Medium ??? None Partial None
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
645 CVE-2021-25910 287 2021-01-29 2021-02-05
3.3
None Local Network Low Not required None Partial None
Improper Authentication vulnerability in the cookie parameter of ZIV AUTOMATION 4CCT-EA6-334126BF allows a local attacker to perform modifications in several parameters of the affected device as an authenticated user.
646 CVE-2021-25893 79 XSS 2021-04-02 2021-04-15
3.5
None Remote Medium ??? None Partial None
Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the setText parameter of /magnoliaAuthor/.magnolia/.
647 CVE-2021-25791 79 XSS 2021-07-23 2021-08-03
3.5
None Remote Medium ??? None Partial None
Multiple stored cross site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields.
648 CVE-2021-25790 79 XSS 2021-07-23 2021-09-13
3.5
None Remote Medium ??? None Partial None
Multiple stored cross site scripting (XSS) vulnerabilities in the "Register" module of House Rental and Property Listing 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in all text fields except for Phone Number and Alternate Phone Number.
649 CVE-2021-25740 610 2021-09-20 2021-11-06
3.5
None Remote Medium ??? Partial None None
A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.
650 CVE-2021-25679 79 XSS 2021-04-20 2021-04-23
3.5
None Remote Medium ??? None Partial None
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched.