CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
951 CVE-2021-24129 79 XSS 2021-03-18 2021-03-24
3.5
None Remote Medium ??? None Partial None
Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation.
952 CVE-2021-24128 79 XSS 2021-03-18 2021-03-25
3.5
None Remote Medium ??? None Partial None
Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member.
953 CVE-2021-24127 79 XSS 2021-03-18 2021-03-25
3.5
None Remote Medium ??? None Partial None
Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, was vulnerable to authenticated Stored Cross-Site Scripting (XSS), which could lead to privilege escalation.
954 CVE-2021-24126 79 XSS 2021-03-18 2021-03-24
3.5
None Remote Medium ??? None Partial None
Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation.
955 CVE-2021-24114 200 +Info 2021-02-25 2021-03-03
3.5
None Remote Medium ??? Partial None None
Microsoft Teams iOS Information Disclosure Vulnerability
956 CVE-2021-24075 DoS 2021-02-25 2021-03-04
3.5
None Remote Medium ??? None None Partial
Windows Network File System Denial of Service Vulnerability
957 CVE-2021-24021 79 XSS 2021-10-06 2021-10-14
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request, via other, hypothetical attacks.
958 CVE-2021-23922 79 XSS 2021-04-01 2021-04-06
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Devolutions Remote Desktop Manager before 2020.2.12. There is a cross-site scripting (XSS) vulnerability in webviews.
959 CVE-2021-23889 79 XSS 2021-03-26 2021-03-30
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
960 CVE-2021-23881 79 XSS 2021-02-10 2021-02-12
3.5
None Remote Medium ??? None Partial None
A stored cross site scripting vulnerability in ePO extension of McAfee Endpoint Security (ENS) prior to 10.7.0 February 2021 Update allows an ENS ePO administrator to add a script to a policy event which will trigger the script to be run through a browser block page when a local non-administrator user triggers the policy.
961 CVE-2021-23873 269 DoS +Priv 2021-02-10 2021-02-16
3.6
None Local Low Not required None Partial Partial
Privilege Escalation vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and perform arbitrary file deletion as the SYSTEM user potentially causing Denial of Service via manipulating Junction link, after enumerating certain files, at a specific time.
962 CVE-2021-23838 79 XSS 2021-01-15 2021-01-22
3.5
None Remote Medium ??? None Partial None
An issue was discovered in flatCore before 2.0.0 build 139. A reflected XSS vulnerability was identified in the media_filter HTTP request body parameter for the acp interface. The affected parameter accepts malicious client-side script without proper input sanitization. For example, a malicious user can leverage this vulnerability to steal cookies from a victim user and perform a session-hijacking attack, which may then lead to unauthorized access to the site.
963 CVE-2021-23836 79 XSS 2021-01-15 2021-01-22
3.5
None Remote Medium ??? None Partial None
An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefs_smtp_psw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side script into the affected parameter without any form of input sanitization. The injected payload will be executed in the browser of a user whenever one visits the affected module page.
964 CVE-2021-23391 668 2021-06-07 2021-06-16
3.6
None Local Low Not required None Partial Partial
This affects all versions of package calipso. It is possible for a malicious module to overwrite files on an arbitrary file system through the module install functionality.
965 CVE-2021-23347 79 XSS 2021-03-03 2021-03-09
3.5
None Remote Medium ??? None Partial None
The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.
966 CVE-2021-23273 79 XSS 2021-03-09 2021-03-15
3.5
None Remote Medium ??? None Partial None
The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, and TIBCO Spotfire Server contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a stored Cross Site Scripting (XSS) attack on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 10.3.3 and below, versions 10.10.0, 10.10.1, and 10.10.2, versions 10.7.0, 10.8.0, 10.9.0, 11.0.0, and 11.1.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 11.1.0 and below, TIBCO Spotfire Desktop: versions 10.3.3 and below, versions 10.10.0, 10.10.1, and 10.10.2, versions 10.7.0, 10.8.0, 10.9.0, 11.0.0, and 11.1.0, and TIBCO Spotfire Server: versions 10.3.11 and below, versions 10.10.0, 10.10.1, 10.10.2, and 10.10.3, versions 10.7.0, 10.8.0, 10.8.1, 10.9.0, 11.0.0, and 11.1.0.
967 CVE-2021-23272 79 XSS 2021-01-26 2021-02-03
3.5
None Remote Medium ??? None Partial None
The Application Development Clients component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Cross Site Scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.0 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.0 and below.
968 CVE-2021-23230 89 Sql 2021-06-11 2021-06-22
3.5
None Remote Medium ??? None Partial None
A SQL Injection vulnerability in the OPCUA interface of Gallagher Command Centre allows a remote unprivileged Command Centre Operator to modify Command Centre databases undetected. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions.
969 CVE-2021-23046 532 2021-09-14 2021-09-24
3.5
None Remote Medium ??? Partial None None
On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
970 CVE-2021-23038 79 XSS 2021-09-14 2021-09-27
3.5
None Remote Medium ??? None Partial None
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
971 CVE-2021-22983 79 XSS 2021-02-12 2021-02-18
3.5
None Remote Medium ??? None Partial None
On BIG-IP AFM version 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.5, authenticated users accessing the Configuration utility for AFM are vulnerable to a cross-site scripting attack if they attempt to access a maliciously-crafted URL. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
972 CVE-2021-22929 532 2021-08-31 2021-09-10
3.6
None Local Low Not required Partial Partial None
An information disclosure exists in Brave Browser Desktop prior to version 1.28.62, where logged warning messages that included timestamps of connections to V2 onion domains in tor.log.
973 CVE-2021-22878 79 XSS 2021-03-03 2021-07-09
3.5
None Remote Medium ??? None Partial None
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.
974 CVE-2021-22871 79 XSS 2021-01-26 2021-02-01
3.5
None Remote Medium ??? None Partial None
Revive Adserver before 5.1.0 permits any user with a manager account to store possibly malicious content in the URL website property, which is then displayed unsanitized in the affiliate-preview.php tag generation screen, leading to a persistent cross-site scripting (XSS) vulnerability.
975 CVE-2021-22849 79 XSS 2021-01-22 2021-01-28
3.5
None Remote Medium ??? None Partial None
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
976 CVE-2021-22784 306 2021-07-21 2021-11-30
3.5
None Remote Medium ??? None Partial None
A CWE-306: Missing Authentication for Critical Function vulnerability exists in C-Bus Toolkit v1.15.8 and prior that could allow an attacker to use a crafted webpage to obtain remote access to the system.
977 CVE-2021-22780 522 Bypass 2021-07-14 2021-07-26
3.6
None Local Low Not required Partial Partial None
Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause unauthorized access to a project file protected by a password when this file is shared with untrusted sources. An attacker may bypass the password protection and be able to view and modify a project file.
978 CVE-2021-22778 522 2021-07-14 2021-07-26
3.6
None Local Low Not required Partial Partial None
Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause protected derived function blocks to be read or modified by unauthorized users when accessing a project file.
979 CVE-2021-22722 79 XSS 2021-07-21 2021-07-27
3.5
None Remote Medium ??? None Partial None
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Stored Cross-site Scripting') vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could cause code injection when importing a CSV file or changing station parameters.
980 CVE-2021-22701 352 CSRF 2021-02-19 2021-02-26
3.5
None Remote Medium ??? None Partial None
A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when using the HTTP web interface.
981 CVE-2021-22563 125 2021-11-01 2021-11-03
3.6
None Local Low Not required None Partial Partial
Invalid JPEG XL images using libjxl can cause an out of bounds access on a std::vector<std::vector<T>> when rendering splines. The OOB read access can either lead to a segfault, or rendering splines based on other process memory. It is recommended to upgrade past 0.6.0 or patch with https://github.com/libjxl/libjxl/pull/757
982 CVE-2021-22528 79 XSS 2021-09-13 2021-09-22
3.5
None Remote Medium ??? None Partial None
Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4
983 CVE-2021-22499 79 XSS 2021-02-06 2021-02-08
3.5
None Remote Medium ??? None Partial None
Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow persistent XSS attack.
984 CVE-2021-22469 125 2021-10-28 2021-11-01
3.6
None Local Low Not required Partial None Partial
A component of the HarmonyOS has a Out-of-bounds Read vulnerability. Local attackers may exploit this vulnerability to cause kernel out-of-bounds read.
985 CVE-2021-22410 79 XSS 2021-11-23 2021-11-24
3.5
None Remote Medium ??? None Partial None
There is a XSS injection vulnerability in iMaster NCE-Fabric V100R019C10. A module of the client does not verify the input sufficiently. Attackers can exploit this vulnerability by modifying input after logging onto the client. This may compromise the normal service of the client.
986 CVE-2021-22409 755 DoS 2021-05-20 2021-05-26
3.5
None Remote Medium ??? None None Partial
There is a denial of service vulnerability in some versions of ManageOne. There is a logic error in the implementation of a function of a module. When the service pressure is heavy, there is a low probability that an exception may occur. Successful exploit may cause some services abnormal.
987 CVE-2021-22378 362 2021-06-22 2021-06-29
3.5
None Remote Medium ??? None None Partial
There is a race condition vulnerability in eCNS280_TD V100R005C00 and V100R005C10. There is a timing window exists in which the database can be operated by another thread that is operating concurrently. Successful exploit may cause the affected device abnormal.
988 CVE-2021-22339 345 DoS 2021-05-20 2021-05-26
3.5
None Remote Medium ??? None None Partial
There is a denial of service vulnerability in some versions of ManageOne. In specific scenarios, due to the insufficient verification of the parameter, an attacker may craft some specific parameter. Successful exploit may cause some services abnormal.
989 CVE-2021-22334 863 2021-06-03 2021-06-10
3.3
None Local Network Low Not required None Partial None
There is an Improper Access Control vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause app redirections.
990 CVE-2021-22302 125 2021-02-06 2021-02-10
3.6
None Local Low Not required Partial None Partial
There is an out-of-bound read vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1). A module does not verify the some input. Attackers can exploit this vulnerability by sending malicious input through specific app. This could cause out-of-bound, compromising normal service.
991 CVE-2021-22261 79 Exec Code XSS 2021-10-05 2021-10-08
3.5
None Remote Medium ??? None Partial None
A stored Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses
992 CVE-2021-22260 79 Exec Code XSS 2021-11-05 2021-11-05
3.5
None Remote Medium ??? None Partial None
A stored Cross-Site Scripting vulnerability in the DataDog integration in GitLab CE/EE version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf
993 CVE-2021-22254 116 2021-08-20 2021-08-26
3.5
None Remote Medium ??? Partial None None
Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9.
994 CVE-2021-22242 79 XSS 2021-08-25 2021-08-31
3.5
None Remote Medium ??? None Partial None
Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown
995 CVE-2021-22241 79 XSS 2021-08-05 2021-08-12
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name.
996 CVE-2021-22238 79 XSS 2021-08-20 2021-08-26
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues.
997 CVE-2021-22232 74 2021-07-06 2021-07-08
3.5
None Remote Medium ??? None Partial None
HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
998 CVE-2021-22225 79 XSS 2021-07-07 2021-07-09
3.5
None Remote Medium ??? None Partial None
Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown
999 CVE-2021-22211 863 2021-05-06 2021-05-13
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
1000 CVE-2021-22199 79 XSS 2021-04-22 2021-04-30
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.