CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1051 CVE-2021-21325 79 XSS 2021-03-08 2021-03-17
3.5
None Remote Medium ??? None Partial None
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 a new budget type can be defined by user. This input is not correctly filtered. This results in a cross-site scripting attack. To exploit this endpoint attacker need to be authenticated. This is fixed in version 9.5.4.
1052 CVE-2021-21319 79 Exec Code XSS 2021-10-25 2021-10-28
3.5
None Remote Medium ??? None Partial None
Galette is a membership management web application geared towards non profit organizations. In versions prior to 0.9.5, malicious javascript code can be stored to be displayed later on self subscription page. The self subscription feature can be disabled as a workaround (this is the default state). Malicious javascript code can be executed (not stored) on login and retrieve password pages. This issue is patched in version 0.9.5.
1053 CVE-2021-21314 79 XSS 2021-03-03 2021-03-09
3.5
None Remote Medium ??? None Partial None
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.
1054 CVE-2021-21312 79 XSS 2021-03-03 2021-03-10
3.5
None Remote Medium ??? None Partial None
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or /front/document.form.php endpoint), indeed one of the form field: "Web Link" is not properly sanitized and a malicious user (who has document upload rights) can use it to deliver JavaScript payload. For example if you use the following payload: " accesskey="x" onclick="alert(1)" x=", the content will be saved within the database without any control. And then once you return to the summary documents page, by clicking on the "Web Link" of the newly created file it will create a new empty tab, but on the initial tab the pop-up "1" will appear.
1055 CVE-2021-21298 22 Dir. Trav. 2021-02-26 2021-03-10
3.5
None Remote Medium ??? Partial None None
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor.
1056 CVE-2021-21283 79 XSS 2021-01-26 2021-02-04
3.5
None Remote Medium ??? None Partial None
Flarum is an open source discussion platform for websites. The "Flarum Sticky" extension versions 0.1.0-beta.14 and 0.1.0-beta.15 has a cross-site scripting vulnerability. A change in release beta 14 of the Sticky extension caused the plain text content of the first post of a pinned discussion to be injected as HTML on the discussion list. The issue was discovered following an internal audit. Any HTML would be injected through the m.trust() helper. This resulted in an HTML injection where <script> tags would not be executed. However it was possible to run javascript from other HTML attributes, enabling a cross-site scripting (XSS) attack to be performed. Since the exploit only happens with the first post of a pinned discussion, an attacker would need the ability to pin their own discussion, or be able to edit a discussion that was previously pinned. On forums where all pinned posts are authored by your staff, you can be relatively certain the vulnerability has not been exploited. Forums where some user-created discussions were pinned can look at the first post edit date to find whether the vulnerability might have been exploited. Because Flarum doesn't store the post content history, you cannot be certain if a malicious edit was reverted. The fix will be available in version v0.1.0-beta.16 with Flarum beta 16. The fix has already been back-ported to Flarum beta 15 as version v0.1.0-beta.15.1 of the Sticky extension. Forum administrators can disable the Sticky extension until they are able to apply the update. The vulnerability cannot be exploited while the extension is disabled.
1057 CVE-2021-21260 79 XSS CSRF 2021-01-22 2021-01-29
3.5
None Remote Medium ??? None Partial None
Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.
1058 CVE-2021-21258 79 XSS 2021-03-02 2021-03-09
3.5
None Remote Medium ??? None Partial None
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using ajax/kanban.php. This is fixed in version 9.5.4.
1059 CVE-2021-21255 862 2021-03-02 2021-03-09
3.5
None Remote Medium ??? Partial None None
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.
1060 CVE-2021-21087 79 Exec Code XSS 2021-04-15 2021-07-02
3.5
None Remote Medium ??? None Partial None
Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in context of the current user. Exploitation of this issue requires user interaction.
1061 CVE-2021-21029 79 XSS 2021-02-11 2021-06-11
3.5
None Remote Medium ??? None Partial None
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.
1062 CVE-2021-21023 79 XSS 2021-02-11 2021-02-16
3.5
None Remote Medium ??? None Partial None
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.
1063 CVE-2021-20862 863 Bypass CSRF 2021-12-01 2021-12-02
3.3
None Local Network Low Not required None Partial None
Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent unauthenticated attacker to bypass access restriction, and to obtain anti-CSRF tokens and change the product's settings via unspecified vectors.
1064 CVE-2021-20858 79 XSS 2021-12-01 2021-12-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I firmware v1.20 and prior allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1065 CVE-2021-20857 79 XSS 2021-12-01 2021-12-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I firmware v1.20 and prior allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1066 CVE-2021-20856 79 XSS 2021-12-01 2021-12-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1067 CVE-2021-20855 79 XSS 2021-12-01 2021-12-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1068 CVE-2021-20844 116 +Info 2021-11-24 2021-11-30
3.5
None Remote Medium ??? Partial None None
Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive information via a specially crafted web page.
1069 CVE-2021-20843 829 2021-11-24 2021-11-30
3.5
None Remote Medium ??? None Partial None
Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to alter the settings of the product via a specially crafted web page.
1070 CVE-2021-20805 79 XSS 2021-10-13 2021-10-19
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.7 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1071 CVE-2021-20800 79 XSS 2021-10-13 2021-10-19
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1072 CVE-2021-20799 79 XSS 2021-10-13 2021-10-19
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1073 CVE-2021-20798 79 XSS 2021-10-13 2021-10-19
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1074 CVE-2021-20797 79 XSS +Info 2021-10-13 2021-10-19
3.5
None Remote Medium ??? None Partial None
Cross-site script inclusion vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to obtain the information stored in the product. This issue occurs only when using Mozilla Firefox.
1075 CVE-2021-20787 79 XSS 2021-07-30 2021-08-06
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to inject an arbitrary script by sending a specially crafted request to a specific URL.
1076 CVE-2021-20785 79 XSS 2021-07-30 2021-08-06
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to inject an arbitrary script by sending a specially crafted request to a specific URL.
1077 CVE-2021-20774 79 XSS 2021-08-18 2021-08-24
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in some functions of E-mail of Cybozu Garoon 4.0.0 to 5.5.0 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1078 CVE-2021-20770 79 XSS 2021-08-18 2021-08-24
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Message of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1079 CVE-2021-20769 79 XSS 2021-08-18 2021-08-24
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Bulletin of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1080 CVE-2021-20767 79 XSS 2021-08-18 2021-08-24
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Full Text Search of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1081 CVE-2021-20761 20 2021-08-18 2021-08-24
3.5
None Remote Medium ??? None Partial None
Improper input validation vulnerability in E-mail of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote attacker with an administrative privilege to alter the data of E-mail without the appropriate privilege.
1082 CVE-2021-20753 79 XSS 2021-08-18 2021-08-24
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1083 CVE-2021-20749 79 XSS 2021-06-28 2021-07-07
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Fudousan plugin ver5.7.0 and earlier, Fudousan Plugin Pro Single-User Type ver5.7.0 and earlier, and Fudousan Plugin Pro Multi-User Type ver5.7.0 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1084 CVE-2021-20746 79 XSS 2021-06-28 2021-09-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in WordPress Popular Posts 5.3.2 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
1085 CVE-2021-20738 +Info 2021-07-07 2021-07-14
3.3
None Local Network Low Not required Partial None None
WRC-1167FS-W, WRC-1167FS-B, and WRC-1167FSA all versions allow an unauthenticated network-adjacent attacker to obtain sensitive information via unspecified vectors.
1086 CVE-2021-20730 +Info 2021-06-09 2021-06-17
3.3
None Local Network Low Not required Partial None None
Improper access control vulnerability in WSR-1166DHP3 firmware Ver.1.16 and prior and WSR-1166DHP4 firmware Ver.1.02 and prior allows an attacker to obtain configuration information via unspecified vectors.
1087 CVE-2021-20683 79 XSS 2021-03-26 2021-03-29
3.5
None Remote Medium ??? None Partial None
Improper neutralization of JavaScript input in the blog article editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors.
1088 CVE-2021-20681 79 XSS 2021-03-26 2021-03-29
3.5
None Remote Medium ??? None Partial None
Improper neutralization of JavaScript input in the page editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors.
1089 CVE-2021-20677 DoS 2021-03-26 2021-04-02
3.5
None Remote Medium ??? None None Partial
UNIVERGE Aspire series PBX (UNIVERGE Aspire WX from 1.00 to 3.51, UNIVERGE Aspire UX from 1.00 to 9.70, UNIVERGE SV9100 from 1.00 to 10.70, and SL2100 from 1.00 to 3.00) allows a remote authenticated attacker to cause system down and a denial of service (DoS) condition by sending a specially crafted command.
1090 CVE-2021-20673 79 XSS 2021-03-10 2021-03-17
3.5
None Remote Medium ??? None Partial None
Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors.
1091 CVE-2021-20667 79 XSS 2021-03-10 2021-03-15
3.5
None Remote Medium ??? None Partial None
Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content.
1092 CVE-2021-20654 79 XSS 2021-02-10 2021-02-16
3.5
None Remote Medium ??? None Partial None
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. This is named 'Fieldbleed' in the vendor's site.
1093 CVE-2021-20635 307 2021-02-12 2021-02-18
3.3
None Local Network Low Not required Partial None None
Improper restriction of excessive authentication attempts in LOGITEC LAN-WH450N/GR allows an attacker in the wireless range of the device to recover PIN and access the network.
1094 CVE-2021-20579 200 +Info 2021-06-24 2021-09-20
3.5
None Remote Medium ??? Partial None None
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user who can create a view or inline SQL function to obtain sensitive information when AUTO_REVAL is set to DEFFERED_FORCE. IBM X-Force ID: 199283.
1095 CVE-2021-20571 79 XSS 2021-10-07 2021-10-15
3.5
None Remote Medium ??? None Partial None
IBM Sterling B2B Integrator 5.2.0.0 through 6.1.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199246.
1096 CVE-2021-20562 79 XSS 2021-07-27 2021-11-28
3.5
None Remote Medium ??? None Partial None
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_3 and 6.1.0.0 through 6.1.0.2 vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199232.
1097 CVE-2021-20559 79 XSS 2021-05-10 2021-05-14
3.5
None Remote Medium ??? None Partial None
IBM Control Desk 7.6.1.2 and 7.6.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199228.
1098 CVE-2021-20550 79 XSS 2021-04-27 2021-05-03
3.5
None Remote Medium ??? None Partial None
IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199168.
1099 CVE-2021-20549 79 XSS 2021-04-27 2021-05-03
3.5
None Remote Medium ??? None Partial None
IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199167.
1100 CVE-2021-20528 79 XSS 2021-05-19 2021-05-25
3.5
None Remote Medium ??? None Partial None
IBM Control Center 6.2.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198761.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.