CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2021-37391 79 Exec Code XSS 2021-08-10 2021-08-19
3.5
None Remote Medium ??? None Partial None
A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature.
202 CVE-2021-37330 79 XSS 2021-10-04 2021-10-12
3.5
None Remote Medium ??? None Partial None
Laravel Booking System Booking Core 2.0 is vulnerable to Cross Site Scripting (XSS). The Avatar upload in the My Profile section could be exploited to upload a malicious SVG file which contains Javascript. Now if another user/admin views the profile and clicks to view his avatar, an XSS will trigger.
203 CVE-2021-37271 79 XSS +Info 2021-09-28 2021-10-01
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability exists in UEditor v1.4.3.3, which can be exploited by an attacker to obtain user cookie information.
204 CVE-2021-37211 79 XSS 2021-08-09 2021-08-17
3.5
None Remote Medium ??? None Partial None
The bulletin function of Flygo does not filter special characters while a new announcement is added. Remoter attackers can use the vulnerability with general user’s credential to inject JavaScript and execute stored XSS attacks.
205 CVE-2021-37193 471 2021-09-14 2021-09-23
3.3
None Local Network Low Not required None Partial None
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could manipulate certain parameters and set a valid user of the affected software as invalid (or vice-versa).
206 CVE-2021-37192 200 +Info 2021-09-14 2021-09-23
3.3
None Local Network Low Not required Partial None None
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software has an information disclosure vulnerability that could allow an attacker to retrieve a list of network devices a known user can manage.
207 CVE-2021-37191 799 2021-09-14 2021-09-23
3.3
None Local Network Low Not required Partial None None
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could brute force the usernames from the affected software.
208 CVE-2021-37190 200 +Info 2021-09-14 2021-09-23
3.3
None Local Network Low Not required Partial None None
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software has an information disclosure vulnerability that could allow an attacker to retrieve VPN connection for a known user.
209 CVE-2021-37183 284 2021-09-14 2021-09-23
3.3
None Local Network Low Not required None None Partial
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software allows sending send-to-sleep notifications to the managed devices. An unauthenticated attacker in the same network of the affected system can abuse these notifications to cause a Denial-of-Service condition in the managed devices.
210 CVE-2021-37177 471 2021-09-14 2021-09-23
3.3
None Local Network Low Not required None Partial None
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The status provided by the syslog clients managed by the affected software can be manipulated by an unauthenticated attacker in the same network of the affected system.
211 CVE-2021-37152 79 XSS 2021-08-10 2021-08-16
3.5
None Remote Medium ??? None Partial None
Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 before 3.33.0. An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager’s pages with code modifications.
212 CVE-2021-37124 22 Dir. Trav. 2021-10-27 2021-10-28
3.3
None Local Network Low Not required None Partial None
There is a path traversal vulnerability in Huawei PC product. Because the product does not filter path with special characters,attackers can construct a file path with special characters to exploit this vulnerability. Successful exploitation could allow the attacker to transport a file to certain path.Affected product versions include:PC Smart Full Scene 11.1 versions PCManager 11.1.1.97.
213 CVE-2021-37122 416 2021-10-27 2021-10-28
3.3
None Local Network Low Not required None None Partial
There is a use-after-free (UAF) vulnerability in Huawei products. An attacker may craft specific packets to exploit this vulnerability. Successful exploitation may cause the service abnormal. Affected product versions include:CloudEngine 12800 V200R005C10SPC800,V200R019C00SPC800;CloudEngine 5800 V200R005C10SPC800,V200R019C00SPC800;CloudEngine 6800 V200R005C10SPC800,V200R005C20SPC800,V200R019C00SPC800;CloudEngine 7800 V200R005C10SPC800,V200R019C00SPC800.
214 CVE-2021-36961 DoS 2021-09-15 2021-09-24
3.6
None Local Low Not required None Partial Partial
Windows Installer Denial of Service Vulnerability
215 CVE-2021-36950 79 XSS 2021-08-12 2021-08-20
3.5
None Remote Medium ??? None Partial None
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
216 CVE-2021-36946 79 XSS 2021-08-12 2021-08-20
3.5
None Remote Medium ??? None Partial None
Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
217 CVE-2021-36919 79 XSS 2021-11-26 2021-12-02
3.5
None Remote Medium ??? None Partial None
Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in WordPress Awesome Support plugin (versions <= 6.0.6), vulnerable parameters (&id, &assignee).
218 CVE-2021-36884 79 XSS 2021-11-19 2021-11-24
3.5
None Remote Medium ??? None Partial None
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered in WordPress Backup Migration plugin <= 1.1.5 versions.
219 CVE-2021-36875 79 XSS 2021-09-27 2021-10-01
3.5
None Remote Medium ??? None Partial None
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability in WordPress uListing plugin (versions <= 2.0.5). Vulnerable parameters: &filter[id], &filter[user], &filter[expired_date], &filter[created_date], &filter[updated_date].
220 CVE-2021-36873 79 XSS 2021-09-23 2021-09-29
3.5
None Remote Medium ??? None Partial None
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage.
221 CVE-2021-36872 79 XSS 2021-09-23 2021-09-29
3.5
None Remote Medium ??? None Partial None
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress Popular Posts plugin (versions <= 5.3.3). Vulnerable at &widget-wpp[2][post_type].
222 CVE-2021-36871 79 XSS 2021-09-09 2021-09-17
3.5
None Remote Medium ??? None Partial None
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps Pro premium plugin (versions <= 8.1.11). Vulnerable parameters: &wpgmaps_marker_category_name, Value > &attributes[], Name > &attributes[], &icons[], &names[], &description, &link, &title.
223 CVE-2021-36870 79 XSS 2021-09-09 2021-09-17
3.5
None Remote Medium ??? None Partial None
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address.
224 CVE-2021-36845 79 XSS 2021-09-27 2021-10-12
3.5
None Remote Medium ??? None Partial None
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. Vulnerable parameters: 1 - "Newsletter" tab, &yith_maintenance_newsletter_submit_label parameter: payload should start with a single quote (') symbol to break the context, i.e.: NOTIFY ME' autofocus onfocus=alert(/Visse/);// v=' - this payload will be auto triggered while admin visits this page/tab. 2 - "General" tab issues, vulnerable parameters: &yith_maintenance_message, &yith_maintenance_custom_style, &yith_maintenance_mascotte, &yith_maintenance_title_font[size], &yith_maintenance_title_font[family], &yith_maintenance_title_font[color], &yith_maintenance_paragraph_font[size], &yith_maintenance_paragraph_font[family], &yith_maintenance_paragraph_font[color], &yith_maintenance_border_top. 3 - "Background" tab issues, vulnerable parameters: &yith_maintenance_background_image, &yith_maintenance_background_color. 4 - "Logo" tab issues, vulnerable parameters: &yith_maintenance_logo_image, &yith_maintenance_logo_tagline, &yith_maintenance_logo_tagline_font[size], &yith_maintenance_logo_tagline_font[family], &yith_maintenance_logo_tagline_font[color]. 5 - "Newsletter" tab issues, vulnerable parameters: &yith_maintenance_newsletter_email_font[size], &yith_maintenance_newsletter_email_font[family], &yith_maintenance_newsletter_email_font[color], &yith_maintenance_newsletter_submit_font[size], &yith_maintenance_newsletter_submit_font[family], &yith_maintenance_newsletter_submit_font[color], &yith_maintenance_newsletter_submit_background, &yith_maintenance_newsletter_submit_background_hover, &yith_maintenance_newsletter_title, &yith_maintenance_newsletter_action, &yith_maintenance_newsletter_email_label, &yith_maintenance_newsletter_email_name, &yith_maintenance_newsletter_submit_label, &yith_maintenance_newsletter_hidden_fields. 6 - "Socials" tab issues, vulnerable parameters: &yith_maintenance_socials_facebook, &yith_maintenance_socials_twitter, &yith_maintenance_socials_gplus, &yith_maintenance_socials_youtube, &yith_maintenance_socials_rss, &yith_maintenance_socials_skype, &yith_maintenance_socials_email, &yith_maintenance_socials_behance, &yith_maintenance_socials_dribble, &yith_maintenance_socials_flickr, &yith_maintenance_socials_instagram, &yith_maintenance_socials_pinterest, &yith_maintenance_socials_tumblr, &yith_maintenance_socials_linkedin.
225 CVE-2021-36843 79 XSS 2021-11-26 2021-11-26
3.5
None Remote Medium ??? None Partial None
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Floating Social Media Icon plugin (versions <= 4.3.5) Social Media Configuration form. Requires high role user like admin.
226 CVE-2021-36841 79 XSS 2021-09-27 2021-09-30
3.5
None Remote Medium ??? None Partial None
Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7, vulnerable parameter &yith_maintenance_newsletter_submit_label. Possible even when unfiltered HTML is disallowed by WordPress configuration.
227 CVE-2021-36832 79 XSS 2021-10-19 2021-10-22
3.5
None Remote Medium ??? None Partial None
WordPress Popups, Welcome Bar, Optins and Lead Generation Plugin – Icegram (versions <= 2.0.2) vulnerable at "Headline" (&message_data[16][headline]) input.
228 CVE-2021-36823 79 XSS 2021-09-23 2021-09-29
3.5
None Remote Medium ??? None Partial None
Authenticated Stored Cross-Site Scripting (XSS) vulnerability in WordPress Absolutely Glamorous Custom Admin plugin (versions <= 6.8). Stored XSS possible via unsanitized input fields of the plugin settings, some of the payloads could make the frontend and the backend inaccessible.
229 CVE-2021-36805 79 XSS 2021-08-04 2021-08-11
3.5
None Remote Medium ??? None Partial None
Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in the sales invoice processing component of the application. This issue was fixed in version 2.1.13 of the product.
230 CVE-2021-36803 79 XSS 2021-08-04 2021-08-11
3.5
None Remote Medium ??? None Partial None
Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 2.1.13 of the product.
231 CVE-2021-36788 79 XSS 2021-08-13 2021-08-20
3.5
None Remote Medium ??? None Partial None
The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3 allows XSS.
232 CVE-2021-36787 79 XSS 2021-08-13 2021-08-23
3.5
None Remote Medium ??? None Partial None
The femanager extension before 5.5.1 and 6.x before 6.3.1 for TYPO3 allows XSS via a crafted SVG document.
233 CVE-2021-36785 79 XSS 2021-08-13 2021-08-20
3.5
None Remote Medium ??? None Partial None
The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows XSS.
234 CVE-2021-36747 79 XSS 2021-07-20 2021-07-23
3.5
None Remote Medium ??? None Partial None
Blackboard Learn through 9.1 allows XSS by an authenticated user via the Feedback to Learner form.
235 CVE-2021-36746 79 XSS 2021-07-20 2021-07-23
3.5
None Remote Medium ??? None Partial None
Blackboard Learn through 9.1 allows XSS by an authenticated user via the Assignment Instructions HTML editor.
236 CVE-2021-36698 79 XSS 2021-11-03 2021-11-04
3.5
None Remote Medium ??? None Partial None
Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name.
237 CVE-2021-36696 79 XSS 2021-09-07 2021-09-13
3.5
None Remote Medium ??? None Partial None
Deskpro cloud and on-premise Deskpro 2021.1.6 and fixed in Deskpro 2021.1.7 contains a cross-site scripting (XSS) vulnerability in social media links on a user profile due to lack of input validation.
238 CVE-2021-36695 79 XSS 2021-09-08 2021-09-14
3.5
None Remote Medium ??? None Partial None
Deskpro cloud and on-premise Deskpro 2021.1.6 and fixed in Deskpro 2021.1.7 contains a cross-site scripting (XSS) vulnerability in the download file feature on a manager profile due to lack of input validation.
239 CVE-2021-36654 79 XSS 2021-08-03 2021-08-11
3.5
None Remote Medium ??? None Partial None
CMSuno 1.7 is vulnerable to an authenticated stored cross site scripting in modifying the filename parameter (tgo) while updating the theme.
240 CVE-2021-36605 79 Exec Code XSS 2021-07-30 2021-08-02
3.5
None Remote Medium ??? None Partial None
engineercms 1.03 is vulnerable to Cross Site Scripting (XSS). There is no escaping in the nickname field on the user list page. When viewing this page, the JavaScript code will be executed in the user's browser.
241 CVE-2021-36563 79 XSS 2021-07-26 2021-09-16
3.5
None Remote Medium ??? None Partial None
The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts), the XSS payload will be triggered when the user accesses some specific sections of the application. In the same sense a very dangerous potential way would be when an attacker who has the monitor role (not administrator) manages to get a stored XSS to steal the secretAutomation (for the use of the API in administrator mode) and thus be able to create another administrator user who has high privileges on the CheckMK monitoring web console. Another way is that persistent XSS allows an attacker to modify the displayed content or change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session.
242 CVE-2021-36551 79 XSS 2021-10-28 2021-11-02
3.5
None Remote Medium ??? None Partial None
TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module.
243 CVE-2021-36550 79 XSS 2021-10-28 2021-11-02
3.5
None Remote Medium ??? None Partial None
TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module.
244 CVE-2021-36454 79 XSS 2021-08-06 2021-08-12
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons.php, 6) feeds\feeds.php, 7) functions\functions.php, 8) items\items.php, 9) menus\menus.php, 10) orders\orders.php, 11) payment_methods\payment_methods.php, 12) products\products.php, 13) profiles\profiles.php, 14) shipping_methods\shipping_methods.php, 15) templates\templates.php, 16) users\users.php, 17) webdictionary\webdictionary.php, 18) websites\websites.php, and 19) webusers\webusers.php because the initial_url function is built in these files.
245 CVE-2021-36387 79 XSS 2021-10-14 2021-10-20
3.5
None Remote Medium ??? None Partial None
In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".
246 CVE-2021-36352 79 XSS 2021-08-26 2021-09-01
3.5
None Remote Medium ??? None Partial None
Stored cross-site scripting (XSS) vulnerability in Care2x Hospital Information Management 2.7 Alpha. The vulnerability has found POST requests in /modules/registration_admission/patient_register.php page with "name_middle", "addr_str", "station", "name_maiden", "name_2", "name_3" parameters.
247 CVE-2021-36286 22 Dir. Trav. 2021-09-28 2021-10-01
3.6
None Local Low Not required None Partial Partial
Dell SupportAssist Client Consumer versions 3.9.13.0 and any versions prior to 3.9.13.0 contain an arbitrary file deletion vulnerability that can be exploited by using the Windows feature of NTFS called Symbolic links. Symbolic links can be created by any(non-privileged) user under some object directories, but by themselves are not sufficient to successfully escalate privileges. However, combining them with a different object, such as the NTFS junction point allows for the exploitation. Support assist clean files functionality do not distinguish junction points from the physical folder and proceeds to clean the target of the junction that allows nonprivileged users to create junction points and delete arbitrary files on the system which can be accessed only by the admin.
248 CVE-2021-36181 362 2021-11-02 2021-11-04
3.5
None Remote Medium ??? None Partial None
A concurrent execution using shared resource with improper Synchronization vulnerability ('Race Condition') in the customer database interface of FortiPortal before 6.0.6 may allow an authenticated, low-privilege user to bring the underlying database data into an inconsistent state via specific coordination of web requests.
249 CVE-2021-36175 79 XSS 2021-10-06 2021-10-14
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device.
250 CVE-2021-36134 787 DoS 2021-09-27 2021-10-04
3.3
None Local Network Low Not required None None Partial
Out of bounds write vulnerability in the JPEG parsing code of Netop Vision Pro up to and including 9.7.2 allows an adjacent unauthenticated attacker to write to arbitrary memory potentially leading to a Denial of Service (DoS).
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.