CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
401 CVE-2021-31583 79 XSS 2021-04-23 2021-09-07
3.5
None Remote Medium ??? None Partial None
Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang).
402 CVE-2021-31550 79 XSS 2021-04-22 2021-04-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers.
403 CVE-2021-31540 732 2021-04-23 2021-12-03
3.6
None Local Low Not required Partial Partial None
Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.
404 CVE-2021-31521 79 XSS 2021-06-17 2021-06-21
3.5
None Remote Medium ??? None Partial None
Trend Micro InterScan Web Security Virtual Appliance version 6.5 was found to have a reflected cross-site scripting (XSS) vulnerability in the product's Captive Portal.
405 CVE-2021-31408 613 CSRF 2021-04-23 2021-05-04
3.3
None Local Medium Not required Partial Partial None
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
406 CVE-2021-31373 79 XSS 2021-10-19 2021-10-27
3.5
None Remote Medium ??? None Partial None
A persistent Cross-Site Scripting (XSS) vulnerability in Juniper Networks Junos OS on SRX Series, J-Web interface may allow a remote authenticated user to inject persistent and malicious scripts. An attacker can exploit this vulnerability to steal sensitive data and credentials from a web administration session, or hijack another user's active session to perform administrative actions. This issue affects: Juniper Networks Junos OS on SRX Series: 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3-S1; 20.3 versions prior to 20.3R2-S1, 20.3R3.
407 CVE-2021-31370 DoS 2021-10-19 2021-10-25
3.3
None Local Network Low Not required None None Partial
An Incomplete List of Disallowed Inputs vulnerability in Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on QFX5000 Series and EX4600 Series allows an adjacent unauthenticated attacker which sends a high rate of specific multicast traffic to cause control traffic received from the network to be dropped. This will impact control protocols (including but not limited to routing-protocols) and lead to a Denial of Service (DoS). Continued receipt of this specific multicast traffic will create a sustained Denial of Service (DoS) condition. This issue affects Juniper Networks Junos OS on QFX5000 and EX4600 Series: All versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R3-S5; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S6; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R1-S4, 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2.
408 CVE-2021-31366 252 DoS 2021-10-19 2021-10-25
3.3
None Local Network Low Not required None None Partial
An Unchecked Return Value vulnerability in the authd (authentication daemon) of Juniper Networks Junos OS on MX Series configured for subscriber management / BBE allows an adjacent attacker to cause a crash by sending a specific username. This impacts authentication, authorization, and accounting (AAA) services on the MX devices and leads to a Denial of Service (DoS) condition. Continued receipted of these PPP login request will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S6; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S1; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2.
409 CVE-2021-31363 835 DoS 2021-10-19 2021-10-25
3.3
None Local Network Low Not required None None Partial
In an MPLS P2MP environment a Loop with Unreachable Exit Condition vulnerability in the routing protocol daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause high load on RPD which in turn may lead to routing protocol flaps. If a system with sensor-based-stats enabled receives a specific LDP FEC this can lead to the above condition. Continued receipted of such an LDP FEC will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS 19.2 version 19.2R2 and later versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S2; 20.1 versions prior to 20.1R2-S1, 20.1R3; 20.2 versions prior to 20.2R2-S1, 20.2R3; 20.3 versions prior to 20.3R1-S2, 20.3R2. This issue does not affect Juniper Networks Junos OS versions prior to 19.2R2. Juniper Networks Junos OS Evolved All versions prior to 20.1R2-S3-EVO; 20.3 versions prior to 20.3R1-S2-EVO.
410 CVE-2021-31362 DoS 2021-10-19 2021-10-25
3.3
None Local Network Low Not required None None Partial
A Protection Mechanism Failure vulnerability in RPD (routing protocol daemon) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent unauthenticated attacker to cause established IS-IS adjacencies to go down by sending a spoofed hello PDU leading to a Denial of Service (DoS) condition. Continued receipted of these spoofed PDUs will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS All versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2. Juniper Networks Junos OS Evolved All versions prior to 20.4R2-EVO; 21.1 versions prior to 21.1R2-EVO.
411 CVE-2021-31355 79 XSS 2021-10-19 2021-10-25
3.5
None Remote Medium ??? None Partial None
A persistent cross-site scripting (XSS) vulnerability in the captive portal graphical user interface of Juniper Networks Junos OS may allow a remote authenticated user to inject web script or HTML and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper Networks Junos OS: All versions, including the following supported releases: 12.3X48 versions prior to 12.3X48-D105; 15.1X49 versions prior to 15.1X49-D220; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S6; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R1-S1, 20.2R2; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2; 21.1 versions prior to 21.1R2.
412 CVE-2021-31329 79 XSS 2021-04-21 2021-04-22
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Chat" and "Personal Address" field on staff/register.php
413 CVE-2021-31327 79 XSS 2021-04-21 2021-04-22
3.5
None Remote Medium ??? None Partial None
Stored XSS in Remote Clinic v2.0 in /medicines due to Medicine Name Field.
414 CVE-2021-31274 79 Exec Code XSS 2021-09-08 2021-09-15
3.5
None Remote Medium ??? None Partial None
In LibreNMS < 21.3.0, a stored XSS vulnerability was identified in the API Access page due to insufficient sanitization of the $api->description variable. As a result, arbitrary Javascript code can get executed.
415 CVE-2021-31250 79 XSS 2021-06-04 2021-06-08
3.5
None Remote Medium ??? None Partial None
Multiple storage XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, ppp.cgi.
416 CVE-2021-30866 2021-08-24 2021-11-23
3.3
None Local Network Low Not required Partial None None
A user privacy issue was addressed by removing the broadcast MAC address. This issue is fixed in tvOS 15, watchOS 8, iOS 15 and iPadOS 15. A device may be passively tracked by its WiFi MAC address.
417 CVE-2021-30637 79 XSS 2021-04-13 2021-04-16
3.5
None Remote Medium ??? None Partial None
htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php.
418 CVE-2021-30496 DoS 2021-04-20 2021-04-24
3.5
None Remote Medium ??? None None Partial
The Telegram app 7.6.2 for iOS allows remote authenticated users to cause a denial of service (application crash) if the victim pastes an attacker-supplied message (e.g., in the Persian language) into a channel or group. The crash occurs in MtProtoKitFramework.
419 CVE-2021-30306 125 2021-10-20 2021-10-26
3.6
None Local Low Not required Partial None Partial
Possible buffer over read due to improper buffer allocation for file length passed from user space in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile
420 CVE-2021-30297 120 2021-10-20 2021-10-26
3.6
None Local Low Not required Partial None Partial
Possible out of bound read due to improper validation of packet length while handling data transfer in VR service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables
421 CVE-2021-30214 74 2021-05-12 2021-05-14
3.5
None Remote Medium ??? None Partial None
Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injection in '/knowage/restful-services/signup/update' via the 'name' parameter.
422 CVE-2021-30212 79 XSS 2021-05-12 2021-05-14
3.5
None Remote Medium ??? None Partial None
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/documentnotes/saveNote' via the 'nota' parameter.
423 CVE-2021-30211 79 XSS 2021-05-12 2021-05-14
3.5
None Remote Medium ??? None Partial None
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.
424 CVE-2021-30174 79 XSS 2021-05-11 2021-05-17
3.5
None Remote Medium ??? None Partial None
RiyaLab CloudISO event item is added, special characters in specific field of time management page are not properly filtered, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks.
425 CVE-2021-30172 79 XSS 2021-05-07 2021-05-14
3.5
None Remote Medium ??? None Partial None
Special characters of picture preview page in the Quan-Fang-Wei-Tong-Xun system are not filtered in users’ input, which allow remote authenticated attackers can inject malicious JavaScript and carry out Reflected XSS (Cross-site scripting) attacks, additionally access and manipulate customer’s information.
426 CVE-2021-30171 79 XSS 2021-05-07 2021-09-13
3.5
None Remote Medium ??? None Partial None
Special characters of ERP POS news page are not filtered in users’ input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer’s information.
427 CVE-2021-30170 79 XSS 2021-05-07 2021-09-13
3.5
None Remote Medium ??? None Partial None
Special characters of ERP POS customer profile page are not filtered in users’ input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer’s information.
428 CVE-2021-30162 Bypass 2021-04-06 2021-04-13
3.6
None Local Low Not required Partial Partial None
An issue was discovered on LG mobile devices with Android OS 4.4 through 11 software. Attackers can leverage ISMS services to bypass access control on specific content providers. The LG ID is LVE-SMP-210003 (April 2021).
429 CVE-2021-30146 79 XSS 2021-04-06 2021-04-12
3.5
None Remote Medium ??? None Partial None
Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality."
430 CVE-2021-30140 79 XSS 2021-04-06 2021-04-12
3.5
None Remote Medium ??? None Partial None
LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5.
431 CVE-2021-30119 79 XSS 2021-07-09 2021-07-12
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) exists in Kaseya VSA before 9.5.7.
432 CVE-2021-30111 79 Exec Code XSS 2021-04-08 2021-04-13
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in the event name and description fields. An attack can inject a JavaScript code that will be stored in the page. If any visitor sees the events, then the payload will be executed.
433 CVE-2021-30057 74 2021-04-05 2021-04-08
3.5
None Remote Medium ??? None Partial None
A stored HTML injection vulnerability exists in Knowage Suite version 7.1. An attacker can inject arbitrary HTML in "/restful-services/2.0/analyticalDrivers" via the 'LABEL' and 'NAME' parameters.
434 CVE-2021-30056 79 XSS 2021-04-05 2021-04-08
3.5
None Remote Medium ??? None Partial None
Knowage Suite before 7.4 is vulnerable to reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in /restful-services/publish via the 'EXEC_FROM' parameter that can lead to data leakage.
435 CVE-2021-30044 79 XSS 2021-04-13 2021-08-27
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the First Name or Last Name field on staff/register.php.
436 CVE-2021-30042 79 XSS 2021-04-13 2021-08-27
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Clinic Name", "Clinic Address", "Clinic City", or "Clinic Contact" field on clinics/register.php
437 CVE-2021-30039 79 XSS 2021-04-13 2021-08-27
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Fever" or "Blood Pressure" field on the patients/register-report.php.
438 CVE-2021-30034 79 XSS 2021-04-13 2021-08-27
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Symptons field on patients/register-report.php.
439 CVE-2021-30030 79 XSS 2021-04-13 2021-08-27
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Name field on register-patient.php.
440 CVE-2021-30003 79 XSS 2021-04-02 2021-04-07
3.5
None Remote Medium ??? None Partial None
An issue was discovered on Nokia G-120W-F 3FE46606AGAB91 devices. There is Stored XSS in the administrative interface via urlfilter.cgi?add url_address.
441 CVE-2021-29912 79 XSS 2021-10-19 2021-10-22
3.5
None Remote Medium ??? None Partial None
IBM Security Risk Manager on CP4S 1.7.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 207828.
442 CVE-2021-29905 79 XSS 2021-09-23 2021-09-27
3.5
None Remote Medium ??? None Partial None
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 207616.
443 CVE-2021-29878 79 XSS 2021-10-18 2021-10-21
3.5
None Remote Medium ??? None Partial None
IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 206581.
444 CVE-2021-29855 79 XSS 2021-10-06 2021-10-14
3.5
None Remote Medium ??? None Partial None
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205684.
445 CVE-2021-29852 79 XSS 2021-09-01 2021-09-09
3.5
None Remote Medium ??? None Partial None
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205528.
446 CVE-2021-29841 79 XSS 2021-09-14 2021-09-24
3.5
None Remote Medium ??? None Partial None
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205045.
447 CVE-2021-29836 79 XSS 2021-10-06 2021-10-14
3.5
None Remote Medium ??? None Partial None
IBM Sterling B2B Integrator Standard Edition 5.2.0.0. through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204912.
448 CVE-2021-29834 79 XSS 2021-09-29 2021-10-02
3.5
None Remote Medium ??? None Partial None
IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3,20.0.0.1, 20.0.0.2, and 21.0.2 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204832.
449 CVE-2021-29833 79 XSS 2021-09-23 2021-09-27
3.5
None Remote Medium ??? None Partial None
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204825.
450 CVE-2021-29832 79 XSS 2021-09-23 2021-09-27
3.5
None Remote Medium ??? None Partial None
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204824.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.