CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (Cross Site Scripting (XSS))

Columns per entry: CVE ID | CWE ID | vulnerability type(s) | publish date, update date | CVSS score | gained access level | access vector, access complexity, authentication | impact on confidentiality / integrity / availability. No exploit count is recorded for any entry on this page.

1. CVE-2021-44279 | CWE-79 | XSS | published 2021-12-01, updated 2021-12-03 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/forms/poller-groups.inc.php.

2. CVE-2021-44277 | CWE-79 | XSS | published 2021-12-01, updated 2021-12-03 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/common/alert-log.inc.php.

3. CVE-2021-44203 | CWE-79 | XSS | published 2021-11-29, updated 2021-11-30 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   Stored cross-site scripting (XSS) was possible in protection plan details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035.

4. CVE-2021-44202 | CWE-79 | XSS | published 2021-11-29, updated 2021-11-30 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   Stored cross-site scripting (XSS) was possible in activity details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035.

5. CVE-2021-44201 | CWE-79 | XSS | published 2021-11-29, updated 2021-11-30 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Cross-site scripting (XSS) was possible in notification pop-ups. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035.

6. CVE-2021-44200 | CWE-79 | XSS | published 2021-11-29, updated 2021-11-30 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   Self cross-site scripting (XSS) was possible on the devices page. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035.

7. CVE-2021-44025 | CWE-79 | XSS | published 2021-11-19, updated 2021-12-06 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.

8. CVE-2021-43991 | CWE-79 | XSS | published 2021-12-03, updated 2021-12-06 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   The Kentico Xperience CMS version 13.0 – 13.0.43 is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS). Persistent XSS vulnerabilities occur when the application stores and retrieves client supplied data without proper handling of dangerous content. This type of XSS vulnerability is exploited by submitting malicious script content to the application which is then retrieved and executed by other application users. The attacker could exploit this to conduct a range of attacks against users of the affected application such as session hijacking, account takeover and accessing sensitive data.

9. CVE-2021-43977 | CWE-79 | XSS | published 2021-11-17, updated 2021-11-18 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS.

10. CVE-2021-43787 | CWE-79 | XSS | published 2021-11-29, updated 2021-11-30 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

11. CVE-2021-43785 | CWE-79 | Exec Code, XSS | published 2021-11-26, updated 2021-11-30 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   @joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious code.

12. CVE-2021-43776 | CWE-79 | XSS | published 2021-11-26, updated 2021-11-30 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities. This vulnerability is patched in version `0.4.9` of `@backstage/plugin-auth-backend`.

13. CVE-2021-43698 | CWE-79 | XSS | published 2021-11-29, updated 2021-12-01 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   phpWhois (last update Jun 30 2021) is affected by a Cross Site Scripting (XSS) vulnerability. In file example.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET['query'], so there is an XSS vulnerability.

14. CVE-2021-43697 | CWE-79 | XSS | published 2021-11-29, updated 2021-12-01 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Workerman-ThinkPHP-Redis (last update Mar 16, 2018) is affected by a Cross Site Scripting (XSS) vulnerability. In file Controller.class.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET[C('VAR_JSONP_HANDLER')], so there is an XSS vulnerability.

15. CVE-2021-43696 | CWE-79 | XSS | published 2021-11-29, updated 2021-12-01 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   twmap v2.91_v4.33 is affected by a Cross Site Scripting (XSS) vulnerability. In file list.php, the exit function will terminate the script and print the message to the user. The message will contain $_REQUEST, so there is an XSS vulnerability.

16. CVE-2021-43695 | CWE-79 | XSS | published 2021-11-29, updated 2021-12-01 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   issabelPBX version 2.11 is affected by a Cross Site Scripting (XSS) vulnerability. In file page.backup_restore.php, the exit function will terminate the script and print the message to the user. The message will contain $_REQUEST without sanitization, so there is an XSS vulnerability.

17. CVE-2021-43692 | CWE-79 | XSS | published 2021-11-29, updated 2021-12-01 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   youtube-php-mirroring (last update Jun 9, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php.

18. CVE-2021-43690 | CWE-79 | XSS | published 2021-12-01, updated 2021-12-02 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   YurunProxy v0.01 is affected by a Cross Site Scripting (XSS) vulnerability in src/Client.php. The exit function will terminate the script and print a message which has values from socket_read.

19. CVE-2021-43689 | CWE-79 | XSS | published 2021-12-01, updated 2021-12-02 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   manage (last update Oct 24, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in Application/Home/Controller/GoodsController.class.php. The exit function will terminate the script and print a message which has values from $_POST.

20. CVE-2021-43687 | CWE-79 | XSS | published 2021-12-01, updated 2021-12-02 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.

21. CVE-2021-43686 | CWE-79 | XSS | published 2021-12-02, updated 2021-12-03 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   nZEDb v0.4.20 is affected by a Cross Site Scripting (XSS) vulnerability in www/pages/api.php. The exit function will terminate the script and print the message which has the input $_GET['t'].

22. CVE-2021-43683 | CWE-79 | XSS | published 2021-12-02, updated 2021-12-03 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   pictshare v1.5 is affected by a Cross Site Scripting (XSS) vulnerability in api/info.php. The exit function will terminate the script and print the message which has $_REQUEST['hash'].

23. CVE-2021-43682 | CWE-79 | XSS | published 2021-12-02, updated 2021-12-07 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   thinkphp-bjyblog (last update Jun 4 2021) is affected by a Cross Site Scripting (XSS) vulnerability in AdminBaseController.class.php. The exit function terminates the script and prints a message to the user that contains $_SERVER['HTTP_HOST'].

24. CVE-2021-43681 | CWE-79 | XSS | published 2021-12-02, updated 2021-12-03 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   SakuraPanel v1.0.1.1 is affected by a Cross Site Scripting (XSS) vulnerability in /master/core/PostHandler.php. The exit function will terminate the script and print the message $data['proxy_name'].

25. CVE-2021-43673 | CWE-79 | XSS | published 2021-12-03, updated 2021-12-07 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) vulnerability in explorerfile.php. The output of the exit function is printed for the user via exit(json_encode($return)).

26. CVE-2021-43574 | CWE-79 | XSS | published 2021-11-15, updated 2021-11-17 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   ** UNSUPPORTED WHEN ASSIGNED ** WebAdmin Control Panel in Atmail 6.5.0 (a version released in 2012) allows XSS via the format parameter to the default URI. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

27. CVE-2021-43561 | CWE-79 | XSS | published 2021-11-10, updated 2021-11-16 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   An XSS issue was discovered in the google_for_jobs (aka Google for Jobs) extension before 1.5.1 and 2.x before 2.1.1 for TYPO3. The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

28. CVE-2021-43558 | CWE-79 | XSS | published 2021-11-22, updated 2021-11-26 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.

29. CVE-2021-43551 | CWE-79 | XSS | published 2021-11-17, updated 2021-11-19 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with the victim's user permissions.

30. CVE-2021-43549 | CWE-79 | XSS | published 2021-11-18, updated 2021-11-23 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information.

31. CVE-2021-43523 | CWE-79 | Exec Code, XSS | published 2021-11-10, updated 2021-11-15 | CVSS 6.8 | gained access: None | Remote, Medium, Not required | C/I/A: Partial / Partial / Partial
   In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, application crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.

32. CVE-2021-43409 | CWE-79 | XSS | published 2021-11-19, updated 2021-11-24 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   The "WPO365 | LOGIN" WordPress plugin (up to and including version 15.3) by wpo365.com is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS). Persistent XSS vulnerabilities occur when the application stores and retrieves client supplied data without proper handling of dangerous content. This type of XSS vulnerability is exploited by submitting malicious script content to the application which is then retrieved and executed by other application users. The attacker could exploit this to conduct a range of attacks against users of the affected application such as session hijacking, account takeover and accessing sensitive data. In this case, the XSS payload can be submitted by any anonymous user; the payload then renders and executes when a WordPress administrator authenticates and accesses the WordPress Dashboard. The injected payload can carry out actions on behalf of the administrator including adding other administrative users and changing application settings. This flaw could be exploited to ultimately provide full control of the affected system to the attacker.

33. CVE-2021-43331 | CWE-79 | XSS | published 2021-11-12, updated 2021-11-16 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.

34. CVE-2021-43324 | CWE-79 | XSS | published 2021-11-03, updated 2021-11-04 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   LibreNMS through 21.10.2 allows XSS via a widget title.

35. CVE-2021-43295 | CWE-79 | XSS | published 2021-11-30, updated 2021-12-02 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.

36. CVE-2021-43294 | CWE-79 | XSS | published 2021-11-30, updated 2021-12-02 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.

37. CVE-2021-43265 | CWE-79 | XSS | published 2021-11-02, updated 2021-11-09 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, certain tag syntax could be used for XSS, such as via a SCRIPT element.

38. CVE-2021-43198 | CWE-79 | XSS | published 2021-11-09, updated 2021-11-09 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   In JetBrains TeamCity before 2021.1.2, stored XSS is possible.

39. CVE-2021-43197 | CWE-79 | XSS | published 2021-11-09, updated 2021-11-09 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.

40. CVE-2021-43186 | CWE-79 | XSS | published 2021-11-09, updated 2021-11-09 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.

41. CVE-2021-43184 | CWE-79 | XSS | published 2021-11-09, updated 2021-11-12 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.

42. CVE-2021-43181 | CWE-79 | XSS | published 2021-11-09, updated 2021-11-10 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   In JetBrains Hub before 2021.1.13690, stored XSS is possible.

43. CVE-2021-43141 | CWE-79 | XSS | published 2021-11-03, updated 2021-11-23 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.

44. CVE-2021-43137 | CWE-352 | XSS, CSRF | published 2021-12-01, updated 2021-12-06 | CVSS 6.8 | gained access: None | Remote, Medium, Not required | C/I/A: Partial / Partial / Partial
   Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists in hostel management system 2.1 via the name field in my-profile.php. Chaining these two vulnerabilities leads to account takeover.

45. CVE-2021-43047 | CWE-79 | XSS | published 2021-11-16, updated 2021-11-19 | CVSS 8.5 | gained access: None | Remote, Medium, ??? | C/I/A: Complete / Complete / Complete
   The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain easily exploitable Stored and Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: versions 6.2.1 and below.

46. CVE-2021-43032 | CWE-79 | XSS | published 2021-11-03, updated 2021-11-05 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.

47. CVE-2021-42838 | CWE-79 | XSS | published 2021-11-15, updated 2021-11-16 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   Grand Vice info Co. webopac7 book search field parameter does not properly restrict the input of special characters, thus unauthenticated attackers can inject JavaScript syntax remotely, and further perform reflective XSS attacks.

48. CVE-2021-42770 | CWE-79 | XSS | published 2021-11-08, updated 2021-11-09 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester.

49. CVE-2021-42703 | CWE-79 | XSS | published 2021-11-15, updated 2021-11-16 | CVSS 4.3 | gained access: None | Remote, Medium, Not required | C/I/A: None / Partial / None
   This vulnerability could allow an attacker to send malicious Javascript code resulting in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser action.

50. CVE-2021-42664 | CWE-79 | XSS | published 2021-11-05, updated 2021-11-17 | CVSS 3.5 | gained access: None | Remote, Medium, ??? | C/I/A: None / Partial / None
   A Stored Cross Site Scripting (XSS) Vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the (1) Quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability in order to run javascript commands on the web site surfers' behalf, which can lead to cookie stealing and more.
Total number of vulnerabilities: 20810. Page 1 of 417 (this page).