CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2021(Cross Site Scripting (XSS))

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-44025 79 XSS 2021-11-19 2021-11-27
4.3
None Remote Medium Not required None Partial None
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
2 CVE-2021-43977 79 XSS 2021-11-17 2021-11-18
4.3
None Remote Medium Not required None Partial None
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS.
3 CVE-2021-43785 Exec Code XSS 2021-11-26 2021-11-26
0.0
None ??? ??? ??? ??? ??? ???
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious code.
4 CVE-2021-43776 79 XSS 2021-11-26 2021-11-26
0.0
None ??? ??? ??? ??? ??? ???
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities. This is vulnerability is patched in version `0.4.9` of `@backstage/plugin-auth-backend`.
5 CVE-2021-43574 79 XSS 2021-11-15 2021-11-17
4.3
None Remote Medium Not required None Partial None
** UNSUPPORTED WHEN ASSIGNED ** WebAdmin Control Panel in Atmail 6.5.0 (a version released in 2012) allows XSS via the format parameter to the default URI. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
6 CVE-2021-43561 79 XSS 2021-11-10 2021-11-16
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in the google_for_jobs (aka Google for Jobs) extension before 1.5.1 and 2.x before 2.1.1 for TYPO3. The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.
7 CVE-2021-43558 79 XSS 2021-11-22 2021-11-26
4.3
None Remote Medium Not required None Partial None
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.
8 CVE-2021-43551 79 XSS 2021-11-17 2021-11-19
3.5
None Remote Medium ??? None Partial None
A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim’s user permissions.
9 CVE-2021-43549 79 XSS 2021-11-18 2021-11-23
3.5
None Remote Medium ??? None Partial None
A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information.
10 CVE-2021-43523 79 Exec Code XSS 2021-11-10 2021-11-15
6.8
None Remote Medium Not required Partial Partial Partial
In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.
11 CVE-2021-43409 79 XSS 2021-11-19 2021-11-24
4.3
None Remote Medium Not required None Partial None
The “WPO365 | LOGIN” WordPress plugin (up to and including version 15.3) by wpo365.com is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS). Persistent XSS vulnerabilities occur when the application stores and retrieves client supplied data without proper handling of dangerous content. This type of XSS vulnerability is exploited by submitting malicious script content to the application which is then retrieved and executed by other application users. The attacker could exploit this to conduct a range of attacks against users of the affected application such as session hijacking, account take over and accessing sensitive data. In this case, the XSS payload can be submitted by any anonymous user, the payload then renders and executes when a WordPress administrator authenticates and accesses the WordPress Dashboard. The injected payload can carry out actions on behalf of the administrator including adding other administrative users and changing application settings. This flaw could be exploited to ultimately provide full control of the affected system to the attacker.
12 CVE-2021-43331 79 XSS 2021-11-12 2021-11-16
4.3
None Remote Medium Not required None Partial None
In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.
13 CVE-2021-43324 79 XSS 2021-11-03 2021-11-04
4.3
None Remote Medium Not required None Partial None
LibreNMS through 21.10.2 allows XSS via a widget title.
14 CVE-2021-43265 79 XSS 2021-11-02 2021-11-09
3.5
None Remote Medium ??? None Partial None
In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, certain tag syntax could be used for XSS, such as via a SCRIPT element.
15 CVE-2021-43198 79 XSS 2021-11-09 2021-11-09
3.5
None Remote Medium ??? None Partial None
In JetBrains TeamCity before 2021.1.2, stored XSS is possible.
16 CVE-2021-43197 79 XSS 2021-11-09 2021-11-09
4.3
None Remote Medium Not required None Partial None
In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.
17 CVE-2021-43186 79 XSS 2021-11-09 2021-11-09
3.5
None Remote Medium ??? None Partial None
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.
18 CVE-2021-43184 79 XSS 2021-11-09 2021-11-12
3.5
None Remote Medium ??? None Partial None
In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.
19 CVE-2021-43181 79 XSS 2021-11-09 2021-11-10
4.3
None Remote Medium Not required None Partial None
In JetBrains Hub before 2021.1.13690, stored XSS is possible.
20 CVE-2021-43141 79 XSS 2021-11-03 2021-11-23
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.
21 CVE-2021-43047 79 XSS 2021-11-16 2021-11-19
8.5
None Remote Medium ??? Complete Complete Complete
The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain easily exploitable Stored and Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: versions 6.2.1 and below.
22 CVE-2021-43032 79 XSS 2021-11-03 2021-11-05
3.5
None Remote Medium ??? None Partial None
In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.
23 CVE-2021-42838 79 XSS 2021-11-15 2021-11-16
4.3
None Remote Medium Not required None Partial None
Grand Vice info Co. webopac7 book search field parameter does not properly restrict the input of special characters, thus unauthenticated attackers can inject JavaScript syntax remotely, and further perform reflective XSS attacks.
24 CVE-2021-42770 79 XSS 2021-11-08 2021-11-09
4.3
None Remote Medium Not required None Partial None
A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester.
25 CVE-2021-42703 79 XSS 2021-11-15 2021-11-16
4.3
None Remote Medium Not required None Partial None
This vulnerability could allow an attacker to send malicious Javascript code resulting in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser action.
26 CVE-2021-42664 79 XSS 2021-11-05 2021-11-17
3.5
None Remote Medium ??? None Partial None
A Stored Cross Site Scripting (XSS) Vulneraibiilty exists in Sourcecodester Engineers Online Portal in PHP via the (1) Quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more.
27 CVE-2021-42662 79 XSS 2021-11-05 2021-11-17
3.5
None Remote Medium ??? None Partial None
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more.
28 CVE-2021-42650 79 XSS 2021-10-18 2021-10-21
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates.
29 CVE-2021-42566 79 XSS 2021-10-18 2021-10-21
4.3
None Remote Medium Not required None Partial None
myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
30 CVE-2021-42565 79 XSS 2021-10-18 2021-10-21
4.3
None Remote Medium Not required None Partial None
myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
31 CVE-2021-42534 79 XSS 2021-10-22 2021-10-27
4.3
None Remote Medium Not required None Partial None
The affected product’s web application does not properly neutralize the input during webpage generation, which could allow an attacker to inject code in the input forms.
32 CVE-2021-42363 79 XSS 2021-11-19 2021-11-19
4.3
None Remote Medium Not required None Partial None
The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.6.8.
33 CVE-2021-42361 79 XSS 2021-11-17 2021-11-18
2.1
None Remote High ??? None Partial None
The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.3.24. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
34 CVE-2021-42360 79 XSS 2021-11-17 2021-11-19
3.5
None Remote Medium ??? None Partial None
On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite. Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.
35 CVE-2021-42335 79 XSS 2021-10-15 2021-10-20
3.5
None Remote Medium ??? None Partial None
Easytest bulletin board management function of online learning platform does not filter special characters. After obtaining a user’s privilege, remote attackers can inject JavaScript and execute stored XSS attack.
36 CVE-2021-42329 79 XSS 2021-10-15 2021-10-20
3.5
None Remote Medium ??? None Partial None
The “List_Add” function of message board of ShinHer StudyOnline System does not filter special characters in the title parameter. After logging in with user’s privilege, remote attackers can inject JavaScript and execute stored XSS attacks.
37 CVE-2021-42227 79 XSS 2021-10-14 2021-10-19
4.3
None Remote Medium Not required None Partial None
Cross SIte Scripting (XSS) vulnerability exists in KindEditor 4.1.x via a Google search inurl:/examples/uploadbutton.html and then the .html file on the website that uses this editor (the file suffix is allowed).
38 CVE-2021-42223 79 XSS 2021-10-13 2021-10-19
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS).vulnerability exists in Online DJ Booking Management System 1.0 in view-booking-detail.php.
39 CVE-2021-42134 79 XSS 2021-10-11 2021-10-18
4.3
None Remote Medium Not required None Partial None
The Unicorn framework before 0.36.1 for Django allows XSS via a component. NOTE: this issue exists because of an incomplete fix for CVE-2021-42053.
40 CVE-2021-42112 79 XSS 2021-10-08 2021-11-16
4.3
None Remote Medium Not required None Partial None
The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and assets/scripts/uploader.js.
41 CVE-2021-42092 79 XSS 2021-10-07 2021-10-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Zammad before 4.1.1. Stored XSS may occur via an Article during addition of an attachment to a Ticket.
42 CVE-2021-42088 79 XSS 2021-10-07 2021-10-13
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zammad before 4.1.1. The Chat functionality allows XSS because clipboard data is mishandled.
43 CVE-2021-42085 79 XSS 2021-10-07 2021-10-13
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Zammad before 4.1.1. There is stored XSS via a custom Avatar.
44 CVE-2021-42078 79 XSS 2021-11-08 2021-11-09
4.3
None Remote Medium Not required None Partial None
PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site.
45 CVE-2021-42053 79 XSS 2021-10-07 2021-10-14
3.5
None Remote Medium ??? None Partial None
The Unicorn framework through 0.35.3 for Django allows XSS via component.name.
46 CVE-2021-42044 79 XSS 2021-10-06 2021-10-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, growthexperiments-mentor-dashboard-mentee-overview-info-text, growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline, and growthexperiments-mentor-dashboard-mentee-overview-active-ago MediaWiki messages were not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.
47 CVE-2021-42043 79 XSS 2021-10-06 2021-10-14
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query.
48 CVE-2021-42042 79 XSS 2021-10-06 2021-10-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.
49 CVE-2021-42041 79 XSS 2021-10-06 2021-10-14
4.3
None Remote Medium Not required None Partial None
An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log.
50 CVE-2021-41951 79 XSS 2021-11-15 2021-11-17
4.3
None Remote Medium Not required None Partial None
ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter. If an attacker is able to persuade a victim to visit a crafted URL, malicious JavaScript content may be executed within the context of the victim's browser.
Total number of vulnerabilities : 2442   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.