Security Vulnerabilities, CVEs, Published In August 2021 (XSS)
Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings.
Max CVSS: 6.1 | EPSS Score: 0.13% | Published: 2021-08-29 | Updated: 2021-09-01
Zoho ManageEngine Log360 before Build 5225 allows stored XSS.
Max CVSS: 6.1 | EPSS Score: 0.13% | Published: 2021-08-29 | Updated: 2021-09-01
Cross Site Scripting (XSS) vulnerability exists in FlatCore-CMS 2.0.7 via the upload image function.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2021-08-23 | Updated: 2022-07-28
Multiple Cross Site Scripting (XSS) vulnerabilities exist in CXUUCMS 3.1 via (1) the search and c parameters in public/search.php and (2) the c parameter in admin.php.
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2021-08-23 | Updated: 2021-08-30
Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter.
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2021-08-23 | Updated: 2021-08-26
An XSS issue was discovered in ReCaptcha Solver 5.7. A response from Anti-Captcha.com, RuCaptcha.com, 2captcha.com, DEATHbyCAPTCHA.com, ImageTyperz.com, or BestCaptchaSolver.com in setCaptchaCode() is inserted into the DOM as HTML, resulting in full control over the user's browser by these servers.
Max CVSS: 6.1 | EPSS Score: 0.07% | Published: 2021-08-22 | Updated: 2021-08-30
Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped.
Max CVSS: 6.1 | EPSS Score: 0.06% | Published: 2021-08-18 | Updated: 2021-08-24
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.
Max CVSS: 6.1 | EPSS Score: 0.13% | Published: 2021-08-18 | Updated: 2021-08-24
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked.
Max CVSS: 6.1 | EPSS Score: 0.21% | Published: 2021-08-18 | Updated: 2021-08-24
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2021-08-17 | Updated: 2021-08-25
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function.
Max CVSS: 6.1 | EPSS Score: 0.11% | Published: 2021-08-17 | Updated: 2022-07-12
Open edX through Lilac.1 allows XSS in common/static/common/js/discussion/utils.js via crafted LaTeX content within a discussion.
Max CVSS: 6.1 | EPSS Score: 0.07% | Published: 2021-08-17 | Updated: 2021-08-25
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.
Max CVSS: 7.5 | EPSS Score: 0.06% | Published: 2021-08-31 | Updated: 2021-09-08
HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading.
Max CVSS: 8.1 | EPSS Score: 0.10% | Published: 2021-08-30 | Updated: 2022-10-25
Misskey is a decentralized microblogging platform. In versions of Misskey prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. This issue has been fixed in version 12.51.0. There are no known workarounds aside from upgrading.
Max CVSS: 8.0 | EPSS Score: 0.05% | Published: 2021-08-27 | Updated: 2021-09-08
Discourse is an open source platform for community discussion. In affected versions, category names can be used for cross-site scripting (XSS) attacks. This is mitigated by Discourse's default Content Security Policy, so the vulnerability only affects sites that have modified, changed or disabled Discourse's default Content Security Policy and have allowed moderators to modify categories. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to ensure that the Content Security Policy is enabled and has not been modified in a way that would make it more vulnerable to XSS attacks.
Max CVSS: 5.4 | EPSS Score: 0.05% | Published: 2021-08-26 | Updated: 2021-09-01
baserCMS is an open source content management system with a focus on Japanese language support. In affected versions there is a cross-site scripting vulnerability in the file upload function of the baserCMS management system. Users are advised to update as soon as possible. No workarounds are available to mitigate this issue.
Max CVSS: 8.7 | EPSS Score: 0.08% | Published: 2021-08-25 | Updated: 2021-08-30
The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the name of a custom field.
Max CVSS: 4.8 | EPSS Score: 0.07% | Published: 2021-08-30 | Updated: 2021-09-02
The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
Max CVSS: 6.1 | EPSS Score: 0.10% | Published: 2021-08-30 | Updated: 2022-03-30
Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through contact.php.
Max CVSS: 6.1 | EPSS Score: 0.10% | Published: 2021-08-16 | Updated: 2021-08-23
Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php.
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2021-08-16 | Updated: 2021-08-23
A cross-site scripting (XSS) vulnerability in Online Catering Reservation System using PHP on Sourcecodester allows an attacker to arbitrarily inject code in the search bar.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2021-08-16 | Updated: 2021-08-23
imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2021-08-16 | Updated: 2021-08-23
A stored (persistent) XSS vulnerability exists in version 4.3.0 of Yclas when using the install/view/form.php script. An attacker can store XSS in the database through the vulnerable SITE_NAME parameter.
Max CVSS: 6.1 | EPSS Score: 0.07% | Published: 2021-08-18 | Updated: 2021-08-24
In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via the staff_messaging messaging system for XSS.
Max CVSS: 6.1 | EPSS Score: 0.07% | Published: 2021-08-16 | Updated: 2021-08-24