CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2021-20520 79 XSS 2021-03-30 2021-03-31
3.5
None Remote Medium ??? None Partial None
IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198572.
352 CVE-2021-20518 79 XSS 2021-03-30 2021-03-31
3.5
None Remote Medium ??? None Partial None
IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198437.
353 CVE-2021-20506 79 XSS 2021-03-30 2021-03-31
3.5
None Remote Medium ??? None Partial None
IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198231.
354 CVE-2021-20504 79 XSS 2021-03-30 2021-03-31
3.5
None Remote Medium ??? None Partial None
IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198231.
355 CVE-2021-20503 79 XSS 2021-03-30 2021-03-31
3.5
None Remote Medium ??? None Partial None
IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198182.
356 CVE-2021-20448 79 XSS 2021-04-27 2021-05-03
3.5
None Remote Medium ??? None Partial None
IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196624.
357 CVE-2021-20447 79 XSS 2021-03-30 2021-03-31
3.5
None Remote Medium ??? None Partial None
IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196623.
358 CVE-2021-20446 79 XSS 2021-02-18 2021-02-19
3.5
None Remote Medium ??? None Partial None
IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196622.
359 CVE-2021-20410 312 2021-02-12 2021-02-12
3.5
None Remote Medium ??? Partial None None
IBM Security Verify Information Queue 1.0.6 and 1.0.7 sends user credentials in plain clear text which can be read by an authenticated user using man in the middle techniques. IBM X-Force ID: 198190.
360 CVE-2021-20374 79 XSS 2021-05-19 2021-05-26
3.5
None Remote Medium ??? None Partial None
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195522.
361 CVE-2021-20357 79 XSS 2021-01-27 2021-01-29
3.5
None Remote Medium ??? None Partial None
IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194963.
362 CVE-2021-20352 79 XSS 2021-03-30 2021-03-31
3.5
None Remote Medium ??? None Partial None
IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194710.
363 CVE-2021-20351 79 XSS 2021-03-04 2021-03-05
3.5
None Remote Medium ??? None Partial None
IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194708.
364 CVE-2021-20350 79 XSS 2021-03-04 2021-03-05
3.5
None Remote Medium ??? None Partial None
IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194707.
365 CVE-2021-20340 79 XSS 2021-03-04 2021-03-05
3.5
None Remote Medium ??? None Partial None
IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194451.
366 CVE-2021-20338 79 XSS 2021-06-02 2021-06-07
3.5
None Remote Medium ??? None Partial None
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194449.
367 CVE-2021-20336 79 XSS 2021-03-11 2021-03-17
3.5
None Remote Medium ??? None Partial None
IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
368 CVE-2021-20331 200 Exec Code +Info 2021-05-13 2021-06-03
3.5
None Remote Medium ??? Partial None None
Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1.
369 CVE-2021-20280 79 XSS 2021-03-15 2021-03-23
3.5
None Remote Medium ??? None Partial None
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
370 CVE-2021-20279 79 XSS 2021-03-15 2021-03-23
3.5
None Remote Medium ??? None Partial None
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
371 CVE-2021-20253 552 2021-03-09 2021-06-02
3.5
None Local High ??? Partial Partial Partial
A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
372 CVE-2021-20197 59 2021-03-26 2021-05-28
3.3
None Local Medium Not required Partial Partial None
There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier: ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.
373 CVE-2021-20071 79 XSS 2021-02-16 2021-02-19
3.5
None Remote Medium ??? None Partial None
Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the sms.php dialogs.
374 CVE-2021-20070 79 XSS 2021-02-16 2021-02-19
3.5
None Remote Medium ??? None Partial None
Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the virtualization.php dialogs.
375 CVE-2021-20069 79 XSS 2021-02-16 2021-02-19
3.5
None Remote Medium ??? None Partial None
Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the regionalSettings.php dialogs.
376 CVE-2021-20068 79 XSS 2021-02-16 2021-02-19
3.5
None Remote Medium ??? None Partial None
Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the error handling functionality of web pages.
377 CVE-2021-3536 79 XSS 2021-05-20 2021-05-26
3.5
None Remote Medium ??? None Partial None
A flaw was found in Wildfly in versions before 23.0.2.Final. While creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
378 CVE-2021-3511 863 +Info 2021-04-28 2021-05-12
3.3
None Local Network Low Not required Partial None None
Disclosure of sensitive information to an unauthorized user vulnerability in Buffalo broadband routers (BHR-4GRV firmware Ver.1.99 and prior, DWR-HP-G300NH firmware Ver.1.83 and prior, HW-450HP-ZWE firmware Ver.1.99 and prior, WHR-300HP firmware Ver.1.99 and prior, WHR-300 firmware Ver.1.99 and prior, WHR-G301N firmware Ver.1.86 and prior, WHR-HP-G300N firmware Ver.1.99 and prior, WHR-HP-GN firmware Ver.1.86 and prior, WPL-05G300 firmware Ver.1.87 and prior, WZR-450HP-CWT firmware Ver.1.99 and prior, WZR-450HP-UB firmware Ver.1.99 and prior, WZR-HP-AG300H firmware Ver.1.75 and prior, WZR-HP-G300NH firmware Ver.1.83 and prior, WZR-HP-G301NH firmware Ver.1.83 and prior, WZR-HP-G302H firmware Ver.1.85 and prior, WZR-HP-G450H firmware Ver.1.89 and prior, WZR-300HP firmware Ver.1.99 and prior, WZR-450HP firmware Ver.1.99 and prior, WZR-600DHP firmware Ver.1.99 and prior, WZR-D1100H firmware Ver.1.99 and prior, FS-HP-G300N firmware Ver.3.32 and prior, FS-600DHP firmware Ver.3.38 and prior, FS-R600DHP firmware Ver.3.39 and prior, and FS-G300N firmware Ver.3.13 and prior) allows remote unauthenticated attackers to obtain information such as configuration via unspecified vectors.
379 CVE-2021-3507 119 Overflow +Info 2021-05-06 2021-06-01
3.6
None Local Low Not required Partial None Partial
A heap buffer overflow was found in the floppy disk emulator of QEMU up to and including 6.0.0. It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host, resulting in a DoS scenario or potential information leakage from the host memory.
380 CVE-2021-3501 787 2021-05-06 2021-05-14
3.6
None Local Low Not required None Partial Partial
A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at any time, which could lead to an out-of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.
381 CVE-2021-3469 863 2021-06-03 2021-06-10
3.5
None Remote Medium ??? None Partial None
Foreman versions before 2.3.4 and before 2.4.0 are affected by an improper authorization handling flaw. An authenticated attacker can impersonate the foreman-proxy if the product enables the Puppet Certificate Authority (CA) to sign certificate requests that have subject alternative names (SANs). Foreman does not enable SANs by default, and `allow-authorization-extensions` is set to `false` unless the user changes the `/etc/puppetlabs/puppetserver/conf.d/ca.conf` configuration explicitly.
382 CVE-2021-3457 863 DoS 2021-05-12 2021-05-20
3.6
None Local Low Not required None Partial Partial
An improper authorization handling flaw was found in Foreman. The Shellhooks plugin for the smart-proxy allows Foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.
383 CVE-2021-3395 79 Exec Code XSS 2021-02-02 2021-02-04
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. The JavaScript code will execute when someone visits the attachment.
384 CVE-2021-3393 209 +Info 2021-04-01 2021-06-04
3.5
None Remote Medium ??? Partial None None
An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.
385 CVE-2021-3355 79 Exec Code XSS 2021-02-24 2021-03-04
3.5
None Remote Medium ??? None Partial None
A stored-self XSS exists in LightCMS v1.3.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.
386 CVE-2021-3327 79 XSS 2021-03-19 2021-03-25
3.5
None Remote Medium ??? None Partial None
Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_title parameter.
387 CVE-2021-3315 79 XSS 2021-05-11 2021-05-13
3.5
None Remote Medium ??? None Partial None
In JetBrains TeamCity before 2020.2.2, stored XSS on a tests page was possible.
388 CVE-2021-3313 79 Exec Code XSS 2021-05-20 2021-05-25
3.5
None Remote Medium ??? None Partial None
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.
389 CVE-2021-3298 79 XSS 2021-01-29 2021-01-29
3.5
None Remote Medium ??? None Partial None
Collabtive 3.1 allows XSS when an authenticated user enters an XSS payload into the address section of the profile edit page, aka the manageuser.php?action=edit address1 parameter.
390 CVE-2021-3294 79 XSS 2021-02-09 2021-02-17
3.5
None Remote Medium ??? None Partial None
CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php. An attacker can steal a cookie to perform user redirection to a malicious website.
391 CVE-2021-3271 79 XSS 2021-02-18 2021-02-24
3.5
None Remote Medium ??? None Partial None
PressBooks 5.17.3 contains a cross-site scripting (XSS) vulnerability. Stored XSS can be submitted via the Book Info's Long Description Body, and all actions to open or preview the books page will trigger the stored XSS.
392 CVE-2021-3258 79 Exec Code XSS 2021-02-05 2021-02-10
3.5
None Remote Medium ??? None Partial None
Question2Answer Q2A Ultimate SEO Version 1.3 is affected by cross-site scripting (XSS), which may lead to arbitrary remote code execution.
393 CVE-2021-3224 79 XSS 2021-03-10 2021-03-12
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability in cszcms 1.2.9 exists in /admin/pages/new via the content parameter.
394 CVE-2021-3151 79 XSS 2021-02-27 2021-06-03
3.5
None Remote Medium ??? None Partial None
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__MONITORING__CONFIG__ADDRESS, or SM2__C__MONITORING__CONFIG__ADDRESS.
395 CVE-2021-3137 79 XSS 2021-01-20 2021-01-22
3.5
None Remote Medium ??? None Partial None
XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section.
396 CVE-2021-3124 79 XSS 2021-02-25 2021-03-26
3.5
None Remote Medium ??? None Partial None
Stored cross-site scripting (XSS) in form field in robust.systems product Custom Global Variables v 1.0.5 allows a remote attacker to inject arbitrary code via the vars[0][name] field.
397 CVE-2021-3111 79 XSS 2021-01-08 2021-03-29
3.5
None Remote Medium ??? None Partial None
The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI.
398 CVE-2021-3034 532 2021-03-10 2021-03-24
3.6
None Local Low Not required Partial Partial None
An information exposure through log file vulnerability exists in Cortex XSOAR software where the secrets configured for the SAML single sign-on (SSO) integration can be logged to the '/var/log/demisto/' server logs when testing the integration during setup. This logged information includes the private key and identity provider certificate used to configure the SAML SSO integration. This issue impacts: Cortex XSOAR 5.5.0 builds earlier than 98622; Cortex XSOAR 6.0.1 builds earlier than 830029; Cortex XSOAR 6.0.2 builds earlier than 98623; Cortex XSOAR 6.1.0 builds earlier than 848144.
399 CVE-2021-3031 200 +Info 2021-01-13 2021-01-19
3.3
None Local Network Low Not required Partial None None
Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets. This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001. This issue impacts: PAN-OS 8.1 version earlier than PAN-OS 8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.
400 CVE-2021-3012 79 XSS 2021-04-08 2021-05-26
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in the Document Link of documents in ESRI Enterprise before 10.9 allows remote authenticated users to inject arbitrary JavaScript code via a malicious HTML attribute such as onerror (in the URL field of the Parameters tab).