CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In 2021 (Cross Site Scripting (XSS))

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Access Complexity | Authentication | Conf. | Integ. | Avail.
(Each record's description follows on the indented line below it; "-" marks an empty column.)

1 | CVE-2021-34540 | - | - | XSS | 2021-06-11 | 2021-06-11 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    Advantech WebAccess 8.4.2 and 8.4.4 allows XSS via the username column of the bwRoot.asp page of WADashboard.
2 | CVE-2021-34370 | - | - | XSS | 2021-06-09 | 2021-06-09 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    Accela Civic Platform through 20.1 allows ssoAdapter/logoutAction.do successURL XSS.
3 | CVE-2021-34364 | 79 | - | XSS | 2021-06-09 | 2021-06-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    The Refined GitHub browser extension before 21.6.8 might allow XSS via a link in a document. NOTE: github.com sends Content-Security-Policy headers to, in general, address XSS and other concerns.
4 | CVE-2021-33904 | 79 | - | XSS | 2021-06-07 | 2021-06-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    In Accela Civic Platform through 21.1, the security/hostSignon.do parameter servProvCode is vulnerable to XSS.
5 | CVE-2021-33829 | 79 | - | XSS | 2021-06-09 | 2021-06-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
6 | CVE-2021-33666 | - | - | XSS | 2021-06-09 | 2021-06-09 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    When SAP Commerce Cloud version 100 hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation.
7 | CVE-2021-33665 | - | - | XSS | 2021-06-09 | 2021-06-09 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
8 | CVE-2021-33664 | - | - | XSS | 2021-06-09 | 2021-06-09 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
9 | CVE-2021-33570 | 79 | - | XSS | 2021-05-25 | 2021-06-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections.
10 | CVE-2021-33562 | 79 | - | XSS | 2021-05-24 | 2021-05-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.
11 | CVE-2021-33561 | 79 | - | Exec Code XSS | 2021-05-24 | 2021-05-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.
12 | CVE-2021-33513 | 79 | - | XSS | 2021-05-21 | 2021-05-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.
13 | CVE-2021-33512 | 79 | - | XSS | 2021-05-21 | 2021-05-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.
14 | CVE-2021-33508 | 79 | - | XSS | 2021-05-21 | 2021-05-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.
15 | CVE-2021-33507 | 79 | - | XSS | 2021-05-21 | 2021-05-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.
16 | CVE-2021-33496 | 79 | - | XSS | 2021-05-24 | 2021-05-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view.
17 | CVE-2021-33469 | 79 | - | XSS | 2021-05-26 | 2021-06-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    COVID19 Testing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the "Admin name" parameter.
18 | CVE-2021-33425 | 79 | - | XSS | 2021-05-25 | 2021-06-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary JavaScript in the OpenWRT Hostname via the Hostname Change operation.
19 | CVE-2021-33041 | 79 | - | Exec Code XSS | 2021-05-17 | 2021-05-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstrated by Electron remote code execution via require('child_process').execSync('calc.exe') on Windows and a similar attack on macOS.
20 | CVE-2021-32818 | 79 | - | XSS | 2021-05-14 | 2021-05-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally, control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs, which may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details refer to the referenced GHSL-2021-025.
21 | CVE-2021-32671 | 79 | - | XSS | 2021-06-07 | 2021-06-07 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made after v0.1.0-beta.16 (our last beta before v1.0.0) and was not noticed or documented. This allowed for any user to type malicious HTML markup within certain user input fields and have this execute on client browsers. The example which led to the discovery of this vulnerability was in the forum search box. Entering faux-malicious HTML markup, such as <script>alert('test')</script>, resulted in an alert box appearing on the forum. This attack could also be modified to perform AJAX requests on behalf of a user, possibly deleting discussions, modifying their settings or profile, or even modifying settings on the Admin panel if the attack was targeted towards a privileged user. All Flarum communities that run flarum v1.0.0 or v1.0.1 are impacted. The vulnerability has been fixed and published as flarum/core v1.0.2. All communities running Flarum v1.0 have to upgrade as soon as possible to v1.0.2.
22 | CVE-2021-32670 | 79 | - | XSS | 2021-06-07 | 2021-06-07 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords), as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can work around this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.
23 | CVE-2021-32641 | 79 | - | Exec Code XSS | 2021-06-04 | 2021-06-07 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    auth0-lock is Auth0's signin solution. Versions of auth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage`, or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1.
24 | CVE-2021-32616 | 79 | - | Exec Code XSS | 2021-05-28 | 2021-06-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    1CDN is open-source file sharing software. In 1CDN before commit f88a2730fa50fc2c2aeab09011f6f142fd90ec25, there is a basic cross-site scripting vulnerability that allows an attacker to inject /<script>//code</script> and execute JavaScript code on the client side.
25 | CVE-2021-32604 | 79 | - | XSS | 2021-05-11 | 2021-05-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter.
26 | CVE-2021-32573 | 79 | - | XSS | 2021-05-11 | 2021-05-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    ** DISPUTED ** The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website."
27 | CVE-2021-32561 | 79 | - | XSS | 2021-05-11 | 2021-05-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters.
28 | CVE-2021-32544 | 79 | - | XSS | 2021-05-11 | 2021-05-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Special characters of the IGT search function in igt+ are not filtered in specific fields, which allows remote authenticated attackers to inject malicious JavaScript and carry out DOM-based XSS (Cross-site scripting) attacks.
29 | CVE-2021-32542 | 79 | - | XSS | 2021-05-28 | 2021-06-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    The parameters of specific functions in the CTS Web trading system do not filter special characters, which allows unauthenticated attackers to remotely perform reflected XSS and obtain the connection token of the users who triggered the attack.
30 | CVE-2021-32540 | 79 | - | XSS | 2021-05-28 | 2021-06-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    The add announcement function in the 101EIP system does not filter special characters, which allows authenticated users to inject JavaScript and perform a stored XSS attack.
31 | CVE-2021-32539 | 79 | - | XSS | 2021-05-28 | 2021-06-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    The add event in calendar function in the 101EIP system does not filter special characters in specific fields, which allows remote authenticated users to inject JavaScript and perform a stored XSS attack.
32 | CVE-2021-32470 | 79 | - | XSS | 2021-05-07 | 2021-05-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    Craft CMS before 3.6.13 has an XSS vulnerability.
33 | CVE-2021-32106 | - | - | Exec Code XSS | 2021-06-08 | 2021-06-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    In ICEcoder 8.0, a reflected XSS vulnerability was identified in the multipe-results.php page due to insufficient sanitization of the _GET['replace'] variable. As a result, arbitrary JavaScript code can get executed.
34 | CVE-2021-32103 | 79 | - | XSS | 2021-05-07 | 2021-05-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows an admin authenticated user to inject arbitrary web script or HTML via the lname parameter.
35 | CVE-2021-32092 | 79 | - | XSS | 2021-05-07 | 2021-05-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the uuid parameter.
36 | CVE-2021-32091 | 79 | - | XSS | 2021-05-07 | 2021-05-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    A Cross-site scripting (XSS) vulnerability exists in StackLift LocalStack 0.12.6.
37 | CVE-2021-32052 | 79 | - | XSS | 2021-05-06 | 2021-06-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
38 | CVE-2021-31935 | - | - | XSS | 2021-04-30 | 2021-05-01 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view.
39 | CVE-2021-31934 | - | - | XSS | 2021-04-30 | 2021-05-01 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone.
40 | CVE-2021-31930 | 79 | - | XSS | 2021-05-19 | 2021-05-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the account, the XSS payload will be executed.
41 | CVE-2021-31911 | 79 | - | XSS | 2021-05-11 | 2021-05-14 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    In JetBrains TeamCity before 2020.2.3, reflected XSS was possible on several pages.
42 | CVE-2021-31908 | 79 | - | XSS | 2021-05-11 | 2021-05-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    In JetBrains TeamCity before 2020.2.3, stored XSS was possible on several pages.
43 | CVE-2021-31904 | 79 | - | XSS | 2021-05-11 | 2021-05-14 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    In JetBrains TeamCity before 2020.2.2, XSS was potentially possible on the test history page.
44 | CVE-2021-31903 | 79 | - | XSS | 2021-05-11 | 2021-05-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS.
45 | CVE-2021-31832 | 79 | - | Exec Code XSS | 2021-06-09 | 2021-06-09 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    Improper Neutralization of Input in the ePO administrator extension for McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.200 allows a remote ePO DLP administrator to inject JavaScript code into the alert configuration text field. This JavaScript will be executed when an end user triggers a DLP policy on their machine.
46 | CVE-2021-31830 | 79 | - | XSS | 2021-06-03 | 2021-06-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows an administrator to embed JavaScript code when configuring the name of a database to be monitored. This would be triggered when any authorized user logs into the DBSec interface and opens the properties configuration page for this database.
47 | CVE-2021-31803 | - | - | XSS | 2021-04-26 | 2021-04-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).
48 | CVE-2021-31794 | 79 | - | XSS | 2021-04-24 | 2021-05-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    Settings.aspx?view=About in Directum 5.8.2 allows XSS via the HTTP User-Agent header.
49 | CVE-2021-31792 | 79 | - | XSS | 2021-04-30 | 2021-05-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field.
50 | CVE-2021-31778 | - | - | XSS | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
    The media2click (aka 2 Clicks for External Media) extension 1.x before 1.3.3 for TYPO3 allows XSS by a backend user account.
Total number of vulnerabilities: 975 (this is page 1 of 20)