Export limit exceeded: 45870 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45870 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-41917 | 1 Webtareas Project | 1 Webtareas | 2024-11-21 | 5.4 Medium |
| webTareas version 2.4 and earlier allows an authenticated user to store arbitrary web script or HTML by creating or editing a client name in the clients section, due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the platform users and administrators. The affected endpoint is /clients/editclient.php, on the HTTP POST cn parameter. | ||||
| CVE-2021-41878 | 1 Hkurl | 1 I-panel Administration System | 2024-11-21 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console and it is possible to insert a vulnerable malicious button. | ||||
| CVE-2021-41871 | 1 Socomec | 2 Remote View Pro, Remote View Pro Firmware | 2024-11-21 | 5.4 Medium |
| An issue was discovered in Socomec REMOTE VIEW PRO 2.0.41.4. Improper validation of input into the username field makes it possible to place a stored XSS payload. This is executed if an administrator views the System Event Log. | ||||
| CVE-2021-41866 | 1 Mybb | 1 Mybb | 2024-11-21 | 5.4 Medium |
| MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly. | ||||
| CVE-2021-41848 | 3 Bluproducts, Luna, Wikomobile | 10 G9, G90, G90 Firmware and 7 more | 2024-11-21 | 7.8 High |
| An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It mishandles software updates such that local third-party apps can provide a spoofed software update file that contains an arbitrary shell script and arbitrary ARM binary, where both will be executed as the root user with an SELinux domain named osi. To exploit this vulnerability, a local third-party app needs to have write access to external storage to write the spoofed update at the expected path. The vulnerable system binary (i.e., /system/bin/osi_bin) does not perform any authentication of the update file beyond ensuring that it is encrypted with an AES key (that is hard-coded in the vulnerable system binary). Processes executing with the osi SELinux domain can programmatically perform the following actions: install apps, grant runtime permissions to apps (including permissions with protection levels of dangerous and development), access extensive Personally Identifiable Information (PII) using the programmatically grant permissions, uninstall apps, set the default launcher app to a malicious launcher app that spoofs other apps, set a network proxy to intercept network traffic, unload kernel modules, set the default keyboard to a keyboard that has keylogging functionality, examine notification contents, send text messages, and more. The spoofed update can optionally contain an arbitrary ARM binary that will be locally stored in internal storage and executed at system startup to achieve persistent code execution as the root user with the osi SELinux domain. This ARM binary will continue to execute at startup even if the app that provided the spoofed update is uninstalled. | ||||
| CVE-2021-41828 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2024-11-21 | 7.5 High |
| Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml. | ||||
| CVE-2021-41827 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2024-11-21 | 7.5 High |
| Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive. | ||||
| CVE-2021-41825 | 1 Verint | 1 Workforce Optimization | 2024-11-21 | 5.3 Medium |
| Verint Workforce Optimization (WFO) 15.2.5.1033 allows HTML injection via the /wfo/control/signin username parameter. | ||||
| CVE-2021-41798 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-11-21 | 6.1 Medium |
| MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page. | ||||
| CVE-2021-41791 | 1 Alfresco | 2 Community Share, Share | 2024-11-21 | 5.4 Medium |
| An issue was discovered in Hyland org.alfresco:share through 7.0.0.2 and org.alfresco:community-share through 7.0. An evasion of the XSS filter for HTML input validation in the Alfresco Share User Interface leads to stored XSS that could be exploited by an attacker (given that he has privileges on the content collaboration features). | ||||
| CVE-2021-41750 | 1 Nystudio107 | 1 Seomatic | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in the SEOmatic plugin 3.4.10 for Craft CMS 3 allows remote attackers to inject arbitrary web script via a GET to /index.php?action=seomatic/file/seo-file-link with url parameter containing the base64 encoded URL of a malicious web page / file and fileName parameter containing an arbitrary filename with the intended content-type to be rendered in the user's browser as the extension. | ||||
| CVE-2021-41747 | 1 Csdn | 1 Csdn App | 2024-11-21 | 6.1 Medium |
| Cross-Site Scripting (XSS) vulnerability exists in Csdn APP 4.10.0, which can be exploited by attackers to obtain sensitive information such as user cookies. | ||||
| CVE-2021-41731 | 1 News247 News Magazine \(cms\) Project | 1 News247 News Magazine \(cms\) | 2024-11-21 | 4.8 Medium |
| Cross Site Scripting (XSS vulnerability exists in )Sourcecodester News247 News Magazine (CMS) PHP 5.6 or higher and MySQL 5.7 or higher via the blog category name field | ||||
| CVE-2021-41728 | 1 Sourcecodester | 1 News247 Cms | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability exists in Sourcecodester News247 CMS 1.0 via the search function in articles. | ||||
| CVE-2021-41697 | 1 Globaldatingsoftware | 1 Premiumdatingscript | 2024-11-21 | 6.1 Medium |
| A reflected Cross Site Scripting (XSS) vulnerability exists in Premiumdatingscript 4.2.7.7 via the aerror_description parameter in assets/sources/instagram.php script. | ||||
| CVE-2021-41663 | 1 1234n | 1 Minicms | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability exists in Mini CMS V1.11. The vulnerability exists in the article upload: post-edit.php page. | ||||
| CVE-2021-41658 | 1 Student Quarterly Grading System Project | 1 Student Quarterly Grading System | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting (XSS) in Sourcecodester Student Quarterly Grading System by oretnom23, allows attackers to execute arbitrary code via the fullname and username parameters to the users page. | ||||
| CVE-2021-41570 | 1 Veritas | 1 Netbackup | 2024-11-21 | 5.4 Medium |
| Veritas NetBackup OpsCenter Analytics 9.1 allows XSS via the NetBackup Master Server Name, Display Name, NetBackup User Name, or NetBackup Password field during a Settings/Configuration Add operation. | ||||
| CVE-2021-41567 | 1 Tad Uploader Project | 1 Tad Uploader | 2024-11-21 | 6.1 Medium |
| The new add subject parameter of Tad Uploader view book list function fails to filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks. | ||||
| CVE-2021-41565 | 1 Tadtools Project | 1 Tadtools | 2024-11-21 | 6.1 Medium |
| TadTools special page parameter does not properly restrict the input of specific characters, thus remote attackers can inject JavaScript syntax without logging in, and further perform reflective XSS attacks. | ||||