Total
41395 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25267 | 1 Sophos | 2 Firewall, Firewall Firmware | 2024-11-21 | 6.8 Medium |
| Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 19.0 GA. | ||||
| CVE-2021-25204 | 1 E-commerce Website Project | 1 E-commerce Website | 2024-11-21 | 5.4 Medium |
| Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject arbitrary web script or HTM via the subject field to feedback_process.php. | ||||
| CVE-2021-25197 | 1 Content Management System Project | 1 Content Management System | 2024-11-21 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in SourceCodester Content Management System v 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter to content_management_system\admin\new_content.php | ||||
| CVE-2021-25179 | 1 Solarwinds | 1 Serv-u File Server | 2024-11-21 | 6.1 Medium |
| SolarWinds Serv-U before 15.2 is affected by Cross Site Scripting (XSS) via the HTTP Host header. | ||||
| CVE-2021-25161 | 2 Arubanetworks, Siemens | 3 Instant, Scalance W1750d, Scalance W1750d Firmware | 2024-11-21 | 6.1 Medium |
| A remote cross-site scripting (xss) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. | ||||
| CVE-2021-25120 | 1 Easysocialfeed | 1 Easy Social Feed | 2024-11-21 | 6.1 Medium |
| The Easy Social Feed Free and Pro WordPress plugins before 6.2.7 do not sanitise some of their parameters used via AJAX actions before outputting them back in the response, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-25115 | 1 Wp Photo Album Plus Project | 1 Wp Photo Album Plus | 2024-11-21 | 6.4 Medium |
| The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be executed in the admin panel. | ||||
| CVE-2021-25113 | 1 Dropdown Menu Widget Project | 1 Dropdown Menu Widget | 2024-11-21 | 5.4 Medium |
| The Dropdown Menu Widget WordPress plugin through 1.9.7 does not have authorisation and CSRF checks when saving its settings, allowing low privilege users such as subscriber to update them. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues | ||||
| CVE-2021-25112 | 1 I-plugins | 1 Whmcs Bridge | 2024-11-21 | 6.1 Medium |
| The WHMCS Bridge WordPress plugin before 6.4b does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25107 | 1 Accesspressthemes | 1 Form Store To Db | 2024-11-21 | 6.1 Medium |
| The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin | ||||
| CVE-2021-25106 | 1 Wpeka | 1 Wplegalpages | 2024-11-21 | 5.4 Medium |
| The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting | ||||
| CVE-2021-25105 | 1 Ivorysearch | 1 Ivory Search | 2024-11-21 | 4.8 Medium |
| The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-25104 | 1 Oceanwp | 1 Ocean Extra | 2024-11-21 | 6.1 Medium |
| The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used when the OceanWP is active, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-25103 | 1 Gtranslate | 1 Translate Wordpress With Gtranslate | 2024-11-21 | 4.7 Medium |
| The Translate WordPress with GTranslate WordPress plugin before 2.9.7 does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCE_SALT and NONCE_KEY | ||||
| CVE-2021-25102 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2024-11-21 | 4.7 Medium |
| The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk | ||||
| CVE-2021-25101 | 1 Anti-malware Security And Brute-force Firewall Project | 1 Anti-malware Security And Brute-force Firewall | 2024-11-21 | 4.8 Medium |
| The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user. | ||||
| CVE-2021-25100 | 1 Givewp | 1 Givewp | 2024-11-21 | 6.1 Medium |
| The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25099 | 1 Givewp | 1 Givewp | 2024-11-21 | 6.1 Medium |
| The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25091 | 1 Ylefebvre | 1 Link Library | 2024-11-21 | 6.1 Medium |
| The Link Library WordPress plugin before 7.2.9 does not sanitise and escape the settingscopy parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25090 | 1 Wpsofts | 1 Portfolio Gallery\, Product Catalog - Grid Kit Portfolio | 2024-11-21 | 5.4 Medium |
| The Portfolio Gallery, Product Catalog WordPress plugin before 2.1.0 does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allows attackers to perform Cross-Site Scripting attacks on pages where a Portfolio is embed | ||||