Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-33675:

Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability through phishing and to execute arbitrary code on the victim’s browser.

CVE

Related news

CVE-2021-26844: PA Server Monitor Release Notes

A cross-site scripting (XSS) vulnerability in Power Admin PA Server Monitor 8.2.1.1 allows remote attackers to inject arbitrary web script or HTML via Console.exe.

CVE-2020-35249: Offensive Security’s Exploit Database Archive

Cross Site Scripting (XSS) vulnerability in ElkarBackup 1.3.3, allows attackers to execute arbitrary code via the name parameter to the add client feature.

CVE-2020-36501

Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.

CVE-2020-28968

Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.

CVE-2020-23039

Folder Lock v3.4.5 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Create Folder function under the 'create' module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload as a path or folder name.

CVE-2020-36499

TAO Open Source Assessment Platform v3.3.0 RC02 was discovered to contain a cross-site scripting (XSS) vulnerability in the content parameter of the Rubric Block (Add) module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the rubric name value.

CVE-2020-36498

Macrob7 Macs Framework Content Management System - 1.14f contains a cross-site scripting (XSS) vulnerability in the account reset function, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the e-mail input field.

CVE-2020-36502: HTTP Error 404

Swift File Transfer Mobile v1.1.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the devicename parameter which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered as the device name itself.

CVE-2020-36489: HTTP Error 404

Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the devicename parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the devicename information.

CVE-2021-41563: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad Book3 - Stored XSS

Tad Book3 editing book function does not filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks.

CVE-2021-41567: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad Uploader - Stored XSS

The new add subject parameter of Tad Uploader view book list function fails to filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks.

CVE-2020-21729: JEECMS x1.1 have Stored XSS vulnerability · Issue #3 · CoCoCoCoCoColi/CVE

JEECMS x1.1 contains a stored cross-site scripting (XSS) vulnerability in the component of /member-vipcenter.htm, which allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2020-21496: Storage Cross-Site Scripting Attack (XSS) Vulnerability · Issue #5 · rayfalling/xiuno-docker

A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitebrief parameter.

CVE-2020-21495: Storage Cross-Site Scripting Attack (XSS) Vulnerability · Issue #5 · rayfalling/xiuno-docker

A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitename parameter.

CVE-2021-41878:

A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.

CVE-2021-40973: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the lastname parameter.

CVE-2021-40927: [Security] XSS in callback.php · Issue #137 · citelao/Spotify-for-Alfred

Cross-site scripting (XSS) vulnerability in callback.php in Spotify-for-Alfred 0.13.9 and below allows remote attackers to inject arbitrary web script or HTML via the error parameter.

CVE-2021-40971: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword1 parameter.

CVE-2021-41467: [Security] XSS in application/controllers/dropbox.php · Issue #106 · hjue/JustWriting

Cross-site scripting (XSS) vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.

CVE-2021-40928: [Security] XSS in index.php of Phlex and FlexTV · Issue #37 · d8ahazard/FlexTV

Cross-site scripting (XSS) vulnerability in index.php in FlexTV beta development version allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF parameter.

CVE-2021-40921: [Security] XSS in _contactform.inc.php · Issue #35 · dmolsen/Detector

Cross-site scripting (XSS) vulnerability in _contactform.inc.php in Detector 0.8.5 and below version allows remote attackers to inject arbitrary web script or HTML via the cid parameter.

CVE-2021-40969: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the firstname parameter.

CVE-2021-40972: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the mail parameter.

CVE-2021-40970: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the username parameter.

CVE-2021-40968: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword2 parameter.

CVE-2020-20799: jeecms commentary exists storage type xss · Issue #1 · blackjliuyun/cvetest

JeeCMS 1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the commentText parameter.

CVE-2021-24016: PSIRT Advisories | FortiGuard

An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.

CVE-2021-25963: General: fix critical views that can be subject of XSS attacks · shuup/shuup@75714c3

In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not escaped.

CVE-2020-20131: Stored XSS of PAGE control · Issue #36 · wanglelecc/laracms

LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows atackers to execute arbitrary web scripts or HTML via a crafted payload in the page management module.

CVE-2020-20129: 存储型XSS漏洞1 · Issue #34 · wanglelecc/laracms

LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content editor.

CVE-2021-37104: Security Advisory - Server-Side Request Forgery Vulnerability in Huawei Product

There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3). This vulnerability is due to insufficient validation of parameters while dealing with some messages. A successful exploit could allow the attacker to gain access to certain resource which the attacker are supposed not to do.

CVE-2020-20695: Storage type xss by uploading svg files · Issue #52 · GilaCMS/gila

A stored cross-site scripting (XSS) vulnerability in GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.

CVE-2021-36841: WordPress YITH Maintenance Mode plugin <= 1.3.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7, vulnerable parameter &yith_maintenance_newsletter_submit_label. Possible even when unfiltered HTML is disallowed by WordPress configuration.

CVE-2020-19949: Cross Site Scripting Vulnerability in Latest Release V5.3 · Issue #21 · yzmcms/yzmcms

A cross-site scripting (XSS) vulnerability in the /link/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.

CVE-2020-19950: Cross Site Scripting Vulnerability in Latest Release V5.3 · Issue #22 · yzmcms/yzmcms

A cross-site scripting (XSS) vulnerability in the /banner/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.

CVE-2021-36823: Absolutely Glamorous Custom Admin 6.8 stored XSS

Authenticated Stored Cross-Site Scripting (XSS) vulnerability in WordPress Absolutely Glamorous Custom Admin plugin (versions <= 6.8). Stored XSS possible via unsanitized input fields of the plugin settings, some of the payloads could make the frontend and the backend inaccessible.

CVE-2021-33045: Security Advisory - Identity authentication bypass vulnerability found in some Dahua products

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CVE-2021-33044: Security Advisory - Identity authentication bypass vulnerability found in some Dahua products

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CVE-2021-33674:

Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability when creating a new email and to execute arbitrary code on the victim's browser.

CVE-2021-33673:

Under certain conditions, SAP Contact Center - version 700,does not sufficiently encode user-controlled inputs and persists in them. This allows an attacker to exploit a Stored Cross-Site Scripting (XSS) vulnerability when a user browses through the employee directory and to execute arbitrary code on the victim's browser. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands.

CVE-2021-35061: security/CVE-2021-35061.md at main · sthierolf/security

Multiple cross-site scripting (XSS) vulnerabilities in DRK Odenwaldkreis Testerfassung March-2021 allow remote attackers to inject arbitrary web script or HTML via all parameters to HTML form fields in all components.

CVE-2021-36621: Offensive Security’s Exploit Database Archive

Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL Injection. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, an attacker can decrypt and obtain the plain-text password. Hence, the attacker could authenticate as Administrator.

CVE-2020-25901: Vulnerabilities/Spiceworks version 7.5 HTTP Header Injection at master · Ramikan/Vulnerabilities

Host Header Injection in Spiceworks 7.5.7.0 allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.

CVE-2020-10770: 1846270 – (CVE-2020-10770) CVE-2020-10770 keycloak: Default Client configuration is vulnerable to SSRF using "request_uri" parameter

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

CVE-2019-1975: Cisco HyperFlex Software Cross-Frame Scripting Vulnerability

A vulnerability in the web-based interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack on an affected device. This vulnerability is due to insufficient HTML iframe protection. An attacker could exploit this vulnerability by directing a user to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct clickjacking or other clientside browser attacks.

CVE-2014-3704: oss-security - Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907