Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-41878

A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.

CVE

Related news

CVE-2021-21749: Security Bulletin Details

ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerabilities to execute arbitrary code.

CVE-2021-21743: Security Bulletin Details

ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request.

CVE-2021-21748: Security Bulletin Details

ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerabilities to execute arbitrary code.

CVE-2021-21747: Security Bulletin Details

ZTE MF971R product has reflective XSS vulnerability. An attacker could use the vulnerability to obtain cookie information.

CVE-2021-21746: Security Bulletin Details

ZTE MF971R product has reflective XSS vulnerability. An attacker could use the vulnerability to obtain cookie information.

CVE-2021-41567: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad Uploader - Stored XSS

The new add subject parameter of Tad Uploader view book list function fails to filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks.

CVE-2021-41563: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad Book3 - Stored XSS

Tad Book3 editing book function does not filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks.

CVE-2021-41568: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad Web - Improper Authorization

Tad Web is vulnerable to authorization bypass, thus remote attackers can exploit the vulnerability to use the original function of viewing bulletin boards and uploading files in the system.

CVE-2021-41878:

A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.

CVE-2021-40970: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the username parameter.

CVE-2021-40928: [Security] XSS in index.php of Phlex and FlexTV · Issue #37 · d8ahazard/FlexTV

Cross-site scripting (XSS) vulnerability in index.php in FlexTV beta development version allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF parameter.

CVE-2021-40924: GitHub - pixeline/bugs: Simple Issue Tracking for Teams. Built in Laravel 3 (php/mysql)

Cross-site scripting (XSS) vulnerability in install/index.php in bugs 1.8 and below version allows remote attackers to inject arbitrary web script or HTML via the first_name parameter.

CVE-2021-40922: GitHub - pixeline/bugs: Simple Issue Tracking for Teams. Built in Laravel 3 (php/mysql)

Cross-site scripting (XSS) vulnerability in install/index.php in bugs 1.8 and below version allows remote attackers to inject arbitrary web script or HTML via the last_name parameter.

CVE-2021-40923: GitHub - pixeline/bugs: Simple Issue Tracking for Teams. Built in Laravel 3 (php/mysql)

Cross-site scripting (XSS) vulnerability in install/index.php in bugs 1.8 and below version allows remote attackers to inject arbitrary web script or HTML via the email parameter.

CVE-2021-40921: [Security] XSS in _contactform.inc.php · Issue #35 · dmolsen/Detector

Cross-site scripting (XSS) vulnerability in _contactform.inc.php in Detector 0.8.5 and below version allows remote attackers to inject arbitrary web script or HTML via the cid parameter.

CVE-2021-40971: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword1 parameter.

CVE-2021-40969: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the firstname parameter.

CVE-2021-40973: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the lastname parameter.

CVE-2021-40927: [Security] XSS in callback.php · Issue #137 · citelao/Spotify-for-Alfred

Cross-site scripting (XSS) vulnerability in callback.php in Spotify-for-Alfred 0.13.9 and below allows remote attackers to inject arbitrary web script or HTML via the error parameter.

CVE-2021-40972: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the mail parameter.

CVE-2021-40968: [Security] six XSS in templates/installer/step-004.inc.php · Issue #711 · spotweb/spotweb

Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword2 parameter.

CISA: Wide Exploitation of New VMware vCenter Server Flaw Likely

Attackers can use the vulnerability to remotely execute arbitrary code.

FatPipe Networks WARP 10.2.2 Authorization Bypass

Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

ECOA Building Automation System Authorization Bypass / IDOR

The BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources in the system and execute privileged functionalities.

CVE-2021-35061: security/CVE-2021-35061.md at main · sthierolf/security

Multiple cross-site scripting (XSS) vulnerabilities in DRK Odenwaldkreis Testerfassung March-2021 allow remote attackers to inject arbitrary web script or HTML via all parameters to HTML form fields in all components.

CVE-2020-25901: Vulnerabilities/Spiceworks version 7.5 HTTP Header Injection at master · Ramikan/Vulnerabilities

Host Header Injection in Spiceworks 7.5.7.0 allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907