CVE-2021-27531

A cross-site scripting XSS vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "query" parameter...

CVE-2021-26812

Cross Site Scripting XSS in the Jitsi Meet 2.7 through 2.8.3 plugin for Moodle via the "sessionpriv.php" module. This allows attackers to craft a malicious URL, which when clicked on by users, can inject javascript code to be run by the application...

CVE-2021-26710

A cross-site scripting XSS issue in the login panel in Redwood Report2Web 4.3.4.5 and 4.5.3 allows remote attackers to inject JavaScript via the signIn.do urll parameter...

CVE-2021-24425

The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue,...

CVE-2021-24309

The "Schedule Name" input in the Weekly Schedule WordPress plugin before 3.4.3 general options did not properly sanitize input, allowing a user to inject javascript code using the...

CVE-2021-24293

In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action to call getcartitems via photocratiajax , after that the settingsshippingaddressname is able to inject malicious javascript...

CVE-2021-38708

In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via Comcode for XSS...

CVE-2021-21259

HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instanc...

CVE-2021-20683

Improper neutralization of JavaScript input in the blog article editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors...

CVE-2021-43288

An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report...

CVE-2021-32927

An attacker may be able to inject client-side JavaScript code on multiple instances within all versions of Uffizio GPS Tracker...

CVE-2021-35488

Thruk 2.40-2 allows /thruk/cgi-bin/status.cgi?style=combined=TITLE Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it...

CVE-2021-32009

Cross-site Scripting XSS vulnerability in firmware section of Secomea GateManager allows logged in user to inject javascript in browser session. This issue affects: Secomea GateManager Version 9.6.621421014 and all prior versions...

CVE-2021-30111

A stored XSS vulnerability exists in Web-School ERP V 5.0 via Add Events in the event name and description fields. An attack can inject a JavaScript code that will be stored in the page. If any visitor sees the events, then the payload will be executed...

CVE-2021-28161

In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected...

CVE-2021-25925

in SiCKRAGE, versions 4.2.0 to 10.0.11.dev1 are vulnerable to Stored Cross-Site-Scripting XSS due to user input not being validated properly when processed by the server. Therefore, an attacker can inject arbitrary JavaScript code inside the application, and possibly steal a user’s sensitive...

CVE-2021-24290

There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages...

CVE-2021-24162

In the Reponsive Menu free and Pro WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in...

CVE-2021-24201

In the Elementor Website Builder WordPress plugin before 3.1.4, the column element includes/elements/column.php accepts an ‘htmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified...

CVE-2021-21418

psemailsubscription is a newsletter subscription module for the PrestaShop platform. An employee can inject javascript in the newsletter condition field that will then be executed on the front office The issue has been fixed in 2.6.1...