Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8160 | 1 Mendix | 1 Mendixsso | 2021-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a Cross-Site Scripting vulnerability via the URL path. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser. | |||||
| CVE-2020-8264 | 1 Rubyonrails | 1 Rails | 2021-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware. | |||||
| CVE-2020-35933 | 1 Tribulant | 1 Newsletter | 2021-01-11 | 3.5 LOW | 6.5 MEDIUM |
| A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter. | |||||
| CVE-2020-4697 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186790. | |||||
| CVE-2020-4733 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188127. | |||||
| CVE-2020-4691 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186698. | |||||
| CVE-2020-4663 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186234. | |||||
| CVE-2020-4664 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186235. | |||||
| CVE-2020-4666 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186281. | |||||
| CVE-2020-8280 | 1 Nextcloud | 1 Contacts | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks. | |||||
| CVE-2020-8281 | 1 Nextcloud | 1 Contacts | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks. | |||||
| CVE-2020-24903 | 1 Cutesoft | 1 Cute Editor | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | |||||
| CVE-2020-26768 | 1 Formstone | 1 Formstone | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper validation of user supplied input in the upload-target.php and upload-chunked.php files. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site once the URL is clicked or visited. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials, force malware execution, user redirection and others. | |||||
| CVE-2020-24900 | 1 Krpano | 1 Krpano | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default installation of Krpano Panorama Viewer version <=1.20.8 is prone to Reflected XSS due to insecure XML load in file /viewer/krpano.html, parameter xml. | |||||
| CVE-2020-35726 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Reports/index.jsp file via the by parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35727 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseDirs.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35725 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/index.jsp file via the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35724 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the Error.jsp file via the err parameter (or indirectly via the cpr, tcp, or abs parameter). NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35723 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the ReportPreview.do file via the referer parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35721 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseAssets.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35720 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in multiple fields (first name, last name, and logon name) when creating or modifying a user via the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35719 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Search/index.jsp file via the added parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-24902 | 1 Quixplorer Project | 1 Quixplorer | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | |||||
| CVE-2020-24901 | 1 Krpano | 1 Krpano | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS due to insecure remote js load in file viewer/krpano.html, parameter plugin[test].url. | |||||
| CVE-2020-16030 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient data validation in Blink in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | |||||
| CVE-2020-36171 | 1 Elementor | 1 Website Builder | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads. | |||||
| CVE-2020-35262 | 1 Digisol | 2 Dg-hr3400, Dg-hr3400 Firmware | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter. | |||||
| CVE-2020-36172 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. | |||||
| CVE-2020-25498 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2021-01-08 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter. | |||||
| CVE-2020-4895 | 1 Ibm | 1 Emptoris Strategic Supply Management | 2021-01-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190986. | |||||
| CVE-2020-35170 | 1 Dell | 2 Powermax Os, Unisphere | 2021-01-08 | 3.5 LOW | 5.4 MEDIUM |
| Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject javascript code and affect other authenticated users’ sessions. | |||||
| CVE-2020-35946 | 1 Semperplugins | 1 All In One Seo Pack | 2021-01-08 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the All in One SEO Pack plugin before 3.6.2 for WordPress. The SEO Description and Title fields are vulnerable to unsanitized input from a Contributor, leading to stored XSS. | |||||
| CVE-2015-2992 | 1 Apache | 1 Struts | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2019-20483 | 1 Vikisolutions | 1 Vera | 2021-01-08 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Viki Vera 4.9.1.26180. An attacker could set a user's last name to an XSS Payload, and read another user's cookie and use that to login to the application. | |||||
| CVE-2020-26046 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-01-08 | 4.3 MEDIUM | 5.4 MEDIUM |
| FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account and also impact other visitors. | |||||
| CVE-2017-6484 | 1 Inter-mediator | 1 Inter-mediator | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in INTER-Mediator 5.5. The vulnerabilities exist due to insufficient filtration of user-supplied data (c and cred) passed to the "INTER-Mediator-master/Auth_Support/PasswordReset/resetpassword.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6478 | 1 Mangoswebv4 Project | 1 Mangoswebv4 | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter). | |||||
| CVE-2020-35741 | 1 Hgiga | 4 Msr45 Isherlock-antispam, Msr45 Isherlock-user, Ssr45 Isherlock-antispam and 1 more | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| HGiga MailSherlock does not validate user parameters on multiple login pages. Attackers can use the vulnerability to inject JavaScript syntax for XSS attacks. | |||||
| CVE-2020-35740 | 1 Hgiga | 4 Msr45 Isherlock-antispam, Msr45 Isherlock-user, Ssr45 Isherlock-antispam and 1 more | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| HGiga MailSherlock does not validate specific URL parameters properly that allows attackers to inject JavaScript syntax for XSS attacks. | |||||
| CVE-2015-9251 | 2 Jquery, Oracle | 47 Jquery, Agile Product Lifecycle Management For Process, Banking Platform and 44 more | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. | |||||
| CVE-2021-3014 | 1 Mikrotik | 1 Routeros | 2021-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| In MikroTik RouterOS through 2021-01-04, the hotspot login page is vulnerable to reflected XSS via the target parameter. | |||||
| CVE-2020-26293 | 1 Htmlsanitizer Project | 1 Htmlsanitizer | 2021-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372. | |||||
| CVE-2020-29497 | 1 Dell | 1 Wyse Management Suite | 2021-01-06 | 3.5 LOW | 5.4 MEDIUM |
| Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to store malicious HTML or JavaScript code under the device tag. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. | |||||
| CVE-2020-29496 | 1 Dell | 1 Wyse Management Suite | 2021-01-06 | 3.5 LOW | 4.8 MEDIUM |
| Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. | |||||
| CVE-2021-3026 | 1 Invisioncommunity | 1 Ips Community Suite | 2021-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or comment. | |||||
| CVE-2019-25011 | 1 Netbox Project | 1 Netbox | 2021-01-06 | 3.5 LOW | 5.4 MEDIUM |
| NetBox through 2.6.2 allows an Authenticated User to conduct an XSS attack against an admin via a GFM-rendered field, as demonstrated by /dcim/sites/add/ comments. | |||||
| CVE-2019-16960 | 1 Solarwinds | 1 Web Help Desk | 2021-01-06 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. | |||||
| CVE-2019-16956 | 1 Solarwinds | 1 Web Help Desk | 2021-01-06 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket. | |||||
| CVE-2020-35930 | 1 Seopanel | 1 Seo Panel | 2021-01-05 | 3.5 LOW | 5.4 MEDIUM |
| Seo Panel 4.8.0 allows stored XSS by an Authenticated User via the url parameter, as demonstrated by the seo/seopanel/websites.php URI. | |||||
| CVE-2021-3002 | 1 Seopanel | 1 Seo Panel | 2021-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter. | |||||