Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8462 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2020-12-21 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product. | |||||
| CVE-2020-35274 | 1 Dotcms | 1 Dotcms | 2020-12-21 | 3.5 LOW | 4.8 MEDIUM |
| DotCMS Add Template with admin panel 20.11 is affected by cross-site Scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS. | |||||
| CVE-2020-35275 | 1 Coastercms | 1 Coastercms | 2020-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Coastercms v5.8.18 is affected by cross-site scripting (XSS). A user can steal a cookie and redirect the user to any malicious website because it is triggered on the main home page of the product/application. | |||||
| CVE-2020-20138 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the Showtime2 Slideshow module in CMS Made Simple (CMSMS) 2.2.4. | |||||
| CVE-2020-25609 | 1 Mitel | 1 Micollab | 2020-12-18 | 3.5 LOW | 5.4 MEDIUM |
| The NuPoint Messenger Portal of Mitel MiCollab before 9.2 could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to view and modify user data. | |||||
| CVE-2020-28647 | 1 Progress | 1 Moveit Transfer | 2020-12-18 | 3.5 LOW | 5.4 MEDIUM |
| In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS). | |||||
| CVE-2020-2231 | 1 Jenkins | 1 Jenkins | 2020-12-18 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token. | |||||
| CVE-2020-20141 | 1 Flexmonster | 1 Pivot Table & Charts | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the To OLAP (XMLA) component Under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17. | |||||
| CVE-2020-20142 | 1 Flexmonster | 1 Pivot Table & Charts | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the "To Remote CSV" component under "Open" Menu in Flexmonster Pivot Table & Charts 2.7.17. | |||||
| CVE-2020-20140 | 1 Flexmonster | 1 Pivot Table & Charts | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Remote Report component under the Open menu in Flexmonster Pivot Table & Charts 2.7.17. | |||||
| CVE-2020-20139 | 1 Flexmonster | 1 Pivot Table & Charts | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the Remote JSON component Under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17. | |||||
| CVE-2019-16955 | 1 Solarwinds | 1 Webhelpdesk | 2020-12-18 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request. | |||||
| CVE-2019-16957 | 1 Solarwinds | 1 Webhelpdesk | 2020-12-18 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account. | |||||
| CVE-2019-11776 | 1 Eclipse | 1 Business Intelligence And Reporting Tools | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows reflected XSS in a URL parameter. An attacker can execute the payload in the victim's browser context. | |||||
| CVE-2020-35416 | 1 Stivasoft | 1 Phpjabbers Appointment Scheduler | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities exist in PHPJabbers Appointment Scheduler 2.3 in the index.php admin login webpage (with different request parameters), which allow remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2020-4845 | 1 Ibm | 1 Security Key Lifecycle Manager | 2020-12-17 | 3.5 LOW | 5.4 MEDIUM |
| IBM Security Key Lifecycle Manager 3.0.1 and 4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190289. | |||||
| CVE-2020-4657 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, I and 4 more | 2020-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Sterling B2B Integrator 5.2.0.0 through 6.0.3.2 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186094. | |||||
| CVE-2020-4658 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, I and 4 more | 2020-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Sterling File Gateway 2.2.0.0 through 6.0.3.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186095. | |||||
| CVE-2018-16243 | 1 Solarwinds | 1 Database Performance Analyzer | 2020-12-17 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen. | |||||
| CVE-2019-14478 | 1 Adremsoft | 1 Netcrunch | 2020-12-17 | 3.5 LOW | 5.4 MEDIUM |
| AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting (XSS) vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript code in the context of the user's browser if the victim opens or searches for a node whose "Display Name" contains an XSS payload. | |||||
| CVE-2020-28930 | 1 Epson | 2 Eps Tse Server 8, Eps Tse Server 8 Firmware | 2020-12-17 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) issue in the 'update user' and 'delete user' functionalities in settings/users.php in EPSON EPS TSE Server 8 (21.0.11) allows an authenticated attacker to inject a JavaScript payload in the user management page that is executed by an administrator. | |||||
| CVE-2020-23957 | 1 Pega | 1 Pega Platform | 2020-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI. | |||||
| CVE-2020-28457 | 1 S-cart | 1 S-cart | 2020-12-16 | 3.5 LOW | 4.8 MEDIUM |
| This affects the package s-cart/core before 4.4. The search functionality of the admin dashboard in core/src/Admin/Controllers/AdminOrderController.phpindex is vulnerable to XSS. | |||||
| CVE-2020-35395 | 1 Egavilanmedia | 1 Expense Management System | 2020-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in the Add Expense Component of EGavilan Media Expense Management System 1.0 allows an attacker to permanently store malicious JavaScript code via the 'description' field. | |||||
| CVE-2020-35396 | 1 Egavilanmedia | 1 Barcodes Generator | 2020-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| EGavilan Barcodes generator 1.0 is affected by: Cross Site Scripting (XSS) via the index.php. An attacker is able to inject the XSS payload in the web application each time a user visits the website. | |||||
| CVE-2019-14668 | 1 Firefly-iii | 1 Firefly Iii | 2020-12-16 | 3.5 LOW | 5.4 MEDIUM |
| Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the transaction description field. The JavaScript code is executed during deletion of a transaction link. | |||||
| CVE-2019-14670 | 1 Firefly-iii | 1 Firefly Iii | 2020-12-16 | 3.5 LOW | 5.4 MEDIUM |
| Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill creation. | |||||
| CVE-2019-14667 | 1 Firefly-iii | 1 Firefly Iii | 2020-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction action. | |||||
| CVE-2019-14672 | 1 Firefly-iii | 1 Firefly Iii | 2020-12-16 | 3.5 LOW | 5.4 MEDIUM |
| Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field. The JavaScript code is executed upon an error condition during a visit to the account show page. | |||||
| CVE-2019-14669 | 1 Firefly-iii | 1 Firefly Iii | 2020-12-16 | 3.5 LOW | 5.4 MEDIUM |
| Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the asset account name. The JavaScript code is executed during a visit to the audit account statistics page. | |||||
| CVE-2020-28456 | 1 S-cart | 1 S-cart | 2020-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The package s-cart/core before 4.4 is vulnerable to Cross-site Scripting (XSS) via the admin panel. | |||||
| CVE-2020-10012 | 1 Apple | 1 Macos | 2020-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An access issue was addressed with improved access restrictions. This issue is fixed in macOS Big Sur 11.0.1. Processing a maliciously crafted document may lead to a cross site scripting attack. | |||||
| CVE-2020-29304 | 1 Directoriespro | 1 Directories Pro | 2020-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in the SabaiApps WordPress Directories Pro plugin versions 1.3.45 and earlier, allowing attackers who have convinced a site administrator to import a specially crafted CSV file to inject arbitrary web script or HTML as the victim proceeds through the file import workflow. | |||||
| CVE-2020-29303 | 1 Directoriespro | 1 Directories Pro | 2020-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the SabaiApp Directories Pro plugin 1.3.45 for WordPress allows remote attackers to inject arbitrary web script or HTML via a POST to /wp-admin/admin.php?page=drts/directories&q=%2F with _drts_form_build_id parameter containing the XSS payload and _t_ parameter set to an invalid or non-existent CSRF token. | |||||
| CVE-2019-19284 | 1 Siemens | 1 Xhq | 2020-12-15 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users. | |||||
| CVE-2019-19288 | 1 Siemens | 1 Xhq | 2020-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. | |||||
| CVE-2020-35199 | 1 Igniterealtime | 1 Openfire | 2020-12-15 | 3.5 LOW | 5.4 MEDIUM |
| Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS. | |||||
| CVE-2020-35201 | 1 Igniterealtime | 1 Openfire | 2020-12-15 | 3.5 LOW | 5.4 MEDIUM |
| Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS. | |||||
| CVE-2020-35202 | 1 Igniterealtime | 1 Openfire | 2020-12-15 | 3.5 LOW | 5.4 MEDIUM |
| Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS. | |||||
| CVE-2020-28859 | 1 Openasset | 1 Digital Asset Management | 2020-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for reflected cross-site scripting attacks. | |||||
| CVE-2020-28857 | 1 Openasset | 1 Digital Asset Management | 2020-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for stored cross-site scripting attacks. | |||||
| CVE-2020-35200 | 1 Igniterealtime | 1 Openfire | 2020-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS. | |||||
| CVE-2020-29455 | 1 Smartystreets | 1 Liveaddressplugin.js | 2020-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in this.showInvalid and this.showInvalidCountry in SmartyStreets liveAddressPlugin.js 3.2 allows remote attackers to inject arbitrary web script or HTML via any address parameter (e.g., street or country). | |||||
| CVE-2020-35126 | 1 Typesettercms | 1 Typesetter | 2020-12-14 | 3.5 LOW | 4.8 MEDIUM |
| ** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy." | |||||
| CVE-2020-26407 | 1 Gitlab | 1 Gitlab | 2020-12-11 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability exists in GitLab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting against other users via importing a malicious project. | |||||
| CVE-2020-35127 | 1 Igniterealtime | 1 Openfire | 2020-12-11 | 3.5 LOW | 5.4 MEDIUM |
| Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS. | |||||
| CVE-2020-2229 | 1 Jenkins | 1 Jenkins | 2020-12-11 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2020-2230 | 1 Jenkins | 1 Jenkins | 2020-12-11 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission. | |||||
| CVE-2020-2493 | 1 Qnap | 1 Multimedia Console | 2020-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| This cross-site scripting vulnerability in Multimedia Console allows remote attackers to inject malicious code. QNAP has already fixed this vulnerability in Multimedia Console 1.1.5 and later. | |||||
| CVE-2020-2491 | 1 Qnap | 2 Photo Station, Qts | 2020-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| This cross-site scripting vulnerability in Photo Station allows remote attackers to inject malicious code. QNAP has already fixed this vulnerability in the following versions of Photo Station: QTS 4.5.1: Photo Station 6.0.12 and later; QTS 4.4.3: Photo Station 6.0.12 and later; QTS 4.3.6: Photo Station 5.7.12 and later; QTS 4.3.4: Photo Station 5.7.13 and later; QTS 4.3.3: Photo Station 5.4.10 and later; QTS 4.2.6: Photo Station 5.2.11 and later. | |||||
