Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26227 | 1 Typo3 | 1 Typo3 | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10, the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting when user-controlled data is passed as an argument to Fluid view helpers. Update to TYPO3 version 9.5.23 or 10.4.10, which fix the problem described. | |||||
| CVE-2020-25890 | 1 Kyocera | 2 Ecosys M2640idw, Ecosys M2640idw Firmware | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The web application of the Kyocera ECOSYS M2640IDW printer is affected by a stored XSS vulnerability, discovered when adding a new contact in the "Machine Address Book". Successful exploitation can lead to session hijacking of the administrator of the web application or the execution of unwanted actions. | |||||
| CVE-2020-29395 | 1 Myeventon | 1 Eventon | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field. | |||||
| CVE-2020-29364 | 1 Netartmedia | 1 News Lister | 2020-12-01 | 3.5 LOW | 4.8 MEDIUM |
| In NetArt News Lister 1.0.0, news headlines are vulnerable to stored XSS: attackers can inject code via news titles. | |||||
| CVE-2019-13645 | 1 Firefly-iii | 1 Firefly Iii | 2020-12-01 | 3.5 LOW | 5.4 MEDIUM |
| ** DISPUTED ** Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtering of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to exploit the vulnerability. | |||||
| CVE-2019-13646 | 1 Firefly-iii | 1 Firefly Iii | 2020-12-01 | 3.5 LOW | 5.4 MEDIUM |
| ** DISPUTED ** Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtering of user-supplied data in a search query. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to exploit the vulnerability. | |||||
| CVE-2019-13647 | 1 Firefly-iii | 1 Firefly Iii | 2020-12-01 | 3.5 LOW | 5.4 MEDIUM |
| ** DISPUTED ** Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtering of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to exploit the vulnerability. | |||||
| CVE-2019-13644 | 1 Firefly-iii | 1 Firefly Iii | 2020-12-01 | 3.5 LOW | 5.4 MEDIUM |
| ** DISPUTED ** Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtering of user-supplied data in a budget name. The JavaScript code is contained in a transaction and is executed on the tags/show/$tag_number$ tag summary page. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to exploit the vulnerability. | |||||
| CVE-2020-28092 | 1 Pescms | 1 Pescms Team | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| PESCMS Team 2.3.2 has multiple reflected XSS via the id parameter: ?g=Team&m=Task&a=my&status=3&id=, ?g=Team&m=Task&a=my&status=0&id=, ?g=Team&m=Task&a=my&status=1&id=, and ?g=Team&m=Task&a=my&status=10&id= | |||||
| CVE-2020-29137 | 1 Cpanel | 1 Cpanel | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577). | |||||
| CVE-2015-5269 | 1 Moodle | 1 Moodle | 2020-12-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description. | |||||
| CVE-2015-5336 | 1 Moodle | 1 Moodle | 2020-12-01 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer. | |||||
| CVE-2016-2152 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field. | |||||
| CVE-2016-2153 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL, as demonstrated by a search form field. | |||||
| CVE-2016-0725 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search string. | |||||
| CVE-2015-3275 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the SCORM module in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allow remote attackers to inject arbitrary web script or HTML via a crafted organization name to (1) mod/scorm/player.php or (2) mod/scorm/prereqs.php. | |||||
| CVE-2015-3274 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an external_format_text call in a web service. | |||||
| CVE-2015-5337 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. | |||||
| CVE-2020-7773 | 1 Markdown-it-highlightjs Project | 1 Markdown-it-highlightjs | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| This affects the package markdown-it-highlightjs before 3.3.1. It is possible to insert malicious JavaScript as the value of lang in the markdown-it-highlightjs inline code highlighting feature. Proof of concept: const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const result_xss = md().use(markdownItHighlightjs, { inline: true }).render('console.log(42){.">js}'); console.log(result_xss); | |||||
| CVE-2020-28947 | 1 Misp | 1 Misp | 2020-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled. | |||||
| CVE-2020-26225 | 1 Prestashop | 1 Product Comments | 2020-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop Product Comments before version 4.2.0, an attacker could inject malicious web code into users' web browsers by creating a malicious link. The problem was introduced in version 4.0.0 and is fixed in 4.2.0. | |||||
| CVE-2020-28927 | 1 Magicpin | 1 Magicpin | 2020-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is a stored XSS in Magicpin v2.1 in the User Registration section. Each time an admin visits the manage user section from the admin panel, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload. | |||||
| CVE-2020-29133 | 1 Coremail Xt Project | 1 Coremail Xt | 2020-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| jsp/upload.jsp in Coremail XT 5.0 allows XSS via an uploaded personal signature, as demonstrated by a .jpg.html filename in the signImgFile parameter. | |||||
| CVE-2020-29003 | 1 Mediawiki | 1 Mediawiki | 2020-11-30 | 3.5 LOW | 5.4 MEDIUM |
| The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll. | |||||
| CVE-2020-29002 | 1 Mediawiki | 1 Mediawiki | 2020-11-30 | 3.5 LOW | 4.8 MEDIUM |
| includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator. | |||||
| CVE-2020-15249 | 1 Octobercms | 1 October | 2020-11-30 | 3.5 LOW | 5.4 MEDIUM |
| October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since browsers parse SVG files as documents that may contain script, an attacker could theoretically upload JavaScript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser, because the backend does not display SVGs inline anywhere; SVGs are only displayed as image resources in the backend, where script in them is not executed. The issue has been patched in Build 469 (v1.0.469) and v1.1.0. | |||||
| CVE-2020-4718 | 1 Ibm | 1 Jazz Reporting Service | 2020-11-30 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Reporting Service 6.0.6, 6.0.6.1, 7.0, and 7.0.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 187731. | |||||
| CVE-2020-7033 | 1 Avaya | 1 Equinox Conferencing | 2020-11-29 | 3.5 LOW | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in the Unified Portal Client (web client) used in Avaya Equinox Conferencing can allow an authenticated user to perform XSS attacks. The affected versions of Equinox Conferencing include all 9.x versions before 9.1.10. | |||||
| CVE-2017-15682 | 1 Craftercms | 1 Crafter Cms | 2020-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Crafter CMS Crafter Studio 3.0.1, an unauthenticated attacker is able to inject malicious JavaScript code, resulting in a stored/blind XSS in the admin panel. | |||||
| CVE-2017-15686 | 1 Craftercms | 1 Crafter Cms | 2020-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies. | |||||
| CVE-2020-13773 | 1 Ivanti | 1 Endpoint Manager | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| Ivanti Endpoint Manager through 2020.1.1 allows XSS via /LDMS/frm_splitfrm.aspx, /LDMS/licensecheck.aspx, /LDMS/frm_splitcollapse.aspx, /LDMS/alert_log.aspx, /LDMS/ServerList.aspx, /LDMS/frm_coremainfrm.aspx, /LDMS/frm_findfrm.aspx, /LDMS/frm_taskfrm.aspx, and /LDMS/query_browsecomp.aspx. | |||||
| CVE-2020-25474 | 1 Newsscriptphp | 1 News Script Php Pro | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| SimplePHPscripts News Script PHP Pro 2.3 is affected by a Cross Site Scripting (XSS) vulnerability via the editor_name parameter. | |||||
| CVE-2020-29053 | 1 Hrsale | 1 Hrsale | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter. | |||||
| CVE-2020-29070 | 1 Oscommerce | 1 Oscommerce | 2020-11-27 | 3.5 LOW | 4.8 MEDIUM |
| osCommerce 2.3.4.1 has an XSS vulnerability: an authenticated user can enter an XSS payload into the title section of newsletters. | |||||
| CVE-2020-25834 | 1 Microfocus | 1 Arcsight Logger | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting version 7.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS). | |||||
| CVE-2020-28650 | 1 Wpbakery | 1 Page Builder | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles. | |||||
| CVE-2020-10776 | 1 Redhat | 1 Keycloak | 2020-11-27 | 3.5 LOW | 4.8 MEDIUM |
| A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. | |||||
| CVE-2020-25798 | 1 Limesurvey | 1 Limesurvey | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via the parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When the survey attribute is being edited or viewed, e.g. by an administrative user, the JavaScript code is executed in the browser. | |||||
| CVE-2020-25454 | 1 Grocy Project | 1 Grocy | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module; the payload is executed when the recipe is deleted. | |||||
| CVE-2020-26701 | 1 Kaaproject | 1 Kaa | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Dashboards section in Kaa IoT Platform v1.2.0 allows remote attackers to inject malicious web script or HTML via the Description parameter. | |||||
| CVE-2020-22723 | 1 Ljcmsshop Project | 1 Ljcmsshop | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhicheng Technology Co., Ltd ljcmsshop version 1.14 allows remote attackers to inject arbitrary web script or HTML via user.php by registering an account directly in the user center, and then adding the payload to the delivery address. | |||||
| CVE-2020-28350 | 1 Sokrates | 1 Sowasql | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in OPAC in Sokrates SOWA SowaSQL through 5.6.1 via the sowacgi.php typ parameter. | |||||
| CVE-2018-19787 | 3 Canonical, Debian, Lxml | 3 Ubuntu Linux, Debian Linux, Lxml | 2020-11-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. | |||||
| CVE-2020-27126 | 1 Cisco | 1 Webex Meetings | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in an API of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to improper validation of user-supplied input to an application programmatic interface (API) within Cisco Webex Meetings. An attacker could exploit this vulnerability by convincing a targeted user to follow a link designed to submit malicious input to the API used by Cisco Webex Meetings. A successful exploit could allow the attacker to conduct cross-site scripting attacks and potentially gain access to sensitive browser-based information from the system of a targeted user. | |||||
| CVE-2020-28129 | 1 Gym Management System Project | 1 Gym Management System | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored Cross-site scripting (XSS) vulnerability in SourceCodester Gym Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php?page=packages via vulnerable fields 'Package Name' and 'Description'. | |||||
| CVE-2017-14588 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. | |||||
| CVE-2017-9508 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. | |||||
| CVE-2017-9510 | 1 Atlassian | 1 Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. | |||||
| CVE-2017-18034 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in a specially crafted repository branch name when trying to display deleted files of the branch. | |||||
| CVE-2017-14587 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. | |||||
