Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15914 | 1 Ea | 1 Origin Client | 2020-11-12 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in the Origin Client for Mac and PC 10.5.86 or earlier that could allow a remote attacker to execute arbitrary Javascript in a target user’s Origin client. An attacker could use this vulnerability to access sensitive data related to the target user’s Origin account, or to control or monitor the Origin text chat window. | |||||
| CVE-2020-28249 | 1 Joplin Project | 1 Joplin | 2020-11-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. | |||||
| CVE-2020-5940 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2020-11-12 | 3.5 LOW | 5.4 MEDIUM |
| In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.2.3, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility. | |||||
| CVE-2020-24609 | 1 Techkshetrainfo | 1 Savsoft Quiz | 2020-11-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| TechKshetra Info Solutions Pvt. Ltd Savsoft Quiz 5.5 and earlier has XSS which can result in an attacker injecting the XSS payload in the User Registration section and each time the admin visits the manage user section from the admin panel, the XSS triggers and the attacker can steal the cookie via crafted payload. | |||||
| CVE-2020-22158 | 1 Mediakind | 2 Rx8200, Rx8200 Firmware | 2020-11-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| MediaKind (formerly Ericsson) RX8200 5.13.3 devices are vulnerable to multiple reflected and stored XSS. An attacker has to inject JavaScript code directly in the "path" or "Services+ID" parameters and send the URL to a user in order to exploit reflected XSS. In the case of stored XSS, an attacker must modify the "name" parameter with the malicious code. | |||||
| CVE-2015-9537 | 1 Imagely | 1 Nextgen Gallery | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XSS issues involving thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, and wmYpos, and template. | |||||
| CVE-2015-9549 | 1 Ocportal | 1 Ocportal | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site Scripting (XSS) vulnerability exists in OcPortal 9.0.20 via the OCF_EMOTICON_CELL.tpl FIELD_NAME field to data/emoticons.php. | |||||
| CVE-2015-9410 | 1 Blubrry | 1 Powerpress Podcasting | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter. | |||||
| CVE-2015-9539 | 1 Fast Secure Contact Form Project | 1 Fast Secure Contact Form | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Fast Secure Contact Form plugin before 4.0.38 for WordPress allows fs_contact_form1[welcome] XSS. | |||||
| CVE-2015-9260 | 1 Bedita | 1 Bedita | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in BEdita before 3.7.0. A cross-site scripting (XSS) attack occurs via a crafted pages/showObjects URI, as demonstrated by appending a payload to a pages/showObjects/2/0/0/leafs URI. | |||||
| CVE-2016-11016 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| NETGEAR JNR1010 devices before 1.0.0.32 allow webproc?getpage= XSS. | |||||
| CVE-2015-9230 | 1 Ait-pro | 1 Bulletproof Security | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| In the admin/db-backup-security/db-backup-security.php page in the BulletProof Security plugin before .52.5 for WordPress, XSS is possible for remote authenticated administrators via the DBTablePrefix parameter. | |||||
| CVE-2015-9229 | 1 Imagely | 1 Nextgen Gallery | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| In the nggallery-manage-gallery page in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress, XSS is possible for remote authenticated administrators via the images[1][alttext] parameter. | |||||
| CVE-2019-20440 | 1 Wso2 | 1 Api Manager | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the update API documentation feature of the API Publisher. | |||||
| CVE-2019-20441 | 1 Wso2 | 1 Api Manager | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the 'implement phase' of the API Publisher. | |||||
| CVE-2019-20442 | 1 Wso2 | 3 Api Manager, Enterprise Integrator, Identity Server | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI. | |||||
| CVE-2019-20366 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents. | |||||
| CVE-2019-20443 | 1 Wso2 | 3 Api Manager, Enterprise Integrator, Identity Server | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI. | |||||
| CVE-2019-20364 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.jsp. | |||||
| CVE-2020-24601 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName", "alias" in the import certificate trusted page | |||||
| CVE-2019-20438 | 1 Wso2 | 1 Api Manager | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the inline API documentation editor page of the API Publisher. | |||||
| CVE-2019-20363 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alias to Manage Store Contents. | |||||
| CVE-2020-24602 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in the Server Properties and Security Audit Viewer JSP page | |||||
| CVE-2019-20365 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search page. | |||||
| CVE-2020-24604 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request "searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in server-properties.jsp and security-audit-viewer.jsp | |||||
| CVE-2019-16728 | 2 Cure53, Debian | 2 Dompurify, Debian Linux | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari. | |||||
| CVE-2018-5950 | 4 Canonical, Debian, Gnu and 1 more | 9 Ubuntu Linux, Debian Linux, Mailman and 6 more | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL. | |||||
| CVE-2019-7356 | 1 Intelliants | 1 Subrion | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter. | |||||
| CVE-2020-28047 | 1 Web-audimex | 1 Audimexee | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| AudimexEE before 14.1.1 is vulnerable to Reflected XSS (Cross-Site-Scripting). If the recommended security configuration parameter "unique_error_numbers" is not set, remote attackers can inject arbitrary web script or HTML via 'action, cargo, panel' parameters that can lead to data leakage. | |||||
| CVE-2020-27691 | 1 Imomobile | 2 Verve Connect Vh510, Verve Connect Vh510 Firmware | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 allows XSS via URLBlocking Settings, SNMP Settings, and System Log Settings. | |||||
| CVE-2020-2316 | 1 Jenkins | 1 Static Analysis Utilities | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-2317 | 1 Jenkins | 1 Findbugs | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin's post build step. | |||||
| CVE-2017-14651 | 1 Wso2 | 17 Api Manager, App Manager, Application Server and 14 more | 2020-11-09 | 3.5 LOW | 4.8 MEDIUM |
| WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter. | |||||
| CVE-2020-26505 | 1 Marmind | 1 Marmind | 2020-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability in the “Marmind” web application with version 4.1.141.0 allows an attacker to inject code that will later be executed by legitimate users when they open the assets containing the JavaScript code. This would allow an attacker to perform unauthorized actions in the application on behalf of legitimate users or spread malware via the application. By using the “Assets Upload” function, an attacker can abuse the upload function to upload a malicious PDF file containing a stored XSS. | |||||
| CVE-2020-5932 | 1 F5 | 1 Big-ip Application Security Manager | 2020-11-09 | 3.5 LOW | 4.8 MEDIUM |
| On BIG-IP ASM 15.1.0-15.1.0.5, a cross-site scripting (XSS) vulnerability exists in the BIG-IP ASM Configuration utility response and blocking pages. An authenticated user with administrative privileges can specify a response page with any content, including JavaScript code that will be executed when preview is opened. | |||||
| CVE-2020-27980 | 1 Genexis | 2 Platinum-4410, Platinum-4410 Firmware | 2020-11-04 | 3.5 LOW | 5.4 MEDIUM |
| Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WLAN SSID parameter. This could allow an attacker to perform malicious actions in which the XSS popup will affect all privileged users. | |||||
| CVE-2020-27359 | 1 Evms | 1 Redcap | 2020-11-04 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages. | |||||
| CVE-2020-27741 | 1 Citadel | 1 Webcit | 2020-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Citadel WebCit through 926 allow remote attackers to inject arbitrary web script or HTML via multiple pages and parameters. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread. | |||||
| CVE-2020-27957 | 1 Mediawiki | 1 Mediawiki | 2020-11-04 | 3.5 LOW | 5.4 MEDIUM |
| The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension. | |||||
| CVE-2020-25516 | 1 Wso2 | 1 Enterprise Integrator | 2020-11-03 | 3.5 LOW | 5.4 MEDIUM |
| WSO2 Enterprise Integrator 6.6.0 or earlier contains a stored cross-site scripting (XSS) vulnerability in BPMN explorer tasks. | |||||
| CVE-2020-26205 | 1 Sal Project | 1 Sal | 2020-11-03 | 3.5 LOW | 5.4 MEDIUM |
| Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view. | |||||
| CVE-2020-27885 | 1 Wso2 | 1 Api Manager | 2020-11-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s password and invalidate the session of the victim while the hacker maintains access. | |||||
| CVE-2020-23868 | 1 Nedi | 1 Nedi | 2020-11-03 | 3.5 LOW | 5.4 MEDIUM |
| NeDi 1.9C allows inc/rt-popup.php d XSS. | |||||
| CVE-2020-23989 | 1 Nedi | 1 Nedi | 2020-11-03 | 3.5 LOW | 5.4 MEDIUM |
| NeDi 1.9C allows pwsec.php oid XSS. | |||||
| CVE-2020-8262 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Policy Secure | 2020-11-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface. | |||||
| CVE-2020-21266 | 1 Broadleafcommerce | 1 Broadleaf Commerce | 2020-11-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Broadleaf Commerce 5.1.14-GA is affected by cross-site scripting (XSS) due to a slow HTTP post vulnerability. | |||||
| CVE-2020-15676 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. | |||||
| CVE-2020-10803 | 2 Debian, Phpmyadmin | 2 Debian Linux, Phpmyadmin | 2020-11-02 | 3.5 LOW | 5.4 MEDIUM |
| In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. | |||||
| CVE-2018-19951 | 1 Qnap | 2 Music Station, Qts | 2020-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11. | |||||
| CVE-2018-19954 | 1 Qnap | 1 Photo Station | 2020-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10. | |||||