Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5142 | 1 Sonicwall | 2 Sonicos, Sonicosv | 2020-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in the SonicOS SSLVPN web interface. A remote unauthenticated attacker is able to store and potentially execute arbitrary JavaScript code in the firewall SSLVPN portal. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0. | |||||
| CVE-2020-15263 | 1 Orchid | 1 Platform | 2020-10-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4. | |||||
| CVE-2020-6367 | 1 Sap | 1 Netweaver Composite Application Framework | 2020-10-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is a reflected cross site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions - 7.20, 7.30, 7.31, 7.40, 7.50. An unauthenticated attacker can trick an unsuspecting authenticated user to click on a malicious link. The end users browser has no way to know that the script should not be trusted, and will execute the script, resulting in sensitive information being disclosed or modified. | |||||
| CVE-2020-7747 | 1 Lightning-viz | 1 Lightning | 2020-10-22 | 3.5 LOW | 6.3 MEDIUM |
| This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller. | |||||
| CVE-2020-24416 | 1 Adobe | 1 Marketo Sales Insight | 2020-10-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Marketo Sales Insight plugin version 1.4355 (and earlier) is affected by a blind stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2020-4564 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2020-10-22 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.1 and IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 183933. | |||||
| CVE-2020-6370 | 1 Sap | 1 Netweaver Design Time Repository | 2020-10-22 | 3.5 LOW | 4.8 MEDIUM |
| SAP NetWeaver Design Time Repository (DTR), versions - 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-16270 | 1 Olimpoks | 1 Olimpok | 2020-10-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. Remote Attacker can use discovered vulnerability to inject malicious JavaScript payload to victim’s browsers in context of vulnerable applications. Executed code can be used to steal administrator’s cookies, influence HTML content of targeted application and perform phishing-related attacks. Vulnerable application used in more than 3000 organizations in different sectors from retail to industries. | |||||
| CVE-2020-4755 | 1 Ibm | 1 Spectrum Scale | 2020-10-20 | 3.5 LOW | 5.4 MEDIUM |
| IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188595. | |||||
| CVE-2020-4748 | 1 Ibm | 1 Spectrum Scale | 2020-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188517. | |||||
| CVE-2020-24316 | 1 Admin Menu Project | 1 Admin Menu | 2020-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| WP Plugin Rednumber Admin Menu v1.1 and lower does not sanitize the value of the "role" GET parameter before echoing it back out to the user. This results in a reflected XSS vulnerability that attackers can exploit with a specially crafted URL. | |||||
| CVE-2020-16242 | 1 Ge | 4 S2020, S2020 Firmware, S2024 and 1 more | 2020-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting (XSS), which may allow an attacker to trick application users into performing critical application actions that include, but are not limited to, adding and updating accounts. | |||||
| CVE-2020-9925 | 1 Apple | 7 Icloud, Ipad Os, Iphone Os and 4 more | 2020-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing maliciously crafted web content may lead to universal cross site scripting. | |||||
| CVE-2020-3536 | 1 Cisco | 1 Sd-wan | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface. | |||||
| CVE-2020-6319 | 1 Sap | 1 Netweaver Application Server Java | 2020-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to include JavaScript blocks in any web page or URL with different symbols which are otherwise not allowed. On successful exploitation an attacker can steal authentication information of the user, such as data relating to his or her current session and limitedly impact confidentiality and integrity of the application, leading to Reflected Cross Site Scripting. | |||||
| CVE-2020-6323 | 1 Sap | 1 Netweaver Enterprise Portal | 2020-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal (Fiori Framework Page) versions - 7.50, 7.31, 7.40, does not sufficiently encode user-controlled inputs and allows an attacker on a valid session to create an XSS that will be both reflected immediately and also be persisted and returned in further access to the system, resulting in Cross Site Scripting. | |||||
| CVE-2020-6368 | 1 Sap | 1 Business Planning And Consolidation | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting. | |||||
| CVE-2020-6272 | 1 Sap | 1 Commerce Cloud | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These can be saved and later triggered, if an affected web page is visited, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-7317 | 1 Mcafee | 1 Epolicy Orchestrator | 2020-10-19 | 2.3 LOW | 4.3 MEDIUM |
| Cross-Site Scripting vulnerability in McAfee ePolicy Orchistrator (ePO) prior to 5.10.9 Update 9 allows administrators to inject arbitrary web script or HTML via parameter values for "syncPointList" not being correctly sanitsed. | |||||
| CVE-2019-9509 | 1 Vertiv | 2 Avocent Umg-4000, Avocent Umg-4000 Firmware | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying to users in a web page, which could allow a remote attacker authenticated with a user account to execute arbitrary code. | |||||
| CVE-2020-24188 | 1 Unitedplanet | 1 Intrexx | 2020-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 20.03 allows remote attackers to inject arbitrary web script or HTML via the request parameter. | |||||
| CVE-2020-8155 | 1 Nextcloud | 1 Nextcloud Server | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF. | |||||
| CVE-2019-3808 | 1 Moodle | 1 Moodle | 2020-10-19 | 4.0 MEDIUM | 5.4 MEDIUM |
| A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default. | |||||
| CVE-2020-13761 | 1 Joomla | 1 Joomla\! | 2020-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS. | |||||
| CVE-2020-26918 | 1 Netgear | 20 Ex7000, Ex7000 Firmware, R6250 and 17 more | 2020-10-19 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects EX7000 before 1.0.1.78, R6250 before 1.0.4.34, R6400 before 1.0.1.46, R6400v2 before 1.0.2.66, R6700v3 before 1.0.2.66, R7100LG before 1.0.0.50, R7300DST before 1.0.0.70, R7900 before 1.0.3.8, R8300 before 1.0.2.128, and R8500 before 1.0.2.128. | |||||
| CVE-2020-4775 | 1 Ibm | 1 Curam Social Program Management | 2020-10-16 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. This vulnerability allows attackers to inject malicious scripts into web applications for the purpose of running unwanted actions on the end user's device, restricted to a single location. IBM X-Force ID: 189153. | |||||
| CVE-2020-26917 | 1 Netgear | 18 Ex7000, Ex7000 Firmware, R6250 and 15 more | 2020-10-16 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects EX7000 before 1.0.1.78, R6250 before 1.0.4.34, R6400 before 1.0.1.46, R6400v2 before 1.0.2.66, R7100LG before 1.0.0.50, R7300DST before 1.0.0.70, R7900 before 1.0.3.8, R8300 before 1.0.2.128, and R8500 before 1.0.2.128. | |||||
| CVE-2020-26915 | 1 Netgear | 22 D7800, D7800 Firmware, R7500v2 and 19 more | 2020-10-16 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10. | |||||
| CVE-2020-25272 | 1 Online Bus Booking System Project | 1 Online Bus Booking System | 2020-10-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| In SourceCodester Online Bus Booking System 1.0, there is XSS through the name parameter in book_now.php. | |||||
| CVE-2020-8820 | 1 Webmin | 1 Webmin | 2020-10-16 | 3.5 LOW | 5.4 MEDIUM |
| An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed. | |||||
| CVE-2020-12670 | 1 Webmin | 1 Webmin | 2020-10-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. | |||||
| CVE-2020-15177 | 1 Glpi-project | 1 Glpi | 2020-10-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2. | |||||
| CVE-2020-15217 | 1 Glpi-project | 1 Glpi | 2020-10-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ. | |||||
| CVE-2020-26923 | 1 Netgear | 8 Wc7500, Wc7500 Firmware, Wc7600 and 5 more | 2020-10-15 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects WC7500 before 6.5.5.24, WC7600 before 6.5.5.24, WC7600v2 before 6.5.5.24, and WC9500 before 6.5.5.24. | |||||
| CVE-2020-2292 | 1 Jenkins | 1 Release | 2020-10-15 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission. | |||||
| CVE-2020-24301 | 1 Hapifhir | 1 Testpage Overlay | 2020-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Users of the HAPI FHIR Testpage Overlay 5.0.0 and below can use a specially crafted URL to exploit an XSS vulnerability in this module, allowing arbitrary JavaScript to be executed in the user's browser. The impact of this vulnerability is believed to be low, as this module is intended for testing and not believed to be widely used for any production purposes. | |||||
| CVE-2020-13345 | 1 Gitlab | 1 Gitlab | 2020-10-15 | 3.5 LOW | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 10.8. Reflected XSS on Multiple Routes | |||||
| CVE-2020-25343 | 1 Getsymphony | 1 Symphony | 2020-10-14 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php | |||||
| CVE-2020-24627 | 1 Hpe | 2 Kvm Ip Console Switch G2, Kvm Ip Console Switch G2 Firmware | 2020-10-14 | 3.5 LOW | 5.4 MEDIUM |
| A remote stored xss vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3. | |||||
| CVE-2020-17551 | 1 Impresscms | 1 Impresscms | 2020-10-14 | 3.5 LOW | 4.8 MEDIUM |
| ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which may result in arbitrary remote code execution. | |||||
| CVE-2020-23832 | 1 Car Rental Management System Project | 1 Car Rental Management System | 2020-10-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Persistent Cross-Site Scripting (XSS) vulnerability in message_admin.php in Projectworlds Car Rental Management System v1.0 allows unauthenticated remote attackers to harvest an admin login session cookie and steal an admin session upon an admin login. | |||||
| CVE-2020-4741 | 1 Ibm | 1 Infosphere Information Server | 2020-10-13 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188197. | |||||
| CVE-2020-4680 | 1 Ibm | 1 Security Guardium | 2020-10-13 | 3.5 LOW | 5.4 MEDIUM |
| IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186426. | |||||
| CVE-2020-4679 | 1 Ibm | 1 Security Guardium | 2020-10-13 | 3.5 LOW | 4.8 MEDIUM |
| IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186424. | |||||
| CVE-2020-4681 | 1 Ibm | 1 Security Guardium | 2020-10-13 | 3.5 LOW | 5.4 MEDIUM |
| IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186427. | |||||
| CVE-2020-25830 | 1 Mantisbt | 1 Mantisbt | 2020-10-13 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php. | |||||
| CVE-2020-25288 | 1 Mantisbt | 1 Mantisbt | 2020-10-13 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript. | |||||
| CVE-2020-5631 | 1 Cmonos | 1 Cmonos | 2020-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored cross-site scripting vulnerability in CMONOS.JP ver2.0.20191009 and earlier allows remote attackers to inject arbitrary script via unspecified vectors. | |||||
| CVE-2020-26166 | 1 Qdpm | 1 Qdpm | 2020-10-13 | 3.5 LOW | 5.4 MEDIUM |
| The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task. | |||||
| CVE-2019-19393 | 1 Rittal | 2 Cmc Pu Iii 7030.000, Cmc Pu Iii 7030.000 Firmware | 2020-10-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00_2 to V3.15.70_4 devices fails to sanitize user input on the system configurations page. This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts) as the content is always displayed after and before login. Persistent XSS allows an attacker to modify displayed content or to change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or a hijacked session. | |||||