Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12245 | 1 Grafana | 1 Grafana | 2020-10-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. | |||||
| CVE-2020-2290 | 1 Jenkins | 1 Active Choices | 2020-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Active Choices Plugin 2.4 and earlier does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-2289 | 1 Jenkins | 1 Active Choices | 2020-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-7676 | 1 Angularjs | 1 Angular.js | 2020-10-09 | 3.5 LOW | 5.4 MEDIUM |
| angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code. | |||||
| CVE-2019-4725 | 1 Ibm | 1 Security Access Manager | 2020-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Security Access Manager Appliance 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172131. | |||||
| CVE-2020-14223 | 1 Hcltech | 1 Digital Experience | 2020-10-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross-site scripting (XSS). The vulnerability could be employed in a reflected or non-persistent XSS attack. | |||||
| CVE-2020-13339 | 1 Gitlab | 1 Gitlab | 2020-10-08 | 6.0 MEDIUM | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted. | |||||
| CVE-2020-23835 | 1 Tailor Management System Project | 1 Tailor Management System | 2020-10-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting (XSS) vulnerability in the index.php login-portal webpage of SourceCodester Tailor Management System v1.0 allows remote attackers to harvest keys pressed by an unauthenticated victim who clicks on a malicious URL and begins typing. | |||||
| CVE-2020-15231 | 1 Mapfish | 1 Print | 2020-10-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| In mapfish-print before version 3.24, a user can use the JSONP support to do a Cross-site scripting. | |||||
| CVE-2020-26134 | 1 Livehelperchat | 1 Live Helper Chat | 2020-10-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Live Helper Chat before 3.44v allows stored XSS in chat messages with an operator via BBCode. | |||||
| CVE-2020-13337 | 1 Gitlab | 1 Gitlab | 2020-10-08 | 3.5 LOW | 4.8 MEDIUM |
| An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name. | |||||
| CVE-2020-13338 | 1 Gitlab | 1 Gitlab | 2020-10-08 | 3.5 LOW | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8, 13.1.2. A stored cross-site scripting vulnerability was discovered when editing references. | |||||
| CVE-2019-12626 | 1 Cisco | 1 Unified Contact Center Express | 2020-10-08 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs valid administrator credentials. | |||||
| CVE-2020-24861 | 1 Get-simple | 1 Getsimple Cms | 2020-10-08 | 3.5 LOW | 5.4 MEDIUM |
| GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page | |||||
| CVE-2020-24860 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-10-08 | 3.5 LOW | 5.4 MEDIUM |
| CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website. | |||||
| CVE-2020-13336 | 1 Gitlab | 1 Gitlab | 2020-10-08 | 3.5 LOW | 4.8 MEDIUM |
| An issue has been discovered in GitLab affecting versions from 11.8 before 12.10.13. GitLab was vulnerable to a stored XSS by in the error tracking feature. | |||||
| CVE-2020-14294 | 1 Secudos | 1 Qiata Fta | 2020-10-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Secudos Qiata FTA 1.70.19. The comment feature allows persistent XSS that is executed when reading transfer comments or the global notice board. | |||||
| CVE-2020-13168 | 1 Sysaid | 2 Sysaid On-premises, Sysaidsy On-premises | 2020-10-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| SysAid 20.1.11b26 allows reflected XSS via the ForgotPassword.jsp accountid parameter. | |||||
| CVE-2020-8238 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Policy Secure | 2020-10-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS). | |||||
| CVE-2020-8245 | 1 Citrix | 4 Application Delivery Controller, Application Delivery Controller Firmware, Gateway and 1 more | 2020-10-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-WAN WANOP 11.1 before 11.1.2a, Citrix SD-WAN WANOP 11.0 before 11.0.3f, Citrix SD-WAN WANOP 10.2 before 10.2.7b leads to an HTML Injection attack against the SSL VPN web portal. | |||||
| CVE-2020-12815 | 1 Fortinet | 2 Fortianalyzer, Fortitester | 2020-10-06 | 3.5 LOW | 5.4 MEDIUM |
| An improper neutralization of input vulnerability in FortiTester before 3.9.0 may allow a remote authenticated attacker to inject script related HTML tags via IPv4/IPv6 address fields. | |||||
| CVE-2020-22481 | 1 Hack | 1 Hfish | 2020-10-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in HFish 0.5.1. When a payload is inserted where the password is entered, XSS code is triggered when the administrator views the information. | |||||
| CVE-2020-25761 | 1 Projectworlds | 1 Visitor Management System In Php | 2020-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject javascript payloads in the parameters to perform various attacks such as stealing of cookies,sensitive information etc. | |||||
| CVE-2020-25739 | 2 Debian, Gon Project | 2 Debian Linux, Gon | 2020-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now does escaping for XSS by default without relying on MultiJson. | |||||
| CVE-2019-16025 | 1 Cisco | 1 Emergency Responder | 2020-10-05 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web framework of Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of some parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by persuading a user to access a malicious link or by intercepting a user request for the affected web interface and injecting malicious code into that request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web-based management interface or access sensitive, browser-based information. | |||||
| CVE-2020-22453 | 1 Untis | 1 Webuntis | 2020-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Untis WebUntis before 2020.9.6 allows XSS in multiple functions that store information. | |||||
| CVE-2019-20921 | 1 Snapappointments | 1 Bootstrap-select | 2020-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser. | |||||
| CVE-2019-20903 | 1 Atlassian | 1 Editor-core | 2020-10-05 | 3.5 LOW | 5.4 MEDIUM |
| The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets. | |||||
| CVE-2020-26043 | 1 Hoosk | 1 Hoosk | 2020-10-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Hoosk CMS v1.8.0. There is a XSS vulnerability in install/index.php | |||||
| CVE-2020-13330 | 1 Gitlab | 1 Gitlab | 2020-10-02 | 3.5 LOW | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in import the Bitbucket project feature. | |||||
| CVE-2020-13328 | 1 Gitlab | 1 Gitlab | 2020-10-02 | 3.5 LOW | 4.8 MEDIUM |
| An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API. | |||||
| CVE-2020-13329 | 1 Gitlab | 1 Gitlab | 2020-10-02 | 3.5 LOW | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting versions from 12.6.2 prior to 12.10.13. GitLab was vulnerable to a stored XSS by in the blob view feature. | |||||
| CVE-2020-13331 | 1 Gitlab | 1 Gitlab | 2020-10-02 | 3.5 LOW | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS by in the Wiki pasges. | |||||
| CVE-2020-26523 | 1 Froala | 1 Froala Editor | 2020-10-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Froala Editor before 3.2.2 allows XSS via pasted content. | |||||
| CVE-2014-9557 | 1 Smartwebsites | 1 Smartcms | 2020-10-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in SmartCMS v.2. | |||||
| CVE-2017-1446 | 1 Ibm | 1 Emptoris Spend Analysis | 2020-10-02 | 3.5 LOW | 5.4 MEDIUM |
| IBM Emptoris Spend Analysis 9.5.0.0 through 10.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128171. | |||||
| CVE-2020-12869 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2020-10-02 | 3.5 LOW | 5.4 MEDIUM |
| RainbowFish PacsOne Server 6.8.4 allows XSS. | |||||
| CVE-2020-22842 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-10-02 | 3.5 LOW | 5.4 MEDIUM |
| CMS Made Simple before 2.2.15 allows XSS via the m1_mod parameter in a ModuleManager local_uninstall action to admin/moduleinterface.php. | |||||
| CVE-2017-17477 | 1 Pexip | 1 Pexip Infinity | 2020-10-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pexip Infinity before 17 allows an unauthenticated remote attacker to achieve stored XSS via management web interface views. | |||||
| CVE-2020-5785 | 1 Teltonika-networks | 2 Trb245, Trb245 Firmware | 2020-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient output sanitization in Teltonika firmware TRB2_R_00.02.04.3 allows an unauthenticated attacker to conduct reflected cross-site scripting via a crafted ‘action’ or ‘pkg_name’ parameter. | |||||
| CVE-2018-7049 | 1 Wowza | 1 Streaming Engine | 2020-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Wowza Streaming Engine before 4.7.1. There is an XSS vulnerability in the HTTP providers (com.wowza.wms.http.HTTPProviderMediaList and com.wowza.wms.http.streammanager.HTTPStreamManager) causing script injection and/or reflection via a crafted HTTP request. | |||||
| CVE-2019-15969 | 1 Cisco | 1 Web Security Appliance | 2020-10-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script or HTML code in the context of the interface, which could allow the attacker to gain access to sensitive, browser-based information. | |||||
| CVE-2020-12816 | 1 Fortinet | 1 Fortinac | 2020-09-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An improper neutralization of input vulnerability in FortiNAC before 8.7.2 may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the UserID of Admin Users. | |||||
| CVE-2019-10177 | 1 Redhat | 1 Cloudforms Management Engine | 2020-09-30 | 6.0 MEDIUM | 6.5 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, due to user input is not properly sanitized. An attacker with least privilege to edit compute is able to execute a XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. | |||||
| CVE-2020-12811 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2020-09-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An improper neutralization of script-related HTML tags in a web page in FortiManager 6.2.0, 6.2.1, 6.2.2, and 6.2.3and FortiAnalyzer 6.2.0, 6.2.1, 6.2.2, and 6.2.3 may allow an attacker to execute a cross site scripting (XSS) via the Identify Provider name field. | |||||
| CVE-2019-7655 | 1 Wowza | 1 Streaming Engine | 2020-09-30 | 3.5 LOW | 5.4 MEDIUM |
| Wowza Streaming Engine 4.8.0 and earlier from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5. | |||||
| CVE-2020-12113 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-09-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used. | |||||
| CVE-2019-19456 | 1 Wowza | 1 Streaming Engine | 2020-09-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected XSS was found in the server selection box inside the login page at: enginemanager/loginfailed.html in Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0. | |||||
| CVE-2019-19453 | 1 Wowza | 1 Streaming Engine | 2020-09-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wowza Streaming Engine before 4.8.5 allows XSS (issue 1 of 2). An authenticated user, with access to the proxy license editing is able to insert a malicious payload that will be triggered in the main page of server settings. This issue was resolved in Wowza Streaming Engine 4.8.5. | |||||
| CVE-2020-8347 | 1 Lenovo | 1 Enterprise Network Disk | 2020-09-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflective cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's browser if a crafted url is visited, possibly through phishing. | |||||