Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5592 | 1 Zenphoto | 1 Zenphoto | 2020-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Zenphoto versions prior to 1.5.7 allows remote attackers to inject an arbitrary JavaScript via unspecified vectors. | |||||
| CVE-2019-19111 | 1 Gvectors | 1 Wpforo | 2020-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases langid parameter. | |||||
| CVE-2019-19112 | 1 Gvectors | 1 Wpforo | 2020-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wpForo plugin 1.6.5 for WordPress allows XSS involving the wpf-dw-td-value class of dashboard.php. | |||||
| CVE-2020-9648 | 1 Adobe | 1 Experience Manager | 2020-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.5 and earlier have a cross-site scripting vulnerability. Successful exploitation could lead to arbitrary javascript execution in the browser. | |||||
| CVE-2020-9651 | 1 Adobe | 1 Experience Manager | 2020-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.5 and earlier have a cross-site scripting (reflected) vulnerability. Successful exploitation could lead to arbitrary javascript execution in the browser. | |||||
| CVE-2020-9647 | 1 Adobe | 1 Experience Manager | 2020-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.5 and earlier have a cross-site scripting (dom-based) vulnerability. Successful exploitation could lead to arbitrary javascript execution in the browser. | |||||
| CVE-2020-9644 | 1 Adobe | 1 Experience Manager | 2020-06-15 | 3.5 LOW | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5 and earlier have a cross-site scripting (stored) vulnerability. Successful exploitation could lead to arbitrary javascript execution in the browser. | |||||
| CVE-2020-13228 | 1 Sysax | 1 Multi Server | 2020-06-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Sysax Multi Server 6.90. There is reflected XSS via the /scgi sid parameter. | |||||
| CVE-2020-14010 | 1 Laborator | 1 Xenon | 2020-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Laborator Xenon theme 1.3 for WordPress allows Reflected XSS via the data/typeahead-generate.php q (aka name) parameter. | |||||
| CVE-2020-1289 | 1 Microsoft | 1 Sharepoint Foundation | 2020-06-12 | 3.5 LOW | 5.4 MEDIUM |
| A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Spoofing Vulnerability'. This CVE ID is unique from CVE-2020-1148. | |||||
| CVE-2020-1148 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2020-06-12 | 3.5 LOW | 5.4 MEDIUM |
| A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Spoofing Vulnerability'. This CVE ID is unique from CVE-2020-1289. | |||||
| CVE-2020-1177 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-06-12 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1183, CVE-2020-1297, CVE-2020-1298, CVE-2020-1318, CVE-2020-1320. | |||||
| CVE-2020-1183 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-06-12 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1177, CVE-2020-1297, CVE-2020-1298, CVE-2020-1318, CVE-2020-1320. | |||||
| CVE-2020-13911 | 1 Your Online Shop Project | 1 Your Online Shop | 2020-06-12 | 3.5 LOW | 5.4 MEDIUM |
| Your Online Shop 1.8.0 allows authenticated users to trigger XSS via a Change Name or Change Surname operation. | |||||
| CVE-2020-13973 | 1 Owasp | 1 Json-sanitizer | 2020-06-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript. | |||||
| CVE-2020-12849 | 1 Pydio | 1 Cells | 2020-06-12 | 3.5 LOW | 5.4 MEDIUM |
| Pydio Cells 2.0.4 allows any user to upload a profile image to the web application, including standard and shared user roles. These profile pictures can later be accessed directly with the generated URL by any unauthenticated or authenticated user. | |||||
| CVE-2020-1297 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-06-11 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1177, CVE-2020-1183, CVE-2020-1298, CVE-2020-1318, CVE-2020-1320. | |||||
| CVE-2020-1320 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-06-11 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1177, CVE-2020-1183, CVE-2020-1297, CVE-2020-1298, CVE-2020-1318. | |||||
| CVE-2020-1318 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-06-11 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1177, CVE-2020-1183, CVE-2020-1297, CVE-2020-1298, CVE-2020-1320. | |||||
| CVE-2020-1298 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-06-11 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1177, CVE-2020-1183, CVE-2020-1297, CVE-2020-1318, CVE-2020-1320. | |||||
| CVE-2020-13980 | 1 Opencart | 1 Opencart | 2020-06-11 | 3.5 LOW | 4.8 MEDIUM |
| ** DISPUTED ** OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section because of a lack of entity encoding. NOTE: this issue exists because of an incomplete fix for CVE-2020-10596. The vendor states "this is not a massive issue as you are still required to be logged into the admin." | |||||
| CVE-2020-13853 | 1 Pandorafms | 1 Pandora Fms | 2020-06-11 | 3.5 LOW | 5.4 MEDIUM |
| Artica Pandora FMS 7.44 has persistent XSS in the Messages feature. | |||||
| CVE-2020-11696 | 1 Combodo | 1 Itop | 2020-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4. | |||||
| CVE-2020-11697 | 1 Combodo | 1 Itop | 2020-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4. | |||||
| CVE-2020-13892 | 1 Themeboy | 1 Sportspress | 2020-06-11 | 3.5 LOW | 5.4 MEDIUM |
| The SportsPress plugin before 2.7.2 for WordPress allows XSS. | |||||
| CVE-2020-13890 | 1 Laborator | 1 Neon | 2020-06-10 | 3.5 LOW | 5.4 MEDIUM |
| The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard. | |||||
| CVE-2020-12853 | 1 Pydio | 1 Cells | 2020-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pydio Cells 2.0.4 allows XSS. A malicious user can either upload or create a new file that contains potentially malicious HTML and JavaScript code to personal folders or accessible cells. | |||||
| CVE-2020-13889 | 1 Bludit | 1 Bludit | 2020-06-09 | 3.5 LOW | 5.4 MEDIUM |
| showAlert() in the administration panel in Bludit 3.12.0 allows XSS. | |||||
| CVE-2017-5964 | 1 Openenergymonitor | 1 Emoncms | 2020-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Emoncms through 9.8.0. The vulnerability exists due to insufficient filtration of user-supplied data in multiple HTTP GET parameters passed to the "emoncms-master/Modules/vis/visualisations/compare.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2020-13865 | 1 Elementor | 1 Elementor Page Builder | 2020-06-09 | 3.5 LOW | 5.4 MEDIUM |
| The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes. | |||||
| CVE-2020-13864 | 1 Elementor | 1 Elementor Page Builder | 2020-06-09 | 3.5 LOW | 5.4 MEDIUM |
| The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links. | |||||
| CVE-2020-13869 | 1 Verbb | 1 Comments | 2020-06-09 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the Comments plugin before 1.5.6 for Craft CMS. There is stored XSS via a guest name. | |||||
| CVE-2020-13870 | 1 Verbb | 1 Comments | 2020-06-09 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. There is stored XSS via an asset volume name. | |||||
| CVE-2020-13897 | 1 Hesk | 1 Hesk | 2020-06-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| HESK before 3.1.10 allows reflected XSS. | |||||
| CVE-2020-3233 | 1 Cisco | 1 Iox | 2020-06-08 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based Local Manager interface of the Cisco IOx Application Framework could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based Local Manager interface of an affected device. The attacker must have valid Local Manager credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based Local Manager interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a system settings tab. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. | |||||
| CVE-2018-18624 | 1 Grafana | 1 Grafana | 2020-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | |||||
| CVE-2018-18625 | 1 Grafana | 1 Grafana | 2020-06-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | |||||
| CVE-2020-6640 | 1 Fortinet | 1 Fortianalyzer | 2020-06-08 | 3.5 LOW | 5.4 MEDIUM |
| An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area. | |||||
| CVE-2020-4183 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2020-06-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174739. | |||||
| CVE-2020-7015 | 1 Elastic | 1 Kibana | 2020-06-05 | 3.5 LOW | 5.4 MEDIUM |
| Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users who edit the TSVB visualization. | |||||
| CVE-2020-7011 | 1 Elastic | 1 Elastic App Search | 2020-06-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of such a field, they could execute arbitrary JavaScript in the victim's web browser. | |||||
| CVE-2018-12355 | 1 Eng | 1 Knowage | 2020-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name or description field to the "Olap Schemas' Catalogue" catalogue. | |||||
| CVE-2018-10821 | 1 Blackcat-cms | 1 Blackcat Cms | 2020-06-04 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel. | |||||
| CVE-2020-13796 | 1 Naviwebs | 1 Navigate Cms | 2020-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/structure/structure.class.php. | |||||
| CVE-2020-13797 | 1 Naviwebs | 1 Navigate Cms | 2020-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/websites/website.class.php. | |||||
| CVE-2020-13798 | 1 Naviwebs | 1 Navigate Cms | 2020-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/feeds/feed.class.php. | |||||
| CVE-2018-10939 | 2 Synacor, Zimbra | 2 Zimbra Collaboration Suite, Zimbra Collaboration Suite | 2020-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group. | |||||
| CVE-2016-3410 | 1 Synacor | 1 Zimbra Collaboration Suite | 2020-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103956, 103995, 104475, 104838, and 104839. | |||||
| CVE-2016-3411 | 1 Synacor | 1 Zimbra Collaboration Suite | 2020-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 103609. | |||||
| CVE-2016-3409 | 1 Synacor | 1 Zimbra Collaboration Suite | 2020-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 102637. | |||||
