Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8789 | 1 Composr Project | 1 Composr | 2020-05-26 | 3.5 LOW | 5.4 MEDIUM |
| Composr 10.0.30 allows Persistent XSS via a Usergroup name under the Security configuration. | |||||
| CVE-2020-13429 | 1 Grafana | 1 Piechart-panel | 2020-05-26 | 3.5 LOW | 5.4 MEDIUM |
| legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1.5.0 for Grafana allows XSS via the Values Header (aka legend header) option. | |||||
| CVE-2020-11888 | 1 Python-markdown2 Project | 1 Python-markdown2 | 2020-05-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute. | |||||
| CVE-2020-1099 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2020-05-22 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1100, CVE-2020-1101, CVE-2020-1106. | |||||
| CVE-2020-1100 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-05-22 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1099, CVE-2020-1101, CVE-2020-1106. | |||||
| CVE-2020-1101 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-05-22 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1099, CVE-2020-1100, CVE-2020-1106. | |||||
| CVE-2020-13258 | 1 Contentful | 1 Python Example | 2020-05-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Contentful's Python example app through 2020-05-21 allows reflected XSS, as demonstrated by the api parameter to the-example-app.py. | |||||
| CVE-2020-13145 | 1 Edx | 1 Open Edx Platform | 2020-05-20 | 3.5 LOW | 5.4 MEDIUM |
| Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "Content>File Uploads" screen. These files can contain JavaScript code and thus lead to Stored XSS. | |||||
| CVE-2020-13239 | 1 Dolibarr | 1 Dolibarr | 2020-05-20 | 3.5 LOW | 5.4 MEDIUM |
| The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS. | |||||
| CVE-2020-13225 | 1 Phpipam | 1 Phpipam | 2020-05-20 | 3.5 LOW | 4.8 MEDIUM |
| phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget. | |||||
| CVE-2020-11845 | 1 Microfocus | 1 Service Manager | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability in Micro Focus Service Manager, affecting versions 9.50, 9.51, 9.52, 9.60, 9.61, 9.62 and 9.63, could be exploited by remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2020-6956 | 1 Pcs | 1 Dexicon Enterprise | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| PCS DEXICON 3.4.1 allows XSS via the loginName parameter in login_action.jsp. | |||||
| CVE-2020-4298 | 1 Ibm | 2 Infosphere Information Server, Infosphere Information Server On Cloud | 2020-05-19 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176475. | |||||
| CVE-2019-20802 | 1 Readdle | 1 Documents | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application's file-transfer web server improperly displays directory names, leading to Stored XSS, which may be used to steal a user's data. This requires user interaction because there is no known direct way for an attacker to create a crafted directory name on a victim's device. However, a crafted directory name can occur if a victim extracts a ZIP archive that was provided by an attacker. | |||||
| CVE-2020-13153 | 1 Misp | 1 Misp | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view. | |||||
| CVE-2020-12882 | 1 Rcos | 1 Submitty | 2020-05-19 | 3.5 LOW | 5.4 MEDIUM |
| Submitty through 20.04.01 allows XSS via upload of an SVG document, as demonstrated by an attack by a Student against a Teaching Fellow. | |||||
| CVE-2020-7809 | 1 Altools | 1 Alsong | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| ALSong 3.46 and earlier versions contain a Document Object Model (DOM) based cross-site scripting vulnerability caused by improper validation of user input. A remote attacker could exploit this vulnerability by tricking the victim into opening a crafted ALSong Album (.sab) file. | |||||
| CVE-2019-15083 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before build 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the ManageEngine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the ManageEngine administrator can see what software is installed on the workstation; this table lists every installed program name in the Software column. Into this field the attacker, who is remote to the ServiceDesk server but a local administrator on the workstation, can inject malicious code that executes when the ManageEngine administrator views the page. | |||||
| CVE-2020-13094 | 1 Dolibarr | 1 Dolibarr | 2020-05-19 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr before 11.0.4 allows XSS. | |||||
| CVE-2020-11930 | 1 Gtranslate | 1 Translate Wordpress With Gtranslate | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option. | |||||
| CVE-2020-12677 | 1 Progress | 1 Moveit Automation | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0 prior to 2018.0.3, 2018 SP1 - 2018.2 prior to 2018.2.3, 2018 SP2 - 2018.3 prior to 2018.3.7, 2019 - 2019.0 prior to 2019.0.3, 2019.1 - 2019.1 prior to 2019.1.2, and 2019.2 - 2019.2 prior to 2019.2.2. | |||||
| CVE-2020-9524 | 1 Microfocus | 2 Enterprise Developer, Enterprise Server | 2020-05-19 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability in Micro Focus Enterprise Server and Enterprise Developer, affecting all versions prior to version 5.0 Patch Update 8, could allow an attacker to trigger administrative actions when an administrator viewed malicious data left by the attacker (stored XSS) or followed a malicious link (reflected XSS). | |||||
| CVE-2020-12256 | 1 Rconfig | 1 Rconfig | 2020-05-18 | 3.5 LOW | 5.4 MEDIUM |
| rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit this by crafting arbitrary JavaScript in the deviceId GET parameter to devicemgmnt.php. | |||||
| CVE-2020-12259 | 1 Rconfig | 1 Rconfig | 2020-05-18 | 3.5 LOW | 5.4 MEDIUM |
| rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php. | |||||
| CVE-2019-20389 | 1 Intelliants | 1 Subrion | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding. | |||||
| CVE-2020-12685 | 1 Redhat | 1 Interchange | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in the admin help system admin/help.html and admin/quicklinks.html in Interchange 4.7.0 through 5.11.x allows remote attackers to steal credentials or data via browser JavaScript. | |||||
| CVE-2016-1113 | 1 Adobe | 1 Coldfusion | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-11285 | 1 Adobe | 1 Coldfusion | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe ColdFusion has a cross-site scripting (XSS) vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11. | |||||
| CVE-2020-2005 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7; All versions of PAN-OS 8.0. | |||||
| CVE-2020-5575 | 1 Sixapart | 1 Movable Type | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2018-4941 | 1 Adobe | 1 Coldfusion | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe ColdFusion 2016 Update 5 and earlier versions, and ColdFusion 11 Update 13 and earlier versions, have an exploitable cross-site scripting vulnerability. Successful exploitation could lead to information disclosure. | |||||
| CVE-2018-4940 | 1 Adobe | 1 Coldfusion | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe ColdFusion 2016 Update 5 and earlier versions, and ColdFusion 11 Update 13 and earlier versions, have an exploitable cross-site scripting vulnerability. Successful exploitation could lead to information disclosure. | |||||
| CVE-2017-3008 | 1 Adobe | 1 Coldfusion | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a reflected cross-site scripting vulnerability. | |||||
| CVE-2020-11070 | 1 Typo3 | 1 Svg Sanitizer | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulnerability in versions before 1.0.3. Slightly invalid or incomplete SVG markup is not correctly processed and is therefore not sanitized at all. Although the markup is invalid, browsers still evaluate it, which leads to cross-site scripting. This is fixed in version 1.0.3. | |||||
| CVE-2020-11036 | 1 Glpi-project | 1 Glpi | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to stored XSS in the comments of items in the Knowledge Base: adding a comment with the content "<script>alert(1)</script>" reproduces the attack. It can also be exploited by a user with administrator privileges via the User-Agent field, and by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket. 3. As an administrator (or other privileged user), open the created ticket. 4. In the "last update" field, hover the mouse over the name of the user. 5. The XSS fires. This is fixed in version 9.4.6. | |||||
| CVE-2020-6257 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. | |||||
| CVE-2020-6254 | 1 Sap | 1 Enterprise Threat Detection | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Enterprise Threat Detection, versions 1.0 and 2.0, does not sufficiently encode error response pages, allowing an XSS payload to be reflected in the response and leading to reflected cross-site scripting. | |||||
| CVE-2020-5838 | 1 Symantec | 1 It Analytics | 2020-05-15 | 3.5 LOW | 4.8 MEDIUM |
| Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-site scripting (XSS) vulnerability, which can enable attackers to inject client-side scripts into web pages viewed by other users. | |||||
| CVE-2020-11064 | 1 Typo3 | 1 Typo3 | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. | |||||
| CVE-2020-11065 | 1 Typo3 | 1 Typo3 | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. This has been fixed in 9.5.17 and 10.4.2. | |||||
| CVE-2020-2017 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All versions of PAN-OS 8.0. | |||||
| CVE-2016-4159 | 1 Adobe | 1 Coldfusion | 2020-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 20, 11 before Update 9, and 2016 before Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2020-12718 | 1 Php-fusion | 1 Php-fusion | 2020-05-14 | 3.5 LOW | 5.4 MEDIUM |
| In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle. | |||||
| CVE-2016-1000007 | 1 Redhat | 1 Pagure | 2020-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pagure 2.2.1 has XSS in the raw file endpoint. | |||||
| CVE-2020-11062 | 1 Glpi-project | 1 Glpi | 2020-05-14 | 3.5 LOW | 5.4 MEDIUM |
| In GLPI after 0.68.1 and before 9.4.6, multiple reflected XSS issues occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6. | |||||
| CVE-2020-11055 | 1 Bookstackapp | 1 Bookstack | 2020-05-13 | 3.5 LOW | 5.4 MEDIUM |
| In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to other users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore run on other users' machines. This mostly affects scenarios where untrusted users are given permission to create comments. This has been fixed in 0.29.2. | |||||
| CVE-2020-11006 | 1 Shopizer | 1 Shopizer | 2020-05-13 | 3.5 LOW | 5.4 MEDIUM |
| In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend. This has been patched in version 2.11.0. | |||||
| CVE-2020-10630 | 1 Sae-it | 2 Net-line Fw-50, Net-line Fw-50 Firmware | 2020-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the SAE IT-systems FW-50 Remote Telemetry Unit (RTU), the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users. | |||||
| CVE-2019-20768 | 1 Servicenow | 1 It Service Management | 2020-05-12 | 3.5 LOW | 5.4 MEDIUM |
| ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do. | |||||
| CVE-2020-12679 | 1 Mitel | 2 Mivoice Connect, Shoretel Conference Web | 2020-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATH_INFO to home.php. | |||||
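
The python-markdown2 entry (CVE-2020-11888) describes a sanitizer/browser parser differential: the sanitizer only recognises element names that match `\w+`, while browsers accept `elementname@` or `elementname-` as a tag name and honour an `onclick` attribute on it. The following is an added example, not python-markdown2's code and not its actual regex (which the table does not show); the `NAIVE_TAG_RE` pattern is an assumed stand-in that reproduces the described condition, and the attacker strings in `SAMPLES` are constructed for the demo. The hardened tokenizer follows the HTML rule that a tag name runs from a leading letter up to whitespace, `/` or `>`.

```python
import html
import re

# Constructed attacker inputs (not taken from the advisory).
SAMPLES = [
    '<b onclick="alert(1)">bold</b>',          # ordinary tag name: \w+ matches
    '<a@ onclick="alert(1)">click</a@>',       # name contains '@': \w+ does not cover it
    '<a- onclick="alert(1)">click</a->',       # name contains '-': same problem
]

# Assumed naive sanitizer: a "tag" is '<', optional '/', a \w+ name, and the
# name must be followed by whitespace, '/' or '>'. Anything else is not a tag.
NAIVE_TAG_RE = re.compile(r'<(/?)(\w+)(?=[\s/>])([^>]*)>')

def escape_tags_naive(text: str) -> str:
    """Escape every '<...>' the naive regex recognises; leave the rest untouched."""
    return NAIVE_TAG_RE.sub(lambda m: html.escape(m.group(0)), text)

# Browser-like tokenizer: tag name = a letter followed by anything that is not
# whitespace, '/' or '>'. This is how '<a@ onclick=...>' becomes a real element.
BROWSER_TAG_RE = re.compile(r'<(/?)([A-Za-z][^\s/>]*)([^>]*)>')

def escape_tags_hardened(text: str) -> str:
    """Escape any '<' that a browser would treat as the start of a tag."""
    return BROWSER_TAG_RE.sub(lambda m: html.escape(m.group(0)), text)

def browser_tags(text: str):
    """Return (name, attribute-string) pairs as a browser would tokenize them."""
    return [(m.group(2).lower(), m.group(3)) for m in BROWSER_TAG_RE.finditer(text)]

def leaked_handlers(text: str):
    """Event-handler attributes that survive in `text`, seen through the browser tokenizer."""
    found = []
    for name, attrs in browser_tags(text):
        for attr in re.findall(r'\bon\w+\s*=', attrs, re.IGNORECASE):
            found.append((name, attr.rstrip('= \t').lower()))
    return found

def compare(samples=SAMPLES):
    """Per sample: handlers that leak through the naive and the hardened sanitizer."""
    return [
        {
            "input": s,
            "naive_leaks": leaked_handlers(escape_tags_naive(s)),
            "hardened_leaks": leaked_handlers(escape_tags_hardened(s)),
        }
        for s in samples
    ]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The check to take away: validate the sanitizer against a tokenizer that follows the browser's rules, not against the sanitizer's own idea of what a tag is. Any input on which the two disagree is a candidate bypass.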
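
Several rows above share one root cause: user-uploaded SVG (CVE-2020-13145, CVE-2020-12882) or HTML (CVE-2020-13239) is served back in a way that lets the browser execute it, and in the TYPO3 SVG Sanitizer case (CVE-2020-11070) markup the sanitizer could not parse was passed through unsanitized instead of being rejected. The following is an added example, not the code of any of those projects: a fail-closed SVG upload check using the standard-library XML parser, plus the response headers for serving an upload as a download regardless of request parameters. The element and attribute lists, the `download_headers` function and the `SAMPLES` inputs are all assumptions constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Assumed policy for the demo: elements that can run script or embed foreign content,
# and URL-bearing attributes whose value must not carry an executable scheme.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "use"}
URL_ATTRS = {"href", XLINK_HREF}
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)

def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]

def check_svg(data: bytes):
    """Return (accepted, reason). Fails closed: anything that does not parse strictly is rejected."""
    # Refuse DTDs/entities outright rather than reasoning about entity expansion.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return False, "DTD or entity declarations are not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # The TYPO3 lesson: unparsable markup is rejected, never passed through.
        return False, f"malformed XML rejected: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":
        return False, f"root element is {root.tag!r}, not an SVG document"
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{name}>"
        for attr, value in el.attrib.items():
            if _local(attr).lower().startswith("on"):
                return False, f"event handler attribute {_local(attr)} on <{name}>"
            if attr in URL_ATTRS and DANGEROUS_SCHEMES.match(value):
                return False, f"executable URL scheme in {_local(attr)} on <{name}>"
    return True, "ok"

def download_headers(filename: str) -> dict:
    """Headers for returning a stored upload: always an attachment, never rendered inline."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)  # keep header injection out of the name
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        # Defence in depth if something does render it: no script, no network, sandboxed origin.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }

# Constructed sample uploads for the demo.
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="red"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<rect width="1" height="1"/></svg>',
    "href": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>',
    # Missing closing tag: a lenient sanitizer might skip it, a browser will still render it.
    "malformed": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script>',
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, check_svg(blob))
    print(download_headers("logo.svg"))
```

In production, parse with `defusedxml` rather than the raw standard-library parser, and keep the download path and the "inline" path separate so that dropping a query parameter (the Dolibarr case) cannot switch a user upload from attachment to inline rendering.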
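
The GLPI entry (CVE-2020-11036) gives a concrete attribute-context payload: a surname of `" onmouseover="alert(document.cookie)` that closes the attribute it is rendered into. The following is an added example, not GLPI's code; the `render_*` templates are assumptions constructed to show the pitfall, and it goes slightly beyond the row by also showing that escaping quotes is not enough when the attribute itself is unquoted. The stdlib `HTMLParser` is used as a stand-in for the browser to check which attributes actually come out the other side.

```python
import html
from html.parser import HTMLParser

# Payload shape from the GLPI advisory; a second, constructed one for unquoted attributes.
QUOTED_BREAKOUT = '" onmouseover="alert(document.cookie)'
UNQUOTED_BREAKOUT = 'x onmouseover=alert(document.cookie)'

def render_vulnerable(surname: str) -> str:
    # quote=False leaves '"' alone, so the value can terminate the attribute early.
    return f'<span title="{html.escape(surname, quote=False)}">last update</span>'

def render_unquoted(surname: str) -> str:
    # Quotes are escaped, but the attribute is unquoted: a space ends the value.
    return f'<span title={html.escape(surname)}>last update</span>'

def render_fixed(surname: str) -> str:
    # Quoted attribute + html.escape with quote=True (the default): '"' becomes &quot;.
    return f'<span title="{html.escape(surname)}">last update</span>'

class _AttrCollector(HTMLParser):
    """Collect the attributes of every start tag, as a browser-like parser sees them."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(dict(attrs))

def attributes_seen(markup: str) -> dict:
    """Attributes a parser extracts from `markup`, with entity references decoded."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def has_event_handler(markup: str) -> bool:
    """True if any parsed attribute name is an on* event handler."""
    return any(name.lower().startswith("on") for name in attributes_seen(markup))

if __name__ == "__main__":
    for renderer in (render_vulnerable, render_unquoted, render_fixed):
        for payload in (QUOTED_BREAKOUT, UNQUOTED_BREAKOUT):
            print(renderer.__name__, has_event_handler(renderer(payload)))
```

The check generalises: for every template that puts user data into an attribute, render the known breakout payloads and parse the result; if a handler attribute appears, the encoding does not match the context.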
