Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12706 | 1 Php-fusion | 1 Php-fusion | 2020-05-12 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php | |||||
| CVE-2020-12708 | 1 Php-fusion | 1 Php-fusion | 2020-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043. | |||||
| CVE-2016-1222 | 1 Kobe-beauty | 1 Php-contact-form | 2020-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Kobe Beauty php-contact-form before 2016-05-18 allows remote attackers to inject arbitrary web script or HTML via a crafted URI. | |||||
| CVE-2020-12696 | 1 Iframe Project | 1 Iframe | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The iframe plugin before 4.5 for WordPress does not sanitize a URL. | |||||
| CVE-2020-5746 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. | |||||
| CVE-2020-12683 | 1 Katyshop2 Project | 1 Katyshop2 | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Katyshop2 before 2.12 has multiple stored XSS issues. | |||||
| CVE-2020-11026 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | |||||
| CVE-2020-11029 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | |||||
| CVE-2020-5749 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group. | |||||
| CVE-2020-5748 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. | |||||
| CVE-2020-5747 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. | |||||
| CVE-2020-5750 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. | |||||
| CVE-2020-5751 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator. | |||||
| CVE-2020-12052 | 1 Grafana | 1 Grafana | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | |||||
| CVE-2020-3313 | 1 Cisco | 1 Firepower Management Center | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web UI of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the FMC Software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or to access sensitive, browser-based information. | |||||
| CVE-2020-11051 | 1 Requarks | 1 Wiki.js | 2020-05-08 | 3.5 LOW | 4.8 MEDIUM |
| In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor (with write access as well) load the same page into the Markdown editor, the XSS payload will be executed as part of the preview panel. The rendered result does not contain the XSS payload as it is stripped by the HTML Sanitization security module. This vulnerability only impacts editors loading the malicious page in the Markdown editor. This has been patched in 2.3.81. | |||||
| CVE-2020-4384 | 1 Ibm | 2 Infosphere Information Server On Cloud, Infosphere Qualitystage | 2020-05-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 179265. | |||||
| CVE-2017-18866 | 1 Netgear | 14 6r7500, 6r7500 Firmware, R6100 and 11 more | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects R9000 before 1.0.2.40, R6100 before 1.0.1.1, 6R7500 before 1.0.0.110, R7500v2 before 1.0.3.20, R7800 before 1.0.2.36, WNDR4300v2 before 1.0.0.48, and WNR2000v5 before 1.0.0.58. | |||||
| CVE-2020-12703 | 1 Ulicms | 1 Ulicms | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| UliCMS before 2020.2 has XSS during PackageController uninstall. | |||||
| CVE-2020-12704 | 1 Ulicms | 1 Ulicms | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| UliCMS before 2020.2 has PageController stored XSS. | |||||
| CVE-2020-12705 | 1 Lepton-cms | 1 Leptoncms | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0. | |||||
| CVE-2020-12707 | 1 Lepton-cms | 1 Lepton Cms | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements. | |||||
| CVE-2018-20590 | 1 Generic Content Management System Project | 1 Generic Content Management System | 2020-05-08 | 3.5 LOW | 4.8 MEDIUM |
| Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/users.php user ID. | |||||
| CVE-2020-11030 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | |||||
| CVE-2020-11737 | 1 Zimbra | 1 Zimbra | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2. | |||||
| CVE-2016-5682 | 1 Smartbear | 1 Swagger-ui | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section. | |||||
| CVE-2017-7188 | 1 Zurmo | 1 Zurmo Crm | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse. | |||||
| CVE-2020-8799 | 1 Webtechideas | 1 Wti Like Post | 2020-05-07 | 3.5 LOW | 4.8 MEDIUM |
| A Stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin through 1.4.5 for WordPress. Once the administrator has submitted the data, the script stored is executed for all the users visiting the website. | |||||
| CVE-2020-8033 | 1 Commscope | 2 Ruckus Zoneflex R500, Ruckus Zoneflex R500 Firmware | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Device Name field. | |||||
| CVE-2020-12639 | 1 Phplist | 1 Phplist | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. | |||||
| CVE-2019-17557 | 1 Apache | 1 Syncope | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string. | |||||
| CVE-2020-5334 | 1 Rsa | 1 Archer | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contains a Document Object Model (DOM) based cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to DOM environment in the browser. The malicious code is then executed by the web browser in the context of the vulnerable web application. | |||||
| CVE-2020-11727 | 1 Algolplus | 1 Advanced Order Export | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the AlgolPlus Advanced Order Export For WooCommerce plugin 3.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the view/settings-form.php woe_post_type parameter. | |||||
| CVE-2019-19514 | 1 Ayision | 2 Ays-wr01, Ays-wr01 Firmware | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic repeater settings via an SSID. | |||||
| CVE-2019-19515 | 1 Ayision | 2 Ays-wr01, Ays-wr01 Firmware | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in wireless settings. | |||||
| CVE-2020-11025 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | |||||
| CVE-2020-12629 | 1 Enhancesoft | 1 Osticket | 2020-05-06 | 3.5 LOW | 5.4 MEDIUM |
| include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name. | |||||
| CVE-2018-0618 | 2 Debian, Gnu | 2 Debian Linux, Mailman | 2020-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-13256 | 1 Chartered Accountant \ | 1 Auditor Website Project | 2020-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall Auditor Website 2.0.1 has XSS via the lastname or firstname parameter. | |||||
| CVE-2020-10944 | 1 Hashicorp | 1 Nomad | 2020-05-06 | 3.5 LOW | 5.4 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. Fixed in 0.10.5. | |||||
| CVE-2015-2796 | 1 Projectpier | 1 Projectpier | 2020-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Project-Pier ProjectPier-Core allow remote attackers to inject arbitrary web script or HTML via the search_for parameter to (1) search_by_tag.php, (2) search_contacts.php, or (3) search.php. | |||||
| CVE-2019-7634 | 1 Ifrn | 1 Sistema Unificado De Administracao Publica | 2020-05-06 | 3.5 LOW | 5.4 MEDIUM |
| SUAP V2 allows XSS during the update of user information. | |||||
| CVE-2018-21155 | 1 Netgear | 20 D7800, D7800 Firmware, Dm200 and 17 more | 2020-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.34, DM200 before 1.0.0.52, R6100 before 1.0.1.22, R7500 before 1.0.0.122, R7500v2 before 1.0.3.26, R7800 before 1.0.2.42, R8900 before 1.0.4.2, R9000 before 1.0.3.16, WNDR4300 before 1.0.2.98, WNDR4300v2 before 1.0.0.54, WNDR4500v3 before 1.0.0.54, and WNR2000v5 before 1.0.0.64. | |||||
| CVE-2019-20738 | 1 Netgear | 50 D6100, D6100 Firmware, D7800 and 47 more | 2020-05-05 | 3.5 LOW | 5.4 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.58, D7800 before 1.0.1.34, JNR1010v2 before 1.1.0.50, JWNR2010v5 before 1.1.0.50, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, R6020 before 1.0.0.30, R6080 before 1.0.0.30, R6100 before 1.0.1.16, R6120 before 1.0.0.40, R6700v2 before 1.2.0.14, R6800 before 1.2.0.14, R6900v2 before 1.2.0.14, R7500v2 before 1.0.3.26, R7800 before 1.0.2.46, R9000 before 1.0.4.2, WN3000RPv2 before 1.0.0.52, WN3000RPv3 before 1.0.2.78, WNDR3700v4 before 1.0.2.102, WNDR3700v5 before 1.1.0.54, WNDR4300v1 before 1.0.2.104, WNDR4300v2 before 1.0.0.48, WNDR4500v3 before 1.0.0.48, WNR1000v4 before 1.1.0.50, WNR2000v5 before 1.0.0.64, WNR2020 before 1.1.0.50, and WNR2050 before 1.1.0.50. NOTE: this may be a result of an incomplete fix for CVE-2017-18866. | |||||
| CVE-2020-10093 | 1 Lexmark | 160 6500e, 6500e Firmware, C734 and 157 more | 2020-05-05 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Lexmark Pro910 series inkjet and other discontinued products. | |||||
| CVE-2020-11944 | 1 Bitcoin-abe Project | 1 Bitcoin-abe | 2020-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Abe (aka bitcoin-abe) through 0.7.2, and 0.8pre, allows XSS in __call__ in abe.py because the PATH_INFO environment variable is mishandled during a PageNotFound exception. | |||||
| CVE-2018-21167 | 1 Netgear | 42 D6100, D6100 Firmware, Dm200 and 39 more | 2020-05-05 | 3.5 LOW | 5.5 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.57, DM200 before 1.0.0.50, EX2700 before 1.0.1.32, EX6100v2 before 1.0.1.70, EX6150v2 before 1.0.1.70, EX6200v2 before 1.0.1.62, EX6400 before 1.0.1.78, EX7300 before 1.0.1.78, EX8000 before 1.0.0.114, R6100 before 1.0.1.22, R7500 before 1.0.0.122, R7800 before 1.0.2.42, R8900 before 1.0.3.10, R9000 before 1.0.3.10, WN2000RPTv3 before 1.0.1.26, WN3000RPv3 before 1.0.2.66, WN3100RPv2 before 1.0.0.42, WNDR3700v4 before 1.0.2.96, WNDR4300 before 1.0.2.98, WNDR4300v2 before 1.0.0.54, WNDR4500v3 before 1.0.0.54, and WNR2000v5 before 1.0.0.64. | |||||
| CVE-2020-6213 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2020-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_PHTMLB, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, is vulnerable to reflected Cross-Site Scripting (XSS) via different URL parameters as it does not sufficiently encode user controlled inputs. | |||||
| CVE-2020-5889 | 1 F5 | 1 Big-ip Access Policy Manager | 2020-05-05 | 3.5 LOW | 5.4 MEDIUM |
| On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, in BIG-IP APM portal access, a specially crafted HTTP request can lead to reflected XSS after the BIG-IP APM system rewrites the HTTP response from the untrusted backend server and sends it to the client. | |||||
| CVE-2020-12438 | 1 Php-fusion | 1 Php-fusion | 2020-05-05 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags. | |||||