Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-16069 | 1 Netsas | 1 Enigma Network Management Solution | 2020-03-20 | 4.3 MEDIUM | 6.1 MEDIUM | A number of stored Cross-site Scripting (XSS) vulnerabilities were identified in NETSAS Enigma NMS 65.0.0 and prior that could allow a threat actor to inject malicious code directly into the application through the SNMP protocol. |
| CVE-2019-19851 | 1 Sangoma | 1 Freepbx | 2020-03-20 | 3.5 LOW | 4.8 MEDIUM | An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20. |
| CVE-2019-10146 | 2 Dogtagpki, Redhat | 2 Dogtagpki, Enterprise Linux | 2020-03-20 | 2.6 LOW | 4.7 MEDIUM | A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions of the pki-core server module, because the CA Agent Service does not properly sanitize the certificate request page. An attacker could inject a specially crafted value that will be executed in the victim's browser. |
| CVE-2020-9443 | 1 Zulipchat | 1 Zulip Desktop | 2020-03-20 | 4.3 MEDIUM | 6.1 MEDIUM | Zulip Desktop before 4.0.3 loaded untrusted content in an Electron webview with web security disabled, which can be exploited for XSS in a number of ways. This especially affects Zulip Desktop 2.3.82. |
| CVE-2019-19381 | 1 Abacus | 1 Abacus | 2020-03-20 | 4.3 MEDIUM | 6.1 MEDIUM | oauth/oauth2/v1/saml/ in Abacus OAuth Login 2019_01_r4_20191021_0000 prior to R4 (20.11.2019 Hotfix) allows Reflected Cross Site Scripting (XSS) via an error message. |
| CVE-2019-20525 | 1 Igniterealtime | 1 Openfire | 2020-03-20 | 4.3 MEDIUM | 6.1 MEDIUM | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter. |
| CVE-2019-20526 | 1 Igniterealtime | 1 Openfire | 2020-03-20 | 4.3 MEDIUM | 6.1 MEDIUM | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter. |
| CVE-2019-20528 | 1 Igniterealtime | 1 Openfire | 2020-03-20 | 4.3 MEDIUM | 6.1 MEDIUM | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter. |
| CVE-2019-19198 | 1 Scoutnet | 1 Kalender | 2020-03-19 | 3.5 LOW | 5.4 MEDIUM | The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS. |
| CVE-2019-14884 | 1 Moodle | 1 Moodle | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS is possible from some fatal error messages. |
| CVE-2020-7258 | 1 Mcafee | 1 Network Security Manager | 2020-03-19 | 3.5 LOW | 4.8 MEDIUM | Cross site scripting vulnerability in McAfee Network Security Management (NSM) prior to 9.1 update 6 (Mar 2020 Update) allows attackers to have an unspecified impact via unspecified vectors. |
| CVE-2020-7256 | 1 Mcafee | 1 Network Security Manager | 2020-03-19 | 3.5 LOW | 4.8 MEDIUM | Cross site scripting vulnerability in McAfee Network Security Management (NSM) prior to 9.1 update 6 (Mar 2020 Update) allows attackers to have an unspecified impact via unspecified vectors. |
| CVE-2019-20527 | 1 Igniterealtime | 1 Openfire | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter. |
| CVE-2020-6646 | 1 Fortinet | 1 Fortiweb | 2020-03-19 | 3.5 LOW | 5.4 MEDIUM | An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message. |
| CVE-2019-19461 | 1 Teampasswordmanager | 1 Team Password Manager | 2020-03-19 | 3.5 LOW | 5.4 MEDIUM | Post-authentication Stored XSS in Team Password Manager through 7.93.204 allows attackers to steal other users' credentials by creating a shared password with HTML code as the title. |
| CVE-2019-20521 | 1 Frappe | 1 Erpnext | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI. |
| CVE-2019-20516 | 1 Frappe | 1 Erpnext | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI. |
| CVE-2019-20519 | 1 Frappe | 1 Erpnext | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address. |
| CVE-2019-20515 | 1 Frappe | 1 Erpnext | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI. |
| CVE-2019-20520 | 1 Frappe | 1 Erpnext | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI. |
| CVE-2019-20517 | 1 Frappe | 1 Erpnext | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI. |
| CVE-2019-20518 | 1 Frappe | 1 Erpnext | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI. |
| CVE-2019-20514 | 1 Frappe | 1 Erpnext | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI. |
| CVE-2019-12366 | 1 9folders | 1 Nine | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | The Nine application through 4.5.3a for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12369 | 1 Typeapp | 1 Typeapp | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | The TypeApp application through 1.9.5.35 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12367 | 1 Blixhq | 1 Bluemail | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | The BlueMail application through 1.9.5.36 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12368 | 1 Edison | 1 Edison Mail | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | The Edison Mail application through 1.7.1 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12365 | 1 Cloudmagic | 1 Newton | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | The Newton application through 10.0.23 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12370 | 1 Readdle | 1 Spark | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-20497 | 1 Cpanel | 1 Cpanel | 2020-03-19 | 3.5 LOW | 5.4 MEDIUM | cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533). |
| CVE-2019-20512 | 1 Open.edx | 1 Ironwood | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | Open edX Ironwood.1 allows support/certificates?course_id= reflected XSS. |
| CVE-2019-19615 | 1 Sangoma | 1 Freepbx | 2020-03-19 | 3.5 LOW | 4.8 MEDIUM | Multiple XSS vulnerabilities exist in the Backup & Restore module v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site. An attacker can modify the id parameter of the backup configuration screen and embed malicious XSS code via a link. When another user (such as an admin) clicks the link, the XSS payload will render and execute in the context of the victim user's account. |
| CVE-2019-19852 | 1 Sangoma | 1 Freepbx | 2020-03-19 | 3.5 LOW | 4.8 MEDIUM | An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4. |
| CVE-2019-20523 | 1 Ilch | 1 Ilch Cms | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name parameter. |
| CVE-2019-20524 | 1 Ilch | 1 Ilch Cms | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ilchCMS 2.1.23 allows XSS via the index.php/partner/index Banner parameter. |
| CVE-2019-20522 | 1 Ilch | 1 Ilch Cms | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link parameter. |
| CVE-2019-13198 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | The web application of several Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) was affected by Stored XSS. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions. |
| CVE-2020-10113 | 1 Cpanel | 1 Cpanel | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515). |
| CVE-2020-10114 | 1 Cpanel | 1 Cpanel | 2020-03-19 | 4.3 MEDIUM | 6.1 MEDIUM | cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535). |
| CVE-2019-20493 | 1 Cpanel | 1 Cpanel | 2020-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520). |
| CVE-2019-13200 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2020-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | The web application of several Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) was affected by Reflected XSS. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions. |
| CVE-2020-10242 | 1 Joomla | 1 Joomla! | 2020-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks. |
| CVE-2019-14512 | 1 Limesurvey | 1 Limesurvey | 2020-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php. |
| CVE-2019-19210 | 1 Dolibarr | 1 Dolibarr | 2020-03-18 | 3.5 LOW | 5.4 MEDIUM | Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files. |
| CVE-2019-19211 | 1 Dolibarr | 1 Dolibarr | 2020-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS. |
| CVE-2018-10125 | 1 Contao | 1 Contao | 2020-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | Contao before 4.5.7 has XSS in the system log. |
| CVE-2020-6586 | 1 Nagios | 1 Nagios | 2020-03-18 | 3.5 LOW | 5.4 MEDIUM | Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a crafted name field that is mishandled on the /admin/users page. Any malicious user with limited access can store an XSS payload in their Name field. When any admin views this, the XSS is triggered. |
| CVE-2019-13167 | 1 Xerox | 2 Phaser 3320, Phaser 3320 Firmware | 2020-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple Stored XSS vulnerabilities were found in the Xerox Web Application, used by the Phaser 3320 V53.006.16.000 and other printers. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions. |
| CVE-2020-10196 | 1 Sygnoos | 1 Popup-builder | 2020-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of the popup's fields by sending a request to wp-admin/admin-ajax.php with the POST action parameter of sgpb_autosave and including additional data in an allPopupData parameter, including the popup's ID (which is visible in the source of the page in which the popup is inserted) and arbitrary JavaScript which will then be executed in the browsers of visitors to that page. Because the plugin functionality automatically adds script tags to data entered into these fields, this injection will typically bypass most WAF applications. |
| CVE-2019-3769 | 1 Dell | 1 Wyse Management Suite | 2020-03-18 | 3.5 LOW | 6.4 MEDIUM | Dell Wyse Management Suite versions prior to 1.4.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to store a malicious payload in the device heartbeat request. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. |
