Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-19990 | 1 Seling | 1 Visual Access Manager | 2020-02-27 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Stored Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /monitor/s_headmodel.php and /vam/vam_user.php. |
| CVE-2019-19991 | 1 Seling | 1 Visual Access Manager | 2020-02-27 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Reflected Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /vam/vam_anagraphic.php, /vam/vam_vamuser.php, /common/vamp_main.php, and /wiz/change_password.php. |
| CVE-2019-4596 | 1 Ibm | 1 Sterling B2b Integrator | 2020-02-27 | 3.5 LOW | 5.4 MEDIUM | IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 167879. |
| CVE-2020-6845 | 1 Topmanage | 1 Olk Webstore | 2020-02-26 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in TopManage OLK 2020. As there is no ReadOnly on the Session cookie, the user and admin accounts can be taken over in a DOM-Based XSS attack. |
| CVE-2020-9405 | 1 Iblsoft | 1 Online Weather | 2020-02-26 | 4.3 MEDIUM | 6.1 MEDIUM | IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page. |
| CVE-2019-17333 | 1 Tibco | 1 Ebx | 2020-02-26 | 3.5 LOW | 5.4 MEDIUM | The Web server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.1.fixS and below, versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, and 5.9.7. |
| CVE-2017-7389 | 1 Openeclass | 1 Openeclass | 2020-02-26 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in 'openeclass Release_3.5.4'. The vulnerabilities exist due to insufficient filtering of user-supplied data (meeting_id, user) passed to the 'openeclass-master/modules/tc/webconf/webconf.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
| CVE-2019-17229 | 1 Stylemixthemes | 1 Motors - Car Dealer, Classifieds & Listing | 2020-02-26 | 4.3 MEDIUM | 6.1 MEDIUM | includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress has multiple stored XSS issues. |
| CVE-2020-9393 | 1 Supsystic | 1 Pricing Table By Supsystic | 2020-02-26 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS. |
| CVE-2011-4938 | 1 Muze | 1 Ariadne | 2020-02-25 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Ariadne 2.7.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO parameter to (1) index.php and (2) loader.php. |
| CVE-2020-9335 | 1 10web | 1 Photo Gallery | 2020-02-25 | 3.5 LOW | 4.8 MEDIUM | Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 for WordPress. Successful exploitation of this vulnerability would allow an authenticated admin user to inject arbitrary JavaScript code that is viewed by other users. |
| CVE-2020-9334 | 1 Enviragallery | 1 Photo Gallery | 2020-02-25 | 3.5 LOW | 5.4 MEDIUM | A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users. |
| CVE-2013-1938 | 1 Zimbra | 1 Zimbra | 2020-02-25 | 4.3 MEDIUM | 6.1 MEDIUM | Zimbra 2013 has XSS in aspell.php. |
| CVE-2019-3670 | 1 Mcafee | 1 Web Advisor | 2020-02-25 | 4.3 MEDIUM | 6.1 MEDIUM | Remote Code Execution vulnerability in the web interface in McAfee Web Advisor (WA) 8.0.34745 and earlier allows a remote unauthenticated attacker to execute arbitrary code via a cross site scripting attack. |
| CVE-2012-1500 | 1 Atlassian | 2 Greenhopper, Jira | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code. |
| CVE-2012-3351 | 1 Longtailvideo | 1 Jw Player | 2020-02-24 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in LongTail Video JW Player through 5.10.2295 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) logo.link, or (3) aboutlink parameter, or a nested URI scheme name for (4) javascript, (5) asfunction, or (6) vbscript. |
| CVE-2015-5215 | 1 Ipsilon-project | 1 Ipsilon | 2020-02-24 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** The default configuration of the Jinja templating engine used in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not enable auto-escaping, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via template variables. NOTE: This may be a duplicate of CVE-2015-5216. Moreover, the Jinja development team does not enable auto-escape by default for performance reasons, as explained in https://jinja.palletsprojects.com/en/master/faq/#why-is-autoescaping-not-the-default. |
| CVE-2020-9336 | 1 Fauzantrif Election Project | 1 Fauzantrif Election | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Settings -> Election -> "message if election is closed" field. |
| CVE-2020-9350 | 1 Sas | 1 Visual Analytics | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | Graph Builder in SAS Visual Analytics 8.5 allows XSS via a graph template that is accessed directly. |
| CVE-2020-9003 | 1 Machothemes | 1 Modula Image Gallery | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users. |
| CVE-2012-1903 | 1 Telligent | 1 Community | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | XSS in Telligent Community 5.6.583.20496 via a flash file and related to the allowScriptAccess parameter. |
| CVE-2020-9338 | 1 Soplanning | 1 Soplanning | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field. |
| CVE-2020-9339 | 1 Soplanning | 1 Soplanning | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | SOPlanning 1.45 allows XSS via the Name or Comment to status.php. |
| CVE-2011-2499 | 1 Mambo-foundation | 1 Mambo Cms | 2020-02-24 | 4.3 MEDIUM | 6.1 MEDIUM | Mambo CMS through 4.6.5 has multiple XSS. |
| CVE-2020-5186 | 1 Dnnsoftware | 1 Dotnetnuke | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2). |
| CVE-2014-9916 | 1 Bilboplanet | 1 Bilboplanet | 2020-02-24 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Bilboplanet 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) tribe_name or (2) tags parameter in a tribes page request to user/ or the (3) user_id or (4) fullname parameter to signup.php. |
| CVE-2014-9760 | 1 Gosa Project | 1 Gosa | 2020-02-24 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the displayLogin function in html/index.php in GOsa allows remote attackers to inject arbitrary web script or HTML via the username. |
| CVE-2019-4429 | 1 Ibm | 10 Control Desk, Maximo Anywhere, Maximo For Aviation and 7 more | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162886. |
| CVE-2019-19757 | 1 Lenovo | 1 Xclarity Administrator | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not on LXCA itself. |
| CVE-2013-5212 | 1 Easyxdm | 1 Easyxdm | 2020-02-24 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site Scripting (XSS) in EasyXDM before 2.4.18 allows remote attackers to inject arbitrary web script or HTML via the easyxdm.swf file. |
| CVE-2020-3113 | 1 Cisco | 1 Data Center Network Manager | 2020-02-24 | 3.5 LOW | 5.4 MEDIUM | A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. |
| CVE-2020-3156 | 1 Cisco | 1 Identity Services Engine | 2020-02-24 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated remote attacker to conduct cross-site scripting attacks. The vulnerability is due to the improper validation of endpoint data stored in logs used by the web-based interface. An attacker could exploit this vulnerability by sending malicious endpoint data to the targeted system. An exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information. |
| CVE-2019-7004 | 1 Avaya | 1 Ip Office Application Server | 2020-02-24 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross-Site Scripting (XSS) vulnerability in the WebUI component of IP Office Application Server could allow unauthorized code execution and potentially disclose sensitive information. All product versions 11.x are affected. Product versions prior to 11.0, including unsupported versions, were not evaluated. |
| CVE-2020-3159 | 1 Cisco | 1 Finesse | 2020-02-21 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. |
| CVE-2015-0749 | 1 Cisco | 1 Unified Communications Manager | 2020-02-21 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerability is due to improper input validation of certain parameters passed to the affected software. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information. |
| CVE-2020-6973 | 1 Digi | 3 Connectport Lts 32 Mei, Connectport Lts 32 Mei Bios, Connectport Lts 32 Mei Firmware | 2020-02-21 | 6.3 MEDIUM | 6.2 MEDIUM | Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (82002228_K 08/09/2018), BIOS Version 1.2. Multiple cross-site scripting vulnerabilities exist that could allow an attacker to cause a denial-of-service condition. |
| CVE-2020-5533 | 1 Nec | 2 Aterm Wg2600hs, Aterm Wg2600hs Firmware | 2020-02-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2015-5216 | 1 Ipsilon-project | 1 Ipsilon | 2020-02-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not properly escape certain characters in a Python exception-message template, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via an HTTP response. |
| CVE-2013-4395 | 1 Simplemachines | 1 Simple Machines Forum | 2020-02-21 | 4.3 MEDIUM | 6.1 MEDIUM | Simple Machines Forum (SMF) through 2.0.5 has XSS. |
| CVE-2017-5247 | 1 Biscom | 1 Secure File Transfer | 2020-02-20 | 3.5 LOW | 5.4 MEDIUM | Biscom Secure File Transfer is vulnerable to cross-site scripting in the File Name field. An authenticated user with permissions to upload or send files can populate this field with a filename that contains standard HTML scripting tags. The resulting script will be evaluated by any other authenticated user who views the attacker-supplied file name. All versions of SFT prior to 5.1.1028 are affected. The fix version is 5.1.1028. |
| CVE-2017-5241 | 1 Biscom | 1 Secure File Transfer | 2020-02-20 | 3.5 LOW | 5.4 MEDIUM | Biscom Secure File Transfer versions 5.0.0.0 through 5.1.1024 are vulnerable to post-authentication persistent cross-site scripting (XSS) in the "Name" and "Description" fields of a Workspace, as well as the "Description" field of a File Details pane of a file stored in a Workspace. This issue has been resolved in version 5.1.1025. |
| CVE-2020-5497 | 1 Mitreid | 1 Connect | 2020-02-20 | 4.3 MEDIUM | 6.1 MEDIUM | The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript. |
| CVE-2019-18791 | 1 Lexmark | 160 6500e, 6500e Firmware, C734 and 157 more | 2020-02-20 | 3.5 LOW | 5.4 MEDIUM | Lexmark printer MS812 and multiple older generation Lexmark devices have a stored XSS vulnerability in the embedded web server. The vulnerability can be exploited to expose session credentials and other information via the user's web browser. |
| CVE-2020-7050 | 1 Codologic | 1 Codoforum | 2020-02-20 | 3.5 LOW | 5.4 MEDIUM | Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies and take over accounts. |
| CVE-2019-19325 | 1 Silverstripe | 1 Silverstripe | 2020-02-20 | 4.3 MEDIUM | 6.1 MEDIUM | SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. |
| CVE-2020-6850 | 1 Miniorange | 1 Saml Sp Single Sign On | 2020-02-20 | 4.3 MEDIUM | 6.1 MEDIUM | Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4.8.84 for WordPress allows XSS via a crafted SAML XML Response to wp-login.php. This is related to the SAMLResponse and RelayState variables, and the Destination parameter of the samlp:Response XML element. |
| CVE-2018-16362 | 1 Mantisbt | 1 Source Integration | 2020-02-20 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in the Source Integration plugin before 1.5.9 and 2.x before 2.1.5 for MantisBT. A cross-site scripting (XSS) vulnerability in the Manage Repository and Changesets List pages allows execution of arbitrary code (if CSP settings permit it) via repo_manage_page.php or list.php. |
| CVE-2014-9615 | 1 Netsweeper | 1 Netsweeper | 2020-02-20 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter to webadmin/deny/index.php. |
| CVE-2014-9607 | 1 Netsweeper | 1 Netsweeper | 2020-02-20 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter. |
| CVE-2014-9606 | 1 Netsweeper | 1 Netsweeper | 2020-02-20 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/. |
