Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15278 | 1 Cisco | 2 Finesse, Unified Contact Center Express | 2020-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information. | |||||
| CVE-2019-3686 | 1 Suse | 1 Openqa | 2020-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vulnerable to XSS in the distri and version parameters. This was reported through the bug bounty program of Offensive Security. | |||||
| CVE-2019-20003 | 1 Dicube | 1 Easescreen Crystal | 2020-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Feldtech easescreen Crystal 9.0 Web-Services 9.0.1.16265 allows Stored XSS via the Debug-Log and Display-Log components. This could be exploited when an attacker sends a crafted string for FTP authentication. | |||||
| CVE-2019-11997 | 1 Hp | 1 Enhanced Internet Usage Manager | 2020-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A potential security vulnerability has been identified in HPE enhanced Internet Usage Manager (eIUM) versions 8.3 and 9.0. The vulnerability could be used for unauthorized access to information via cross site scripting. HPE has made the following software updates to resolve the vulnerability in eIUM. The eIUM 8.3 FP01 customers are advised to install the eIUM83FP01Patch_QXCR1001711284.20190806-1244 patch. The eIUM 9.0 customers are advised to upgrade to eIUM 9.0 FP02 PI5 or later versions. For other versions, please contact the product support. | |||||
| CVE-2012-6344 | 1 Novell | 1 Zenworks Configuration Management | 2020-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Novell ZENworks Configuration Management before 11.2.4 allows XSS. | |||||
| CVE-2015-6748 | 1 Jsoup | 1 Jsoup | 2020-01-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3. | |||||
| CVE-2020-7937 | 1 Plone | 1 Plone | 2020-01-24 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | |||||
| CVE-2020-7104 | 1 Kibokolabs | 1 Chained Quiz | 2020-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The chained-quiz plugin 1.1.8.1 for WordPress has reflected XSS via the wp-admin/admin-ajax.php total_questions parameter. | |||||
| CVE-2020-7239 | 1 Ibm | 1 Chatbot With Ibm Watson | 2020-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The conversation-watson plugin before 0.8.21 for WordPress has a DOM-based XSS vulnerability that is executed when a chat message containing JavaScript is sent. | |||||
| CVE-2020-7228 | 1 Codepeople | 1 Calculated Fields Form | 2020-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The Calculated Fields Form plugin through 1.0.353 for WordPress suffers from multiple Stored XSS vulnerabilities present in the input forms. These can be exploited by an authenticated user. | |||||
| CVE-2019-16512 | 1 Connectwise | 1 Control | 2020-01-24 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier. | |||||
| CVE-2020-7470 | 1 Sonoff | 4 Th10, Th10 Firmware, Th16 and 1 more | 2020-01-24 | 3.5 LOW | 4.8 MEDIUM |
| Sonoff TH 10 and 16 devices with firmware 6.6.0.21 allow XSS via the Friendly Name 1 field (after a successful login with the Web Admin Password). | |||||
| CVE-2018-17981 | 1 Lifesize | 4 Express 220, Express 220 Firmware, Room 220i and 1 more | 2020-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Lifesize Express ls ex2_4.7.10 2000 (14) devices allow XSS via the interface/interface.php brand parameter. | |||||
| CVE-2011-3622 | 1 Phorum | 1 Phorum | 2020-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the admin login screen in Phorum before 5.2.18. | |||||
| CVE-2016-1000237 | 1 Apostrophecms | 1 Sanitize-html | 2020-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| sanitize-html before 1.4.3 has XSS. | |||||
| CVE-2014-7238 | 1 Formget | 1 Contact Form Integrated With Google Maps | 2020-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WordPress plugin Contact Form Integrated With Google Maps 1.0-2.4 has Stored XSS. | |||||
| CVE-2020-1607 | 1 Juniper | 44 Ex2300, Ex2300-c, Ex3400 and 41 more | 2020-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient Cross-Site Scripting (XSS) protection in J-Web may potentially allow a remote attacker to inject web script or HTML, hijack the target user's J-Web session and perform administrative actions on the Junos device as the targeted user. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S15; 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90 on SRX Series; 14.1X53 versions prior to 14.1X53-D51 on EX and QFX Series; 15.1F6 versions prior to 15.1F6-S13; 15.1 versions prior to 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190 on SRX Series; 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D592 on EX2300/EX3400 Series; 16.1 versions prior to 16.1R4-S13, 16.1R7-S5; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S2; 17.3 versions prior to 17.3R2-S5, 17.3R3-S5; 17.4 versions prior to 17.4R2-S6, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R2-S5, 18.2R3; 18.3 versions prior to 18.3R1-S6, 18.3R2-S1, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2; 19.1 versions prior to 19.1R1-S2, 19.1R2. | |||||
| CVE-2011-3595 | 1 Joomla | 1 Joomla! | 2020-01-24 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! through 1.7.0 in index.php in the search word, extension, asset, and author parameters. | |||||
| CVE-2020-7915 | 1 Eaton | 2 5p 850, 5p 850 Firmware | 2020-01-24 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator. | |||||
| CVE-2019-20381 | 1 Testlink | 1 Testlink | 2020-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter. NOTE: this issue exists because of an incomplete fix for CVE-2019-19491. | |||||
| CVE-2020-6303 | 1 Sap | 1 Disclosure Management | 2020-01-24 | 3.5 LOW | 5.4 MEDIUM |
| SAP Disclosure Management, before version 10.1, does not validate user input properly in specific use cases leading to Cross-Site Scripting. | |||||
| CVE-2020-7234 | 1 Ruckuswireless | 2 R310, R310 Firmware | 2020-01-23 | 3.5 LOW | 4.8 MEDIUM |
| Ruckus ZoneFlex R310 104.0.0.0.1347 devices allow Stored XSS via the SSID field on the Configuration > Radio 2.4G > Wireless X screen (after a successful login to the super account). | |||||
| CVE-2020-7236 | 1 Uhp | 2 Uhp-100, Uhp-100 Firmware | 2020-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via cw2?td= (Site Name field of the Site Setup section). | |||||
| CVE-2020-7235 | 1 Uhp | 2 Uhp-100, Uhp-100 Firmware | 2020-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via cB3?ta= (profile title). | |||||
| CVE-2019-18273 | 1 Osisoft | 1 Pi Vision | 2020-01-23 | 3.5 LOW | 4.8 MEDIUM |
| OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced. | |||||
| CVE-2011-2714 | 1 Drupal | 2 Data, Drupal | 2020-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. | |||||
| CVE-2011-4095 | 1 Jara Project | 1 Jara | 2020-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jara 1.6 has an XSS vulnerability. | |||||
| CVE-2016-4877 | 1 Basercms | 2 Basercms, Mail | 2020-01-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-18035 | 1 Open-emr | 1 Openemr | 2020-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. | |||||
| CVE-2020-0656 | 1 Microsoft | 1 Dynamics 365 | 2020-01-23 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. | |||||
| CVE-2019-18893 | 3 Avast, Avg, Video Downloader Project | 3 Secure Browser, Secure Browser, Video Downloader | 2020-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in the Video Downloader component before 1.5 of Avast Secure Browser 77.1.1831.91 and AVG Secure Browser 77.0.1790.77 allows websites to execute their code in the context of this component. While Video Downloader is technically a browser extension, it is granted a very wide set of privileges and can for example access cookies and browsing history, spy on the user while they are surfing the web, and alter their surfing experience in almost arbitrary ways. | |||||
| CVE-2019-17125 | 1 Solarwinds | 1 Orion Platform | 2020-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. | |||||
| CVE-2019-17127 | 1 Solarwinds | 1 Orion Platform | 2020-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Stored Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many application forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. This can lead to privilege escalation. | |||||
| CVE-2019-18588 | 1 Dell | 2 Emc Powermax, Emc Unisphere For Powermax | 2020-01-22 | 3.5 LOW | 5.4 MEDIUM |
| Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject javascript code and affect other authenticated users' sessions. | |||||
| CVE-2012-1260 | 1 Plixer | 1 Scrutinizer Netflow & Sflow Analyzer | 2020-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allows remote attackers to inject arbitrary web script or HTML via the newUser parameter. NOTE: this might not be a vulnerability, since an administrator might already have the privileges to create arbitrary script. | |||||
| CVE-2013-6430 | 1 Pivotal Software | 1 Spring Framework | 2020-01-22 | 3.5 LOW | 5.4 MEDIUM |
| The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket. | |||||
| CVE-2018-1351 | 1 Fortinet | 1 Fortimanager | 2020-01-22 | 3.5 LOW | 4.8 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.6 and below versions allows an attacker to execute HTML/javascript code via managed remote devices' CLI commands by viewing the remote device CLI config installation log. | |||||
| CVE-2020-5195 | 1 Cerberusftp | 1 Ftp Server | 2020-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folder_up.png IMG element not properly sanitizing user-inserted directory paths. The path modification must be done on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability impacts anyone who clicks the malicious link crafted by the attacker. | |||||
| CVE-2020-2096 | 1 Jenkins | 1 Gitlab Hook | 2020-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability. | |||||
| CVE-2019-6332 | 1 Hp | 104 Deskjet 2600 4uj28b, Deskjet 2600 4uj28b Firmware, Deskjet 2600 V1n01a and 101 more | 2020-01-21 | 3.5 LOW | 4.8 MEDIUM |
| A potential security vulnerability has been identified with certain HP InkJet printers. The vulnerability could be exploited to allow cross-site scripting (XSS). Affected products and versions include: HP DeskJet 2600 All-in-One Printer series model numbers 4UJ28B, V1N01A - V1N08A, Y5H60A - Y5H80A; HP DeskJet Ink Advantage 2600 All-in-One Printer series model numbers V1N02A - V1N02B, Y5Z00A - Y5Z04B; HP DeskJet Ink Advantage 5000 All-in-One Printer series model numbers M2U86A - M2U89B; HP DeskJet Ink Advantage 5200 All-in-One Printer series model numbers M2U76A - M2U78B; HP ENVY 5000 All-in-One Printer series model numbers M2U85A - M2U85B, M2U91A - M2U94B, Z4A54A - Z4A74A; HP ENVY Photo 6200 All-in-One Printer series model numbers K7G18A-K7G26B, K7S21B, Y0K13D - Y0K15A; HP ENVY Photo 7100 All-in-One Printer series model numbers 3XD89A, K7G93A-K7G99A, Z3M37A - Z3M52A; HP ENVY Photo 7800 All-in-One Printer series model numbers K7R96A, K7S00A - K7S10D, Y0G42D - Y0G52B; HP Ink Tank Wireless 410 series model numbers Z4B53A - Z4B55A, Z6Z95A - Z6Z99A, 4DX94A - 4DX95A, 4YF79A, Z7A01A; HP OfficeJet 5200 All-in-One Printer series model numbers M2U75A, M2U81A-M2U84B, Z4B12A - Z4B14A, Z4B27A - Z4B29A; HP Smart Tank Wireless 450 series model numbers Z4B56A, Z6Z96A - Z6Z98A. | |||||
| CVE-2019-14918 | 1 Billion | 2 Sg600 R2, Sg600 R2 Firmware | 2020-01-21 | 3.5 LOW | 5.4 MEDIUM |
| XSS in the DHCP lease-status table in Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an attacker to inject arbitrary HTML/JavaScript code to achieve client-side code execution via crafted DHCP request packets to etc_ro/web/internet/dhcpcliinfo.asp. | |||||
| CVE-2019-12398 | 1 Apache | 1 Airflow | 2020-01-21 | 3.5 LOW | 4.8 MEDIUM |
| In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected. | |||||
| CVE-2011-4336 | 1 Tiki | 1 Tikiwiki Cms/groupware | 2020-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php. | |||||
| CVE-2020-6305 | 1 Sap | 1 Process Integration | 2020-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| PI Rest Adapter of SAP Process Integration (update provided in SAP_XIAF 7.31, 7.40, 7.50) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-16466 | 1 Adobe | 1 Experience Manager | 2020-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-6955 | 1 Cayintech | 2 Smp-pro4, Smp-pro4 Firmware | 2020-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Cayin SMP-PRO4 devices. They allow image_preview.html?filename= reflected XSS. | |||||
| CVE-2020-7107 | 1 Etoilewebdesign | 1 Ultimate Faq | 2020-01-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/DisplayFAQs.php. | |||||
| CVE-2019-19856 | 1 Serpico Project | 1 Serpico | 2020-01-17 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. The User Type on the admin/list_user page allows stored XSS via the type parameter. | |||||
| CVE-2019-19858 | 1 Serpico Project | 1 Serpico | 2020-01-17 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/add_user/UID allows stored XSS via the author parameter. | |||||
| CVE-2019-19855 | 1 Serpico Project | 1 Serpico | 2020-01-17 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/list_user allows stored XSS via the auth_type parameter. | |||||
