Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-29244 | 1 Tag Project | 1 Tag | 2020-12-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| dhowden tag before 2020-11-19 allows "panic: runtime error: slice bounds out of range" via readTextWithDescrFrame. | |||||
| CVE-2020-29245 | 1 Tag Project | 1 Tag | 2020-12-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| dhowden tag before 2020-11-19 allows "panic: runtime error: slice bounds out of range" via readAtomData. | |||||
| CVE-2020-35347 | 1 Cxuu | 1 Cxuucms | 2020-12-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| CXUUCMS V3 3.1 has a CSRF vulnerability that can add an administrator account via admin.php?c=adminuser&a=add. | |||||
| CVE-2020-35346 | 1 Cxuu | 1 Cxuucms | 2020-12-28 | 3.5 LOW | 4.8 MEDIUM |
| CXUUCMS V3 3.1 is affected by a reflected XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the imgurl parameter of admin.php?c=content&a=add. | |||||
| CVE-2020-9201 | 1 Huawei | 6 Nip6800, Nip6800 Firmware, Secospace Usg6600 and 3 more | 2020-12-28 | 3.3 LOW | 6.5 MEDIUM |
| There is an out-of-bounds read vulnerability in some versions of NIP6800, Secospace USG6600 and USG9500. The software reads data past the end of the intended buffer when parsing DHCP messages including crafted parameter. Successful exploit could cause certain service abnormal. | |||||
| CVE-2020-9202 | 1 Huawei | 1 Te Mobile | 2020-12-28 | 2.1 LOW | 4.4 MEDIUM |
| There is an information disclosure vulnerability in TE Mobile software versions V600R006C10,V600R006C10SPC100. Due to the improper storage of some information in certain specific scenario, the attacker can gain information in the victim's device to launch the attack, successful exploit could cause information disclosure. | |||||
| CVE-2020-35704 | 1 Daybydaycrm | 1 Daybyday | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Lead screen. | |||||
| CVE-2020-27515 | 1 Techkshetrainfo | 1 Savsoft Quiz | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in Savsoft Quiz v5.0 allows remote attackers to inject arbitrary web script or HTML via the Skype ID field. | |||||
| CVE-2020-29172 | 1 Litespeedtech | 1 Litespeed Cache | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin before 3.6.1 for WordPress can be exploited via the Server IP setting. | |||||
| CVE-2020-35707 | 1 Daybydaycrm | 1 Daybyday | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Company Name parameter to the New Client screen. | |||||
| CVE-2020-35706 | 1 Daybydaycrm | 1 Daybyday | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Project screen. | |||||
| CVE-2020-27724 | 1 F5 | 1 Big-ip Access Policy Manager | 2020-12-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| In BIG-IP APM versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, on systems running more than one TMM instance, authenticated VPN users may consume excessive resources by sending specially-crafted malicious traffic over the tunnel. | |||||
| CVE-2020-9137 | 1 Huawei | 8 Cloudengine 12800, Cloudengine 12800 Firmware, Cloudengine 5800 and 5 more | 2020-12-28 | 4.6 MEDIUM | 6.7 MEDIUM |
| There is a privilege escalation vulnerability in some versions of CloudEngine 12800,CloudEngine 5800,CloudEngine 6800 and CloudEngine 7800. Due to insufficient input validation, a local attacker with high privilege may execute some specially crafted scripts in the affected products. Successful exploit will cause privilege escalation. | |||||
| CVE-2020-5684 | 1 Nec | 5 Ism Server, M120, M12e and 2 more | 2020-12-28 | 5.8 MEDIUM | 4.8 MEDIUM |
| iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate. | |||||
| CVE-2020-35705 | 1 Daybydaycrm | 1 Daybyday | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Name parameter to the New User screen. | |||||
| CVE-2020-35676 | 1 Bigprof | 1 Online Invoicing System | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once the arbitrary Javascript is executed in the context of the admin, this will cause the attacker to gain administrative privileges, effectively leading into an application takeover. This affects app/membership_signup.php and app/admin/pageViewMembers.php. | |||||
| CVE-2020-35659 | 1 Pi-hole | 1 Pi-hole | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page. | |||||
| CVE-2020-27727 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2020-12-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| On BIG-IP version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, when an authenticated administrative user installs RPMs using the iAppsLX REST installer, the BIG-IP system does not sufficiently validate user input, allowing the user read access to the filesystem. | |||||
| CVE-2020-27719 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| On BIG-IP 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, a cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. | |||||
| CVE-2020-27722 | 1 F5 | 1 Big-ip Access Policy Manager | 2020-12-28 | 3.5 LOW | 6.5 MEDIUM |
| In BIG-IP APM versions 15.0.0-15.0.1.3, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, under certain conditions, the VDI plugin does not observe plugin flow-control protocol causing excessive resource consumption. | |||||
| CVE-2020-28190 | 1 Terra-master | 1 Tos | 2020-12-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Man-in-the-middle attackers are able to intercept these requests and serve a weaponized/infected version of applications or updates. | |||||
| CVE-2020-27726 | 1 F5 | 1 Big-ip Access Policy Manager | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.2, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system. | |||||
| CVE-2020-27729 | 1 F5 | 1 Big-ip Access Policy Manager | 2020-12-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, an undisclosed link on the BIG-IP APM virtual server allows a malicious user to build an open redirect URI. | |||||
| CVE-2020-28185 | 1 Terra-master | 1 Tos | 2020-12-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. | |||||
| CVE-2020-28184 | 1 Terra-master | 1 Tos | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php. | |||||
| CVE-2020-2503 | 1 Qnap | 1 Qes | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later. | |||||
| CVE-2020-35478 | 1 Mediawiki | 1 Mediawiki | 2020-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later. | |||||
| CVE-2020-35479 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2020-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later. | |||||
| CVE-2020-26932 | 2 Debian, Sympa | 2 Debian Linux, Sympa | 2020-12-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group) | |||||
| CVE-2020-35252 | 1 Egavilanmedia | 1 User Registration And Login System With Admin Panel | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability via the 'Full Name' parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0. | |||||
| CVE-2020-28071 | 1 Alumni Management System Project | 1 Alumni Management System | 2020-12-23 | 3.5 LOW | 4.8 MEDIUM |
| SourceCodester Alumni Management System 1.0 is affected by cross-site Scripting (XSS) in /admin/gallery.php. After the admin authentication an attacker can upload an image in the gallery using a XSS payload in the description textarea called 'about' and reach a stored XSS. | |||||
| CVE-2020-6159 | 1 Opera | 1 Opera | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532. | |||||
| CVE-2020-9439 | 1 Uncannyowl | 1 Tin Canny Reporting For Learndash | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the search_key GET Parameter in TinCan_Content_List_Table.php, message GET Parameter in licensing.php, tc_filter_group parameter in reporting-admin-menu.php, tc_filter_user parameter in reporting-admin-menu.php, tc_filter_course parameter in reporting-admin-menu.php, tc_filter_lesson parameter in reporting-admin-menu.php, tc_filter_module parameter in reporting-admin-menu.php, tc_filter_action parameter in reporting-admin-menu.php, tc_filter_data_range parameter in reporting-admin-menu.php, or tc_filter_data_range_last parameter in reporting-admin-menu.php. | |||||
| CVE-2020-13969 | 1 Crk | 1 Business Platform | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRK Business Platform <= 2019.1 allows reflected XSS via erro.aspx on 'CRK', 'IDContratante', 'Erro', or 'Mod' parameter. This is path-independent. | |||||
| CVE-2020-25640 | 1 Redhat | 1 Wildfly | 2020-12-23 | 3.5 LOW | 5.3 MEDIUM |
| A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file. | |||||
| CVE-2020-7318 | 1 Mcafee | 1 Epolicy Orchestrator | 2020-12-23 | 2.3 LOW | 4.3 MEDIUM |
| Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10.9 Update 9 allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. | |||||
| CVE-2020-35650 | 1 Uncannyowl | 1 Uncanny Groups For Learndash | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the ulgm_user_first POST Parameter in user-registration-form.php, the ulgm_user_last POST Parameter in user-registration-form.php, the ulgm_user_email POST Parameter in user-registration-form.php, the ulgm_code_registration POST Parameter in user-registration-form.php, the ulgm_terms_conditions POST Parameter in user-registration-form.php, the _ulgm_total_seats POST Parameter in frontend-uo_groups_buy_courses.php, the uncanny_group_signup_user_first POST Parameter in group-registration-form.php, the uncanny_group_signup_user_last POST Parameter in group-registration-form.php, the uncanny_group_signup_user_login POST Parameter in group-registration-form.php, the uncanny_group_signup_user_email POST Parameter in group-registration-form.php, the success-invited GET Parameter in frontend-uo_groups.php, the bulk-errors GET Parameter in frontend-uo_groups.php, or the message GET Parameter in frontend-uo_groups.php. | |||||
| CVE-2020-26277 | 1 Dbdeployer | 1 Dbdeployer | 2020-12-23 | 4.0 MEDIUM | 6.1 MEDIUM |
| DBdeployer is a tool that deploys MySQL database servers easily. In DBdeployer before version 1.58.2, users unpacking a tarball may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defenses. For the attack to succeed, the following factors need to contribute: 1) The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user. 2) The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack. This has been fixed in version 1.58.2. | |||||
| CVE-2020-14225 | 2 Hcltech, Hcltechsw | 2 Hcl Inotes, Hcl Inotes | 2020-12-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| HCL iNotes is susceptible to a Tabnabbing vulnerability caused by improper sanitization of message content. A remote unauthenticated attacker could use this vulnerability to trick the end user into entering sensitive information such as credentials, e.g. as part of a phishing attack. | |||||
| CVE-2020-13821 | 1 Hivemq | 1 Broker Control Center | 2020-12-23 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in HiveMQ Broker Control Center 4.3.2. A crafted clientid parameter in an MQTT packet (sent to the Broker) is reflected in the client section of the management console. The attacker's JavaScript is loaded in a browser, which can lead to theft of the session and cookie of the administrator's account of the Broker. | |||||
| CVE-2020-14248 | 1 Hcltech | 1 Bigfix Platform | 2020-12-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | |||||
| CVE-2018-15645 | 1 Odoo | 1 Odoo | 2020-12-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation. | |||||
| CVE-2020-27659 | 1 Synology | 1 Safeaccess | 2020-12-22 | 3.5 LOW | 4.8 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter. | |||||
| CVE-2020-35132 | 2 Fedoraproject, Phpldapadmin Project | 2 Fedora, Phpldapadmin | 2020-12-22 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php. | |||||
| CVE-2018-15634 | 1 Odoo | 1 Odoo | 2020-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link. | |||||
| CVE-2020-29447 | 1 Atlassian | 1 Crucible | 2020-12-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5. | |||||
| CVE-2020-35589 | 1 Limitloginattempts | 1 Limit Login Attempts Reloaded | 2020-12-22 | 3.5 LOW | 5.4 MEDIUM |
| The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. | |||||
| CVE-2018-15633 | 1 Odoo | 1 Odoo | 2020-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames. | |||||
| CVE-2018-15638 | 1 Odoo | 1 Odoo | 2020-12-22 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names. | |||||
| CVE-2018-15641 | 1 Odoo | 1 Odoo | 2020-12-22 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes. | |||||