Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-2706 | 1 Snewscms | 1 Snews | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71. | |||||
| CVE-2018-0719 | 1 Qnap | 1 Qts | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in NAS devices of QNAP Systems Inc. QTS allows attackers to inject javascript. This issue affects: QNAP Systems Inc. QTS version 4.2.6 and prior versions on build 20180711; version 4.3.3 and prior versions on build 20180725; version 4.3.4 and prior versions on build 20180710. | |||||
| CVE-2018-4842 | 1 Siemens | 6 Scalance X200, Scalance X200 Firmware, Scalance X200 Irt and 3 more | 2020-01-16 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability has been identified in SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3). A remote, authenticated attacker with access to the configuration web server could be able to store script code on the web site, if the HRP redundancy option is set. This code could be executed in the web browser of victims visiting this web site (XSS), affecting its confidentiality, integrity and availability. User interaction is required for successful exploitation, as the user needs to visit the manipulated web site. At the stage of publishing this security advisory no public exploitation is known. The vendor has confirmed the vulnerability and provides mitigations to resolve it. | |||||
| CVE-2018-4848 | 1 Siemens | 6 Scalance X-200, Scalance X-200 Firmware, Scalance X-200 Irt and 3 more | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.3), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3). The integrated configuration web server of the affected Scalance X Switches could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. The vendor has confirmed the vulnerability and provides mitigations to resolve it. | |||||
| CVE-2011-3183 | 1 Portlandlabs | 1 Concrete Cms | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier. | |||||
| CVE-2011-3202 | 1 Jcow | 1 Jcow Cms | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the g parameter to index.php in Jcow CMS 4.2 and earlier. | |||||
| CVE-2020-6847 | 1 Opentrade Project | 1 Opentrade | 2020-01-15 | 3.5 LOW | 5.4 MEDIUM |
| OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is executed when an administrator attempts to delete a message that contains JavaScript. | |||||
| CVE-2019-16752 | 3 Dash, Officialdapscoin, Pivx | 3 Dash Core, Decentralized Anonymous Payment System, Private Instant Verified Transactions | 2020-01-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Decentralized Anonymous Payment System (DAPS) through 2019-08-26. It is possible to force wallets to send HTTP requests to arbitrary locations, both on the local network and on the internet. This is a serious threat to user privacy, since it can possibly leak their IP address and the fact that they are using the product. This also affects Dash Core through 0.14.0.3 and Private Instant Verified Transactions (PIVX) through 3.4.0. | |||||
| CVE-2014-5516 | 1 Konakart | 1 Konakart | 2020-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in the Storefront Application in DS Data Systems KonaKart before 7.3.0.0 allows remote attackers to hijack the authentication of administrators for requests that change a user email address via an unspecified GET request. | |||||
| CVE-2019-5718 | 2 Debian, Wireshark | 2 Debian Linux, Wireshark | 2020-01-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the RTSE dissector and other ASN.1 dissectors could crash. This was addressed in epan/charsets.c by adding a get_t61_string length check. | |||||
| CVE-2019-20348 | 1 Okerthai | 2 G232v1, G232v1 Firmware | 2020-01-15 | 7.2 HIGH | 6.8 MEDIUM |
| OKER G232V1 v1.03.02.20161129 devices provide a root terminal on a UART serial interface without proper access control. This allows attackers with physical access to interrupt the boot sequence in order to execute arbitrary commands with root privileges and conduct further attacks. | |||||
| CVE-2016-6585 | 1 Symantec | 1 Norton Mobile Security | 2020-01-15 | 3.5 LOW | 5.3 MEDIUM |
| A Denial of Service vulnerability exists in Symantec Norton Mobile Security for Android prior to 3.16, which could let a remote malicious user conduct a man-in-the-middle attack via specially crafted JavaScript. | |||||
| CVE-2019-19817 | 1 Gonitro | 1 Nitro Free Pdf Reader | 2020-01-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| The JBIG2Decode library in npdf.dll in Nitro Free PDF Reader 12.0.0.112 has a CAPPDAnnotHandlerUtils::PDAnnotHandlerDestroyData2+0x2e8a Out-of-Bounds Read via crafted Unicode content. | |||||
| CVE-2020-6848 | 1 Axper | 2 Vision Ii, Vision Ii Firmware | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Axper Vision II 4 devices allow XSS via the DEVICE_NAME (aka Device Name) parameter to the configWebParams.cgi URI. | |||||
| CVE-2019-19819 | 1 Gonitro | 1 Nitropdf | 2020-01-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| The JBIG2Globals library in npdf.dll in Nitro Free PDF Reader 12.0.0.112 has a CAPPDAnnotHandlerUtils::PDAnnotHandlerDestroyData2+0x90ec NULL Pointer Dereference via crafted Unicode content. | |||||
| CVE-2011-5250 | 1 Prophecyinternational | 1 Snare | 2020-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Snare for Linux before 1.7.0 has CSRF in the web interface. | |||||
| CVE-2020-6758 | 1 Rasilient | 2 Pixelstor 5000, Pixelstor 5000 Firmware | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Option/optionsAll.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows remote attackers to inject arbitrary web script or HTML via the ContentFrame parameter. | |||||
| CVE-2019-1332 | 1 Microsoft | 3 Power Bi Report Server, Sql Server 2017 Reporting Services, Sql Server 2019 Reporting Services | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka 'Microsoft SQL Server Reporting Services XSS Vulnerability'. | |||||
| CVE-2019-10205 | 1 Redhat | 1 Quay | 2020-01-15 | 4.6 MEDIUM | 6.3 MEDIUM |
| A flaw was found in the way Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries in the Red Hat Quay database could use the tokens to read or write container images stored in the registry. | |||||
| CVE-2019-16716 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-01-15 | 8.5 HIGH | 6.6 MEDIUM |
| OX App Suite through 7.10.2 has Incorrect Access Control. | |||||
| CVE-2020-1786 | 1 Huawei | 2 Mate 20 Pro, Mate 20 Pro Firmware | 2020-01-15 | 2.1 LOW | 4.6 MEDIUM |
| HUAWEI Mate 20 Pro smartphones versions earlier than 10.0.0.175(C00E69R3P8) have an improper authentication vulnerability. The software does not sufficiently validate the name of apk file in a special condition which could allow an attacker to forge a crafted application as a normal one. Successful exploit could allow the attacker to bypass digital balance function. | |||||
| CVE-2020-6632 | 1 Prestashop | 1 Prestashop | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js. | |||||
| CVE-2020-6163 | 1 Mediawiki | 1 Mediawiki | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file). | |||||
| CVE-2019-18842 | 1 Usriot | 8 Usr-wifi232-g2, Usr-wifi232-g2 Firmware, Usr-wifi232-h and 5 more | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the configuration web interface of the Jinan USR IOT USR-WIFI232-S/T/G2/H Low Power WiFi Module with web version 1.2.2 allows attackers to leak credentials of the Wi-Fi access point the module is logged into, and the web interface login credentials, by opening a Wi-Fi access point nearby with a malicious SSID. | |||||
| CVE-2019-18466 | 1 Libpod Project | 1 Libpod | 2020-01-15 | 5.8 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host. | |||||
| CVE-2019-20182 | 1 Fooplugins | 1 Foogallery | 2020-01-14 | 3.5 LOW | 4.8 MEDIUM |
| The FooGallery plugin 1.8.12 for WordPress allow XSS via the post_title parameter. | |||||
| CVE-2019-20181 | 1 Getawesomesupport | 1 Awesome Support | 2020-01-14 | 3.5 LOW | 4.8 MEDIUM |
| The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter. | |||||
| CVE-2014-10398 | 1 Bssys | 1 Rbs Bs-client. Retail Client | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client. Private Client (aka RBS BS-Client. Retail Client) 2.5, 2.4, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) DICTIONARY, (2) FILTERIDENT, (3) FROMSCHEME, (4) FromPoint, or (5) FName_0 parameter and a valid sid parameter value. | |||||
| CVE-2014-4196 | 1 Bssys | 1 Rbs Bs-client | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client 3.17.9 allows remote attackers to inject arbitrary web script or HTML via the colorstyle parameter. | |||||
| CVE-2019-5988 | 1 Anglers-net | 1 Cgi An-anlyzer | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored cross-site scripting vulnerability in Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allows remote attackers to inject arbitrary web script or HTML via the Management Page. | |||||
| CVE-2019-16154 | 1 Fortinet | 1 Fortiauthenticator | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An improper neutralization of input during web page generation in FortiAuthenticator WEB UI 6.0.0 may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page. | |||||
| CVE-2020-6630 | 1 Gpac | 1 Gpac | 2020-01-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_isom_get_media_data_size() in isomedia/isom_read.c. | |||||
| CVE-2020-6631 | 1 Gpac | 1 Gpac | 2020-01-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_m2ts_stream_process_pmt() in media_tools/m2ts_mux.c. | |||||
| CVE-2012-4451 | 3 Fedoraproject, Redhat, Zend | 3 Fedora, Enterprise Linux, Zend Framework | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper. | |||||
| CVE-2019-3768 | 1 Emc | 1 Rsa Authentication Manager | 2020-01-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| RSA Authentication Manager versions prior to 8.4 P7 contain an XML Entity Injection Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to cause information disclosure of local system files by supplying specially crafted XML message. | |||||
| CVE-2019-20354 | 1 Pisignage | 1 Pisignage | 2020-01-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| The web application component of piSignage before 2.6.4 allows a remote attacker (authenticated as a low-privilege user) to download arbitrary files from the Raspberry Pi via api/settings/log?file=../ path traversal. In other words, this issue is in the player API for log download. | |||||
| CVE-2014-6275 | 2 Debian, Fusionforge | 2 Debian Linux, Fusionforge | 2020-01-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| FusionForge before 5.3.2 use scripts that run under the shared Apache user, which is also used by project homepages by default. If project webpages are hosted on the same server than FusionForge, it can allow users to incorrectly access on-disk private data in FusionForge. | |||||
| CVE-2014-0169 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2020-01-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is an intended functionality, it was not clearly documented which can mislead users into thinking that a security domain cache is isolated to a single application. | |||||
| CVE-2014-0245 | 1 Redhat | 1 Jboss Portal | 2020-01-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| It was found that the implementation of the GTNSubjectCreatingInterceptor class in gatein-wsrp was not thread safe. For a specific WSRP endpoint, under high-concurrency scenarios or scenarios where SOAP messages take long to execute, it was possible for an unauthenticated remote attacker to gain privileged information if WS-Security is enabled for the WSRP Consumer, and the endpoint in question is being used by a privileged user. This affects JBoss Portal 6.2.0. | |||||
| CVE-2019-19916 | 2 Microsoft, Midori-browser | 2 Windows 10, Midori | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Midori Browser 0.5.11 (on Windows 10), Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. This could result in script running where CSP should have blocked it, allowing for cross-site scripting (XSS) and other attacks when the product renders the content as HTML. Remediating this would also need to consider the polyglot case, e.g., a file that is a valid GIF image and also valid JavaScript. | |||||
| CVE-2014-3590 | 1 Redhat | 1 Satellite | 2020-01-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| Versions of Foreman as shipped with Red Hat Satellite 6 does not check for a correct CSRF token in the logout action. Therefore, an attacker can log out a user by having them view specially crafted content. | |||||
| CVE-2019-17151 | 1 Tencent | 1 Wechat | 2020-01-14 | 5.8 MEDIUM | 5.4 MEDIUM |
| This vulnerability allows remote attackers redirect users to an external resource on affected installations of Tencent WeChat Prior to 7.0.9. User interaction is required to exploit this vulnerability in that the target must be within a chat session together with the attacker. The specific flaw exists within the parsing of a users profile. The issue lies in the failure to properly validate a users name. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9302. | |||||
| CVE-2019-20178 | 1 Peel | 1 Peel Shopping | 2020-01-14 | 5.8 MEDIUM | 6.5 MEDIUM |
| Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php to delete a user. | |||||
| CVE-2012-5558 | 2 Smiley Project, Smileys Project | 2 Smiley, Smileys | 2020-01-14 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Smiley module 6.x-1.x versions prior to 6.x-1.1 and Smileys module 6.x-1.x versions prior to 6.x-1.1 for Drupal allows remote authenticated users with the "administer smiley" permission to inject arbitrary web script or HTML via a smiley acronym. | |||||
| CVE-2012-1261 | 1 Plixer | 1 Scrutinizer Netflow \& Sflow Analyzer | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in cgi-bin/scrut_fa_exclusions.cgi in Plixer International Scrutinizer NetFlow and sFlow Analyzer 8.6.2.16204 and other versions before 9.0.1.19899 allows remote attackers to inject arbitrary web script or HTML via the standalone parameter. | |||||
| CVE-2019-20376 | 1 Psi | 1 Electronic Logbook | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) 3.1.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG document to elogd.c. | |||||
| CVE-2019-20375 | 1 Psi | 1 Electronic Logbook | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) 3.1.4 allows remote attackers to inject arbitrary web script or HTML via the value parameter in a localization (loc) command to elogd.c. | |||||
| CVE-2019-20210 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query. | |||||
| CVE-2011-2670 | 1 Mozilla | 1 Firefox | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mozilla Firefox before 3.6 is vulnerable to XSS via the rendering of Cascading Style Sheets | |||||
| CVE-2019-20211 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website. | |||||