Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-28487 | 1 Visjs | 1 Vis-timeline | 2021-02-02 | 6.0 MEDIUM | 6.8 MEDIUM |
| This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application. | |||||
| CVE-2020-35853 | 1 4homepages | 1 4images | 2021-02-01 | 3.5 LOW | 4.8 MEDIUM |
| 4images Image Gallery Management System 1.7.11 is affected by cross-site scripting (XSS) in the Image URL. This vulnerability can result in an attacker to inject the XSS payload into the IMAGE URL. Each time a user visits that URL, the XSS triggers and the attacker can be able to steal the cookie according to the crafted payload. | |||||
| CVE-2020-36011 | 1 Qdocs | 1 Smart Hospital | 2021-02-01 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) issue in Add Patient Form in QDOCS Smart Hospital Management System 3.1 allows a remote attacker to inject arbitrary code via the Name, Guardian Name, Email, Address, Remarks, or Any Known Allergies field. | |||||
| CVE-2020-35309 | 1 Bakeshop Online Ordering System Project | 1 Bakeshop Online Ordering System | 2021-02-01 | 3.5 LOW | 4.8 MEDIUM |
| Bakeshop Online Ordering System in PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML in admin dashboard - "Categories". | |||||
| CVE-2020-29241 | 1 Online News Portal Project | 1 Online News Portal | 2021-02-01 | 3.5 LOW | 4.8 MEDIUM |
| Online News Portal using PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML via the "Title" parameter. | |||||
| CVE-2020-8292 | 1 Rocket.chat | 1 Rocket.chat | 2021-02-01 | 4.3 MEDIUM | 5.4 MEDIUM |
| Rocket.Chat server before 3.9.0 is vulnerable to a self cross-site scripting (XSS) vulnerability via the drag & drop functionality in message boxes. | |||||
| CVE-2021-22871 | 1 Revive-adserver | 1 Revive Adserver | 2021-02-01 | 3.5 LOW | 4.8 MEDIUM |
| Revive Adserver before 5.1.0 permits any user with a manager account to store possibly malicious content in the URL website property, which is then displayed unsanitized in the affiliate-preview.php tag generation screen, leading to a persistent cross-site scripting (XSS) vulnerability. | |||||
| CVE-2021-20620 | 1 Aterm | 2 Wg2600hp, Wg2600hp Firmware | 2021-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Aterm WF800HP firmware Ver1.0.9 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-26304 | 1 Phpgurukul | 1 Daily Expense Tracker System | 2021-02-01 | 3.5 LOW | 5.4 MEDIUM |
| PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the add-expense.php Item parameter. | |||||
| CVE-2021-20622 | 1 Aterm | 4 Wg2600hp, Wg2600hp2, Wg2600hp2 Firmware and 1 more | 2021-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Aterm WG2600HP firmware Ver1.0.2 and earlier, and Aterm WG2600HP2 firmware Ver1.0.2 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2020-8288 | 1 Rocket.chat | 1 Rocket.chat | 2021-02-01 | 3.5 LOW | 5.4 MEDIUM |
| The `specializedRendering` function in Rocket.Chat server before 3.9.2 allows a cross-site scripting (XSS) vulnerability by way of the `value` parameter. | |||||
| CVE-2020-35854 | 1 Textpattern | 1 Textpattern | 2021-02-01 | 3.5 LOW | 4.8 MEDIUM |
| Textpattern 4.8.4 is affected by cross-site scripting (XSS) in the Body parameter. | |||||
| CVE-2021-20183 | 1 Moodle | 1 Moodle | 2021-02-01 | 4.3 MEDIUM | 5.4 MEDIUM |
| It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. | |||||
| CVE-2021-20186 | 1 Moodle | 1 Moodle | 2021-02-01 | 2.1 LOW | 5.4 MEDIUM |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. | |||||
| CVE-2020-23774 | 1 Winmail Project | 1 Winmail | 2021-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected XSS vulnerability exists in tohtml/convert.php of Winmail 6.5, which can cause JavaScript code to be executed. | |||||
| CVE-2021-3186 | 1 Tenda | 2 Ac1200, Ac1200 Firmware | 2021-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Stored Cross-site scripting (XSS) vulnerability in /main.html Wifi Settings in Tenda AC5 AC1200 version V15.03.06.47_multi allows remote attackers to inject arbitrary web script or HTML via the Wifi Name parameter. | |||||
| CVE-2020-24085 | 1 Misp | 1 Misp | 2021-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code. | |||||
| CVE-2020-23447 | 1 Newbee-mall Project | 1 Newbee-mall | 2021-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| newbee-mall 1.0 is affected by cross-site scripting in shop-cart/settle. Users only need to write xss payload in their address information when buying goods, which is triggered when viewing the "View Recipient Information" of this order in "Order Management Office". | |||||
| CVE-2020-21146 | 1 Feehi | 1 Feehi Cms | 2021-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Feehi CMS 2.0.8 is affected by a cross-site scripting (XSS) vulnerability. When the user name is inserted as JavaScript code, browsing the post will trigger the XSS. | |||||
| CVE-2021-26303 | 1 Phpgurukul | 1 Daily Expense Tracker System | 2021-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the user-profile.php Full Name field. | |||||
| CVE-2020-21147 | 1 Rockoa | 1 Rockoa | 2021-01-29 | 3.5 LOW | 4.8 MEDIUM |
| RockOA V1.9.8 is affected by a cross-site scripting (XSS) vulnerability which allows remote attackers to send malicious code to the administrator and execute JavaScript code, because webmain/flow/input/mode_emailmAction.php does not perform strict filtering. | |||||
| CVE-2020-23014 | 1 Apfell Project | 1 Apfell | 2021-01-29 | 3.5 LOW | 5.4 MEDIUM |
| APfell 1.4 is vulnerable to authenticated reflected cross-site scripting (XSS) in /apiui/command_ through the payloadtypes_callback function, which allows an attacker to steal remote admin/user session and/or adding new users to the administration panel. | |||||
| CVE-2020-4524 | 1 Ibm | 11 Collaborative Lifecycle Management, Engineering Insights, Engineering Lifecycle Management and 8 more | 2021-01-29 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182434. | |||||
| CVE-2020-4855 | 1 Ibm | 11 Collaborative Lifecycle Management, Engineering Insights, Engineering Lifecycle Management and 8 more | 2021-01-29 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190457. | |||||
| CVE-2020-4865 | 1 Ibm | 11 Collaborative Lifecycle Management, Engineering Insights, Engineering Lifecycle Management and 8 more | 2021-01-29 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190741. | |||||
| CVE-2021-20357 | 1 Ibm | 11 Collaborative Lifecycle Management, Engineering Insights, Engineering Lifecycle Management and 8 more | 2021-01-29 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194963. | |||||
| CVE-2021-3298 | 1 O-dyn | 1 Collabtive | 2021-01-29 | 3.5 LOW | 5.4 MEDIUM |
| Collabtive 3.1 allows XSS when an authenticated user enters an XSS payload into the address section of the profile edit page, aka the manageuser.php?action=edit address1 parameter. | |||||
| CVE-2020-36012 | 1 Bdtask | 1 Multi-store | 2021-01-29 | 3.5 LOW | 4.8 MEDIUM |
| Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inject arbitrary code via the Customer Name Field. | |||||
| CVE-2020-4820 | 1 Ibm | 1 Cloud Pak For Security | 2021-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Cloud Pak for Security (CP4S) 1.4.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2019-25015 | 1 Openwrt | 1 Openwrt | 2021-01-29 | 3.5 LOW | 5.4 MEDIUM |
| LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID. | |||||
| CVE-2021-21260 | 1 Bigprof | 1 Online Invoicing System | 2021-01-29 | 3.5 LOW | 5.4 MEDIUM |
| Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario. | |||||
| CVE-2021-22875 | 1 Revive-adserver | 1 Revive Adserver | 2021-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in stats.php via the `setPerPage` parameter. | |||||
| CVE-2021-22874 | 1 Revive-adserver | 1 Revive Adserver | 2021-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in userlog-index.php via the `period_preset` parameter. | |||||
| CVE-2021-22849 | 1 Hyweb | 1 Hycms-j1 | 2021-01-28 | 3.5 LOW | 5.4 MEDIUM |
| Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack. | |||||
| CVE-2020-6470 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2021-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient validation of untrusted input in clipboard in Google Chrome prior to 83.0.4103.61 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via crafted clipboard contents. | |||||
| CVE-2020-13932 | 1 Apache | 1 Activemq Artemis | 2021-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section. | |||||
| CVE-2020-26934 | 4 Debian, Fedoraproject, Opensuse and 1 more | 5 Debian Linux, Fedora, Backports Sle and 2 more | 2021-01-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link. | |||||
| CVE-2020-12512 | 1 Pepperl-fuchs | 24 Io-link Master 4-eip, Io-link Master 4-eip Firmware, Io-link Master 4-pnio and 21 more | 2021-01-27 | 3.5 LOW | 5.4 MEDIUM |
| Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting | |||||
| CVE-2021-1271 | 1 Cisco | 1 Web Security Virtual Appliance | 2021-01-27 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface. | |||||
| CVE-2020-35129 | 1 Mautic | 1 Mautic | 2021-01-27 | 6.0 MEDIUM | 9.0 CRITICAL |
| Mautic before 3.2.4 is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users, including administrators. For example, an attacker could load an externally drafted JavaScript file that would allow them to eventually perform actions on the target user’s behalf, including changing the user’s password or email address or changing the attacker’s user role from a low-privileged user to an administrator account. | |||||
| CVE-2021-1250 | 1 Cisco | 1 Data Center Network Manager | 2021-01-27 | 3.5 LOW | 5.4 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow a remote attacker with network-operator privileges to conduct a cross-site scripting (XSS) attack or a reflected file download (RFD) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-1253 | 1 Cisco | 1 Data Center Network Manager | 2021-01-27 | 3.5 LOW | 5.4 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow a remote attacker with network-operator privileges to conduct a cross-site scripting (XSS) attack or a reflected file download (RFD) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2020-35272 | 1 Employee Performance Evaluation System Project | 1 Employee Performance Evaluation System | 2021-01-27 | 3.5 LOW | 4.8 MEDIUM |
| Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Admin Portal in the Task and Description fields. | |||||
| CVE-2020-35271 | 1 Employee Performance Evaluation System Project | 1 Employee Performance Evaluation System | 2021-01-27 | 3.5 LOW | 4.8 MEDIUM |
| Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Employees, First Name and Last Name fields. | |||||
| CVE-2021-25295 | 1 Opencats | 1 Opencats | 2021-01-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issues. | |||||
| CVE-2010-3906 | 2 Git, Git-scm | 2 Git, Git | 2021-01-26 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters. | |||||
| CVE-2017-1000488 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2021-01-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mautic version 2.1.0 - 2.11.0 is vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET parameters to pre-populate the form. | |||||
| CVE-2018-11198 | 1 Acquia | 1 Mautic | 2021-01-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mautic 2.13.1. There is Stored XSS via the authorUrl field in config.json. | |||||
| CVE-2020-15864 | 1 Quali | 1 Cloudshell | 2021-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page. | |||||
| CVE-2020-13134 | 1 Tufin | 1 Securechange | 2021-01-23 | 3.5 LOW | 4.8 MEDIUM |
| Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1 are affected. Vulnerabilities were fixed in R19.3 HF3 and R20-1 HF1. | |||||