Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15221 | 1 Combodo | 1 Itop | 2021-01-15 | 3.5 LOW | 5.4 MEDIUM |
| Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0. | |||||
| CVE-2021-23928 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string. | |||||
| CVE-2021-23930 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile. | |||||
| CVE-2021-23929 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/<share-token>?delivery=view URI. | |||||
| CVE-2021-23931 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via an inline binary file. | |||||
| CVE-2021-23933 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL. | |||||
| CVE-2021-23932 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename. | |||||
| CVE-2021-23934 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code. | |||||
| CVE-2021-23936 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via the subject of a task. | |||||
| CVE-2021-23935 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code. | |||||
| CVE-2020-36190 | 1 Rails Admin Project | 1 Rails Admin | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms. | |||||
| CVE-2020-27262 | 1 Innokasmedical | 2 Vital Signs Monitor Vc150, Vital Signs Monitor Vc150 Firmware | 2021-01-14 | 3.5 LOW | 5.4 MEDIUM |
| Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15 A stored cross-site scripting (XSS) vulnerability exists in the affected products that allow an attacker to inject arbitrary web script or HTML via the filename parameter to multiple update endpoints of the administrative web interface. | |||||
| CVE-2019-19935 | 1 Froala | 1 Froala Editor | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Froala Editor before 3.2.3 allows XSS. | |||||
| CVE-2020-25476 | 1 Liferay | 1 Liferay Portal | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload. | |||||
| CVE-2020-26297 | 1 Rust-lang | 1 Mdbook | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it. | |||||
| CVE-2020-4838 | 1 Ibm | 1 Api Connect | 2021-01-14 | 3.5 LOW | 5.4 MEDIUM |
| IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190036. | |||||
| CVE-2020-13116 | 1 Carbonite | 1 Server Backup Portal | 2021-01-14 | 3.5 LOW | 5.4 MEDIUM |
| OpenText Carbonite Server Backup Portal before 8.8.7 allows XSS by an authenticated user via policy creation. | |||||
| CVE-2020-24445 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2021-01-13 | 3.5 LOW | 9.0 CRITICAL |
| AEM's Cloud Service offering, as well as version 6.5.6.0 (and below), are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2020-23849 | 1 Jsoneditoronline | 1 Jsoneditor | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executing JavaScript. | |||||
| CVE-2020-23644 | 1 Jizhicms | 1 Jizhicms | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in JIZHICMS 1.7.1 via index.php/Error/index?msg={XSS] to Home/c/ErrorController.php. | |||||
| CVE-2020-23643 | 1 Jizhicms | 1 Jizhicms | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS] to Home/c/WechatController.php. | |||||
| CVE-2020-4892 | 1 Ibm | 1 Emptoris Contract Management | 2021-01-13 | 3.5 LOW | 5.4 MEDIUM |
| IBM Emptoris Contract Management 10.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190979. | |||||
| CVE-2020-35206 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the cConn.jsp file via the ur parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2019-12539 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189. | |||||
| CVE-2014-9272 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2021-01-12 | 4.3 MEDIUM | N/A |
| The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. | |||||
| CVE-2013-4460 | 1 Mantisbt | 1 Mantisbt | 2021-01-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name. | |||||
| CVE-2014-9269 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2021-01-12 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie. | |||||
| CVE-2014-9270 | 1 Mantisbt | 1 Mantisbt | 2021-01-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field. | |||||
| CVE-2020-8823 | 1 Sockjs Project | 1 Sockjs | 2021-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter. | |||||
| CVE-2020-8160 | 1 Mendix | 1 Mendixsso | 2021-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a Cross-Site Scripting vulnerability via the URL path. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser. | |||||
| CVE-2010-1330 | 1 Jruby | 1 Jruby | 2021-01-12 | 4.3 MEDIUM | N/A |
| The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string. | |||||
| CVE-2020-8264 | 1 Rubyonrails | 1 Rails | 2021-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware. | |||||
| CVE-2020-35933 | 1 Tribulant | 1 Newsletter | 2021-01-11 | 3.5 LOW | 6.5 MEDIUM |
| A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter. | |||||
| CVE-2020-35936 | 1 Pickplugins | 2 Post Grid, Team Showcase | 2021-01-11 | 6.0 MEDIUM | 8.0 HIGH |
| Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts. | |||||
| CVE-2020-35937 | 1 Pickplugins | 2 Post Grid, Team Showcase | 2021-01-11 | 6.0 MEDIUM | 8.0 HIGH |
| Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to team_import_xml_layouts. | |||||
| CVE-2020-4733 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188127. | |||||
| CVE-2020-4697 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186790. | |||||
| CVE-2020-4691 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186698. | |||||
| CVE-2020-4663 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186234. | |||||
| CVE-2020-4664 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186235. | |||||
| CVE-2020-4666 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186281. | |||||
| CVE-2020-8280 | 1 Nextcloud | 1 Contacts | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks. | |||||
| CVE-2020-8281 | 1 Nextcloud | 1 Contacts | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks. | |||||
| CVE-2020-24903 | 1 Cutesoft | 1 Cute Editor | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | |||||
| CVE-2020-26768 | 1 Formstone | 1 Formstone | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper validation of user supplied input in the upload-target.php and upload-chunked.php files. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site once the URL is clicked or visited. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials, force malware execution, user redirection and others. | |||||
| CVE-2020-24900 | 1 Krpano | 1 Krpano | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default installation of Krpano Panorama Viewer version <=1.20.8 is prone to Reflected XSS due to insecure XML load in file /viewer/krpano.html, parameter xml. | |||||
| CVE-2020-35727 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseDirs.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35726 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Reports/index.jsp file via the by parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35724 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the Error.jsp file via the err parameter (or indirectly via the cpr, tcp, or abs parameter). NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35725 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/index.jsp file via the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||