Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35723 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the ReportPreview.do file via the referer parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35721 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseAssets.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35720 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in multiple fields (first name, last name, and logon name) when creating or modifying a user via the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35719 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Search/index.jsp file via the added parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-24902 | 1 Quixplorer Project | 1 Quixplorer | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | |||||
| CVE-2020-24901 | 1 Krpano | 1 Krpano | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS due to insecure remote js load in file viewer/krpano.html, parameter plugin[test].url. | |||||
| CVE-2020-16030 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient data validation in Blink in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | |||||
| CVE-2020-36171 | 1 Elementor | 1 Website Builder | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads. | |||||
| CVE-2020-35262 | 1 Digisol | 2 Dg-hr3400, Dg-hr3400 Firmware | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter. | |||||
| CVE-2020-36172 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. | |||||
| CVE-2020-25498 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2021-01-08 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter. | |||||
| CVE-2020-4895 | 1 Ibm | 1 Emptoris Strategic Supply Management | 2021-01-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190986. | |||||
| CVE-2020-35170 | 1 Dell | 2 Powermax Os, Unisphere | 2021-01-08 | 3.5 LOW | 5.4 MEDIUM |
| Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject javascript code and affect other authenticated users’ sessions. | |||||
| CVE-2020-35946 | 1 Semperplugins | 1 All In One Seo Pack | 2021-01-08 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the All in One SEO Pack plugin before 3.6.2 for WordPress. The SEO Description and Title fields are vulnerable to unsanitized input from a Contributor, leading to stored XSS. | |||||
| CVE-2015-2992 | 1 Apache | 1 Struts | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2019-20483 | 1 Vikisolutions | 1 Vera | 2021-01-08 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Viki Vera 4.9.1.26180. An attacker could set a user's last name to an XSS Payload, and read another user's cookie and use that to login to the application. | |||||
| CVE-2020-26046 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-01-08 | 4.3 MEDIUM | 5.4 MEDIUM |
| FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account and also impact other visitors. | |||||
| CVE-2017-6484 | 1 Inter-mediator | 1 Inter-mediator | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in INTER-Mediator 5.5. The vulnerabilities exist due to insufficient filtration of user-supplied data (c and cred) passed to the "INTER-Mediator-master/Auth_Support/PasswordReset/resetpassword.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6478 | 1 Mangoswebv4 Project | 1 Mangoswebv4 | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter). | |||||
| CVE-2020-35741 | 1 Hgiga | 4 Msr45 Isherlock-antispam, Msr45 Isherlock-user, Ssr45 Isherlock-antispam and 1 more | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| HGiga MailSherlock does not validate user parameters on multiple login pages. Attackers can use the vulnerability to inject JavaScript syntax for XSS attacks. | |||||
| CVE-2020-35740 | 1 Hgiga | 4 Msr45 Isherlock-antispam, Msr45 Isherlock-user, Ssr45 Isherlock-antispam and 1 more | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| HGiga MailSherlock does not validate specific URL parameters properly that allows attackers to inject JavaScript syntax for XSS attacks. | |||||
| CVE-2015-9251 | 2 Jquery, Oracle | 47 Jquery, Agile Product Lifecycle Management For Process, Banking Platform and 44 more | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. | |||||
| CVE-2021-3014 | 1 Mikrotik | 1 Routeros | 2021-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| In MikroTik RouterOS through 2021-01-04, the hotspot login page is vulnerable to reflected XSS via the target parameter. | |||||
| CVE-2020-26293 | 1 Htmlsanitizer Project | 1 Htmlsanitizer | 2021-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372. | |||||
| CVE-2020-35717 | 1 Electronjs | 1 Zonote | 2021-01-07 | 3.5 LOW | 9.0 CRITICAL |
| zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true). | |||||
| CVE-2020-29497 | 1 Dell | 1 Wyse Management Suite | 2021-01-06 | 3.5 LOW | 5.4 MEDIUM |
| Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to store malicious HTML or JavaScript code under the device tag. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. | |||||
| CVE-2020-29496 | 1 Dell | 1 Wyse Management Suite | 2021-01-06 | 3.5 LOW | 4.8 MEDIUM |
| Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. | |||||
| CVE-2021-3026 | 1 Invisioncommunity | 1 Ips Community Suite | 2021-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or comment. | |||||
| CVE-2020-26296 | 1 Vega Project | 1 Vega | 2021-01-06 | 3.5 LOW | 8.7 HIGH |
| Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary javascript on a victim's machine. This is fixed in version 5.17.3. | |||||
| CVE-2019-25011 | 1 Netbox Project | 1 Netbox | 2021-01-06 | 3.5 LOW | 5.4 MEDIUM |
| NetBox through 2.6.2 allows an Authenticated User to conduct an XSS attack against an admin via a GFM-rendered field, as demonstrated by /dcim/sites/add/ comments. | |||||
| CVE-2019-16956 | 1 Solarwinds | 1 Web Help Desk | 2021-01-06 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket. | |||||
| CVE-2019-16960 | 1 Solarwinds | 1 Web Help Desk | 2021-01-06 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. | |||||
| CVE-2020-35930 | 1 Seopanel | 1 Seo Panel | 2021-01-05 | 3.5 LOW | 5.4 MEDIUM |
| Seo Panel 4.8.0 allows stored XSS by an Authenticated User via the url parameter, as demonstrated by the seo/seopanel/websites.php URI. | |||||
| CVE-2021-3002 | 1 Seopanel | 1 Seo Panel | 2021-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter. | |||||
| CVE-2016-6418 | 1 Cisco | 1 Videoscape Distribution Suite Service Manager | 2021-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Cisco Videoscape Distribution Suite Service Manager (VDS-SM) 3.0 through 3.4.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCva14552. | |||||
| CVE-2020-4916 | 1 Ibm | 1 Cloud Pak System | 2021-01-05 | 3.5 LOW | 4.8 MEDIUM |
| IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191390. | |||||
| CVE-2020-4910 | 1 Ibm | 1 Cloud Pak System | 2021-01-05 | 3.5 LOW | 4.8 MEDIUM |
| IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191274. | |||||
| CVE-2020-4909 | 1 Ibm | 1 Cloud Pak System | 2021-01-05 | 3.5 LOW | 4.8 MEDIUM |
| IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191273. | |||||
| CVE-2020-25797 | 1 Limesurvey | 1 Limesurvey | 2021-01-05 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants Function (First and last name parameters). When the survey participant is being edited, e.g. by an administrative user, the JavaScript code will be executed in the browser. | |||||
| CVE-2020-25799 | 1 Limesurvey | 1 Limesurvey | 2021-01-05 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota is being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser. | |||||
| CVE-2020-35841 | 1 Netgear | 36 D6200, D6200 Firmware, D7000 and 33 more | 2021-01-04 | 3.5 LOW | 7.6 HIGH |
| Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JNR1010v2 before 1.1.0.62, JR6150 before 1.0.1.24, JWNR2010v5 before 1.1.0.62, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.76, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, WNR1000v4 before 1.1.0.62, WNR2020 before 1.1.0.62, and WNR2050 before 1.1.0.62. | |||||
| CVE-2020-5810 | 1 Umbraco | 1 Umbraco Cms | 2021-01-04 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which acts as a stored XSS payload. | |||||
| CVE-2020-5809 | 1 Umbraco | 1 Umbraco Cms | 2021-01-04 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS. | |||||
| CVE-2020-29231 | 1 Egavilanmedia | 1 User Registration And Login System With Admin Panel | 2021-01-04 | 3.5 LOW | 5.4 MEDIUM |
| EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin Full Name and each time admin visits the Profile page from the admin panel, the XSS triggers. | |||||
| CVE-2020-29230 | 1 Egavilanmedia | 1 User Registration And Login System With Admin Panel | 2021-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Panel - Manage User tab using the Full Name of the user. This vulnerability can result in the attacker injecting the XSS payload in the User Registration section and each time admin visits the manage user section from the admin panel, the XSS triggers and the attacker can steal the cookie according to the crafted payload. | |||||
| CVE-2020-35831 | 1 Netgear | 22 D7800, D7800 Firmware, R7500v2 and 19 more | 2021-01-04 | 3.5 LOW | 8.1 HIGH |
| Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10. | |||||
| CVE-2020-35836 | 1 Netgear | 16 D7800, D7800 Firmware, R7500v2 and 13 more | 2021-01-04 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.2.56, XR700 before 1.0.1.10, and RAX120 before 1.0.0.78. | |||||
| CVE-2020-35818 | 1 Netgear | 34 D7800, D7800 Firmware, R7500v2 and 31 more | 2021-01-04 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR20 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK40 before 2.3.5.30, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10. | |||||
| CVE-2020-35839 | 1 Netgear | 16 D7800, D7800 Firmware, R7500v2 and 13 more | 2021-01-04 | 3.5 LOW | 8.1 HIGH |
| Certain NETGEAR devices are affected by Stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.2.56, XR700 before 1.0.1.10, and RAX120 before 1.0.0.78. | |||||
| CVE-2020-35828 | 1 Netgear | 34 D7800, D7800 Firmware, R7500v2 and 31 more | 2021-01-04 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, RBK20 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK40 before 2.3.5.30, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.2.56, XR700 before 1.0.1.10, RAX120 before 1.0.0.78, and R7500v2 before 1.0.3.46. | |||||
