Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26035 | 1 Zammad | 1 Zammad | 2020-12-29 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Zammad before 3.4.1. There is Stored XSS via a Tags element in a TIcket. | |||||
| CVE-2020-35346 | 1 Cxuu | 1 Cxuucms | 2020-12-28 | 3.5 LOW | 4.8 MEDIUM |
| CXUUCMS V3 3.1 is affected by a reflected XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the imgurl parameter of admin.php?c=content&a=add. | |||||
| CVE-2020-35704 | 1 Daybydaycrm | 1 Daybyday | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Lead screen. | |||||
| CVE-2020-27515 | 1 Techkshetrainfo | 1 Savsoft Quiz | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in Savsoft Quiz v5.0 allows remote attackers to inject arbitrary web script or HTML via the Skype ID field. | |||||
| CVE-2020-29172 | 1 Litespeedtech | 1 Litespeed Cache | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin before 3.6.1 for WordPress can be exploited via the Server IP setting. | |||||
| CVE-2020-35707 | 1 Daybydaycrm | 1 Daybyday | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Company Name parameter to the New Client screen. | |||||
| CVE-2020-35706 | 1 Daybydaycrm | 1 Daybyday | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Project screen. | |||||
| CVE-2020-35705 | 1 Daybydaycrm | 1 Daybyday | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Name parameter to the New User screen. | |||||
| CVE-2020-35676 | 1 Bigprof | 1 Online Invoicing System | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once the arbitrary Javascript is executed in the context of the admin, this will cause the attacker to gain administrative privileges, effectively leading into an application takeover. This affects app/membership_signup.php and app/admin/pageViewMembers.php. | |||||
| CVE-2020-35659 | 1 Pi-hole | 1 Pi-hole | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page. | |||||
| CVE-2020-27719 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| On BIG-IP 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, a cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. | |||||
| CVE-2020-27726 | 1 F5 | 1 Big-ip Access Policy Manager | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.2, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system. | |||||
| CVE-2020-28184 | 1 Terra-master | 1 Tos | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php. | |||||
| CVE-2020-2503 | 1 Qnap | 1 Qes | 2020-12-28 | 3.5 LOW | 5.4 MEDIUM |
| If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later. | |||||
| CVE-2020-35478 | 1 Mediawiki | 1 Mediawiki | 2020-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later. | |||||
| CVE-2020-35479 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2020-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later. | |||||
| CVE-2019-20798 | 1 Cherokee-project | 1 Cherokee | 2020-12-23 | 6.0 MEDIUM | 8.4 HIGH |
| An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands. | |||||
| CVE-2020-35252 | 1 Egavilanmedia | 1 User Registration And Login System With Admin Panel | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability via the 'Full Name' parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0. | |||||
| CVE-2020-28071 | 1 Alumni Management System Project | 1 Alumni Management System | 2020-12-23 | 3.5 LOW | 4.8 MEDIUM |
| SourceCodester Alumni Management System 1.0 is affected by cross-site Scripting (XSS) in /admin/gallery.php. After the admin authentication an attacker can upload an image in the gallery using a XSS payload in the description textarea called 'about' and reach a stored XSS. | |||||
| CVE-2020-6159 | 1 Opera | 1 Opera | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532. | |||||
| CVE-2020-9439 | 1 Uncannyowl | 1 Tin Canny Reporting For Learndash | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the search_key GET Parameter in TinCan_Content_List_Table.php, message GET Parameter in licensing.php, tc_filter_group parameter in reporting-admin-menu.php, tc_filter_user parameter in reporting-admin-menu.php, tc_filter_course parameter in reporting-admin-menu.php, tc_filter_lesson parameter in reporting-admin-menu.php, tc_filter_module parameter in reporting-admin-menu.php, tc_filter_action parameter in reporting-admin-menu.php, tc_filter_data_range parameter in reporting-admin-menu.php, or tc_filter_data_range_last parameter in reporting-admin-menu.php. | |||||
| CVE-2020-13969 | 1 Crk | 1 Business Platform | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRK Business Platform <= 2019.1 allows reflected XSS via erro.aspx on 'CRK', 'IDContratante', 'Erro', or 'Mod' parameter. This is path-independent. | |||||
| CVE-2020-7318 | 1 Mcafee | 1 Epolicy Orchestrator | 2020-12-23 | 2.3 LOW | 4.3 MEDIUM |
| Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10.9 Update 9 allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. | |||||
| CVE-2020-35650 | 1 Uncannyowl | 1 Uncanny Groups For Learndash | 2020-12-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the ulgm_user_first POST Parameter in user-registration-form.php, the ulgm_user_last POST Parameter in user-registration-form.php, the ulgm_user_email POST Parameter in user-registration-form.php, the ulgm_code_registration POST Parameter in user-registration-form.php, the ulgm_terms_conditions POST Parameter in user-registration-form.php, the _ulgm_total_seats POST Parameter in frontend-uo_groups_buy_courses.php, the uncanny_group_signup_user_first POST Parameter in group-registration-form.php, the uncanny_group_signup_user_last POST Parameter in group-registration-form.php, the uncanny_group_signup_user_login POST Parameter in group-registration-form.php, the uncanny_group_signup_user_email POST Parameter in group-registration-form.php, the success-invited GET Parameter in frontend-uo_groups.php, the bulk-errors GET Parameter in frontend-uo_groups.php, or the message GET Parameter in frontend-uo_groups.php. | |||||
| CVE-2020-13821 | 1 Hivemq | 1 Broker Control Center | 2020-12-23 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in HiveMQ Broker Control Center 4.3.2. A crafted clientid parameter in an MQTT packet (sent to the Broker) is reflected in the client section of the management console. The attacker's JavaScript is loaded in a browser, which can lead to theft of the session and cookie of the administrator's account of the Broker. | |||||
| CVE-2020-27659 | 1 Synology | 1 Safeaccess | 2020-12-22 | 3.5 LOW | 4.8 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter. | |||||
| CVE-2020-35132 | 2 Fedoraproject, Phpldapadmin Project | 2 Fedora, Phpldapadmin | 2020-12-22 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php. | |||||
| CVE-2020-26280 | 1 Openslides | 1 Openslides | 2020-12-22 | 3.5 LOW | 8.9 HIGH |
| OpenSlides is a free, Web-based presentation and assembly system for managing and projecting agenda, motions, and elections of assemblies. OpenSlides version 3.2, due to unsufficient user input validation and escaping, it is vulnerable to persistant cross-site scripting (XSS). In the web applications users can enter rich text in various places, e.g. for personal notes or in motions. These fields can be used to store arbitrary JavaScript Code that will be executed when other users read the respective text. An attacker could utilize this vulnerability be used to manipulate votes of other users, hijack the moderators session or simply disturb the meeting. The vulnerability was introduced with 6eae497abeab234418dfbd9d299e831eff86ed45 on 16.04.2020, which is first included in the 3.2 release. It has been patched in version 3.3 ( in commit f3809fc8a97ee305d721662a75f788f9e9d21938, merged in master on 20.11.2020). | |||||
| CVE-2018-15634 | 1 Odoo | 1 Odoo | 2020-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link. | |||||
| CVE-2020-35589 | 1 Limitloginattempts | 1 Limit Login Attempts Reloaded | 2020-12-22 | 3.5 LOW | 5.4 MEDIUM |
| The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. | |||||
| CVE-2018-15633 | 1 Odoo | 1 Odoo | 2020-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames. | |||||
| CVE-2018-15638 | 1 Odoo | 1 Odoo | 2020-12-22 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names. | |||||
| CVE-2018-15641 | 1 Odoo | 1 Odoo | 2020-12-22 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes. | |||||
| CVE-2020-20285 | 1 Zzcms | 1 Zzcms | 2020-12-22 | 3.5 LOW | 5.4 MEDIUM |
| There is a XSS in the user login page in zzcms 2019. Users can inject js code by the referer header via user/login.php | |||||
| CVE-2020-35622 | 1 Mediawiki | 1 Mediawiki | 2020-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions. | |||||
| CVE-2020-4080 | 1 Hcltech | 1 Domino | 2020-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| HCL Verse v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerability using specially-crafted markup to execute script in a victim's web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials. | |||||
| CVE-2020-14271 | 1 Hcltech | 1 Hcl Inotes | 2020-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| HCL iNotes v9, v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerability using specially-crafted markup to execute script in a victim's web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials. | |||||
| CVE-2020-26198 | 1 Dell | 2 Idrac9, Idrac9 Firmware | 2020-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dell EMC iDRAC9 versions prior to 4.32.10.00 and 4.40.00.00 contain a reflected cross-site scripting vulnerability in the iDRAC9 web application. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link. | |||||
| CVE-2020-25495 | 1 Xinuos | 1 Openserver | 2020-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'. | |||||
| CVE-2020-27010 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2020-12-21 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product in a manner separate from the similar CVE-2020-8462. | |||||
| CVE-2020-8462 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2020-12-21 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product. | |||||
| CVE-2020-12517 | 1 Phoenixcontact | 7 Axc F 1152, Axc F 2152, Axc F 2152 Starterkit and 4 more | 2020-12-21 | 6.0 MEDIUM | 9.0 CRITICAL |
| On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation). | |||||
| CVE-2020-35274 | 1 Dotcms | 1 Dotcms | 2020-12-21 | 3.5 LOW | 4.8 MEDIUM |
| DotCMS Add Template with admin panel 20.11 is affected by cross-site Scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS. | |||||
| CVE-2020-35275 | 1 Coastercms | 1 Coastercms | 2020-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Coastercms v5.8.18 is affected by cross-site Scripting (XSS). A user can steal a cookie and make the user redirect to any malicious website because it is trigged on the main home page of the product/application. | |||||
| CVE-2020-20138 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the Showtime2 Slideshow module in CMS Made Simple (CMSMS) 2.2.4. | |||||
| CVE-2020-25609 | 1 Mitel | 1 Micollab | 2020-12-18 | 3.5 LOW | 5.4 MEDIUM |
| The NuPoint Messenger Portal of Mitel MiCollab before 9.2 could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to view and modify user data. | |||||
| CVE-2020-28647 | 1 Progress | 1 Moveit Transfer | 2020-12-18 | 3.5 LOW | 5.4 MEDIUM |
| In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS). | |||||
| CVE-2020-2231 | 1 Jenkins | 1 Jenkins | 2020-12-18 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token. | |||||
| CVE-2020-20140 | 1 Flexmonster | 1 Pivot Table \& Charts | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Remote Report component under the Open menu in Flexmonster Pivot Table & Charts 2.7.17. | |||||
| CVE-2020-20141 | 1 Flexmonster | 1 Pivot Table \& Charts | 2020-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the To OLAP (XMLA) component Under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17. | |||||