Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26958 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. | |||||
| CVE-2020-26956 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. | |||||
| CVE-2020-29572 | 1 Misp | 1 Misp | 2020-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field. | |||||
| CVE-2020-29539 | 1 Systransoft | 1 Pure Neural Server | 2020-12-10 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) issue in WebUI Translation in Systran Pure Neural Server before 9.7.0 allows a threat actor to have a remote authenticated user run JavaScript from a malicious site. | |||||
| CVE-2020-29258 | 1 Online Examination System Project | 1 Online Examination System | 2020-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Online Examination System 1.0 via the w parameter to index.php. | |||||
| CVE-2020-29257 | 1 Online Examination System Project | 1 Online Examination System | 2020-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Online Examination System 1.0 via the q parameter to feedback.php. | |||||
| CVE-2020-26951 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. | |||||
| CVE-2020-12262 | 1 Intelbras | 6 Tip200, Tip200 Firmware, Tip200lite and 3 more | 2020-12-08 | 3.5 LOW | 5.4 MEDIUM |
| Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 devices allow /cgi-bin/cgiServer.exx?page= XSS. | |||||
| CVE-2004-1865 | 1 Bblog | 1 Bblog | 2020-12-08 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the administration panel in bBlog 0.7.2 allows remote authenticated users with superuser privileges to inject arbitrary web script or HTML via a blog name ($blogname). NOTE: if administrators are normally allowed to add HTML by other means, e.g. through Smarty templates, then this issue would not give any additional privileges, and thus would not be considered a vulnerability. | |||||
| CVE-2020-15169 | 3 Action View Project, Debian, Fedoraproject | 3 Action View, Debian Linux, Fedora | 2020-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory. | |||||
| CVE-2020-14333 | 1 Ovirt | 1 Ovirt-engine | 2020-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. This flaw allows an attacker to leverage a phishing attack, steal an unsuspecting user's cookies or other confidential information, or impersonate them within the application's context. | |||||
| CVE-2016-2075 | 2 Linux, Vmware | 2 Linux Kernel, Vrealize Business Advanced And Enterprise | 2020-12-08 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in VMware vRealize Business Advanced and Enterprise 8.x before 8.2.5 on Linux allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2020-25631 | 1 Moodle | 1 Moodle | 2020-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8. | |||||
| CVE-2020-25628 | 1 Moodle | 1 Moodle | 2020-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. | |||||
| CVE-2020-28727 | 1 Seeddms | 1 Seeddms | 2020-12-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) exists in SeedDMS 6.0.13 via the folderid parameter to views/bootstrap/class.DropFolderChooser.php. | |||||
| CVE-2017-1000078 | 1 Onosproject | 1 Onos | 2020-12-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Linux foundation ONOS 1.9 is vulnerable to XSS in the device. registration | |||||
| CVE-2020-25449 | 1 Arachnys | 1 Cabot | 2020-12-07 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Arachnys Cabot 0.11.12 can be exploited via the Address column. | |||||
| CVE-2020-27409 | 1 Os4ed | 1 Opensis | 2020-12-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenSIS Community Edition before 7.5 is affected by a cross-site scripting (XSS) vulnerability in SideForStudent.php via the modname parameter. | |||||
| CVE-2020-24223 | 1 Mara Cms Project | 1 Mara Cms | 2020-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mara CMS 7.5 allows cross-site scripting (XSS) in contact.php via the theme or pagetheme parameters. | |||||
| CVE-2020-7546 | 1 Schneider-electric | 5 Ecostruxure Energy Expert, Ecostruxure Power Monitoring Expert, Power Manager and 2 more | 2020-12-04 | 3.5 LOW | 5.4 MEDIUM |
| A CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow an attacker to perform actions on behalf of the authorized user when accessing an affected webpage. | |||||
| CVE-2019-3865 | 1 Redhat | 1 Quay | 2020-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in quay-2, where a stored XSS vulnerability has been found in the super user function of quay. Attackers are able to use the name field of service key to inject scripts and make it run when admin users try to change the name. | |||||
| CVE-2020-29239 | 1 Online Voting System Project | 1 Online Voting System | 2020-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Online Birth Certificate System Project V 1.0 is affected by cross-site scripting (XSS). This vulnerability can result in an attacker injecting the XSS payload in the User Registration section. When an admin visits the View Detail of Application section from the admin panel, the attacker can able to steal the cookie according to the crafted payload. | |||||
| CVE-2020-29144 | 1 Ericsson | 2 Bscs Ix R18 Billing \& Rating Admx, Bscs Ix R18 Billing \& Rating Mx | 2020-12-04 | 3.5 LOW | 5.4 MEDIUM |
| In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admins' browsers by using the beef framework. | |||||
| CVE-2020-29145 | 1 Ericsson | 2 Bscs Ix R18 Billing \& Rating Admx, Bscs Ix R18 Billing \& Rating Mx | 2020-12-04 | 3.5 LOW | 5.4 MEDIUM |
| In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admins' browsers by using the beef framework. | |||||
| CVE-2017-9621 | 1 Epesi | 1 Epesi | 2020-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in modules/Base/Lang/Administrator/update_translation.php in EPESI in Telaxus/EPESI 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) original or (2) new parameter. | |||||
| CVE-2020-5638 | 1 Desknets | 1 Neo | 2020-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in desknet's NEO (desknet's NEO Small License V5.5 R1.5 and earlier, and desknet's NEO Enterprise License V5.5 R1.5 and earlier) allows remote attackers to inject arbitrary script via unspecified vectors. | |||||
| CVE-2020-28938 | 1 Openclinic Project | 1 Openclinic | 2020-12-03 | 3.5 LOW | 5.4 MEDIUM |
| OpenClinic version 0.8.2 is affected by a stored XSS vulnerability in lib/Check.php that allows users of the application to force actions on behalf of other users. | |||||
| CVE-2020-25702 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2020-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10. | |||||
| CVE-2017-9624 | 1 Epesi | 1 Epesi | 2020-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted currency decimal-sign data. | |||||
| CVE-2017-9366 | 1 Epesi | 1 Epesi | 2020-12-03 | 3.5 LOW | 4.8 MEDIUM |
| Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Base/Dashboard/Dashboard_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted tab_name parameter. | |||||
| CVE-2017-9331 | 1 Epesi | 1 Epesi | 2020-12-03 | 3.5 LOW | 5.4 MEDIUM |
| The Agenda component in Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Utils/RecordBrowser/RecordBrowserCommon_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted meeting description parameter. | |||||
| CVE-2017-9622 | 1 Epesi | 1 Epesi | 2020-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted common data. | |||||
| CVE-2017-9623 | 1 Epesi | 1 Epesi | 2020-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted country data. | |||||
| CVE-2020-5677 | 1 Weseek | 1 Growi | 2020-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors. | |||||
| CVE-2020-5678 | 1 Weseek | 1 Growi | 2020-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors. | |||||
| CVE-2020-26239 | 1 Scratchaddons | 1 Scratch Addons | 2020-12-03 | 3.5 LOW | 5.4 MEDIUM |
| Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used incorrect regular expression which caused the HTML-escaped values to be unescaped, leading to XSS. Scratch Addons version 1.3.2 fixes the bug. The extension will be automatically updated by the browser. More Links addon can be disabled via the option of the extension. | |||||
| CVE-2020-26554 | 1 Reddoxx | 1 Maildepot | 2020-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| REDDOXX MailDepot 2033 (aka 2.3.3022) allows XSS via an incoming HTML e-mail message. | |||||
| CVE-2020-27974 | 1 Quadient | 1 Mail Accounting | 2020-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| NeoPost Mail Accounting Software Pro 5.0.6 allows php/Commun/FUS_SCM_BlockStart.php?code= XSS. | |||||
| CVE-2020-7750 | 1 Mit | 1 Scratch-svg-renderer | 2020-12-02 | 6.8 MEDIUM | 9.6 CRITICAL |
| This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function. | |||||
| CVE-2020-29240 | 1 Lepton-cms | 1 Leptoncms | 2020-12-02 | 3.5 LOW | 4.8 MEDIUM |
| Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered. | |||||
| CVE-2020-14073 | 1 Paessler | 1 Prtg Network Monitor | 2020-12-02 | 3.5 LOW | 5.4 MEDIUM |
| XSS exists in PRTG Network Monitor 20.1.56.1574 via crafted map properties. An attacker with Read/Write privileges can create a map, and then use the Map Designer Properties screen to insert JavaScript code. This can be exploited against any user with View Maps or Edit Maps access. | |||||
| CVE-2020-29072 | 1 Liquidfiles | 1 Liquidfiles | 2020-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js. | |||||
| CVE-2020-29071 | 1 Liquidfiles | 1 Liquidfiles | 2020-12-02 | 8.5 HIGH | 9.0 CRITICAL |
| An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving sensitive information about encrypted e-mails, depending on the permissions of the target user. | |||||
| CVE-2020-29456 | 1 Papermerge | 1 Papermerge | 2020-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application. Therefore, no authentication is required to exploit XSS if email consumption is configured. Otherwise authentication is required. | |||||
| CVE-2019-16958 | 1 Solarwinds | 1 Help Desk | 2020-12-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows attacker to inject arbitrary web script or HTML via Location Name. | |||||
| CVE-2020-26216 | 1 Typo3 | 1 Fluid | 2020-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid: 1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. 2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. 3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format. Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of this typo3fluid/fluid package that fix the problem described. More details are available in the linked advisory. | |||||
| CVE-2020-26227 | 1 Typo3 | 1 Typo3 | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. | |||||
| CVE-2020-25890 | 1 Kyocera | 2 Ecosys M2640idw, Ecosys M2640idw Firmware | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The web application of Kyocera printer (ECOSYS M2640IDW) is affected by Stored XSS vulnerability, discovered in the addition a new contact in "Machine Address Book". Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions | |||||
| CVE-2020-29395 | 1 Myeventon | 1 Eventon | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field. | |||||
| CVE-2020-29364 | 1 Netartmedia | 1 News Lister | 2020-12-01 | 3.5 LOW | 4.8 MEDIUM |
| In NetArt News Lister 1.0.0, the news headlines vulnerable to stored xss attacks. Attackers can inject codes in news titles. | |||||