Total: 20468 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-9510 | 1 Atlassian | 1 Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. | |||||
| CVE-2020-22394 | 1 Yzmcms | 1 Yzmcms | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| In YzmCMS v5.5 the member contribution function in the editor contains a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2020-26825 | 1 Sap | 1 Fiori Launchpad \(news Tile Application\) | 2020-11-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Fiori Launchpad (News tile Application), versions 750, 751, 752, 753, 754, 755, allows an unauthorized attacker to use the SAP Fiori Launchpad News tile Application to send malicious code to a different end user (victim), because the News tile does not sufficiently encode user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability. Information maintained in the victim's web browser can be read, modified, and sent to the attacker. The malicious code cannot significantly impact the victim's browser and the victim can easily close the browser tab to terminate it. | |||||
| CVE-2020-7934 | 1 Liferay | 1 Liferay Portal | 2020-11-23 | 3.5 LOW | 5.4 MEDIUM |
| In Liferay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1. | |||||
| CVE-2020-4672 | 1 Ibm | 1 Business Automation Workflow | 2020-11-23 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Automation Workflow 20.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186285. | |||||
| CVE-2020-4705 | 1 Ibm | 1 Sterling B2b Integrator | 2020-11-23 | 3.5 LOW | 4.8 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 187190. | |||||
| CVE-2020-25706 | 1 Cacti | 1 Cacti | 2020-11-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to improper escaping of the error message during template import preview in the xml_path field. | |||||
| CVE-2020-28139 | 1 Online Clothing Store Project | 1 Online Clothing Store | 2020-11-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| SourceCodester Online Clothing Store 1.0 is affected by a cross-site scripting (XSS) vulnerability via an Offer Detail field in offer.php. | |||||
| CVE-2020-27459 | 1 Chronoengine | 1 Chronoforums | 2020-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ChronoForums 2.0.11 allows stored XSS when a crafted payload is inserted into a post. If any user views the post, the inserted XSS code is executed. | |||||
| CVE-2020-11860 | 1 Microfocus | 1 Arcsight Logger | 2020-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting vulnerability on the Micro Focus ArcSight Logger product, affecting all versions prior to 7.1.1. The vulnerability could be remotely exploited, resulting in Cross-Site Scripting (XSS). | |||||
| CVE-2020-14208 | 1 Salesagility | 1 Suitecrm | 2020-11-21 | 3.5 LOW | 5.4 MEDIUM |
| SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML. | |||||
| CVE-2020-4760 | 1 Ibm | 1 Content Navigator | 2020-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| IBM Content Navigator 3.0CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188737. | |||||
| CVE-2020-4704 | 1 Ibm | 1 Content Navigator | 2020-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| IBM Content Navigator 3.0CD is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 187189. | |||||
| CVE-2020-3551 | 1 Cisco | 1 Identity Services Engine | 2020-11-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2020-3587 | 1 Cisco | 1 Sd-wan Vmanage | 2020-11-20 | 3.5 LOW | 6.4 MEDIUM |
| A vulnerability in the web-based management interface of the Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-3591 | 1 Cisco | 1 Sd-wan Vmanage | 2020-11-20 | 3.5 LOW | 4.3 MEDIUM |
| A vulnerability in the web-based management interface of the Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-3590 | 1 Cisco | 1 Sd-wan Vmanage | 2020-11-20 | 3.5 LOW | 6.4 MEDIUM |
| A vulnerability in the web-based management interface of the Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-3579 | 1 Cisco | 1 Sd-wan Vmanage | 2020-11-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-5662 | 1 Riken | 1 Xoonips | 2020-11-20 | 3.5 LOW | 5.4 MEDIUM |
| Reflected cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors. | |||||
| CVE-2020-5663 | 1 Riken | 1 Xoonips | 2020-11-20 | 4.0 MEDIUM | 5.4 MEDIUM |
| Stored cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors. | |||||
| CVE-2020-26672 | 1 Testimonial Rotator Project | 1 Testimonial Rotator | 2020-11-19 | 3.5 LOW | 5.4 MEDIUM |
| Testimonial Rotator WordPress Plugin 3.0.2 is affected by Cross Site Scripting (XSS) in /wp-admin/post.php. If a user intercepts a request and inserts a payload in the "cite" parameter, the payload will be stored in the database. | |||||
| CVE-2020-14240 | 1 Hcltech | 1 Notes | 2020-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| HCL Notes versions previous to releases 9.0.1 FP10 IF8, 10.0.1 FP6 and 11.0.1 FP1 are susceptible to a Stored Cross-site Scripting (XSS) vulnerability. An attacker could use this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials. | |||||
| CVE-2020-26083 | 1 Cisco | 1 Identity Services Engine | 2020-11-19 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need to have valid administrative credentials. | |||||
| CVE-2018-19351 | 1 Jupyter | 1 Notebook | 2020-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this. | |||||
| CVE-2018-21030 | 1 Jupyter | 1 Notebook | 2020-11-19 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document. | |||||
| CVE-2020-25832 | 1 Microfocus | 1 Filr | 2020-11-19 | 3.5 LOW | 5.4 MEDIUM |
| Reflected Cross-Site Scripting vulnerability on the Micro Focus Filr product, affecting version 4.2.1. The vulnerability could be exploited to perform a reflected XSS attack. | |||||
| CVE-2020-25833 | 1 Microfocus | 1 Idol | 2020-11-19 | 3.5 LOW | 4.8 MEDIUM |
| Persistent Cross-Site Scripting vulnerability on the Micro Focus IDOL product, affecting all versions prior to version 12.7. The vulnerability could be exploited to perform a persistent XSS attack. | |||||
| CVE-2020-28409 | 1 Dundas | 1 Dundas Bi | 2020-11-18 | 3.5 LOW | 5.4 MEDIUM |
| The server in Dundas BI through 8.0.0.1001 allows XSS via addition of a Component (e.g., a button) when events such as click, hover, etc. occur. | |||||
| CVE-2020-28408 | 1 Dundas | 1 Dundas Bi | 2020-11-18 | 3.5 LOW | 5.4 MEDIUM |
| The server in Dundas BI through 8.0.0.1001 allows XSS via an HTML label when creating or editing a dashboard. | |||||
| CVE-2020-25267 | 1 Ilias | 1 Ilias | 2020-11-18 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4. | |||||
| CVE-2020-28351 | 1 Mitel | 2 Shoretel, Shoretel Firmware | 2020-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page. | |||||
| CVE-2020-28364 | 1 Locust | 1 Locust | 2020-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability affects the Web UI in Locust before 1.3.2, if the installation violates the usage expectations by exposing this UI to outside users. | |||||
| CVE-2020-9299 | 1 Netflix | 1 Dispatch | 2020-11-17 | 3.5 LOW | 5.4 MEDIUM |
| There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be exploited by an authenticated user. | |||||
| CVE-2020-27991 | 1 Nagios | 1 Nagios Xi | 2020-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field). | |||||
| CVE-2020-27990 | 1 Nagios | 1 Nagios Xi | 2020-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent). | |||||
| CVE-2020-27989 | 1 Nagios | 1 Nagios Xi | 2020-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard). | |||||
| CVE-2020-27988 | 1 Nagios | 1 Nagios Xi | 2020-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field). | |||||
| CVE-2020-26221 | 1 Touchbase.ai Project | 1 Touchbase.ai | 2020-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting (XSS). The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser action. The issue is patched in version 2.0. | |||||
| CVE-2020-26218 | 1 Touchbase.ai Project | 1 Touchbase.ai | 2020-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting. The vulnerability allows an attacker to inject HTML payloads which could result in defacement, user redirection to a malicious webpage/website etc. The issue is patched in version 2.0. | |||||
| CVE-2020-24443 | 1 Adobe | 1 Connect | 2020-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. | |||||
| CVE-2020-24442 | 1 Adobe | 1 Connect | 2020-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. | |||||
| CVE-2020-28414 | 1 Tranzware Payment Gateway Project | 1 Tranzware Payment Gateway | 2020-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via a crafted URL (different vector than CVE-2020-28415). | |||||
| CVE-2020-28415 | 1 Tranzware Payment Gateway Project | 1 Tranzware Payment Gateway | 2020-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via a crafted URL (different vector than CVE-2020-28414). | |||||
| CVE-2017-11107 | 2 Debian, Phpldapadmin Project | 2 Debian Linux, Phpldapadmin | 2020-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the form, element, rdn, or container parameter. | |||||
| CVE-2012-0834 | 1 Phpldapadmin Project | 1 Phpldapadmin | 2020-11-16 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in phpLDAPadmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the base parameter in a query_engine action to cmd.php. | |||||
| CVE-2006-2016 | 2 Debian, Phpldapadmin Project | 2 Debian Linux, Phpldapadmin | 2020-11-16 | 2.6 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in phpLDAPadmin 0.9.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dn parameter in (a) compare_form.php, (b) copy_form.php, (c) rename_form.php, (d) template_engine.php, and (e) delete_form.php; (2) scope parameter in (f) search.php; and (3) Container DN, (4) Machine Name, and (5) UID Number fields in (g) template_engine.php. | |||||
| CVE-2020-16246 | 1 Ge | 4 S2020, S2020 Firmware, S2024 and 1 more | 2020-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting (XSS), which may allow attackers to trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client. | |||||
| CVE-2020-26210 | 1 Bookstackapp | 1 Bookstack | 2020-11-16 | 3.5 LOW | 8.7 HIGH |
| In BookStack before version 0.30.4, a user with permissions to edit a page could add an attached link which would execute untrusted JavaScript code when clicked by a viewer of the page. Dangerous content may remain in the database after this update. If you think this could have been exploited the linked advisory provides a SQL query to test. As a workaround, page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploitation of this vulnerability. The issue is fixed in version 0.30.4. | |||||
| CVE-2020-26211 | 1 Bookstackapp | 1 Bookstack | 2020-11-16 | 3.5 LOW | 8.7 HIGH |
| In BookStack before version 0.30.4, a user with permissions to edit a page could insert JavaScript code through the use of `javascript:` URIs within a link or form which would run, within the context of the current page, when clicked or submitted. Additionally, a user with permissions to edit a page could insert a particular meta tag which could be used to silently redirect users to an alternative location upon visit of a page. Dangerous content may remain in the database but will be removed before being displayed on a page. If you think this could have been exploited the linked advisory provides a SQL query to test. As a workaround without upgrading, page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploitation of this vulnerability. The issue is fixed in BookStack version 0.30.4. | |||||
| CVE-2020-15253 | 1 Grocy | 1 Grocy | 2020-11-16 | 3.5 LOW | 4.8 MEDIUM |
| Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept. | |||||
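
Most entries above (the SAP Fiori News tile, the IBM Web UI entries, the Cisco management interfaces, the Nagios XI fields) come down to one root cause: a user-controlled value is written into a page without the encoding the surrounding context requires. The following is an added example, not code from any vendor listed in the table; the `render_tile_*` functions and the "news tile" template are hypothetical stand-ins. It shows the same value landing in three contexts (HTML text/attribute, URL query parameter, JavaScript string literal), the vulnerable concatenation beside the hardened form, and a crude oracle for spotting the difference.

```python
import html
import json
import re
from urllib.parse import quote

# Three output contexts, three encoders. Applying the HTML-text encoder in a
# script or URL context (or applying none at all) is what turns a value such
# as a news headline into an XSS vector.

def encode_html(value: str) -> str:
    """HTML text content and double-quoted attribute values."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """A JavaScript string literal inside <script>. json.dumps escapes quotes,
    backslashes and control characters (and, with ensure_ascii, U+2028/2029);
    '<' and '>' are escaped as well so a '</script>' in the data cannot
    terminate the script block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def encode_url_param(value: str) -> str:
    """A value embedded in a query string."""
    return quote(value, safe="")

def render_tile_unsafe(title: str) -> str:
    """Hypothetical vulnerable rendering: raw concatenation in every context."""
    return ('<div class="tile" title="' + title + '">' + title + '</div>'
            '<a href="/news?q=' + title + '">more</a>'
            '<script>var t = "' + title + '";</script>')

def render_tile_safe(title: str) -> str:
    """Same markup; each context gets the encoder for that context."""
    t = encode_html(title)
    return ('<div class="tile" title="' + t + '">' + t + '</div>'
            '<a href="/news?q=' + encode_url_param(title) + '">more</a>'
            '<script>var t = ' + encode_js_string(title) + ';</script>')

_SCRIPT_OPEN = re.compile(r"<script", re.IGNORECASE)

def script_blocks(rendered: str) -> int:
    """Crude oracle: how many '<script' openings does the page contain?
    The template legitimately has exactly one; any extra came from the data."""
    return len(_SCRIPT_OPEN.findall(rendered))

# Constructed test input: breaks out of an attribute and injects a script tag.
PAYLOAD = '"><script>alert(document.cookie)</script>'

if __name__ == "__main__":
    print("unsafe:", script_blocks(render_tile_unsafe(PAYLOAD)), "script openings")
    print("safe:  ", script_blocks(render_tile_safe(PAYLOAD)), "script opening")
```

The oracle is deliberately simple; a real review checks each sink's context rather than grepping output, but it is enough to show that the unsafe renderer turns one payload into four injection points while the hardened one leaves the single template script block.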
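
The two Jupyter Notebook entries (CVE-2018-19351 and CVE-2018-21030) describe a different failure from missing output encoding: the server cannot sanitise an arbitrary uploaded SVG or an nbconvert HTML export, so the fix is to stop such responses from sharing the server's origin, which a `Content-Security-Policy: sandbox` directive achieves by giving the document an opaque origin. The example below is added here and is not Jupyter's code; the endpoint names in the sample are constructed. It parses CSP headers and decides, for a set of responses, which ones would let script in the body act as the application's origin.

```python
from typing import Dict, List

# Content types a browser renders as a document, i.e. may run script from.
RENDERABLE = {"text/html", "application/xhtml+xml", "image/svg+xml",
              "text/xml", "application/xml"}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header into {directive: [tokens]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def is_origin_isolated(headers: Dict[str, str]) -> bool:
    """True if script in this response cannot act with the server's origin.

    Three acceptable outcomes: the browser downloads the body instead of
    rendering it; the body is a non-document type and sniffing is disabled;
    or the document is CSP-sandboxed, which gives it an opaque origin."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if h.get("content-disposition", "").strip().lower().startswith("attachment"):
        return True
    if ctype not in RENDERABLE and \
            h.get("x-content-type-options", "").strip().lower() == "nosniff":
        return True
    sandbox = parse_csp(h.get("content-security-policy", "")).get("sandbox")
    # 'allow-same-origin' hands the origin back and defeats the purpose.
    return sandbox is not None and "allow-same-origin" not in sandbox

def headers_for_user_file(content_type: str) -> Dict[str, str]:
    """Hypothetical hardened file endpoint: render, but in an opaque origin."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox allow-scripts",
    }

def audit(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of the responses that are NOT origin-isolated."""
    return [name for name, hdrs in responses.items() if not is_origin_isolated(hdrs)]

# Constructed sample responses (endpoint names are illustrative only).
SAMPLE = {
    "files/upload.svg (unfixed)": {"Content-Type": "image/svg+xml"},
    "nbconvert/html/x.ipynb (unfixed)": {"Content-Type": "text/html; charset=utf-8"},
    "files/upload.svg (sandboxed)": headers_for_user_file("image/svg+xml"),
    "files/data.bin": {"Content-Type": "application/octet-stream",
                       "X-Content-Type-Options": "nosniff"},
    "export.html (download)": {"Content-Type": "text/html",
                               "Content-Disposition": 'attachment; filename="x.html"'},
    "bad-sandbox": {"Content-Type": "text/html",
                    "Content-Security-Policy": "sandbox allow-scripts allow-same-origin"},
}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("NOT isolated:", name)
```

Note the `bad-sandbox` case: adding `allow-same-origin` to make a sandboxed page "work again" silently restores the original vulnerability, so a checker that only looks for the presence of `sandbox` is not enough.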
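
The BookStack entries (CVE-2020-26210 and CVE-2020-26211) are a third pattern: the editor legitimately allows HTML, so the problem is not encoding but which URL schemes a link or form target may use, plus a `<meta http-equiv="refresh">` that redirects silently. The sanitiser below is an added example, not BookStack's own code (which is not on this page); the `SAMPLE_FRAGMENT` is constructed. It normalises URLs the way browsers do before checking the scheme, so tab/newline insertion, leading control characters, mixed case and HTML-entity encoding of `javascript:` are all rejected, and it drops refresh meta tags while passing everything else through.

```python
import html
import re
from html.parser import HTMLParser

SAFE_SCHEMES = {"http", "https", "mailto", "tel"}
URL_ATTRS = {"href", "src", "action", "formaction"}
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}

# Browsers delete ASCII tab/LF/CR anywhere in a URL and ignore leading C0
# controls and spaces, so "java\tscript:" or "\x01javascript:" still runs.
_TAB_NL = re.compile(r"[\t\n\r]")
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def is_safe_url(raw: str) -> bool:
    """Allow relative URLs and an explicit list of schemes; reject the rest."""
    url = _TAB_NL.sub("", html.unescape(raw)).lstrip(_LEADING_JUNK)
    m = _SCHEME.match(url)
    if m is None:
        return True            # "/page/2", "#anchor", "//host/path": no scheme
    return m.group(1).lower() in SAFE_SCHEMES

class LinkSanitizer(HTMLParser):
    """Re-serialises an HTML fragment, dropping unsafe URL attributes and
    <meta http-equiv="refresh"> tags. Other tags and attributes pass through."""

    def __init__(self):
        super().__init__()     # convert_charrefs=True: text and attrs arrive decoded
        self.out = []
        self.dropped = []      # (tag, attribute) pairs removed, for logging

    def handle_starttag(self, tag, attrs):
        if tag == "meta" and any(n == "http-equiv" and (v or "").lower() == "refresh"
                                 for n, v in attrs):
            self.dropped.append((tag, "refresh"))
            return
        kept = []
        for name, value in attrs:
            if name in URL_ATTRS and value is not None and not is_safe_url(value):
                self.dropped.append((tag, name))
                continue
            kept.append((name, value))
        parts = [tag] + [name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"'
                         for name, value in kept]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                   # comments are dropped

def sanitize(fragment: str):
    """Return (clean_html, dropped) for a user-supplied HTML fragment."""
    p = LinkSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped

# Constructed input: a case-mangled javascript: link, a silent-redirect meta
# tag, and an entity-encoded javascript: form action.
SAMPLE_FRAGMENT = (
    '<p>See <a href="jAvaScript:alert(1)">here</a> and <a href="/page/2">there</a>.</p>'
    '<meta http-equiv="refresh" content="0;url=https://attacker.example/">'
    '<form action="&#106;avascript:alert(2)"><input type="submit"></form>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_FRAGMENT)
    print(clean)
    print("dropped:", dropped)
```

This runs on store as well as on render: the BookStack advisory text above notes that dangerous content may remain in the database after the fix, which is exactly why filtering at display time (as the second entry describes) matters in addition to filtering at edit time. The `dropped` list is what you would log to find accounts that have been submitting such content.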
