Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14024 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2020-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuration, or (4) any GET Parameter in the /default URL of the application. | |||||
| CVE-2020-12778 | 1 Combodo | 1 Itop | 2020-09-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack. | |||||
| CVE-2020-26115 | 1 Cpanel | 1 Cpanel | 2020-09-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574). | |||||
| CVE-2020-26114 | 1 Cpanel | 1 Cpanel | 2020-09-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573). | |||||
| CVE-2020-16145 | 1 Roundcube | 1 Webmail | 2020-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. | |||||
| CVE-2020-15562 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2020-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. | |||||
| CVE-2020-12625 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2020-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message. | |||||
| CVE-2020-25735 | 1 Webtareas Project | 1 Webtareas | 2020-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| webTareas through 2.1 allows XSS in clients/editclient.php, extensions/addextension.php, administration/add_announcement.php, administration/departments.php, administration/locations.php, expenses/claim_type.php, projects/editproject.php, and general/newnotifications.php. | |||||
| CVE-2020-9416 | 1 Tibco | 4 Spotfire Analyst, Spotfire Analytics Platform, Spotfire Desktop and 1 more | 2020-09-24 | 3.5 LOW | 5.4 MEDIUM |
| The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, and TIBCO Spotfire Server contains a vulnerability that theoretically allows a legitimate user to inject scripts. If executed by a victim authenticated to the affected system these scripts will be executed at the privileges of the victim. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 10.7.0, 10.8.0, 10.9.0, and 10.10.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, and 10.10.1, TIBCO Spotfire Desktop: versions 10.7.0, 10.8.0, 10.9.0, and 10.10.0, and TIBCO Spotfire Server: versions 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, and 10.10.1. | |||||
| CVE-2020-5540 | 1 Cybersolutions | 1 Cybermail | 2020-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in CyberMail Ver.6.x and Ver.7.x allows remote attackers to inject arbitrary script or HTML via a specially crafted URL. | |||||
| CVE-2020-25729 | 1 Zoneminder | 1 Zoneminder | 2020-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php. | |||||
| CVE-2020-5606 | 1 Buffalo | 2 Airstation Whr-g54s, Airstation Whr-g54s Firmware | 2020-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WHR-G54S firmware 1.43 and earlier allows remote attackers to inject arbitrary script via a specially crafted page. | |||||
| CVE-2020-15183 | 1 Soycms Project | 1 Soycms | 2020-09-23 | 3.5 LOW | 4.8 MEDIUM |
| SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage. | |||||
| CVE-2020-13928 | 1 Apache | 1 Atlas | 2020-09-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas before 2.1.0 contain a XSS vulnerability. While saving search or rendering elements values are not sanitized correctly and because of that it triggers the XSS vulnerability. | |||||
| CVE-2020-1766 | 1 Otrs | 1 Otrs | 2020-09-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. | |||||
| CVE-2020-1771 | 1 Otrs | 1 Otrs | 2020-09-23 | 3.5 LOW | 5.4 MEDIUM |
| Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | |||||
| CVE-2020-1106 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-09-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1099, CVE-2020-1100, CVE-2020-1101. | |||||
| CVE-2019-16375 | 1 Otrs | 1 Otrs | 2020-09-23 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article. | |||||
| CVE-2019-10067 | 1 Otrs | 1 Otrs | 2020-09-23 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS. | |||||
| CVE-2020-8339 | 1 Ibm | 2 Bladecenter Advanced Management Module, Bladecenter Advanced Management Module Firmware | 2020-09-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user's AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user’s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself. | |||||
| CVE-2020-8340 | 1 Lenovo | 15 Flex System Nx360 M5, Flex System X240, Flex System X240 M5 and 12 more | 2020-09-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability was discovered in the legacy IBM and Lenovo System x IMM2 (Integrated Management Module 2), prior to version 5.60, embedded Baseboard Management Controller (BMC) web interface during an internal security review. This vulnerability could allow JavaScript code to be executed in the user's web browser if the user is convinced to visit a crafted URL, possibly through phishing. Successful exploitation requires specific knowledge about the user’s network to be included in the crafted URL. Impact is limited to the normal access restrictions and permissions of the user clicking the crafted URL, and subject to the user being able to connect to and already being authenticated to IMM2 or other systems. The JavaScript code is not executed on IMM2 itself. | |||||
| CVE-2020-15179 | 1 Scratch-wiki | 1 Scratchsig | 2020-09-22 | 4.6 MEDIUM | 9.0 CRITICAL |
| The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely. | |||||
| CVE-2020-4615 | 1 Ibm | 1 Data Risk Manager | 2020-09-22 | 3.5 LOW | 5.4 MEDIUM |
| IBM Data Risk Manager (iDNA) 2.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 184928. | |||||
| CVE-2020-15178 | 1 Prestashop | 1 Contactform | 2020-09-21 | 4.3 MEDIUM | 9.3 CRITICAL |
| In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser. | |||||
| CVE-2020-15769 | 1 Gradle | 1 Enterprise | 2020-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL. | |||||
| CVE-2020-20406 | 1 Elementor | 1 Elementor Page Builder | 2020-09-18 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS vulnerability exists in the Custom Link Attributes control Affect function in Elementor Page Builder 2.9.2 and earlier versions. It is caused by inadequate filtering on the link custom attributes. | |||||
| CVE-2020-24924 | 1 Elkarbackup | 1 Elkarbackup | 2020-09-18 | 3.5 LOW | 5.4 MEDIUM |
| A Persistent Cross-site Scripting vulnerability is found in ElkarBackup v1.3.3, where an attacker can steal the user session cookie using this vulnerability present on Policies >> action >> Name Parameter | |||||
| CVE-2020-25380 | 1 Recall-products Project | 1 Recall-products | 2020-09-18 | 3.5 LOW | 5.4 MEDIUM |
| Wordpress Plugin Store / Mike Rooijackers Recall Products V0.8 is affected by: Cross Site Scripting (XSS) via the 'Recall Settings' field in admin.php. An attacker can inject JavaScript code that will be stored and executed. | |||||
| CVE-2020-25375 | 1 Softrade | 1 Wp Smart Crm \& Invoices | 2020-09-18 | 3.5 LOW | 5.4 MEDIUM |
| Wordpress Plugin Store / SoftradeWeb SNC WP SMART CRM V1.8.7 is affected by: Cross Site Scripting via the Business Name field, Tax Code field, First Name field, Address field, Town field, Phone field, Mobile field, Place of Birth field, Web Site field, VAT Number field, Last Name field, Fax field, Email field, and Skype field. | |||||
| CVE-2020-2271 | 1 Jenkins | 1 Locked Files Report | 2020-09-18 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-5306 | 1 Codologic | 1 Codoforum | 2020-09-18 | 3.5 LOW | 4.8 MEDIUM |
| Codoforum 4.8.3 allows XSS via a post using parameters display name, title name, or content. | |||||
| CVE-2020-21845 | 1 Codoforum | 1 Codoforum | 2020-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Codoforum 4.8.3 allows HTML Injection in the 'admin dashboard Manage users Section.' | |||||
| CVE-2020-10227 | 1 Vtenext | 1 Vtenext | 2020-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the messages module of vtecrm vtenext 19 CE allows attackers to inject arbitrary JavaScript code via the From field of an email. | |||||
| CVE-2020-2265 | 1 Jenkins | 1 Coverage\/complexity Scatter Plot | 2020-09-18 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step. | |||||
| CVE-2020-21732 | 1 Rukovoditel | 1 Rukovoditel | 2020-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rukovoditel Project Management app 2.6 is affected by: Cross Site Scripting (XSS). An attacker can add JavaScript code to the filename. | |||||
| CVE-2020-25378 | 1 Accesspressthemes | 1 Wp Floating Menu | 2020-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wordpress Plugin Store / AccessPress Themes WP Floating Menu V1.3.0 is affected by: Cross Site Scripting (XSS) via the id GET parameter. | |||||
| CVE-2020-21733 | 1 Sagemcom | 2 F\@st 3686, F\@st 3686 Firmware | 2020-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sagemcom F@ST3686 v1.0 HUN 3.97.0 has XSS via RgDiagnostics.asp, RgDdns.asp, RgFirewallEL.asp, RgVpnL2tpPptp.asp. | |||||
| CVE-2020-9737 | 1 Adobe | 1 Experience Manager | 2020-09-17 | 3.5 LOW | 4.8 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by a stored XSS vulnerability that allows users with access to the Content Repository Development Environment to store malicious scripts in certain node fields. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2020-21731 | 1 Gazie Project | 1 Gazie | 2020-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Gazie 7.29 is affected by: Cross Site Scripting (XSS) via http://192.168.100.7/gazie/modules/config/admin_utente.php?user_name=amministratore&Update. An attacker can inject JavaScript code, and the webapplication stores the injected code. | |||||
| CVE-2019-14756 | 1 Kaiostech | 1 Kaios | 2020-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in KaiOS 1.0, 2.5, and 2.5.12.5. The pre-installed Email application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a specially crafted email to the victim that will inject HTML into the email application's UI as soon as the email is opened. At a bare minimum, this allows an attacker to take control over the Email application's UI (e.g., display a malicious prompt to the user asking them to re-enter their email credentials) and also allows an attacker to abuse any of the privileges available to the mobile application. | |||||
| CVE-2019-14757 | 1 Kaiostech | 1 Kaios | 2020-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed Contacts application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim that will inject HTML into the Contacts application (assuming the victim chooses to import the file). At a bare minimum, this allows an attacker to take control over the Contacts application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application. | |||||
| CVE-2019-14758 | 1 Kaiostech | 1 Kaios | 2020-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed File Manager application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a file via email to the victim that will inject HTML into the File Manager application (assuming the victim chooses to download the email attachment). At a bare minimum, this allows an attacker to take control over the File Manager application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application. | |||||
| CVE-2019-15587 | 1 Loofah Project | 1 Loofah | 2020-09-17 | 3.5 LOW | 5.4 MEDIUM |
| In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. | |||||
| CVE-2020-13301 | 1 Gitlab | 1 Gitlab | 2020-09-16 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a stored XSS on the standalone vulnerability page. | |||||
| CVE-2020-2257 | 1 Jenkins | 1 Validating String Parameter | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-2262 | 1 Jenkins | 1 Android Lint | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step. | |||||
| CVE-2020-2264 | 1 Jenkins | 1 Custom Job Icon | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-2263 | 1 Jenkins | 1 Radiator View | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-2256 | 1 Jenkins | 1 Pipeline Maven Integration | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-2266 | 1 Jenkins | 1 Description Column | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||