Total: 20468 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-2259 | 1 Jenkins | 1 Computer Queue | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. | |||||
| CVE-2020-2269 | 1 Jenkins | 1 Chosen-views-tabbar | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views. | |||||
| CVE-2020-2270 | 1 Jenkins | 1 Clearcase Release | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-9742 | 1 Adobe | 1 Experience Manager | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below) and 6.3.3.8 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Inbox calendar feature. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2017-15947 | 1 Aspsource | 1 Simple Asc Content Management System | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Simple ASC Content Management System v1.2 has XSS in the location field in the sign function, related to guestbook.asp, formgb.asp, and msggb.asp. | |||||
| CVE-2020-4530 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Automation Workflow C.D.0 and IBM Business Process Manager 8.0, 8.5, and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182714. | |||||
| CVE-2020-24198 | 1 Stock Management System Project | 1 Stock Management System | 2020-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A persistent cross-site scripting vulnerability in Sourcecodester Stock Management System v1.0 allows remote attackers to inject arbitrary web script or HTML via the 'Brand Name.' | |||||
| CVE-2020-2036 | 1 Paloaltonetworks | 1 Pan-os | 2020-09-15 | 6.8 MEDIUM | 8.8 HIGH |
| A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9. | |||||
| CVE-2020-15788 | 1 Siemens | 1 Polarion Subversion Webclient | 2020-09-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Polarion Subversion Webclient (All versions). The Polarion subversion web application does not filter user input in a way that prevents Cross-Site Scripting. If a user is enticed into passing specially crafted, malicious input to the web client (e.g. by clicking on a malicious URL with embedded JavaScript), then JavaScript code can be returned and may then be executed by the user’s client. Various actions could be triggered by running malicious JavaScript code. | |||||
| CVE-2020-24194 | 1 Daily Tracker System Project | 1 Daily Tracker System | 2020-09-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in 'user-profile.php' in SourceCodester Daily Tracker System v1.0 allows remote attackers to inject arbitrary web script or HTML via the 'fullname' parameter. | |||||
| CVE-2020-9736 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 4.8 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by a stored XSS vulnerability that allows users with access to the Content Repository Development Environment to store malicious scripts in certain node fields. These scripts may be executed in a victim’s browser when browsing to the page containing the vulnerable field. | |||||
| CVE-2020-9738 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 4.8 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by a stored XSS vulnerability that allows users with access to the Content Repository Development Environment to store malicious scripts in certain node fields. These scripts may be executed in a victim’s browser when visiting the page containing the vulnerable field. | |||||
| CVE-2020-9740 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 5.4 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Design Importer. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2020-6326 | 1 Sap | 1 Netweaver Knowledge Management | 2020-09-14 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver (Knowledge Management), versions 7.30, 7.31, 7.40, 7.50, allows an authenticated attacker to create malicious links in the UI which, when clicked by a victim, execute arbitrary JavaScript, thus extracting or modifying information otherwise restricted, leading to Stored Cross Site Scripting. | |||||
| CVE-2020-9741 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 5.4 MEDIUM |
| The AEM forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Forms component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2020-9735 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 4.8 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by a stored XSS vulnerability that allows users with access to the Content Repository Development Environment to store malicious scripts in certain node fields. These scripts may be executed in a victim’s browser when search queries return the page containing the vulnerable field. | |||||
| CVE-2020-9734 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 5.4 MEDIUM |
| The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.1 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Forms component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2020-24794 | 1 Kentico | 1 Kentico | 2020-09-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Kentico before 12.0.75. | |||||
| CVE-2020-24582 | 1 Zulipchat | 1 Zulip Desktop | 2020-09-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zulip Desktop before 5.4.3 allows XSS because string escaping is mishandled during composition of the HTML for the user interface. | |||||
| CVE-2020-24963 | 1 Appsbd | 1 Best Support System | 2020-09-11 | 3.5 LOW | 5.4 MEDIUM |
| An Authenticated Persistent XSS vulnerability was discovered in the Best Support System, tested version v3.0.4. | |||||
| CVE-2019-11928 | 1 Whatsapp | 1 Whatsapp Desktop | 2020-09-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| An input validation issue in WhatsApp Desktop versions prior to v0.3.4932 could have allowed cross-site scripting upon clicking on a link from a specially crafted live location message. | |||||
| CVE-2020-12058 | 1 Oscommerce | 1 Ce Phoenix | 2020-09-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Several XSS vulnerabilities in osCommerce CE Phoenix before 1.0.6.0 allow an attacker to inject and execute arbitrary JavaScript code. The malicious code can be injected as follows: the page parameter to catalog/admin/order_status.php, catalog/admin/tax_rates.php, catalog/admin/languages.php, catalog/admin/countries.php, catalog/admin/tax_classes.php, catalog/admin/reviews.php, or catalog/admin/zones.php; or the zpage or spage parameter to catalog/admin/geo_zones.php. | |||||
| CVE-2020-4578 | 5 Hp, Ibm, Linux and 2 more | 8 Hp-ux, Aix, I and 5 more | 2020-09-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 184433. | |||||
| CVE-2020-9732 | 1 Adobe | 2 Experience Manager, Experience Manager Forms | 2020-09-11 | 6.0 MEDIUM | 9.0 CRITICAL |
| The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Sites component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2020-25104 | 1 Eramba | 1 Eramba | 2020-09-10 | 3.5 LOW | 5.4 MEDIUM |
| eramba c2.8.1 and Enterprise before e2.19.3 allows XSS via a crafted filename for a file attached to an object. For example, the filename has a complete XSS payload followed by the .png extension. | |||||
| CVE-2020-25102 | 1 Advanced Reports Project | 1 Advanced Reports | 2020-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| silverstripe-advancedreports (aka the Advanced Reports module for SilverStripe) 1.0 through 2.0 is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code. This affects admin/advanced-reports/DataObjectReport/EditForm/field/DataObjectReport/item (aka report preview) when an SVG document is provided in the Description parameter. | |||||
| CVE-2020-4516 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2020-09-10 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager 8.5, 8.6 and IBM Business Automation Workflow 18.0, 19.0, and 20.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182371. | |||||
| CVE-2020-4698 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2020-09-10 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager 8.5, 8.6 and IBM Business Automation Workflow 18.0, 19.0, and 20.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186841. | |||||
| CVE-2020-6312 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-09-10 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, allows an attacker with a non-administrative user account that can edit certain web page properties to modify how a browser processes particular page elements, leading to stored Cross Site Scripting. In certain situations, when a user accesses an affected web page element, the attacker will be able to access or modify metadata for which they are not authorized. | |||||
| CVE-2020-6283 | 1 Sap | 1 Fiori Launchpad | 2020-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Fiori Launchpad does not sufficiently encode user-controlled inputs, allowing an attacker to inject a meta tag into the launchpad HTML using the vulnerable parameter, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. With a successful attack, the attacker can steal authentication information of the user, such as data relating to his or her current session. | |||||
| CVE-2020-12646 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-09-09 | 3.5 LOW | 5.4 MEDIUM |
| OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document. | |||||
| CVE-2020-4702 | 1 Ibm | 1 Infosphere Information Server | 2020-09-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 187187. | |||||
| CVE-2020-13972 | 1 Enghouse | 1 Web Chat | 2020-09-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Enghouse Web Chat 6.2.284.34 allows XSS. When one enters their own domain name in the WebServiceLocation parameter, the response from the POST request is displayed, and any JavaScript returned from the external server is executed in the browser. This is related to CVE-2019-16951. | |||||
| CVE-2020-17458 | 1 Fabbricadigitale | 1 Multiux | 2020-09-08 | 3.5 LOW | 5.4 MEDIUM |
| A post-authenticated stored XSS was found in MultiUx v.3.1.12.0 via the /multiux/SaveMailbox LastName field. | |||||
| CVE-2020-4546 | 1 Ibm | 10 Doors Next, Engineering Requirements Management Doors Next, Engineering Test Management and 7 more | 2020-09-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Team Server based Applications are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 183314. | |||||
| CVE-2020-4522 | 1 Ibm | 10 Doors Next, Engineering Requirements Management Doors Next, Engineering Test Management and 7 more | 2020-09-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Team Server based Applications are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182397. | |||||
| CVE-2020-4445 | 1 Ibm | 10 Doors Next, Engineering Requirements Management Doors Next, Engineering Test Management and 7 more | 2020-09-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Team Server based Applications are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 181122. | |||||
| CVE-2020-23450 | 1 Spiceworks | 1 Spiceworks | 2020-09-08 | 3.5 LOW | 5.4 MEDIUM |
| Spiceworks Version <= 7.5.00107 is affected by XSS. Any name typed in the Custom Groups function is vulnerable to stored XSS, as names are displayed on http://127.0.0.1/inventory/groups/ without output sanitization. | |||||
| CVE-2020-13828 | 1 Dolibarr | 1 Dolibarr | 2020-09-08 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. | |||||
| CVE-2020-20626 | 1 Lara's Google Analytics Project | 1 Lara's Google Analytics | 2020-09-08 | 3.5 LOW | 5.4 MEDIUM |
| lara-google-analytics.php in Lara Google Analytics plugin through 2.0.4 for WordPress allows authenticated stored XSS. | |||||
| CVE-2020-16206 | 1 Redlion | 4 N-tron 702-w, N-tron 702-w Firmware, N-tron 702m12-w and 1 more | 2020-09-04 | 3.5 LOW | 9.0 CRITICAL |
| The affected product is vulnerable to stored cross-site scripting, which may allow an attacker to remotely execute arbitrary code to gain access to sensitive data on the N-Tron 702-W / 702M12-W (all versions). | |||||
| CVE-2020-16210 | 1 Redlion | 4 N-tron 702-w, N-tron 702-w Firmware, N-tron 702m12-w and 1 more | 2020-09-04 | 3.5 LOW | 9.0 CRITICAL |
| The affected product is vulnerable to reflected cross-site scripting, which may allow an attacker to remotely execute arbitrary code and perform actions in the context of an attacked user on the N-Tron 702-W / 702M12-W (all versions). | |||||
| CVE-2020-17465 | 1 Forgerock | 1 Identity Manager | 2020-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dashboards and progressiveProfileForms in ForgeRock Identity Manager before 7.0.0 are vulnerable to stored XSS. The vulnerability affects versions 6.5.0.4, 6.0.0.6. | |||||
| CVE-2020-2238 | 1 Jenkins | 1 Git Parameter | 2020-09-04 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2017-12307 | 1 Cisco | 170 Esw2-350g-52, Esw2-350g-52 Firmware, Esw2-350g-52dc and 167 more | 2020-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting and injecting code into a user request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. This vulnerability affects the following Cisco Small Business 300 and 500 Series Managed Switches: Cisco Small Business 300 Series Managed Switches, Cisco Small Business 500 Series Stackable Managed Switches, Cisco 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, Cisco 550X Series Stackable Managed Switches, Cisco ESW2 Series Advanced Switches. Cisco Bug IDs: CSCvg24637. | |||||
| CVE-2020-24897 | 1 Stiltsoft | 1 Table Filter And Charts For Confluence Server | 2020-09-04 | 3.5 LOW | 8.9 HIGH |
| The Table Filter and Charts for Confluence Server app before 5.3.25 (for Atlassian Confluence) allows remote attackers to inject arbitrary HTML or JavaScript via cross-site scripting (XSS) through the provided Markdown markup to the "Table from CSV" macro. | |||||
| CVE-2020-24699 | 1 Chamber Dashboard Business Directory Project | 1 Chamber Dashboard Business Directory | 2020-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Chamber Dashboard Business Directory plugin 3.2.8 for WordPress allows XSS. | |||||
| CVE-2020-15020 | 1 Elementor | 1 Page Builder | 2020-09-04 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template field. | |||||
| CVE-2020-25033 | 1 Blubrry | 1 Subscribe Sidebar | 2020-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin 1.3.1 for WordPress allows subscribe_sidebar.php&status= reflected XSS. | |||||
| CVE-2020-2243 | 1 Jenkins | 1 Cadence Vmanager | 2020-09-04 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. | |||||
