Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-19289 | 1 Valine.js | 1 Valine | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Valine v1.3.3. It allows HTML injection, which can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file. | |||||
| CVE-2018-1671 | 1 Ibm | 1 Curam Social Program Management | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Curam Social Program Management 7.0.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-force ID: 144951. | |||||
| CVE-2018-10554 | 1 Nagios | 1 Nagios Xi | 2020-08-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter. | |||||
| CVE-2020-7690 | 1 Parall | 1 Jspdf | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS). It is possible to inject JavaScript code via the html method. | |||||
| CVE-2020-8542 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-08-22 | 3.5 LOW | 5.4 MEDIUM |
| OX App Suite through 7.10.3 allows XSS. | |||||
| CVE-2013-5612 | 7 Canonical, Fedoraproject, Mozilla and 4 more | 16 Ubuntu Linux, Fedora, Firefox and 13 more | 2020-08-21 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header. | |||||
| CVE-2016-11085 | 1 Expresstech | 1 Quiz And Survey Master | 2020-08-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element. | |||||
| CVE-2020-15781 | 1 Siemens | 2 Sicam A8000, Sicam A8000 Firmware | 2020-08-21 | 6.8 MEDIUM | 9.6 CRITICAL |
| A vulnerability has been identified in SICAM WEB firmware for SICAM A8000 RTUs (All versions < V05.30). The login screen does not sufficiently sanitize input, which enables an attacker to generate specially crafted log messages. If an unsuspecting victim views the log messages via the web browser, these log messages might be interpreted and executed as code by the web application. This Cross-Site-Scripting (XSS) vulnerability might compromize the confidentiality, integrity and availability of the web application. | |||||
| CVE-2020-13183 | 1 Teradici | 1 Pcoip Management Console | 2020-08-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross Site Scripting in Teradici PCoIP Management Console prior to 20.07 could allow an attacker to take over the user's active session if the user is exposed to a malicious payload. | |||||
| CVE-2020-3346 | 1 Cisco | 1 Unified Communications Manager | 2020-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2020-3464 | 1 Cisco | 1 Ucs Director | 2020-08-20 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco UCS Director could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need administrative credentials on the affected device. | |||||
| CVE-2020-15926 | 1 Rocket.chat | 1 Rocket.chat | 2020-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct message to the client which results in remote code execution on the client side. | |||||
| CVE-2017-17478 | 1 Pega | 1 Pega Platform | 2020-08-20 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages. | |||||
| CVE-2020-3463 | 1 Cisco | 1 Webex Meetings Online | 2020-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected service. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2018-1461 | 1 Ibm | 14 San Volume Controller, San Volume Controller Firmware, Spectrum Virtualize and 11 more | 2020-08-19 | 3.5 LOW | 5.4 MEDIUM |
| IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 140362. | |||||
| CVE-2019-6112 | 1 Graphpaperpress | 1 Sell Media | 2020-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field). | |||||
| CVE-2019-7410 | 1 Galileo Cms Project | 1 Galileo Cms | 2020-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is stored cross site scripting (XSS) in Galileo CMS v0.042. Remote authenticated users could inject arbitrary web script or HTML via $page_title in /lib/Galileo/files/templates/page/show.html.ep (aka the PAGE TITLE Field). | |||||
| CVE-2017-17828 | 1 Doditsolutions | 1 Busbooking-script | 2020-08-19 | 3.5 LOW | 4.8 MEDIUM |
| Bus Booking Script has XSS via the results.php datepicker parameter or the admin/new_master.php spemail parameter. | |||||
| CVE-2020-8208 | 1 Citrix | 1 Xenmobile Server | 2020-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper input validation in Citrix XenMobile Server 10.12 before RP1, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.11 before RP6 and Citrix XenMobile Server before 10.9 RP5 allows Cross-Site Scripting (XSS). | |||||
| CVE-2013-1951 | 3 Debian, Linux, Mediawiki | 3 Debian Linux, Linux Kernel, Mediawiki | 2020-08-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names. | |||||
| CVE-2013-4168 | 3 Debian, Fedoraproject, Smokeping | 3 Debian Linux, Fedora, Smokeping | 2020-08-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in SmokePing 2.6.9 in the start and end time fields. | |||||
| CVE-2020-7301 | 1 Mcafee | 1 Data Loss Prevention | 2020-08-18 | 3.5 LOW | 4.6 MEDIUM |
| Cross Site scripting vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated attackers to trigger alerts via the file upload tab in the DLP case management section. | |||||
| CVE-2020-8723 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 5.4 MEDIUM | 6.3 MEDIUM |
| Cross-site scripting for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2020-16266 | 1 Mantisbt | 1 Mantisbt | 2020-08-17 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it). | |||||
| CVE-2020-13278 | 1 Rosariosis | 1 Student Information System | 2020-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting vulnerability in Modules.php in RosarioSIS Student Information System < 6.5.1 allows remote attackers to execute arbitrary web script via embedding javascript or HTML tags in a GET request. | |||||
| CVE-2020-12648 | 1 Tiny | 1 Tinymce | 2020-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode. | |||||
| CVE-2020-13283 | 1 Gitlab | 1 Gitlab | 2020-08-14 | 3.5 LOW | 5.4 MEDIUM |
| For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issues list via milestone title. | |||||
| CVE-2012-4201 | 6 Canonical, Debian, Mozilla and 3 more | 15 Ubuntu Linux, Debian Linux, Firefox and 12 more | 2020-08-14 | 4.3 MEDIUM | N/A |
| The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on. | |||||
| CVE-2015-4093 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-11481 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2015-9056 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. | |||||
| CVE-2017-11479 | 2 Elastic, Elasticsearch | 2 Kibana, Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2018-3830 | 2 Elastic, Redhat | 2 Kibana, Openshift Container Platform | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2018-3818 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2018-3821 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2018-3820 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2017-8439 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users. | |||||
| CVE-2017-8440 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2016-1000220 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. | |||||
| CVE-2016-10366 | 1 Elastic | 1 Kibana | 2020-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack. | |||||
| CVE-2020-7576 | 1 Siemens | 1 Opcenter Execution Core | 2020-08-14 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability has been identified in Camstar Enterprise Platform (All versions), Opcenter Execution Core (All versions < V8.2), Opcenter Execution Core (V8.2). An authenticated user with the ability to create containers, packages or register defects could perform stored Cross-Site Scripting (XSS) attacks within the vulnerable software. The impact of this attack could result in the session cookies of legitimate users being stolen. Should the attacker gain access to these cookies, they could then hijack the session and perform arbitrary actions in the name of the victim. | |||||
| CVE-2020-6284 | 1 Sap | 1 Netweaver Knowledge Management | 2020-08-14 | 8.5 HIGH | 9.0 CRITICAL |
| SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows the automatic execution of script content in a stored file due to inadequate filtering with the accessing user's privileges. If the accessing user has administrative privileges, then the execution of the script content could result in complete compromise of system confidentiality, integrity and availability, leading to Stored Cross Site Scripting. | |||||
| CVE-2020-7303 | 1 Mcafee | 1 Data Loss Prevention | 2020-08-14 | 2.3 LOW | 4.1 MEDIUM |
| Cross Site scripting vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote user to trigger scripts to run in a user's browser via adding a new label. | |||||
| CVE-2020-13288 | 1 Gitlab | 1 Gitlab | 2020-08-14 | 3.5 LOW | 4.8 MEDIUM |
| In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page | |||||
| CVE-2020-2236 | 1 Jenkins | 1 Yet Another Build Visualizer | 2020-08-13 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission. | |||||
| CVE-2012-4209 | 5 Canonical, Mozilla, Opensuse and 2 more | 14 Ubuntu Linux, Firefox, Firefox Esr and 11 more | 2020-08-13 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 do not prevent use of a "top" frame name-attribute value to access the location property, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a binary plugin. | |||||
| CVE-2012-4207 | 6 Canonical, Debian, Mozilla and 3 more | 15 Ubuntu Linux, Debian Linux, Firefox and 12 more | 2020-08-13 | 4.3 MEDIUM | N/A |
| The HZ-GB-2312 character-set implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 does not properly handle a ~ (tilde) character in proximity to a chunk delimiter, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document. | |||||
| CVE-2012-4184 | 4 Canonical, Mozilla, Redhat and 1 more | 13 Ubuntu Linux, Firefox, Firefox Esr and 10 more | 2020-08-13 | 4.3 MEDIUM | N/A |
| The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not prevent access to properties of a prototype for a standard class, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site. | |||||
| CVE-2020-13176 | 1 Teradici | 2 Cloud Access Connector, Cloud Access Connector Legacy | 2020-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 24, 2020 (v16 and earlier for the Cloud Access Connector) contains a stored cross-site scripting (XSS) vulnerability which allows a remote unauthenticated attacker to poison log files with malicious JavaScript via the login page which is executed when an administrator views the logs within the application. | |||||
| CVE-2020-17449 | 1 Php-fusion | 1 Php-fusion | 2020-08-13 | 3.5 LOW | 5.4 MEDIUM |
| PHP-Fusion 9.03 allows XSS via the error_log file. | |||||