Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15032 | 1 Nedi | 1 Nedi | 2020-07-09 | 3.5 LOW | 5.4 MEDIUM |
| NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Incidents.php id parameter. | |||||
| CVE-2020-15033 | 1 Nedi | 1 Nedi | 2020-07-09 | 3.5 LOW | 5.4 MEDIUM |
| NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the snmpget.php ip parameter. | |||||
| CVE-2020-15034 | 1 Nedi | 1 Nedi | 2020-07-09 | 3.5 LOW | 5.4 MEDIUM |
| NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Setup.php tet parameter. | |||||
| CVE-2020-15035 | 1 Nedi | 1 Nedi | 2020-07-09 | 3.5 LOW | 5.4 MEDIUM |
| NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Monitoring-Map.php hde parameter. | |||||
| CVE-2020-5903 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2020-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. | |||||
| CVE-2020-2214 | 1 Jenkins | 1 Zap Pipeline | 2020-07-08 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | |||||
| CVE-2020-15535 | 1 Bestsoftinc | 1 Car Rental System | 2020-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the bestsoftinc Car Rental System plugin through 1.3 for WordPress. Persistent XSS can occur via any of the registration fields. | |||||
| CVE-2020-11074 | 1 Prestashop | 1 Prestashop | 2020-07-08 | 3.5 LOW | 5.4 MEDIUM |
| In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6. | |||||
| CVE-2020-4557 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2020-07-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 183611. | |||||
| CVE-2017-1659 | 1 Ibm | 1 Inotes | 2020-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| "HCL iNotes is susceptible to a Cross-Site Scripting (XSS) Vulnerability. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials." | |||||
| CVE-2020-14055 | 1 Monstaftp | 1 Monsta Ftp | 2020-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Monsta FTP 2.10.1 or below is prone to a stored cross-site scripting vulnerability in the language setting due to insufficient output encoding. | |||||
| CVE-2018-16516 | 1 Flask-admin Project | 1 Flask-admin | 2020-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. | |||||
| CVE-2020-15307 | 1 Nozominetworks | 1 Guardian | 2020-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to create a custom field with a crafted field name. | |||||
| CVE-2020-2217 | 1 Praqma | 1 Compatibility Action Storage | 2020-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Compatibility Action Storage Plugin 1.0 and earlier does not escape the content coming from the MongoDB in the testConnection form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2019-20416 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2020-07-07 | 3.5 LOW | 4.8 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0. | |||||
| CVE-2019-20414 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2020-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2. | |||||
| CVE-2020-14006 | 1 Solarwinds | 2 Orion Network Performance Monitor, Orion Web Performance Monitor | 2020-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a Responsible Team. | |||||
| CVE-2020-14007 | 1 Solarwinds | 2 Orion Network Performance Monitor, Orion Web Performance Monitor | 2020-07-07 | 3.5 LOW | 5.4 MEDIUM |
| Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a name of an alert definition. | |||||
| CVE-2020-2205 | 1 Jenkins | 1 Vncrecorder | 2020-07-06 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins VncRecorder Plugin 1.25 and earlier does not escape a tool path in the `checkVncServ` form validation endpoint, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators. | |||||
| CVE-2020-2207 | 1 Jenkins | 1 Vncviewer | 2020-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2018-17874 | 1 Expressionengine | 1 Expressionengine | 2020-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| ExpressionEngine before 4.3.5 has reflected XSS. | |||||
| CVE-2017-1000160 | 1 Expressionengine | 1 Expressionengine | 2020-07-06 | 3.5 LOW | 5.4 MEDIUM |
| EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection | |||||
| CVE-2020-2219 | 1 Jenkins | 1 Link Column | 2020-07-06 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Link Column Plugin 1.0 and earlier does not filter URLs of links created by users with View/Configure permission, resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-4061 | 1 Octobercms | 1 October | 2020-07-06 | 3.5 LOW | 5.4 MEDIUM |
| In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467. | |||||
| CVE-2020-7355 | 1 Rapid7 | 1 Metasploit | 2020-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in the 'notes' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7354, which describes a similar issue, but involving the generated 'host' field of a discovered scan asset. | |||||
| CVE-2020-14413 | 1 Nedi | 1 Nedi | 2020-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value. | |||||
| CVE-2020-9437 | 1 Secureauth | 1 Secureauth Identity Provider | 2020-07-06 | 3.5 LOW | 4.8 MEDIUM |
| SecureAuth.aspx in SecureAuth IdP 9.3.0 suffers from a client-side template injection that allows for script execution, in the same manner as XSS. | |||||
| CVE-2020-12635 | 1 Mageme | 1 Webforms Pro M2 | 2020-07-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in the WebForms Pro M2 extension before 2.9.17 for Magento 2 via the textarea field. | |||||
| CVE-2015-2068 | 1 Magmi Project | 1 Magmi | 2020-07-06 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php. | |||||
| CVE-2020-4041 | 1 Boltcms | 1 Bolt | 2020-07-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented. This is fixed in Bolt 3.7.1. | |||||
| CVE-2020-15006 | 1 Bludit | 1 Bludit | 2020-07-02 | 3.5 LOW | 5.4 MEDIUM |
| Bludit 3.12.0 allows stored XSS via JavaScript code in an SVG document to bl-kernel/ajax/logo-upload.php. | |||||
| CVE-2020-12021 | 1 Osisoft | 1 Pi Web Api | 2020-07-02 | 6.0 MEDIUM | 9.0 CRITICAL |
| In OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions, the affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to remotely execute arbitrary code. | |||||
| CVE-2020-15083 | 1 Prestashop | 1 Prestashop | 2020-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS. The problem is fixed in 1.7.6.6 | |||||
| CVE-2020-5585 | 1 Cybozu | 1 Garoon | 2020-07-02 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 5.0.0 to 5.0.1 allows attacker with administrator rights to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2020-14071 | 1 Mk-auth | 1 Mk-auth | 2020-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MK-AUTH 19.01. XSS vulnerabilities in admin and client scripts allow an attacker to execute arbitrary JavaScript code. | |||||
| CVE-2020-7354 | 1 Rapid7 | 1 Metasploit | 2020-07-02 | 4.3 MEDIUM | 5.4 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7355, which describes a similar issue, but involving the generated 'notes' field of a discovered scan asset. | |||||
| CVE-2020-13423 | 1 Form Builder For Magento 2 Project | 1 Form Builder For Magento 2 | 2020-07-02 | 3.5 LOW | 4.8 MEDIUM |
| Form Builder 2.1.0 for Magento has multiple XSS issues that can be exploited against Magento 2 admin accounts via the Current_url or email field, or the User-Agent HTTP header. | |||||
| CVE-2020-5586 | 1 Cybozu | 1 Garoon | 2020-07-02 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 4.10.3 to 5.0.1 allows attacker with administrator rights to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2020-14012 | 1 Enhancesoft | 1 Osticket | 2020-07-01 | 3.5 LOW | 5.4 MEDIUM |
| scp/categories.php in osTicket 1.14.2 allows XSS via a Knowledgebase Category Name or Category Description. The attacker must be an Agent. | |||||
| CVE-2020-15017 | 1 Nedi | 1 Nedi | 2020-07-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| NeDi 1.9C is vulnerable to reflected cross-site scripting. The Devices-Config.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the sta GET parameter. | |||||
| CVE-2020-15016 | 1 Nedi | 1 Nedi | 2020-07-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| NeDi 1.9C is vulnerable to reflected cross-site scripting. The Other-Converter.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the txt GET parameter. | |||||
| CVE-2020-9581 | 1 Magento | 1 Magento | 2020-07-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-9577 | 1 Magento | 1 Magento | 2020-07-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure . | |||||
| CVE-2020-4223 | 1 Ibm | 1 Maximo Asset Management | 2020-07-01 | 3.5 LOW | 5.4 MEDIUM |
| IBM Maximo Asset Management 7.6.0.10 and 7.6.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175121. | |||||
| CVE-2016-5394 | 1 Apache | 1 Sling | 2020-07-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities. | |||||
| CVE-2020-9584 | 1 Magento | 1 Magento | 2020-06-30 | 3.5 LOW | 5.4 MEDIUM |
| Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-15041 | 1 Php-fusion | 1 Php-fusion | 2020-06-30 | 3.5 LOW | 4.8 MEDIUM |
| PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field. | |||||
| CVE-2017-7388 | 1 Wallaceit | 1 Wallacepos | 2020-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) was discovered in 'wallacepos v1.4.1'. The vulnerability exists due to insufficient filtration of user-supplied data (token) passed to the 'wallacepos-master/myaccount/resetpassword.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2020-14943 | 1 Globalradar | 1 Bsa Radar | 2020-06-30 | 3.5 LOW | 5.4 MEDIUM |
| The Firstname and Lastname parameters in Global RADAR BSA Radar 1.6.7234.24750 and earlier are vulnerable to stored cross-site scripting (XSS) via Update User Profile. | |||||
| CVE-2020-4070 | 1 W3c | 1 Css Validator | 2020-06-30 | 3.5 LOW | 5.4 MEDIUM |
| In CSS Validator less than or equal to commit 54d68a1, there is a cross-site scripting vulnerability in handling URIs. A user would have to click on a specifically crafted validator link to trigger it. This has been patched in commit e5c09a9. | |||||