Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12677 | 1 Progress | 1 Moveit Automation | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0 prior to 2018.0.3, 2018 SP1 - 2018.2 prior to 2018.2.3, 2018 SP2 - 2018.3 prior to 2018.3.7, 2019 - 2019.0 prior to 2019.0.3, 2019.1 - 2019.1 prior to 2019.1.2, and 2019.2 - 2019.2 prior to 2019.2.2. | |||||
| CVE-2020-9524 | 1 Microfocus | 2 Enterprise Developer, Enterprise Server | 2020-05-19 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site scripting vulnerability on Micro Focus Enterprise Server and Enterprise developer, affecting all versions prior to version 5.0 Patch Update 8. The vulnerability could allow an attacker to trigger administrative actions when an administrator viewed malicious data left by the attacker (stored XSS) or followed a malicious link (reflected XSS). | |||||
| CVE-2020-12256 | 1 Rconfig | 1 Rconfig | 2020-05-18 | 3.5 LOW | 5.4 MEDIUM |
| rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit this by crafting arbitrary JavaScript in the deviceId GET parameter to devicemgmnt.php. | |||||
| CVE-2020-12259 | 1 Rconfig | 1 Rconfig | 2020-05-18 | 3.5 LOW | 5.4 MEDIUM |
| rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php. | |||||
| CVE-2019-20389 | 1 Intelliants | 1 Subrion | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding. | |||||
| CVE-2020-12685 | 1 Redhat | 1 Interchange | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in the admin help system admin/help.html and admin/quicklinks.html in Interchange 4.7.0 through 5.11.x allows remote attackers to steal credentials or data via browser JavaScript. | |||||
| CVE-2016-1113 | 1 Adobe | 1 Coldfusion | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-11285 | 1 Adobe | 1 Coldfusion | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe ColdFusion has a cross-site scripting (XSS) vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11. | |||||
| CVE-2020-2005 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7; All versions of PAN-OS 8.0. | |||||
| CVE-2020-5575 | 1 Sixapart | 1 Movable Type | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||
| CVE-2018-4941 | 1 Adobe | 1 Coldfusion | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure. | |||||
| CVE-2018-4940 | 1 Adobe | 1 Coldfusion | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure. | |||||
| CVE-2017-3008 | 1 Adobe | 1 Coldfusion | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a reflected cross-site scripting vulnerability. | |||||
| CVE-2020-11070 | 1 Typo3 | 1 Svg Sanitizer | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulnerability in versions before 1.0.3. Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Albeit the markup is not valid it still is evaluated in browsers and leads to cross-site scripting. This is fixed in version 1.0.3. | |||||
| CVE-2020-5283 | 1 Viewvc | 1 Viewvc | 2020-05-15 | 2.1 LOW | 3.5 LOW |
| ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28. | |||||
| CVE-2020-11036 | 1 Glpi-project | 1 Glpi | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "<script>alert(1)</script>" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket. 3. As an administrator (or other privileged user), open the created ticket. 4. On the "last update" field, put your mouse on the name of the user. 5. The XSS fires. This is fixed in version 9.4.6. | |||||
| CVE-2020-6257 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. | |||||
| CVE-2020-6254 | 1 Sap | 1 Enterprise Threat Detection | 2020-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Enterprise Threat Detection, versions 1.0, 2.0, does not sufficiently encode error response pages in case of errors, allowing XSS payload reflecting in the response, leading to reflected Cross Site Scripting. | |||||
| CVE-2020-5838 | 1 Symantec | 1 It Analytics | 2020-05-15 | 3.5 LOW | 4.8 MEDIUM |
| Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can potentially enable attackers to inject client-side scripts into web pages viewed by other users. | |||||
| CVE-2020-11064 | 1 Typo3 | 1 Typo3 | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. | |||||
| CVE-2020-11065 | 1 Typo3 | 1 Typo3 | 2020-05-15 | 3.5 LOW | 5.4 MEDIUM |
| In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. This has been fixed in 9.5.17 and 10.4.2. | |||||
| CVE-2020-2017 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All versions of PAN-OS 8.0. | |||||
| CVE-2016-4159 | 1 Adobe | 1 Coldfusion | 2020-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 20, 11 before Update 9, and 2016 before Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2020-12718 | 1 Php-fusion | 1 Php-fusion | 2020-05-14 | 3.5 LOW | 5.4 MEDIUM |
| In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle. | |||||
| CVE-2016-1000007 | 1 Redhat | 1 Pagure | 2020-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pagure 2.2.1 XSS in raw file endpoint | |||||
| CVE-2020-11062 | 1 Glpi-project | 1 Glpi | 2020-05-14 | 3.5 LOW | 5.4 MEDIUM |
| In GLPI after 0.68.1 and before 9.4.6, multiple reflected XSS issues occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6. | |||||
| CVE-2020-11055 | 1 Bookstackapp | 1 Bookstack | 2020-05-13 | 3.5 LOW | 5.4 MEDIUM |
| In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to other users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore run on other users' machines. This most impacts scenarios where untrusted users are given permission to create comments. This has been fixed in 0.29.2. | |||||
| CVE-2020-11006 | 1 Shopizer | 1 Shopizer | 2020-05-13 | 3.5 LOW | 5.4 MEDIUM |
| In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend. This has been patched in version 2.11.0. | |||||
| CVE-2020-10630 | 1 Sae-it | 2 Net-line Fw-50, Net-line Fw-50 Firmware | 2020-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAE IT-systems FW-50 Remote Telemetry Unit (RTU). The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in the output used as a webpage that is served to other users. | |||||
| CVE-2019-20768 | 1 Servicenow | 1 It Service Management | 2020-05-12 | 3.5 LOW | 5.4 MEDIUM |
| ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do. | |||||
| CVE-2020-12679 | 1 Mitel | 2 Mivoice Connect, Shoretel Conference Web | 2020-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATH_INFO to home.php. | |||||
| CVE-2020-12706 | 1 Php-fusion | 1 Php-fusion | 2020-05-12 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php. | |||||
| CVE-2020-12708 | 1 Php-fusion | 1 Php-fusion | 2020-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043. | |||||
| CVE-2016-1222 | 1 Kobe-beauty | 1 Php-contact-form | 2020-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Kobe Beauty php-contact-form before 2016-05-18 allows remote attackers to inject arbitrary web script or HTML via a crafted URI. | |||||
| CVE-2020-12696 | 1 Iframe Project | 1 Iframe | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The iframe plugin before 4.5 for WordPress does not sanitize a URL. | |||||
| CVE-2011-3881 | 2 Apple, Google | 4 Iphone Os, Safari, Android and 1 more | 2020-05-11 | 4.3 MEDIUM | N/A |
| WebKit, as used in Google Chrome before 15.0.874.102 and Android before 4.4, allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors related to (1) the DOMWindow::clear function and use of a selection object, (2) the Object::GetRealNamedPropertyInPrototypeChain function and use of a `__proto__` property, (3) the HTMLPlugInImageElement::allowedToLoadFrameURL function and use of a javascript: URL, (4) incorrect origins for XSLT-generated documents in the XSLTProcessor::createDocumentFromSource function, and (5) improper handling of synchronous frame loads in the ScriptController::executeIfJavaScriptURL function. | |||||
| CVE-2020-5746 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. | |||||
| CVE-2020-12683 | 1 Katyshop2 Project | 1 Katyshop2 | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Katyshop2 before 2.12 has multiple stored XSS issues. | |||||
| CVE-2020-11026 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | |||||
| CVE-2020-11029 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | |||||
| CVE-2020-5749 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group. | |||||
| CVE-2020-5748 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. | |||||
| CVE-2020-5747 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. | |||||
| CVE-2020-5750 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. | |||||
| CVE-2020-5751 | 1 Tecnick | 1 Tcexam | 2020-05-11 | 3.5 LOW | 5.4 MEDIUM |
| Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator. | |||||
| CVE-2020-12052 | 1 Grafana | 1 Grafana | 2020-05-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grafana version < 6.7.3 is vulnerable to annotation popup XSS. | |||||
| CVE-2020-3313 | 1 Cisco | 1 Firepower Management Center | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web UI of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the FMC Software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or to access sensitive, browser-based information. | |||||
| CVE-2020-11051 | 1 Requarks | 1 Wiki.js | 2020-05-08 | 3.5 LOW | 4.8 MEDIUM |
| In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor (with write access as well) loads the same page into the Markdown editor, the XSS payload will be executed as part of the preview panel. The rendered result does not contain the XSS payload as it is stripped by the HTML Sanitization security module. This vulnerability only impacts editors loading the malicious page in the Markdown editor. This has been patched in 2.3.81. | |||||
| CVE-2020-4384 | 1 Ibm | 2 Infosphere Information Server On Cloud, Infosphere Qualitystage | 2020-05-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 179265. | |||||
| CVE-2020-3955 | 1 Vmware | 1 Esxi | 2020-05-08 | 4.3 MEDIUM | 9.3 CRITICAL |
| ESXi 6.5 without patch ESXi650-201912104-SG and ESXi 6.7 without patch ESXi670-202004103-SG do not properly neutralize script-related HTML when viewing virtual machine attributes. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.3. | |||||
