Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18866 | 1 Netgear | 14 6r7500, 6r7500 Firmware, R6100 and 11 more | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects R9000 before 1.0.2.40, R6100 before 1.0.1.1, 6R7500 before 1.0.0.110, R7500v2 before 1.0.3.20, R7800 before 1.0.2.36, WNDR4300v2 before 1.0.0.48, and WNR2000v5 before 1.0.0.58. | |||||
| CVE-2020-12703 | 1 Ulicms | 1 Ulicms | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| UliCMS before 2020.2 has XSS during PackageController uninstall. | |||||
| CVE-2020-12705 | 1 Lepton-cms | 1 Leptoncms | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0. | |||||
| CVE-2020-12704 | 1 Ulicms | 1 Ulicms | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| UliCMS before 2020.2 has PageController stored XSS. | |||||
| CVE-2020-12707 | 1 Lepton-cms | 1 Lepton Cms | 2020-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements. | |||||
| CVE-2018-20590 | 1 Generic Content Management System Project | 1 Generic Content Management System | 2020-05-08 | 3.5 LOW | 4.8 MEDIUM |
| Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/users.php user ID. | |||||
| CVE-2020-11030 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | |||||
| CVE-2020-11737 | 1 Zimbra | 1 Zimbra | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2. | |||||
| CVE-2016-5682 | 1 Smartbear | 1 Swagger-ui | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section. | |||||
| CVE-2017-7188 | 1 Zurmo | 1 Zurmo Crm | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse. | |||||
| CVE-2020-8799 | 1 Webtechideas | 1 Wti Like Post | 2020-05-07 | 3.5 LOW | 4.8 MEDIUM |
| A Stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin through 1.4.5 for WordPress. Once the administrator has submitted the data, the script stored is executed for all the users visiting the website. | |||||
| CVE-2020-8033 | 1 Commscope | 2 Ruckus Zoneflex R500, Ruckus Zoneflex R500 Firmware | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Device Name field. | |||||
| CVE-2011-3877 | 1 Google | 1 Chrome | 2020-05-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the appcache internals page in Google Chrome before 15.0.874.102 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2020-12639 | 1 Phplist | 1 Phplist | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. | |||||
| CVE-2019-17557 | 1 Apache | 1 Syncope | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| It was found that the Apache Syncope EndUser UI login page prior to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this means, a user accessing the Enduser UI could execute JavaScript code from the URL query string. | |||||
| CVE-2020-5334 | 1 Rsa | 1 Archer | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contains a Document Object Model (DOM) based cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to DOM environment in the browser. The malicious code is then executed by the web browser in the context of the vulnerable web application. | |||||
| CVE-2020-11727 | 1 Algolplus | 1 Advanced Order Export | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the AlgolPlus Advanced Order Export For WooCommerce plugin 3.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the view/settings-form.php woe_post_type parameter. | |||||
| CVE-2019-19514 | 1 Ayision | 2 Ays-wr01, Ays-wr01 Firmware | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic repeater settings via an SSID. | |||||
| CVE-2019-19515 | 1 Ayision | 2 Ays-wr01, Ays-wr01 Firmware | 2020-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in wireless settings. | |||||
| CVE-2020-11025 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2020-05-07 | 3.5 LOW | 5.4 MEDIUM |
| In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | |||||
| CVE-2020-12629 | 1 Enhancesoft | 1 Osticket | 2020-05-06 | 3.5 LOW | 5.4 MEDIUM |
| include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name. | |||||
| CVE-2018-0618 | 2 Debian, Gnu | 2 Debian Linux, Mailman | 2020-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-13256 | 1 Chartered Accountant \ | 1 Auditor Website Project | 2020-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall Auditor Website 2.0.1 has XSS via the lastname or firstname parameter. | |||||
| CVE-2020-10944 | 1 Hashicorp | 1 Nomad | 2020-05-06 | 3.5 LOW | 5.4 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. Fixed in 0.10.5. | |||||
| CVE-2015-2796 | 1 Projectpier | 1 Projectpier | 2020-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Project-Pier ProjectPier-Core allow remote attackers to inject arbitrary web script or HTML via the search_for parameter to (1) search_by_tag.php, (2) search_contacts.php, or (3) search.php. | |||||
| CVE-2019-7634 | 1 Ifrn | 1 Sistema Unificado De Administracao Publica | 2020-05-06 | 3.5 LOW | 5.4 MEDIUM |
| SUAP V2 allows XSS during the update of user information. | |||||
| CVE-2018-21155 | 1 Netgear | 20 D7800, D7800 Firmware, Dm200 and 17 more | 2020-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.34, DM200 before 1.0.0.52, R6100 before 1.0.1.22, R7500 before 1.0.0.122, R7500v2 before 1.0.3.26, R7800 before 1.0.2.42, R8900 before 1.0.4.2, R9000 before 1.0.3.16, WNDR4300 before 1.0.2.98, WNDR4300v2 before 1.0.0.54, WNDR4500v3 before 1.0.0.54, and WNR2000v5 before 1.0.0.64. | |||||
| CVE-2019-20738 | 1 Netgear | 50 D6100, D6100 Firmware, D7800 and 47 more | 2020-05-05 | 3.5 LOW | 5.4 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.58, D7800 before 1.0.1.34, JNR1010v2 before 1.1.0.50, JWNR2010v5 before 1.1.0.50, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, R6020 before 1.0.0.30, R6080 before 1.0.0.30, R6100 before 1.0.1.16, R6120 before 1.0.0.40, R6700v2 before 1.2.0.14, R6800 before 1.2.0.14, R6900v2 before 1.2.0.14, R7500v2 before 1.0.3.26, R7800 before 1.0.2.46, R9000 before 1.0.4.2, WN3000RPv2 before 1.0.0.52, WN3000RPv3 before 1.0.2.78, WNDR3700v4 before 1.0.2.102, WNDR3700v5 before 1.1.0.54, WNDR4300v1 before 1.0.2.104, WNDR4300v2 before 1.0.0.48, WNDR4500v3 before 1.0.0.48, WNR1000v4 before 1.1.0.50, WNR2000v5 before 1.0.0.64, WNR2020 before 1.1.0.50, and WNR2050 before 1.1.0.50. NOTE: this may be a result of an incomplete fix for CVE-2017-18866. | |||||
| CVE-2020-10093 | 1 Lexmark | 160 6500e, 6500e Firmware, C734 and 157 more | 2020-05-05 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Lexmark Pro910 series inkjet and other discontinued products. | |||||
| CVE-2020-11944 | 1 Bitcoin-abe Project | 1 Bitcoin-abe | 2020-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Abe (aka bitcoin-abe) through 0.7.2, and 0.8pre, allows XSS in __call__ in abe.py because the PATH_INFO environment variable is mishandled during a PageNotFound exception. | |||||
| CVE-2018-21167 | 1 Netgear | 42 D6100, D6100 Firmware, Dm200 and 39 more | 2020-05-05 | 3.5 LOW | 5.5 MEDIUM |
| Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.57, DM200 before 1.0.0.50, EX2700 before 1.0.1.32, EX6100v2 before 1.0.1.70, EX6150v2 before 1.0.1.70, EX6200v2 before 1.0.1.62, EX6400 before 1.0.1.78, EX7300 before 1.0.1.78, EX8000 before 1.0.0.114, R6100 before 1.0.1.22, R7500 before 1.0.0.122, R7800 before 1.0.2.42, R8900 before 1.0.3.10, R9000 before 1.0.3.10, WN2000RPTv3 before 1.0.1.26, WN3000RPv3 before 1.0.2.66, WN3100RPv2 before 1.0.0.42, WNDR3700v4 before 1.0.2.96, WNDR4300 before 1.0.2.98, WNDR4300v2 before 1.0.0.54, WNDR4500v3 before 1.0.0.54, and WNR2000v5 before 1.0.0.64. | |||||
| CVE-2020-6213 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2020-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_PHTMLB, versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, is vulnerable to reflected Cross-Site Scripting (XSS) via different URL parameters as it does not sufficiently encode user controlled inputs. | |||||
| CVE-2020-5889 | 1 F5 | 1 Big-ip Access Policy Manager | 2020-05-05 | 3.5 LOW | 5.4 MEDIUM |
| On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, in BIG-IP APM portal access, a specially crafted HTTP request can lead to reflected XSS after the BIG-IP APM system rewrites the HTTP response from the untrusted backend server and sends it to the client. | |||||
| CVE-2020-12438 | 1 Php-fusion | 1 Php-fusion | 2020-05-05 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags. | |||||
| CVE-2017-2216 | 1 Wpdownloadmanager | 1 Wordpress Download Manager | 2020-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WordPress Download Manager prior to version 2.9.50 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-18032 | 1 Wpdownloadmanager | 1 Wordpress Download Manager | 2020-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| The download-manager plugin before 2.9.52 for WordPress has XSS via the id parameter in a wpdm_generate_password action to wp-admin/admin-ajax.php. | |||||
| CVE-2013-7319 | 1 Wpdownloadmanager | 1 Wordpress Download Manager | 2020-05-05 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field. | |||||
| CVE-2020-10094 | 1 Lexmark | 160 6500e, 6500e Firmware, C734 and 157 more | 2020-05-04 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Lexmark CS31x before LW74.VYL.P273; CS41x before LW74.VY2.P273; CS51x before LW74.VY4.P273; CX310 before LW74.GM2.P273; CX410 & XC2130 before LW74.GM4.P273; CX510 & XC2132 before LW74.GM7.P273; MS310, MS312, MS317 before LW74.PRL.P273; MS410, M1140 before LW74.PRL.P273; MS315, MS415, MS417 before LW74.TL2.P273; MS51x, MS610dn, MS617 before LW74.PR2.P273; M1145, M3150dn before LW74.PR2.P273; MS610de, M3150 before LW74.PR4.P273; MS71x,M5163dn before LW74.DN2.P273; MS810, MS811, MS812, MS817, MS818 before LW74.DN2.P273; MS810de, M5155, M5163 before LW74.DN4.P273; MS812de, M5170 before LW74.DN7.P273; MS91x before LW74.SA.P273; MX31x, XM1135 before LW74.SB2.P273; MX410, MX510 & MX511 before LW74.SB4.P273; XM1140, XM1145 before LW74.SB4.P273; MX610 & MX611 before LW74.SB7.P273; XM3150 before LW74.SB7.P273; MX71x, MX81x before LW74.TU.P273; XM51xx & XM71xx before LW74.TU.P273; MX91x & XM91x before LW74.MG.P273; MX6500e before LW74.JD.P273; C746 before LHS60.CM2.P738; C748, CS748 before LHS60.CM4.P738; C792, CS796 before LHS60.HC.P738; C925 before LHS60.HV.P738; C950 before LHS60.TP.P738; X548 & XS548 before LHS60.VK.P738; X74x & XS748 before LHS60.NY.P738; X792 & XS79x before LHS60.MR.P738; X925 & XS925 before LHS60.HK.P738; X95x & XS95x before LHS60.TQ.P738; 6500e before LHS60.JR.P738;C734 LR.SK.P824 and earlier; C736 LR.SKE.P824 and earlier; E46x LR.LBH.P824 and earlier; T65x LR.JP.P824 and earlier; X46x LR.BS.P824 and earlier; X65x LR.MN.P824 and earlier; X73x LR.FL.P824 and earlier; W850 LP.JB.P823 and earlier; and X86x LP.SP.P823 and earlier. | |||||
| CVE-2020-12132 | 1 Fifthplay | 1 S.a.m.i | 2020-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fifthplay S.A.M.I before 2019.3_HP2 allows unauthenticated stored XSS via a POST request. | |||||
| CVE-2020-12472 | 1 Mono | 1 Monox | 2020-05-04 | 3.5 LOW | 5.4 MEDIUM |
| MonoX through 5.1.40.5152 allows stored XSS via User Status, Blog Comments, or Blog Description. | |||||
| CVE-2020-12276 | 1 Gitlab | 1 Gitlab | 2020-05-04 | 3.5 LOW | 4.8 MEDIUM |
| GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature. | |||||
| CVE-2018-21209 | 1 Netgear | 20 Jnr1010, Jnr1010 Firmware, Jr6150 and 17 more | 2020-05-04 | 3.5 LOW | 4.8 MEDIUM |
| Certain NETGEAR devices are affected by reflected XSS. This affects JNR1010v2 before 1.1.0.46, JR6150 before 1.0.1.10, JWNR2010v5 before 1.1.0.46, PR2000 before 1.0.0.20, R6050 before 1.0.1.10, R6220 before 1.1.0.60, WNDR3700v5 before 1.1.0.50, WNR1000v4 before 1.1.0.46, WNR2020 before 1.1.0.46, and WNR2050 before 1.1.0.46. | |||||
| CVE-2020-11822 | 1 Rukovoditel | 1 Rukovoditel | 2020-05-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page. Thus, an attacker can inject malicious script to steal all users' valuable data. | |||||
| CVE-2017-12358 | 1 Cisco | 1 Jabber | 2020-05-04 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Jabber for Windows, Mac, Android, and iOS could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvf79080, CSCvf79088. | |||||
| CVE-2020-6579 | 1 Mailbeez | 1 Mailbeez | 2020-05-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in mailhive/cloudbeez/cloudloader.php and mailhive/cloudbeez/cloudloader_core.php in the MailBeez plugin for ZenCart before 3.9.22 allows remote attackers to inject arbitrary web script or HTML via the cloudloader_mode parameter. | |||||
| CVE-2019-11999 | 1 Hpe | 1 Opencall Media Platform | 2020-05-01 | 4.9 MEDIUM | 6.9 MEDIUM |
| Potential security vulnerabilities have been identified in HPE OpenCall Media Platform (OCMP) resulting in remote arbitrary file download and cross site scripting. HPE has made the following updates available to resolve the vulnerability in the impacted versions of OCMP. * For OCMP version 4.4.X - please upgrade to OCMP 4.4.8 and then install RP806 * For OCMP 4.5.x please contact HPE Technical Support to obtain the necessary software updates. | |||||
| CVE-2020-10797 | 1 Netgate | 1 Pfsense | 2020-05-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed. | |||||
| CVE-2020-7642 | 1 Lazysizes Project | 1 Lazysizes | 2020-05-01 | 3.5 LOW | 5.4 MEDIUM |
| lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript. | |||||
| CVE-2020-5570 | 1 Ni-consul | 1 Sales Force Assistant | 2020-05-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Sales Force Assistant version 11.2.48 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2020-8477 | 1 Abb | 1 800xa Information Manager | 2020-04-30 | 6.8 MEDIUM | 8.8 HIGH |
| The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code. | |||||
