Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16534 | 1 Draytek | 8 Vigor2925 Firmware, Vigor2925ac, Vigor2925fn and 5 more | 2020-04-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists via a crafted WAN name on the General Setup screen. NOTE: this is an end-of-life product. | |||||
| CVE-2019-17231 | 1 Mageewp | 1 Onetone | 2020-04-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues. | |||||
| CVE-2020-11499 | 1 Firmware Analysis And Comparison Tool Project | 1 Firmware Analysis And Comparison Tool | 2020-04-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Firmware Analysis and Comparison Tool (FACT) 3 has Stored XSS when updating analysis details via a localhost web request, as demonstrated by mishandling of the tags and version fields in helperFunctions/mongo_task_conversion.py. | |||||
| CVE-2020-11454 | 1 Microstrategy | 1 Microstrategy Web | 2020-04-03 | 3.5 LOW | 5.4 MEDIUM |
| Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the application. | |||||
| CVE-2019-19002 | 1 Abb | 1 Esoms | 2020-04-03 | 3.5 LOW | 5.4 MEDIUM |
| For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browser not supporting Content Security Policy, this might increase the risk of Cross Site Scripting. | |||||
| CVE-2019-19003 | 1 Abb | 1 Esoms | 2020-04-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow Javascript to access the cookie contents, which in turn might enable Cross Site Scripting. | |||||
| CVE-2019-19095 | 1 Abb | 1 Esoms | 2020-04-03 | 3.5 LOW | 5.4 MEDIUM |
| Lack of adequate input/output validation for ABB eSOMS versions 4.0 to 6.0.2 might allow an attacker to attack such as stored cross-site scripting by storing malicious content in the database. | |||||
| CVE-2020-8966 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2020-04-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page. | |||||
| CVE-2020-1949 | 1 Apache | 1 Sling Cms | 2020-04-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks. | |||||
| CVE-2020-4303 | 1 Ibm | 1 Websphere Application Server | 2020-04-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668. | |||||
| CVE-2020-4304 | 1 Ibm | 1 Websphere Application Server | 2020-04-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670. | |||||
| CVE-2020-10203 | 1 Sonatype | 1 Nexus | 2020-04-02 | 3.5 LOW | 4.8 MEDIUM |
| Sonatype Nexus Repository before 3.21.2 allows XSS. | |||||
| CVE-2020-10247 | 1 Misp | 1 Misp | 2020-04-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp. | |||||
| CVE-2020-10246 | 1 Misp | 1 Misp | 2020-04-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp. | |||||
| CVE-2019-10180 | 2 Dogtagpki, Redhat | 2 Dogtagpki, Certificate System | 2020-04-02 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code. | |||||
| CVE-2020-6753 | 1 Auth0 | 1 Login By Auth0 | 2020-04-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Login by Auth0 plugin before 4.0.0 for WordPress allows stored XSS on multiple pages, a different issue than CVE-2020-5392. | |||||
| CVE-2018-0612 | 1 5000 Trillion Yen Converter Project | 1 5000 Trillion Yen Converter | 2020-04-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in 5000 trillion yen converter v1.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-14881 | 1 Moodle | 1 Moodle | 2020-04-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where user email is displayed. | |||||
| CVE-2020-9055 | 1 Versiant | 1 Lynx Customer Service Portal | 2020-04-01 | 3.5 LOW | 5.4 MEDIUM |
| Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user. This could lead to website redirects, session cookie hijacking, or information disclosure. | |||||
| CVE-2020-11106 | 1 Tecrail | 1 Responsive Filemanager | 2020-04-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $_SESSION['RF']["view_type"] wasn't sanitized if it was already set. This made stored XSS possible if one opens ajax_calls.php and uses the "view" action and places a payload in the type parameter, and then returns to the dialog.php page. This occurs because ajax_calls.php was also able to set the $_SESSION['RF']["view_type"] variable, but there it wasn't sanitized. | |||||
| CVE-2019-13495 | 1 Zyxel | 2 Xgs2210-52hp, Xgs2210-52hp Firmware | 2020-04-01 | 3.5 LOW | 5.4 MEDIUM |
| In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allows remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field. | |||||
| CVE-2020-5392 | 1 Auth0 | 1 Wp-auth0 | 2020-04-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in the Auth0 plugin before 4.0.0 for WordPress via the settings page. | |||||
| CVE-2020-8923 | 1 Dart | 1 Dart Software Development Kit | 2020-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). Mitigation: update your Dart SDK to 2.7.2, and 2.8.0-dev.17.0 for the dev version. If you cannot update, we recommend you review the way you use the affected APIs, and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using Element.innerText or Node.text to populate DOM elements. | |||||
| CVE-2020-4235 | 1 Ibm | 1 Tivoli Netcool\/impact | 2020-03-31 | 3.5 LOW | 5.4 MEDIUM |
| IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175408. | |||||
| CVE-2019-19912 | 1 Intland | 1 Codebeamer Application Lifecycle Management | 2020-03-31 | 3.5 LOW | 4.8 MEDIUM |
| In Intland codeBeamer ALM 9.5 and earlier, a cross-site scripting (XSS) vulnerability in the Upload Flash File feature allows authenticated remote attackers to inject arbitrary scripts via an active script embedded in an SWF file. | |||||
| CVE-2020-10509 | 1 Sun | 1 Ehrd | 2020-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sunnet eHRD, a human training and development management system, contains vulnerability of Cross-Site Scripting (XSS), attackers can inject arbitrary command into the system and launch XSS attack. | |||||
| CVE-2020-2161 | 1 Jenkins | 1 Jenkins | 2020-03-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels. | |||||
| CVE-2020-2169 | 1 Jenkins | 1 Queue Cleanup | 2020-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability. | |||||
| CVE-2020-2170 | 1 Jenkins | 1 Rapiddeploy | 2020-03-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability. | |||||
| CVE-2020-9520 | 1 Microfocus | 1 Vibe | 2020-03-27 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS vulnerability was discovered in Micro Focus Vibe, affecting all Vibe version prior to 4.0.7. The vulnerability could allows a remote attacker to craft and store malicious content into Vibe such that when the content is viewed by another user of the system, attacker controlled JavaScript will execute in the security context of the target user’s browser. | |||||
| CVE-2020-8985 | 1 Zend | 1 Zendto | 2020-03-27 | 6.8 MEDIUM | 8.8 HIGH |
| ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality. | |||||
| CVE-2020-10790 | 1 It-novum | 1 Openitcockpit | 2020-03-27 | 3.5 LOW | 5.4 MEDIUM |
| openITCOCKPIT before 3.7.3 has unnecessary files (such as Lodash files) under the web root, which leads to XSS. | |||||
| CVE-2020-2163 | 1 Jenkins | 1 Jenkins | 2020-03-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers. | |||||
| CVE-2020-2162 | 1 Jenkins | 1 Jenkins | 2020-03-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability. | |||||
| CVE-2020-5277 | 1 Prestashop | 1 Faceted Search Module | 2020-03-27 | 3.5 LOW | 5.4 MEDIUM |
| PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflected XSS with `url_name` parameter. The problem is fixed in 3.5.0 | |||||
| CVE-2018-11075 | 2 Emc, Rsa | 2 Rsa Authentication Manager, Authentication Manager | 2020-03-27 | 2.6 LOW | 4.7 MEDIUM |
| RSA Authentication Manager versions prior to 8.3 P3 contain a reflected cross-site scripting vulnerability in a Security Console page. A remote, unauthenticated malicious user, with the knowledge of a target user's anti-CSRF token, could potentially exploit this vulnerability by tricking a victim Security Console user to supply malicious HTML or JavaScript code to the vulnerable web application, which code is then executed by the victim's web browser in the context of the vulnerable web application. | |||||
| CVE-2018-11074 | 2 Emc, Rsa | 2 Rsa Authentication Manager, Authentication Manager | 2020-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| RSA Authentication Manager versions prior to 8.3 P3 are affected by a DOM-based cross-site scripting vulnerability which exists in its embedded MadCap Flare Help files. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the browser DOM, which code is then executed by the web browser in the context of the vulnerable web application. | |||||
| CVE-2018-1254 | 1 Emc | 1 Rsa Authentication Manager | 2020-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. | |||||
| CVE-2018-11073 | 2 Emc, Rsa | 2 Rsa Authentication Manager, Authentication Manager | 2020-03-27 | 3.5 LOW | 4.8 MEDIUM |
| RSA Authentication Manager versions prior to 8.3 P3 contain a stored cross-site scripting vulnerability in the Operations Console. A malicious Operations Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser. | |||||
| CVE-2012-2278 | 2 Emc, Rsa | 3 Rsa Authentication Manager, Authentication Manager, Securid Appliance | 2020-03-27 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the (1) Self-Service Console and (2) Security Console in EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-0623 | 1 Emc | 1 Rsa Authentication Manager | 2020-03-27 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Self-Service Console in EMC RSA Authentication Manager 7.1 before SP4 P32 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "cross frame scripting" issue. | |||||
| CVE-2020-10477 | 1 Knowledgebase-script | 1 Phpkb | 2020-03-26 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/manage-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort. | |||||
| CVE-2020-10472 | 1 Chadhaajay | 1 Phpkb | 2020-03-26 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/manage-templates.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort. | |||||
| CVE-2020-10473 | 1 Chadhaajay | 1 Phpkb | 2020-03-26 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/manage-categories.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort. | |||||
| CVE-2020-10474 | 1 Chadhaajay | 1 Phpkb | 2020-03-26 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/manage-comments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort. | |||||
| CVE-2020-10475 | 1 Chadhaajay | 1 Phpkb | 2020-03-26 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/manage-tickets.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort. | |||||
| CVE-2020-10476 | 1 Knowledgebase-script | 1 Phpkb | 2020-03-26 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/manage-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort. | |||||
| CVE-2020-10467 | 1 Chadhaajay | 1 Phpkb | 2020-03-26 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/edit-comment.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter p. | |||||
| CVE-2020-10470 | 1 Chadhaajay | 1 Phpkb | 2020-03-26 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/manage-fields.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort. | |||||
| CVE-2020-10469 | 1 Chadhaajay | 1 Phpkb | 2020-03-26 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/manage-departments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort. | |||||