Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-29053 | 1 Hrsale | 1 Hrsale | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter. | |||||
| CVE-2020-29070 | 1 Oscommerce | 1 Oscommerce | 2020-11-27 | 3.5 LOW | 4.8 MEDIUM |
| osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters. | |||||
| CVE-2020-28649 | 1 Orbisius | 1 Child Theme Creator | 2020-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file. | |||||
| CVE-2020-25834 | 1 Microfocus | 1 Arcsight Logger | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting version 7.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS). | |||||
| CVE-2020-28650 | 1 Wpbakery | 1 Page Builder | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles. | |||||
| CVE-2020-10776 | 1 Redhat | 1 Keycloak | 2020-11-27 | 3.5 LOW | 4.8 MEDIUM |
| A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. | |||||
| CVE-2020-25454 | 1 Grocy Project | 1 Grocy | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe. | |||||
| CVE-2020-25798 | 1 Limesurvey | 1 Limesurvey | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When the survey attribute being edited or viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser. | |||||
| CVE-2020-26701 | 1 Kaaproject | 1 Kaa | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Dashboards section in Kaa IoT Platform v1.2.0 allows remote attackers to inject malicious web scripts or HTML Injection payloads via the Description parameter. | |||||
| CVE-2020-22723 | 1 Ljcmsshop Project | 1 Ljcmsshop | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhicheng Technology Co., Ltd ljcmsshop version 1.14 allows remote attackers to inject arbitrary web script or HTML via user.php by registering an account directly in the user center, and then adding the payload to the delivery address. | |||||
| CVE-2020-28350 | 1 Sokrates | 1 Sowasql | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in OPAC in Sokrates SOWA SowaSQL through 5.6.1 via the sowacgi.php typ parameter. | |||||
| CVE-2018-19787 | 3 Canonical, Debian, Lxml | 3 Ubuntu Linux, Debian Linux, Lxml | 2020-11-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. | |||||
| CVE-2020-29065 | 2020-11-26 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none. | |||||
| CVE-2020-8352 | 1 Lenovo | 32 Qitian 4500, Qitian 4500 Firmware, Qitian B4550 and 29 more | 2020-11-25 | 2.1 LOW | 2.4 LOW |
| In some Lenovo Desktop models, the Configuration Change Detection BIOS setting failed to detect SATA configuration changes. | |||||
| CVE-2020-26075 | 1 Cisco | 1 Iot Field Network Director | 2020-11-25 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the REST API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to gain access to the back-end database of an affected device. The vulnerability is due to insufficient input validation of REST API requests that are made to an affected device. An attacker could exploit this vulnerability by crafting malicious API requests to the affected device. A successful exploit could allow the attacker to gain access to the back-end database of the affected device. | |||||
| CVE-2020-26072 | 1 Cisco | 1 Iot Field Network Director | 2020-11-25 | 5.5 MEDIUM | 8.7 HIGH |
| A vulnerability in the SOAP API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to access and modify information on devices that belong to a different domain. The vulnerability is due to insufficient authorization in the SOAP API. An attacker could exploit this vulnerability by sending SOAP API requests to affected devices for devices that are outside their authorized domain. A successful exploit could allow the attacker to access and modify information on devices that belong to a different domain. | |||||
| CVE-2019-3689 | 2 Linux-nfs, Suse | 2 Nfs-utils, Linux Enterprise Server | 2020-11-25 | 10.0 HIGH | 9.8 CRITICAL |
| The nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2 the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system. | |||||
| CVE-2020-8036 | 1 Tcpdump | 1 Tcpdump | 2020-11-25 | 5.0 MEDIUM | 7.5 HIGH |
| The tok2strbuf() function in tcpdump 4.10.0-PRE-GIT was used by the SOME/IP dissector in an unsafe way. | |||||
| CVE-2020-8279 | 1 Nextcloud | 1 Social | 2020-11-25 | 5.8 MEDIUM | 7.4 HIGH |
| Missing validation of server certificates for out-going connections in Nextcloud Social < 0.4.0 allowed a man-in-the-middle attack. | |||||
| CVE-2020-26068 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2020-11-25 | 5.5 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users. | |||||
| CVE-2020-26077 | 1 Cisco | 1 Iot Field Network Director | 2020-11-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the access control functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to view lists of users from different domains that are configured on an affected system. The vulnerability is due to improper access control. An attacker could exploit this vulnerability by sending an API request that alters the domain for a requested user list on an affected system. A successful exploit could allow the attacker to view lists of users from different domains on the affected system. | |||||
| CVE-2020-26078 | 1 Cisco | 1 Iot Field Network Director | 2020-11-25 | 5.5 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the file system of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to overwrite files on an affected system. The vulnerability is due to insufficient file system protections. An attacker could exploit this vulnerability by crafting API requests and sending them to an affected system. A successful exploit could allow the attacker to overwrite files on an affected system. | |||||
| CVE-2020-26079 | 1 Cisco | 1 Iot Field Network Director | 2020-11-25 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the web UI of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to obtain hashes of user passwords on an affected device. The vulnerability is due to insufficient protection of user credentials. An attacker could exploit this vulnerability by logging in as an administrative user and crafting a call for user information. A successful exploit could allow the attacker to obtain hashes of user passwords on an affected device. | |||||
| CVE-2020-26080 | 1 Cisco | 1 Iot Field Network Director | 2020-11-25 | 4.0 MEDIUM | 4.1 MEDIUM |
| A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system. The vulnerability is due to improper domain access control. An attacker could exploit this vulnerability by manipulating JSON payloads to target different domains on an affected system. A successful exploit could allow the attacker to manage user information for users in different domains on an affected system. | |||||
| CVE-2020-26081 | 1 Cisco | 1 Iot Field Network Director | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web UI of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users on an affected system. The vulnerabilities are due to insufficient validation of user-supplied input that is processed by the web UI. An attacker could exploit these vulnerabilities by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information on an affected system. | |||||
| CVE-2020-27126 | 1 Cisco | 1 Webex Meetings | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in an API of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to improper validation of user-supplied input to an application programmatic interface (API) within Cisco Webex Meetings. An attacker could exploit this vulnerability by convincing a targeted user to follow a link designed to submit malicious input to the API used by Cisco Webex Meetings. A successful exploit could allow the attacker to conduct cross-site scripting attacks and potentially gain access to sensitive browser-based information from the system of a targeted user. | |||||
| CVE-2020-28129 | 1 Gym Management System Project | 1 Gym Management System | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored Cross-site scripting (XSS) vulnerability in SourceCodester Gym Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php?page=packages via vulnerable fields 'Package Name' and 'Description'. | |||||
| CVE-2019-14553 | 1 Tianocore | 1 Edk2 | 2020-11-25 | 4.0 MEDIUM | 4.9 MEDIUM |
| Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access. | |||||
| CVE-2018-16723 | 1 V-secure | 1 Jingyun Antivirus | 2020-11-25 | 4.6 MEDIUM | 7.8 HIGH |
| In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12364020. | |||||
| CVE-2018-16722 | 1 V-secure | 1 Jingyun Antivirus | 2020-11-25 | 4.6 MEDIUM | 7.8 HIGH |
| In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360094, a related issue to CVE-2018-16305. | |||||
| CVE-2018-16721 | 1 V-secure | 1 Jingyun Antivirus | 2020-11-25 | 4.6 MEDIUM | 7.8 HIGH |
| In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360090, a related issue to CVE-2018-16306. | |||||
| CVE-2018-16720 | 1 V-secure | 1 Jingyun Antivirus | 2020-11-25 | 4.6 MEDIUM | 7.8 HIGH |
| In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x1236001c, a related issue to CVE-2018-16304. | |||||
| CVE-2018-16719 | 1 V-secure | 1 Jingyun Antivirus | 2020-11-25 | 4.6 MEDIUM | 7.8 HIGH |
| In Jingyun Antivirus v2.4.2.39, the driver file (hookbody.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00221482. | |||||
| CVE-2017-14587 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. | |||||
| CVE-2017-14588 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. | |||||
| CVE-2017-18034 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch. | |||||
| CVE-2017-9508 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. | |||||
| CVE-2017-9510 | 1 Atlassian | 1 Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. | |||||
| CVE-2017-9511 | 2 Atlassian, Microsoft | 3 Crucible, Fisheye, Windows | 2020-11-25 | 5.0 MEDIUM | 7.5 HIGH |
| The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system. | |||||
| CVE-2017-9512 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 5.0 MEDIUM | 7.5 HIGH |
| The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks. | |||||
| CVE-2020-0181 | 1 Google | 1 Android | 2020-11-25 | 5.0 MEDIUM | 7.5 HIGH |
| In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145075076 | |||||
| CVE-2020-0198 | 2 Debian, Google | 2 Debian Linux, Android | 2020-11-25 | 5.0 MEDIUM | 7.5 HIGH |
| In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146428941 | |||||
| CVE-2019-7357 | 1 Intelliants | 1 Subrion Cms | 2020-11-25 | 6.8 MEDIUM | 8.8 HIGH |
| Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins. | |||||
| CVE-2020-22394 | 1 Yzmcms | 1 Yzmcms | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| In YzmCMS v5.5 the member contribution function in the editor contains a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2020-13877 | 1 Resourcexpress | 1 Meeting Monitor | 2020-11-24 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection issues in various ASPX pages of ResourceXpress Meeting Monitor 4.9 could lead to remote code execution and information disclosure. | |||||
| CVE-2020-12353 | 1 Intel | 1 Data Center Manager | 2020-11-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper permissions in the Intel(R) Data Center Manager Console before version 3.6.2 may allow an authenticated user to potentially enable denial of service via network access. | |||||
| CVE-2020-8669 | 1 Intel | 1 Data Center Manager | 2020-11-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper input validation in the Intel(R) Data Center Manager Console before version 3.6.2 may allow an authenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2020-27146 | 1 Tibco | 1 Iprocess Workspace Browser | 2020-11-24 | 6.8 MEDIUM | 8.8 HIGH |
| The Core component of TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser) contains a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a Cross Site Request Forgery (CSRF) attack on the affected system. A successful attack using this vulnerability requires human interaction from an authenticated user other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser): versions 11.6.0 and below. | |||||
| CVE-2020-5796 | 1 Nagios | 1 Nagios Xi | 2020-11-24 | 7.2 HIGH | 7.8 HIGH |
| Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and execute arbitrary PHP code with root privileges. | |||||
| CVE-2020-12346 | 1 Intel | 1 Battery Life Diagnostic Tool | 2020-11-24 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for the Intel(R) Battery Life Diagnostic Tool before version 1.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||