Total: 42233 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-8245 | Citrix | Application Delivery Controller, Application Delivery Controller Firmware, Gateway and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-WAN WANOP 11.1 before 11.1.2a, Citrix SD-WAN WANOP 11.0 before 11.0.3f, Citrix SD-WAN WANOP 10.2 before 10.2.7b leads to an HTML Injection attack against the SSL VPN web po ... |
| CVE-2020-8238 | Ivanti, Pulsesecure | Connect Secure, Policy Secure, Pulse Connect Secure and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS). |
| CVE-2020-8217 | Ivanti, Pulsesecure | Connect Secure, Policy Secure, Pulse Connect Secure and 1 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in Pulse Connect Secure < 9.1R8 allowed attackers to exploit it via the URL used for Citrix ICA. |
| CVE-2020-8208 | Citrix | Xenmobile Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Improper input validation in Citrix XenMobile Server 10.12 before RP1, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.11 before RP6 and Citrix XenMobile Server before 10.9 RP5 allows Cross-Site Scripting (XSS). |
| CVE-2020-8204 | Ivanti, Pulsesecure | Connect Secure, Policy Secure, Pulse Connect Secure and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability exists in Pulse Connect Secure < 9.1R5 on the PSAL page. |
| CVE-2020-8198 | Citrix | 4000-wo, 4100-wo, 5000-wo and 8 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in Stored Cross-Site Scripting (XSS). |
| CVE-2020-8191 | Citrix | 4000-wo, 4100-wo, 5000-wo and 8 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross-Site Scripting (XSS). |
| CVE-2020-8189 | Nextcloud | Desktop | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting error in the Nextcloud Desktop client 2.6.4 allowed any HTML (including local links) to be presented when the server responded with invalid data on a login attempt. |
| CVE-2020-8176 | Shopify | Koa-shopify-auth | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint. |
| CVE-2020-8170 | Ui | Ag-hp-2g16, Ag-hp-2g20, Ag-hp-5g23 and 48 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | We have recently released a new version of AirMax AirOS firmware, v6.3.0 for TI, XW and XM boards, that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior for TI, XW and XM boards, according to the description below: Multiple endpoints with parameters vulnerable to reflected cross-site scripting (XSS), allowing attackers to abuse the user's session information and/or take over the admin user's account. Mitigation: Update to the latest AirMax AirOS firmware version available at the AirMax download ... |
| CVE-2020-8160 | Mendix | Mendixsso | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a Cross-Site Scripting vulnerability via the URL path. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint, causing it to be executed within the context of the victim's browser. |
| CVE-2020-8155 | Nextcloud | Nextcloud Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An outdated third-party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a cross-site scripting vulnerability when opening a malicious PDF. |
| CVE-2020-8127 | Revealjs | Reveal.js | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allows attackers to perform cross-site scripting attacks. |
| CVE-2020-8120 | Nextcloud | Nextcloud Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the SVG generation. |
| CVE-2020-8115 | Revive-adserver | Revive Adserver | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printe ... |
| CVE-2020-8091 | Typo3 | Typo3 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname. |
| CVE-2020-8090 | A1 | Wlan Box Adb Vv2220, Wlan Box Adb Vv2220 Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Username field in the Storage Service settings of A1 WLAN Box ADB VV2220v2 devices allows stored XSS (after a successful Administrator login). |
| CVE-2020-8089 | Piwigo | Piwigo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Piwigo 2.10.1 is affected by stored XSS via the Group Name field on the group_list page. |
| CVE-2020-8035 | Horde | Groupware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL. |
| CVE-2020-8034 | Horde | Gollem, Groupware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL. |
| CVE-2020-8033 | Commscope | Ruckus Zoneflex R500, Ruckus Zoneflex R500 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Device Name field. |
| CVE-2020-8031 | Opensuse | Open Build Service | 2024-11-21 | 3.5 LOW | 6.3 MEDIUM | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects Open Build Service versions prior to 2.10.8. |
| CVE-2020-8020 | Debian, Opensuse | Debian Linux, Open Build Service | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | An Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects openSUSE open-build-service versions prior to commit 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb. |
| CVE-2020-7997 | Asus | Rt-ac66u, Rt-ac66u Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | ASUS RT-AC66U devices with firmware 3.0.0.4.372_67 allow XSS via the Client Name field of the Parental Control feature. |
| CVE-2020-7996 | Dolibarr | Dolibarr Erp/crm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header. |
| CVE-2020-7994 | Dolibarr | Dolibarr Erp/crm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[def ... |
| CVE-2020-7990 | Adive | Framework | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Adive Framework 2.0.8 has XSS via the userName parameter to admin/user/add. |
| CVE-2020-7989 | Adive | Framework | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Adive Framework 2.0.8 has XSS via the userUsername parameter to admin/user/add. |
| CVE-2020-7973 | Gitlab | Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | GitLab through 12.7.2 allows XSS. |
| CVE-2020-7971 | Gitlab | Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | GitLab EE 11.0 and later through 12.7.2 allows XSS. |
| CVE-2020-7937 | Plone | Plone | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. |
| CVE-2020-7934 | Liferay | Liferay Portal | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | In Liferay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE versio ... |
| CVE-2020-7915 | Eaton | 5p 850, 5p 850 Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator. |
| CVE-2020-7913 | Jetbrains | Youtrack | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description. |
| CVE-2020-7911 | Jetbrains | Teamcity | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In JetBrains TeamCity before 2019.2, several user-level pages were vulnerable to XSS. |
| CVE-2020-7910 | Jetbrains | Teamcity | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | JetBrains TeamCity before 2019.2 was vulnerable to a stored XSS attack by a user with the developer role. |
| CVE-2020-7809 | Altools | Alsong | 2024-11-21 | 4.3 MEDIUM | 4.4 MEDIUM | ALSong 3.46 and earlier versions contain a Document Object Model (DOM) based cross-site scripting vulnerability caused by improper validation of user input. A remote attacker could exploit this vulnerability by tricking the victim into opening an ALSong Album (.sab) file. |
| CVE-2020-7776 | Phpoffice | Phpspreadsheet | 2024-11-21 | 3.5 LOW | 7.1 HIGH | This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is returned as HTML. A fix for this issue is available in commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845 on the master branch. |
| CVE-2020-7773 | Markdown-it-highlightjs Project | Markdown-it-highlightjs | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | This affects the package markdown-it-highlightjs before 3.3.1. It is possible to insert malicious JavaScript as the value of lang in the markdown-it-highlightjs inline code highlighting feature. Proof of concept: `` const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require("markdown-it"); const result_xss = md().use(markdownItHighlightjs, { inline: true }).render('`console.log(42)`{.">js}'); console.log(result_xss); `` |
| CVE-2020-7750 | Mit | Scratch-svg-renderer | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL | This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function. |
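Two root causes recur in the descriptions above: a user-controlled value dropped into an HTML attribute (the `lang` value that breaks out of the class attribute with `">` in the markdown-it-highlightjs entry) and user-controlled text reflected into the page body (the URL path in the MendixSSO entry, the Referer header in the Dolibarr entry). The block below is an added illustration of both patterns and their fixes; it is not code from any project in this list, and the function names, the language-name regex and the payload strings are assumptions made for the example.

```javascript
// Added illustration, not code from any project listed on this page.
// Shows the two output-encoding failures behind many entries above and the
// context-aware encoding (plus an allowlist where the value has a narrow
// legal form) that removes them.

// Encode a string for HTML text content or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the code span is escaped, but the language name is
// interpolated raw into the class attribute, so a lang value that starts
// with `">` closes the attribute and the tag and injects new markup.
function renderInlineCodeUnsafe(code, lang) {
  return `<code class="language-${lang}">${escapeHtml(code)}</code>`;
}

// Hardened: language names are identifiers, so reject anything else and
// fall back to a neutral value; attribute-encode it anyway as defence in depth.
// The accepted character set is an assumption for this example.
const LANG_RE = /^[A-Za-z0-9_+#.-]{1,32}$/;
function renderInlineCodeSafe(code, lang) {
  const safeLang = LANG_RE.test(lang) ? lang : "plaintext";
  return `<code class="language-${escapeHtml(safeLang)}">${escapeHtml(code)}</code>`;
}

// Vulnerable pattern: reflecting the request path into an error page body.
function errorPageUnsafe(path) {
  return `<p>No handler for ${path}</p>`;
}

// Hardened: encode before interpolating into HTML text.
function errorPageSafe(path) {
  return `<p>No handler for ${escapeHtml(path)}</p>`;
}

// Test oracle only (not a sanitizer): list the element names opened in a fragment.
function tagNames(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed payloads: an attribute break-out modelled on the `">` prefix in
// the markdown-it-highlightjs description, and a script tag in a URL path.
const LANG_PAYLOAD = '"><img src=x onerror=alert(1)><b class="';
const PATH_PAYLOAD = "/openid/<script>alert(document.cookie)</script>";

// Render each payload through the unsafe and the hardened function.
function demo() {
  return {
    unsafeLang: renderInlineCodeUnsafe("console.log(42)", LANG_PAYLOAD),
    safeLang: renderInlineCodeSafe("console.log(42)", LANG_PAYLOAD),
    unsafePath: errorPageUnsafe(PATH_PAYLOAD),
    safePath: errorPageSafe(PATH_PAYLOAD),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, html] of Object.entries(demo())) {
    console.log(`${name}: ${html}`);
    console.log(`  elements opened: ${tagNames(html).join(", ")}`);
  }
}
```

Running it shows the unsafe renderings opening `img`, `b` and `script` elements that the template never wrote, while the hardened ones open only the `code` and `p` elements the template itself contains. Note that encoding is per output context: the same `escapeHtml` is adequate for text and double-quoted attributes, but not for a value landing inside a `<script>` block, a URL, or an event handler, which is why the allowlist on `lang` is worth keeping even with encoding in place.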