Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-4252 | 1 Ibm | 2 Doors Next Generation, Rational Doors Next Generation | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175490.
|
|||||
| CVE-2020-4251 | 1 Ibm | 1 Api Connect | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
IBM API Connect 5.0.0.0 through 5.0.8.8 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175489.
|
|||||
| CVE-2020-4235 | 1 Ibm | 1 Tivoli Netcool\/impact | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175408.
|
|||||
| CVE-2020-4223 | 1 Ibm | 1 Maximo Asset Management | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
IBM Maximo Asset Management 7.6.0.10 and 7.6.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175121.
|
|||||
| CVE-2020-4198 | 1 Ibm | 1 Tivoli Netcool\/omnibus | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174909.
|
|||||
| CVE-2020-4196 | 1 Ibm | 1 Tivoli Netcool\/omnibus | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174907.
|
|||||
| CVE-2020-4183 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174739.
|
|||||
| CVE-2020-4182 | 1 Ibm | 1 Security Guardium | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174738.
|
|||||
| CVE-2020-4162 | 1 Ibm | 1 Infosphere Information Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174342.
|
|||||
| CVE-2020-4153 | 1 Ibm | 1 Qradar Network Security | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
IBM QRadar Network Security 5.4.0 and 5.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174269.
|
|||||
| CVE-2020-4140 | 1 Ibm | 1 Security Siteprotector System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
IBM Security SiteProtector System 3.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174052.
|
|||||
| CVE-2020-4104 | 1 Hcltech | 1 Bigfix Webui | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
HCL BigFix WebUI is vulnerable to stored cross-site scripting (XSS) within the Apps->Software module. An attacker can use XSS to send a malicious script to an unsuspecting user. This affects all versions prior to latest releases as specified in https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080855&sys_kb_id=971d99ed1b8ed01c086dcbfc0a4bcb6a.
|
|||||
| CVE-2020-4084 | 1 Hcltech | 1 Connections | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
HCL Connections v5.5, v6.0, and v6.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
|
|||||
| CVE-2020-4082 | 1 Hcltech | 1 Connections | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The HCL Connections 5.5 help system is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
|
|||||
| CVE-2020-4081 | 1 Hcltech | 1 Digital Experience | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS).
|
|||||
| CVE-2020-4080 | 1 Hcltech | 1 Domino | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
HCL Verse v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerability using specially-crafted markup to execute script in a victim's web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials.
|
|||||
| CVE-2020-4070 | 1 W3c | 1 Css Validator | 2024-11-21 | 3.5 LOW | 4.6 MEDIUM |
|
In CSS Validator less than or equal to commit 54d68a1, there is a cross-site scripting vulnerability in handling URIs. A user would have to click on a specifically crafted validator link to trigger it. This has been patched in commit e5c09a9.
|
|||||
| CVE-2020-4061 | 1 Octobercms | 1 October | 2024-11-21 | 3.5 LOW | 3.7 LOW |
|
In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467.
|
|||||
| CVE-2020-4054 | 1 Sanitize Project | 1 Sanitize | 2024-11-21 | 6.8 MEDIUM | 7.3 HIGH |
|
In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's "relaxed" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML ...
Show More |
|||||
| CVE-2020-4052 | 1 Requarks | 1 Wiki.js | 2024-11-21 | 4.3 MEDIUM | 6.3 MEDIUM |
|
In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. This has been patched in 2.4.107.
|
|||||
| CVE-2020-4051 | 3 Debian, Netapp, Openjsf | 6 Debian Linux, Active Iq Unified Manager, Oncommand Insight and 3 more | 2024-11-21 | 3.5 LOW | 3.7 LOW |
|
In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.
|
|||||
| CVE-2020-4049 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2024-11-21 | 3.5 LOW | 2.4 LOW |
|
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7. ...
Show More |
|||||
| CVE-2020-4046 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.2 ...
Show More |
|||||
| CVE-2020-4041 | 1 Boltcms | 1 Bolt | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
|
In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented. This is fixed in Bolt 3.7.1.
|
|||||
| CVE-2020-4038 | 1 Prisma | 5 Graphql-playground-html, Graphql-playground-middleware-express, Graphql-playground-middleware-hapi and 2 more | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
|
GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-k ...
Show More |
|||||
| CVE-2020-4025 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type.
|
|||||
| CVE-2020-4024 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.
|
|||||
| CVE-2020-4023 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
|
The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the committerFilter parameter.
|
|||||
| CVE-2020-4022 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type.
|
|||||
| CVE-2020-4021 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
|
|||||
| CVE-2020-4013 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the review objectives.
|
|||||
| CVE-2020-3997 | 1 Vmware | 1 Horizon | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
VMware Horizon Server (7.x prior to 7.10.3 or 7.13.0) contains a Cross Site Scripting (XSS) vulnerability. Successful exploitation of this issue may allow an attacker to inject malicious script which will be executed.
|
|||||
| CVE-2020-3975 | 1 Vmware | 1 App Volumes | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
VMware App Volumes 2.x prior to 2.18.6 and VMware App Volumes 4 prior to 2006 contain a Stored Cross-Site Scripting (XSS) vulnerability. A malicious actor with access to create and edit applications or create storage groups, may be able to inject malicious script which will be executed by a victim's browser when viewing.
|
|||||
| CVE-2020-3955 | 1 Vmware | 1 Esxi | 2024-11-21 | 4.3 MEDIUM | 9.3 CRITICAL |
|
ESXi 6.5 without patch ESXi650-201912104-SG and ESXi 6.7 without patch ESXi670-202004103-SG do not properly neutralize script-related HTML when viewing virtual machines attributes. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.3.
|
|||||
| CVE-2020-3953 | 1 Vmware | 1 Vrealize Log Insight | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability exists in VMware vRealize Log Insight prior to 8.1.0 due to improper Input validation.
|
|||||
| CVE-2020-3939 | 1 Sysjust | 1 Syuan-gu-da-shin | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
SysJust Syuan-Gu-Da-Shih, versions before 20191223, contain vulnerability of Cross-Site Scripting(XSS), personal information may be leaked to attackers via the vulnerability.
|
|||||
| CVE-2020-3902 | 1 Apple | 6 Icloud, Ipad Os, Iphone Os and 3 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An input validation issue was addressed with improved input validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to a cross site scripting attack.
|
|||||
| CVE-2020-3867 | 3 Apple, Opensuse, Webkitgtk | 8 Icloud, Ipados, Iphone Os and 5 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A logic issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to universal cross site scripting.
|
|||||
| CVE-2020-3758 | 1 Magento | 1 Magento | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
|
|||||
| CVE-2020-3715 | 1 Magento | 1 Magento | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
|
|||||