Total: 42233 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-35659 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page. |
| CVE-2020-35650 | 1 Uncannyowl | 1 Uncanny Groups For Learndash | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the ulgm_user_first POST Parameter in user-registration-form.php, the ulgm_user_last POST Parameter in user-registration-form.php, the ulgm_user_email POST Parameter in user-registration-form.php, the ulgm_code_registration POST Parameter in user-registration ... |
| CVE-2020-35622 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions. |
| CVE-2020-35594 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Zoho ManageEngine ADManager Plus before 7066 allows XSS. |
| CVE-2020-35592 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI. A remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against other users and steal the session cookie. |
| CVE-2020-35589 | 1 Limitloginattempts | 1 Limit Login Attempts Reloaded | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. |
| CVE-2020-35582 | 1 Enviragallery | 1 Envira Gallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/post.php request with the post_title parameter. |
| CVE-2020-35581 | 1 Enviragallery | 1 Envira Gallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the meta[title] parameter. |
| CVE-2020-35572 | 1 Adminer | 1 Adminer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Adminer through 4.7.8 allows XSS via the history parameter to the default URI. |
| CVE-2020-35571 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MantisBT through 2.24.3. In the helper_ensure_confirmed call in manage_custom_field_update.php, the custom field name is not sanitized. This may be problematic depending on CSP settings. |
| CVE-2020-35569 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is a self XSS issue with a crafted cookie in the login page. |
| CVE-2020-35563 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page. |
| CVE-2020-35542 | 1 Unisys | 1 Data Exchange Management Studio | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Unisys Data Exchange Management Studio through 5.0.34 doesn't sanitize the input to an HTML document field. This could be used for an XSS attack. |
| CVE-2020-35482 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS. |
| CVE-2020-35479 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later. |
| CVE-2020-35478 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later. |
| CVE-2020-35475 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.) |
| CVE-2020-35474 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML. |
| CVE-2020-35438 | 1 Kamalkhan | 1 Kk Star Ratings | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in the kk Star Ratings plugin before 4.1.5. |
| CVE-2020-35437 | 1 Intelliants | 1 Subrion Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Subrion CMS 4.2.1 is affected by: Cross Site Scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI. |
| CVE-2020-35419 | 1 Group-office | 1 Group Office | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter. |
| CVE-2020-35418 | 1 Group-office | 1 Group Office | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file. |
| CVE-2020-35416 | 1 Onlineonly | 1 Phpjabbers Appointment Scheduler | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities exist in PHPJabbers Appointment Scheduler 2.3, in the index.php admin login webpage (with different request parameters), allowing remote attackers to inject arbitrary web script or HTML. |
| CVE-2020-35396 | 1 Egavilanmedia | 1 Barcodes Generator | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | EGavilan Barcodes generator 1.0 is affected by: Cross Site Scripting (XSS) via the index.php. An attacker is able to inject the XSS payload in the web application each time a user visits the website. |
| CVE-2020-35395 | 1 Egavilanmedia | 1 Expense Management System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | XSS in the Add Expense Component of EGavilan Media Expense Management System 1.0 allows an attacker to permanently store malicious JavaScript code via the 'description' field. |
| CVE-2020-35373 | 1 Fiyo | 1 Fiyo Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In Fiyo CMS 2.0.6.1, the 'tag' parameter results in an unauthenticated XSS attack. |
| CVE-2020-35349 | 1 Techkshetrainfo | 1 Savsoft Quiz | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Savsoft Quiz 5 is affected by: Cross Site Scripting (XSS) via field_title (aka a title on the custom fields page). |
| CVE-2020-35346 | 1 Cxuu | 1 Cxuucms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | CXUUCMS V3 3.1 is affected by a reflected XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the imgurl parameter of admin.php?c=content&a=add. |
| CVE-2020-35328 | 1 Courier Management System Project | 1 Courier Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Courier Management System 1.0 - 'First Name' Stored XSS |
| CVE-2020-35309 | 1 Bakeshop Online Ordering System Project | 1 Bakeshop Online Ordering System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Bakeshop Online Ordering System in PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML in admin dashboard - "Categories". |
| CVE-2020-35305 | 1 Gollum Project | 1 Gollum | 2024-11-21 | N/A | 6.1 MEDIUM | Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog. |
| CVE-2020-35275 | 1 Coastercms | 1 Coastercms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Coastercms v5.8.18 is affected by cross-site Scripting (XSS). A user can steal a cookie and make the user redirect to any malicious website because it is triggered on the main home page of the product/application. |
| CVE-2020-35274 | 1 Dotcms | 1 Dotcms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | DotCMS Add Template with admin panel 20.11 is affected by cross-site Scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS. |
| CVE-2020-35272 | 1 Employee Performance Evaluation System Project | 1 Employee Performance Evaluation System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Admin Portal in the Task and Description fields. |
| CVE-2020-35271 | 1 Employee Performance Evaluation System Project | 1 Employee Performance Evaluation System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Employees, First Name and Last Name fields. |
| CVE-2020-35262 | 1 Digisol | 2 Dg-hr3400, Dg-hr3400 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter. |
| CVE-2020-35261 | 1 Multi Restaurant Table Reservation System Project | 1 Multi Restaurant Table Reservation System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Restaurant Name field to /dashboard/profile.php. |
| CVE-2020-35252 | 1 Egavilanmedia | 1 User Registration And Login System With Admin Panel | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability via the 'Full Name' parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0. |
| CVE-2020-35249 | 1 Elkarbackup | 1 Elkarbackup | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in ElkarBackup 1.3.3 allows attackers to execute arbitrary code via the name parameter to the add client feature. |
| CVE-2020-35240 | 1 Fluxbb | 1 Fluxbb | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | FluxBB 1.5.11 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in "Blog Content" and each time any user visits the blog, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload. |