Vulnerabilities (CVE)

Filtered by CWE-79
Total 42233 CVE
CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS v2 (score, severity) | CVSS v3 (score, severity)
CVE-2020-14202 1 Ibi 1 Webfocus Business Intelligence 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
WebFOCUS Business Intelligence 8.0 (SP6) was prone to XSS via arbitrary URL parameters.
CVE-2020-14184 1 Atlassian 2 Jira, Jira Server 2024-11-21 3.5 LOW 5.4 MEDIUM
Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1.
CVE-2020-14175 1 Atlassian 2 Confluence Data Center, Confluence Server 2024-11-21 3.5 LOW 5.4 MEDIUM
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2.
CVE-2020-14173 1 Atlassian 4 Jira, Jira Data Center, Jira Server and 1 more 2024-11-21 3.5 LOW 5.4 MEDIUM
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
CVE-2020-14169 1 Atlassian 2 Jira, Jira Software Data Center 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
CVE-2020-14166 1 Atlassian 1 Jira Service Desk 2024-11-21 3.5 LOW 4.8 MEDIUM
The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via a Cross Site Scripting (XSS) vulnerability by uploading an HTML file.
CVE-2020-14164 1 Atlassian 2 Jira, Jira Software Data Center 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via a Cross Site Scripting (XSS) vulnerability by pasting JavaScript code into the editor field.
CVE-2020-14161 1 Thecodingmachine 1 Gotenberg 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
It is possible to inject HTML and/or JavaScript in the HTML to PDF conversion in Gotenberg through 6.2.1 via the /convert/html endpoint.
CVE-2020-14146 1 Kumbiaphp 1 Kumbiaphp 2024-11-21 3.5 LOW 5.4 MEDIUM
KumbiaPHP through 1.1.1, in Development mode, allows XSS via the public/pages/kumbia PATH_INFO.
CVE-2020-14073 1 Paessler 1 Prtg Network Monitor 2024-11-21 3.5 LOW 5.4 MEDIUM
XSS exists in PRTG Network Monitor 20.1.56.1574 via crafted map properties. An attacker with Read/Write privileges can create a map, and then use the Map Designer Properties screen to insert JavaScript code. This can be exploited against any user with View Maps or Edit Maps access.
CVE-2020-14071 1 Mk-auth 1 Mk-auth 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MK-AUTH 19.01. XSS vulnerabilities in admin and client scripts allow an attacker to execute arbitrary JavaScript code.
CVE-2020-14063 1 Tc Custom Javascript Project 1 Tc Custom Javascript 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A stored Cross-Site Scripting (XSS) vulnerability in the TC Custom JavaScript plugin before 1.2.2 for WordPress allows unauthenticated remote attackers to inject arbitrary JavaScript via the tccj-content parameter. This is displayed in the page footer of every front-end page and executed in the browser of visitors.
CVE-2020-14055 1 Monstaftp 1 Monsta Ftp 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Monsta FTP 2.10.1 or below is prone to a stored cross-site scripting vulnerability in the language setting due to insufficient output encoding.
CVE-2020-14042 1 Codiad 1 Codiad 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Site Scripting (XSS) vulnerability was found in Codiad v1.7.8 and later. The vulnerability occurs because of improper sanitization of the folder's name $path variable in components/filemanager/class.filemanager.php. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors."
CVE-2020-14024 1 Ozeki 1 Ozeki Ng Sms Gateway 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuration, or (4) any GET Parameter in the /default URL of the application.
CVE-2020-14018 1 Naviwebs 1 Navigate Cms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Navigate CMS 2.9 r1433. There is a stored XSS vulnerability that is executed on the page to view users, and on the page to edit users. This is present in both the User field and the E-Mail field. On the Edit user page, the XSS is only triggered via the E-Mail field; however, on the View user page the XSS is triggered via either the User field or the E-Mail field.
CVE-2020-14014 1 Naviwebs 1 Navigate Cms 2024-11-21 3.5 LOW 5.4 MEDIUM
An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.
CVE-2020-14012 1 Enhancesoft 1 Osticket 2024-11-21 3.5 LOW 5.4 MEDIUM
scp/categories.php in osTicket 1.14.2 allows XSS via a Knowledgebase Category Name or Category Description. The attacker must be an Agent.
CVE-2020-14010 1 Laborator 1 Xenon 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The Laborator Xenon theme 1.3 for WordPress allows Reflected XSS via the data/typeahead-generate.php q (aka name) parameter.
CVE-2020-14007 1 Solarwinds 2 Orion Network Performance Monitor, Orion Web Performance Monitor 2024-11-21 3.5 LOW 5.4 MEDIUM
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a name of an alert definition.
CVE-2020-14006 1 Solarwinds 2 Orion Network Performance Monitor, Orion Web Performance Monitor 2024-11-21 3.5 LOW 5.4 MEDIUM
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a Responsible Team.
CVE-2020-13992 1 Mods-for-hesk 1 Mods For Hesk 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A Stored XSS issue allows remote unauthenticated attackers to abuse a helpdesk user's logged in session. A user with sufficient privileges to change their login-page image must open a crafted ticket.
CVE-2020-13980 1 Opencart 1 Opencart 2024-11-21 3.5 LOW 4.8 MEDIUM
OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section because of a lack of entity encoding. NOTE: this issue exists because of an incomplete fix for CVE-2020-10596. The vendor states "this is not a massive issue as you are still required to be logged into the admin."
CVE-2020-13973 1 Owasp 1 Json-sanitizer 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript.
CVE-2020-13972 1 Enghouse 1 Web Chat 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Enghouse Web Chat 6.2.284.34 allows XSS. When one enters their own domain name in the WebServiceLocation parameter, the response from the POST request is displayed, and any JavaScript returned from the external server is executed in the browser. This is related to CVE-2019-16951.
CVE-2020-13971 1 Shopware 1 Shopware 2024-11-21 3.5 LOW 5.4 MEDIUM
In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
CVE-2020-13969 1 Crk 1 Business Platform 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
CRK Business Platform <= 2019.1 allows reflected XSS via erro.aspx on 'CRK', 'IDContratante', 'Erro', or 'Mod' parameter. This is path-independent.
CVE-2020-13964 3 Debian, Fedoraproject, Roundcube 3 Debian Linux, Fedora, Webmail 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
CVE-2020-13959 2 Apache, Debian 2 Velocity Tools, Debian Linux 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
CVE-2020-13954 3 Apache, Netapp, Oracle 6 Cxf, Snap Creator Framework, Vasa Provider For Clustered Data Ontap and 3 more 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject JavaScript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
CVE-2020-13947 2 Apache, Oracle 3 Activemq, Communications Session Report Manager, Communications Session Route Manager 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting vulnerability is present in the web-based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.
CVE-2020-13944 1 Apache 1 Airflow 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
CVE-2020-13932 1 Apache 1 Activemq Artemis 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet carrying an XSS payload as the client-id or topic name can exploit this vulnerability. The payload is injected into the admin console's browser and is triggered in the diagram plugin (queue node) and in the info section.
CVE-2020-13928 1 Apache 1 Atlas 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Apache Atlas before 2.1.0 contains an XSS vulnerability: values are not sanitized correctly when saving a search or rendering elements, which triggers the XSS.
CVE-2020-13913 1 Ruckuswireless 25 C110, E510, H320 and 22 more 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An XSS issue in emfd in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute JavaScript code via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510, R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
CVE-2020-13911 1 Your Online Shop Project 1 Your Online Shop 2024-11-21 3.5 LOW 5.4 MEDIUM
Your Online Shop 1.8.0 allows authenticated users to trigger XSS via a Change Name or Change Surname operation.
CVE-2020-13897 1 Hesk 1 Hesk 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
HESK before 3.1.10 allows reflected XSS.
CVE-2020-13893 1 Sage 1 Easypay 2024-11-21 3.5 LOW 5.4 MEDIUM
Multiple stored cross-site scripting (XSS) vulnerabilities in Sage EasyPay 10.7.5.10 allow authenticated attackers to inject arbitrary web script or HTML via multiple parameters through Unicode Transformations (Best-fit Mapping), as demonstrated by the full-width variants of the less-than sign (%EF%BC%9C) and greater-than sign (%EF%BC%9E).
CVE-2020-13892 1 Themeboy 1 Sportspress 2024-11-21 3.5 LOW 5.4 MEDIUM
The SportsPress plugin before 2.7.2 for WordPress allows XSS.
CVE-2020-13890 1 Laborator 1 Neon 2024-11-21 3.5 LOW 5.4 MEDIUM
The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard.