Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13168 | 1 Sysaid | 2 Sysaid On-premises, Sysaidsy On-premises | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
SysAid 20.1.11b26 allows reflected XSS via the ForgotPassword.jsp accountid parameter.
|
|||||
| CVE-2020-13153 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.
|
|||||
| CVE-2020-13145 | 1 Edx | 1 Open Edx Platform | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "Content>File Uploads" screen. These files can contain JavaScript code and thus lead to Stored XSS.
|
|||||
| CVE-2020-13134 | 1 Tufin | 1 Securechange | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1 are affected. Vulnerabilities were fixed in R19.3 HF3 and R20-1 HF1.
|
|||||
| CVE-2020-13133 | 1 Tufin | 1 Securechange | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) unauthenticated users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1 are affected. Vulnerabilities were fixed in R19.3 HF3 and R20-1 HF1
|
|||||
| CVE-2020-13116 | 1 Carbonite | 1 Server Backup Portal | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
OpenText Carbonite Server Backup Portal before 8.8.7 allows XSS by an authenticated user via policy creation.
|
|||||
| CVE-2020-13094 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Dolibarr before 11.0.4 allows XSS.
|
|||||
| CVE-2020-12882 | 1 Rcos | 1 Submitty | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Submitty through 20.04.01 allows XSS via upload of an SVG document, as demonstrated by an attack by a Student against a Teaching Fellow.
|
|||||
| CVE-2020-12869 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
RainbowFish PacsOne Server 6.8.4 allows XSS.
|
|||||
| CVE-2020-12853 | 1 Pydio | 1 Cells | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Pydio Cells 2.0.4 allows XSS. A malicious user can either upload or create a new file that contains potentially malicious HTML and JavaScript code to personal folders or accessible cells.
|
|||||
| CVE-2020-12849 | 1 Pydio | 1 Cells | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Pydio Cells 2.0.4 allows any user to upload a profile image to the web application, including standard and shared user roles. These profile pictures can later be accessed directly with the generated URL by any unauthenticated or authenticated user.
|
|||||
| CVE-2020-12817 | 1 Fortinet | 2 Fortianalyzer, Fortitester | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An improper neutralization of input vulnerability in FortiAnalyzer before 6.4.1 and 6.2.5 may allow a remote authenticated attacker to inject script related HTML tags via Name parameter of Storage Connectors.
|
|||||
| CVE-2020-12816 | 1 Fortinet | 1 Fortinac | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An improper neutralization of input vulnerability in FortiNAC before 8.7.2 may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the UserID of Admin Users.
|
|||||
| CVE-2020-12815 | 1 Fortinet | 2 Fortianalyzer, Fortitester | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An improper neutralization of input vulnerability in FortiTester before 3.9.0 may allow a remote authenticated attacker to inject script related HTML tags via IPv4/IPv6 address fields.
|
|||||
| CVE-2020-12814 | 1 Fortinet | 1 Fortianalyzer | 2024-11-21 | 3.5 LOW | 4.1 MEDIUM |
|
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.
|
|||||
| CVE-2020-12811 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An improper neutralization of script-related HTML tags in a web page in FortiManager 6.2.0, 6.2.1, 6.2.2, and 6.2.3and FortiAnalyzer 6.2.0, 6.2.1, 6.2.2, and 6.2.3 may allow an attacker to execute a cross site scripting (XSS) via the Identify Provider name field.
|
|||||
| CVE-2020-12779 | 1 Combodo | 1 Itop | 2024-11-21 | 3.5 LOW | 6.8 MEDIUM |
|
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
|
|||||
| CVE-2020-12778 | 1 Combodo | 1 Itop | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
|
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
|
|||||
| CVE-2020-12759 | 1 Zulip | 1 Zulip Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook.
|
|||||
| CVE-2020-12718 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.
|
|||||
| CVE-2020-12708 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043.
|
|||||
| CVE-2020-12707 | 1 Lepton-cms | 1 Lepton Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements.
|
|||||
| CVE-2020-12706 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php
|
|||||
| CVE-2020-12705 | 1 Lepton-cms | 1 Leptoncms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0.
|
|||||
| CVE-2020-12704 | 1 Ulicms | 1 Ulicms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
UliCMS before 2020.2 has PageController stored XSS.
|
|||||
| CVE-2020-12703 | 1 Ulicms | 1 Ulicms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
UliCMS before 2020.2 has XSS during PackageController uninstall.
|
|||||
| CVE-2020-12696 | 1 Iframe Project | 1 Iframe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The iframe plugin before 4.5 for WordPress does not sanitize a URL.
|
|||||
| CVE-2020-12685 | 1 Redhat | 1 Interchange | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
XSS in the admin help system admin/help.html and admin/quicklinks.html in Interchange 4.7.0 through 5.11.x allows remote attackers to steal credentials or data via browser JavaScript.
|
|||||
| CVE-2020-12683 | 1 Katyshop2 Project | 1 Katyshop2 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Katyshop2 before 2.12 has multiple stored XSS issues.
|
|||||
| CVE-2020-12679 | 1 Mitel | 2 Mivoice Connect, Shoretel Conference Web | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATH_INFO to home.php.
|
|||||
| CVE-2020-12677 | 1 Progress | 1 Moveit Automation | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0 prior to 2018.0.3, 2018 SP1 - 2018.2 prior to 2018.2.3, 2018 SP2 - 2018.3 prior to 2018.3.7, 2019 - 2019.0 prior to 2019.0.3, 2019.1 - 2019.1 prior to 2019.1.2, and 2019.2 - 2019.2 prior to 2019.2.2.
|
|||||
| CVE-2020-12670 | 1 Webmin | 1 Webmin | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email.
|
|||||
| CVE-2020-12648 | 1 Tiny | 1 Tinymce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode.
|
|||||
| CVE-2020-12646 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document.
|
|||||
| CVE-2020-12639 | 1 Phplist | 1 Phplist | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.
|
|||||
| CVE-2020-12635 | 1 Mageme | 1 Webforms Pro M2 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
XSS exists in the WebForms Pro M2 extension before 2.9.17 for Magento 2 via the textarea field.
|
|||||
| CVE-2020-12629 | 1 Enhancesoft | 1 Osticket | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name.
|
|||||
| CVE-2020-12625 | 3 Debian, Opensuse, Roundcube | 4 Debian Linux, Backports Sle, Leap and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
|
|||||
| CVE-2020-12530 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an XSS issue in the redirect.php allowing an attacker to inject code via a get parameter.
|
|||||
| CVE-2020-12517 | 1 Phoenixcontact | 7 Axc F 1152, Axc F 2152, Axc F 2152 Starterkit and 4 more | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
|
On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation).
|
|||||