Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12512 | 1 Pepperl-fuchs | 24 Io-link Master 4-eip, Io-link Master 4-eip Firmware, Io-link Master 4-pnio and 21 more | 2024-11-21 | 3.5 LOW | 7.5 HIGH |
|
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
|
|||||
| CVE-2020-12472 | 1 Mono | 1 Monox | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
MonoX through 5.1.40.5152 allows stored XSS via User Status, Blog Comments, or Blog Description.
|
|||||
| CVE-2020-12438 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.
|
|||||
| CVE-2020-12432 | 1 Collaboraoffice | 1 Collabora Online Development Edition | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtain an API access token, which can be accomplished if the attacker is able to upload a .docx or .odt file. The associated API endpoints for exploitation are /wopi/files and /wopi/getAccessToken.
|
|||||
| CVE-2020-12404 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS < 26.
|
|||||
| CVE-2020-12276 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature.
|
|||||
| CVE-2020-12262 | 1 Intelbras | 6 Tip200, Tip200 Firmware, Tip200lite and 3 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 devices allow /cgi-bin/cgiServer.exx?page= XSS.
|
|||||
| CVE-2020-12261 | 1 Opmantek | 1 Open-audit | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Open-AudIT 3.3.0 allows an XSS attack after login.
|
|||||
| CVE-2020-12259 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php.
|
|||||
| CVE-2020-12256 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit this by crafting arbitrary JavaScript in the deviceId GET parameter to devicemgmnt.php.
|
|||||
| CVE-2020-12245 | 1 Grafana | 1 Grafana | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
|
|||||
| CVE-2020-12137 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
|
|||||
| CVE-2020-12132 | 1 Fifthplay | 1 S.a.m.i | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Fifthplay S.A.M.I before 2019.3_HP2 allows unauthenticated stored XSS via a POST request.
|
|||||
| CVE-2020-12131 | 1 App2pro | 1 Airdisk Pro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The AirDisk Pro app 5.5.3 for iOS allows XSS via the devicename parameter (shown next to the UI logo).
|
|||||
| CVE-2020-12130 | 1 App2pro | 1 Airdisk Pro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The AirDisk Pro app 5.5.3 for iOS allows XSS via the deleteFile parameter of the Delete function.
|
|||||
| CVE-2020-12129 | 1 App2pro | 1 Airdisk Pro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The AirDisk Pro app 5.5.3 for iOS allows XSS via the createFolder parameter of the Create Folder function.
|
|||||
| CVE-2020-12113 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
|
|||||
| CVE-2020-12082 | 1 Flexera | 1 Flexnet Code Insight | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A stored cross-site scripting issue impacts certain areas of the Web UI for Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).
|
|||||
| CVE-2020-12071 | 1 Anchorcms | 1 Anchor | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Anchor 0.12.7 allows admins to cause XSS via crafted post content.
|
|||||
| CVE-2020-12058 | 1 Oscommerce | 1 Ce Phoenix | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Several XSS vulnerabilities in osCommerce CE Phoenix before 1.0.6.0 allow an attacker to inject and execute arbitrary JavaScript code. The malicious code can be injected as follows: the page parameter to catalog/admin/order_status.php, catalog/admin/tax_rates.php, catalog/admin/languages.php, catalog/admin/countries.php, catalog/admin/tax_classes.php, catalog/admin/reviews.php, or catalog/admin/zones.php; or the zpage or spage parameter to catalog/admin/geo_zones.php.
|
|||||
| CVE-2020-12054 | 1 Catchplugins | 1 Catch Breadcrumb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflected XSS via the s parameter (a search query). Also affected are 16 themes (if the plugin is enabled) by the same author: Alchemist and Alchemist PRO, Izabel and Izabel PRO, Chique and Chique PRO, Clean Enterprise and Clean Enterprise PRO, Bold Photography PRO, Intuitive PRO, Devotepress PRO, Clean Blocks PRO, Foodoholic PRO, Catch Mag PRO, Catch Wedding PRO, and Higher Education PRO.
|
|||||
| CVE-2020-12052 | 1 Grafana | 1 Grafana | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
|
|||||
| CVE-2020-12021 | 1 Osisoft | 1 Pi Web Api | 2024-11-21 | 6.0 MEDIUM | 9.0 CRITICAL |
|
In OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions, the affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to remotely execute arbitrary code.
|
|||||
| CVE-2020-11983 | 1 Apache | 1 Airflow | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
|
|||||
| CVE-2020-11944 | 1 Bitcoin-abe Project | 1 Bitcoin-abe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Abe (aka bitcoin-abe) through 0.7.2, and 0.8pre, allows XSS in __call__ in abe.py because the PATH_INFO environment variable is mishandled during a PageNotFound exception.
|
|||||
| CVE-2020-11930 | 1 Gtranslate | 1 Translate Wordpress With Gtranslate | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option.
|
|||||
| CVE-2020-11888 | 1 Python-markdown2 Project | 1 Python-markdown2 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute.
|
|||||
| CVE-2020-11887 | 1 Svg2png Project | 1 Svg2png | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
svg2png 4.1.1 allows XSS with resultant SSRF via JavaScript inside an SVG document.
|
|||||
| CVE-2020-11860 | 1 Microfocus | 1 Arcsight Logger | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS)
|
|||||
| CVE-2020-11845 | 1 Microfocus | 1 Service Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Micro Focus Service Manager product. Affecting versions 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63. The vulnerability could be exploited to allow remote attackers to inject arbitrary web script or HTML.
|
|||||
| CVE-2020-11839 | 1 Microfocus | 1 Arcsight Logger | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Logger product, affecting all version from 6.6.1 up to version 7.0.1. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS) or information disclosure.
|
|||||
| CVE-2020-11838 | 1 Microfocus | 1 Arcsight Management Center | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Management Center product, Affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS) or information disclosure.
|
|||||
| CVE-2020-11823 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.
|
|||||
| CVE-2020-11822 | 1 Rukovoditel | 1 Rukovoditel | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page. Thus, an attacker can inject malicious script to steal all users' valuable data.
|
|||||
| CVE-2020-11813 | 1 Rukovoditel | 1 Rukovoditel | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page so this attack vector can be very dangerous.
|
|||||
| CVE-2020-11791 | 1 Netgear | 2 Jgs516pe, Jgs516pe Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
NETGEAR JGS516PE devices before 2.6.0.43 are affected by reflected XSS.
|
|||||
| CVE-2020-11787 | 1 Netgear | 34 D7800, D7800 Firmware, R7500 and 31 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.
|
|||||
| CVE-2020-11786 | 1 Netgear | 22 D7800, D7800 Firmware, R7500 and 19 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.
|
|||||
| CVE-2020-11785 | 1 Netgear | 22 D7800, D7800 Firmware, R7500 and 19 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.
|
|||||
| CVE-2020-11784 | 1 Netgear | 22 D7800, D7800 Firmware, R7500 and 19 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.
|
|||||