Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15682 | 1 Craftercms | 1 Crafter Cms | 2020-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel. | |||||
| CVE-2017-15686 | 1 Craftercms | 1 Crafter Cms | 2020-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies. | |||||
| CVE-2020-13773 | 1 Ivanti | 1 Endpoint Manager | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| Ivanti Endpoint Manager through 2020.1.1 allows XSS via /LDMS/frm_splitfrm.aspx, /LDMS/licensecheck.aspx, /LDMS/frm_splitcollapse.aspx, /LDMS/alert_log.aspx, /LDMS/ServerList.aspx, /LDMS/frm_coremainfrm.aspx, /LDMS/frm_findfrm.aspx, /LDMS/frm_taskfrm.aspx, and /LDMS/query_browsecomp.aspx. | |||||
| CVE-2020-25474 | 1 Newsscriptphp | 1 News Script Php Pro | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| SimplePHPscripts News Script PHP Pro 2.3 is affected by a Cross Site Scripting (XSS) vulnerability via the editor_name parameter. | |||||
| CVE-2020-29053 | 1 Hrsale | 1 Hrsale | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter. | |||||
| CVE-2020-29070 | 1 Oscommerce | 1 Oscommerce | 2020-11-27 | 3.5 LOW | 4.8 MEDIUM |
| osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters. | |||||
| CVE-2020-28650 | 1 Wpbakery | 1 Page Builder | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles. | |||||
| CVE-2020-10776 | 1 Redhat | 1 Keycloak | 2020-11-27 | 3.5 LOW | 4.8 MEDIUM |
| A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. | |||||
| CVE-2020-25798 | 1 Limesurvey | 1 Limesurvey | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When the survey attribute being edited or viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser. | |||||
| CVE-2020-25454 | 1 Grocy Project | 1 Grocy | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe. | |||||
| CVE-2020-26701 | 1 Kaaproject | 1 Kaa | 2020-11-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Dashboards section in Kaa IoT Platform v1.2.0 allows remote attackers to inject malicious web scripts or HTML Injection payloads via the Description parameter. | |||||
| CVE-2020-28350 | 1 Sokrates | 1 Sowasql | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in OPAC in Sokrates SOWA SowaSQL through 5.6.1 via the sowacgi.php typ parameter. | |||||
| CVE-2020-22723 | 1 Ljcmsshop Project | 1 Ljcmsshop | 2020-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhicheng Technology Co., Ltd ljcmsshop version 1.14 allows remote attackers to inject arbitrary web script or HTML via user.php by registering an account directly in the user center, and then adding the payload to the delivery address. | |||||
| CVE-2018-19787 | 3 Canonical, Debian, Lxml | 3 Ubuntu Linux, Debian Linux, Lxml | 2020-11-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. | |||||
| CVE-2020-27126 | 1 Cisco | 1 Webex Meetings | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in an API of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to improper validation of user-supplied input to an application programmatic interface (API) within Cisco Webex Meetings. An attacker could exploit this vulnerability by convincing a targeted user to follow a link designed to submit malicious input to the API used by Cisco Webex Meetings. A successful exploit could allow the attacker to conduct cross-site scripting attacks and potentially gain access to sensitive browser-based information from the system of a targeted user. | |||||
| CVE-2020-28129 | 1 Gym Management System Project | 1 Gym Management System | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored Cross-site scripting (XSS) vulnerability in SourceCodester Gym Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php?page=packages via vulnerable fields 'Package Name' and 'Description'. | |||||
| CVE-2017-14588 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. | |||||
| CVE-2017-14587 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. | |||||
| CVE-2017-9510 | 1 Atlassian | 1 Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. | |||||
| CVE-2017-18034 | 1 Atlassian | 2 Crucible, Fisheye | 2020-11-25 | 3.5 LOW | 5.4 MEDIUM |
| The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch. | |||||