Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-26891 | 1 Matrix | 1 Synapse | 2020-10-26 | 4.3 MEDIUM | 6.1 MEDIUM | AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the `/_matrix/client/r0/auth/*/fallback/web` or `/_matrix/client/unstable/auth/*/fallback/web` Synapse endpoints.
CVE-2020-27620 | 1 Mediawiki | 1 Skin\ | 2020-10-26 | 4.3 MEDIUM | 6.1 MEDIUM | The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
CVE-2020-17454 | 1 Wso2 | 1 Api Manager | 2020-10-26 | 4.3 MEDIUM | 6.1 MEDIUM | WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal box appears that writes an error message concatenated to the injected payload (without any form of data encoding). This can also be exploited via CSRF.
CVE-2020-15004 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-10-26 | 3.5 LOW | 4.8 MEDIUM | OX App Suite through 7.10.3 allows `stats/diagnostic?param=` XSS.
CVE-2020-27163 | 1 Phpredisadmin Project | 1 Phpredisadmin | 2020-10-26 | 4.3 MEDIUM | 6.1 MEDIUM | phpRedisAdmin before 1.13.2 allows XSS via the login.php username parameter.
CVE-2020-27176 | 1 Marktext | 1 Marktext | 2020-10-26 | 6.8 MEDIUM | 9.6 CRITICAL | Mutation XSS exists in Mark Text through 0.16.2 that leads to Remote Code Execution. NOTE: this might be considered a duplicate of CVE-2020-26870; however, it can also be considered an issue in the design of the "source code mode" feature, which parses HTML even though HTML support is not one of the primary advertised roles of the product.
CVE-2020-26162 | 1 Xerox | 4 Workcentre Ec7836, Workcentre Ec7836 Firmware, Workcentre Ec7856 and 1 more | 2020-10-23 | 4.3 MEDIUM | 6.1 MEDIUM | Xerox WorkCentre EC7836 before 073.050.059.25300 and EC7856 before 073.020.059.25300 devices allow XSS via Description pages.
CVE-2020-27344 | 1 Cminds | 1 Cm Download Manager | 2020-10-22 | 4.3 MEDIUM | 6.1 MEDIUM | The cm-download-manager plugin before 2.8.0 for WordPress allows XSS.
CVE-2020-3320 | 1 Cisco | 2 Firepower Management Center, Sourcefire Defense Center | 2020-10-22 | 3.5 LOW | 5.4 MEDIUM | A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by first entering input within the web-based management interface and then persuading a user of the interface to view the crafted input within the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
CVE-2020-3589 | 1 Cisco | 1 Identity Services Engine | 2020-10-22 | 3.5 LOW | 4.8 MEDIUM | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need to have valid administrative credentials.
CVE-2020-5142 | 1 Sonicwall | 2 Sonicos, Sonicosv | 2020-10-22 | 4.3 MEDIUM | 6.1 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in the SonicOS SSLVPN web interface. A remote unauthenticated attacker is able to store and potentially execute arbitrary JavaScript code in the firewall SSLVPN portal. This vulnerability affected SonicOS Gen 5 versions 5.9.1.7 and 5.9.1.13, Gen 6 versions 6.5.4.7, 6.5.1.12 and 6.0.5.3, SonicOSv 6.5.4.v, and Gen 7 version SonicOS 7.0.0.0.
CVE-2020-26574 | 1 Leostream | 1 Connection Broker | 2020-10-22 | 9.3 HIGH | 9.6 CRITICAL | ** UNSUPPORTED WHEN ASSIGNED ** Leostream Connection Broker 8.2.x is affected by stored XSS. An unauthenticated attacker can inject arbitrary JavaScript code via the webquery.pl User-Agent HTTP header. It is rendered by the admins the next time they log in. The JavaScript injected can be used to force the admin to upload a malicious Perl script that will be executed as root via libMisc::browser_client. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-15263 | 1 Orchid | 1 Platform | 2020-10-22 | 4.3 MEDIUM | 6.1 MEDIUM | In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4.
CVE-2020-6367 | 1 Sap | 1 Netweaver Composite Application Framework | 2020-10-22 | 4.3 MEDIUM | 6.1 MEDIUM | There is a reflected cross-site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions 7.20, 7.30, 7.31, 7.40 and 7.50. An unauthenticated attacker can trick an unsuspecting authenticated user into clicking on a malicious link. The end user's browser has no way to know that the script should not be trusted, and will execute the script, resulting in sensitive information being disclosed or modified.
CVE-2020-7747 | 1 Lightning-viz | 1 Lightning | 2020-10-22 | 3.5 LOW | 6.3 MEDIUM | This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.
CVE-2020-24416 | 1 Adobe | 1 Marketo Sales Insight | 2020-10-22 | 4.3 MEDIUM | 6.1 MEDIUM | Marketo Sales Insight plugin version 1.4355 (and earlier) is affected by a blind stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
CVE-2020-4564 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2020-10-22 | 3.5 LOW | 5.4 MEDIUM | IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.1 and IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 183933.
CVE-2020-6370 | 1 Sap | 1 Netweaver Design Time Repository | 2020-10-22 | 3.5 LOW | 4.8 MEDIUM | SAP NetWeaver Design Time Repository (DTR), versions 7.11, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
CVE-2020-16270 | 1 Olimpoks | 1 Olimpok | 2020-10-21 | 4.3 MEDIUM | 6.1 MEDIUM | OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. A remote attacker can use the discovered vulnerability to inject a malicious JavaScript payload into victims' browsers in the context of the vulnerable application. Executed code can be used to steal administrators' cookies, influence the HTML content of the targeted application and perform phishing-related attacks. The vulnerable application is used in more than 3000 organizations in different sectors, from retail to industry.
CVE-2020-4755 | 1 Ibm | 1 Spectrum Scale | 2020-10-20 | 3.5 LOW | 5.4 MEDIUM | IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188595.