Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-4748 | 1 Ibm | 1 Spectrum Scale | 2020-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188517. | |||||
| CVE-2020-24316 | 1 Admin Menu Project | 1 Admin Menu | 2020-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| WP Plugin Rednumber Admin Menu v1.1 and lower does not sanitize the value of the "role" GET parameter before echoing it back out to the user. This results in a reflected XSS vulnerability that attackers can exploit with a specially crafted URL. | |||||
| CVE-2020-16945 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-10-20 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-16946. | |||||
| CVE-2020-16946 | 1 Microsoft | 4 Sharepoint Designer, Sharepoint Enterprise Server, Sharepoint Foundation and 1 more | 2020-10-20 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-16945. | |||||
| CVE-2020-16978 | 1 Microsoft | 1 Dynamics 365 | 2020-10-20 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16956. | |||||
| CVE-2020-16956 | 1 Microsoft | 1 Dynamics 365 | 2020-10-20 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16978. | |||||
| CVE-2020-16944 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-10-20 | 3.5 LOW | 5.4 MEDIUM |
| This vulnerability is caused when SharePoint Server does not properly sanitize a specially crafted request to an affected SharePoint server.An authenticated attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server, aka 'Microsoft SharePoint Reflective XSS Vulnerability'. | |||||
| CVE-2020-3536 | 1 Cisco | 1 Sd-wan | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface. | |||||
| CVE-2020-6319 | 1 Sap | 1 Netweaver Application Server Java | 2020-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to include JavaScript blocks in any web page or URL with different symbols which are otherwise not allowed. On successful exploitation an attacker can steal authentication information of the user, such as data relating to his or her current session and limitedly impact confidentiality and integrity of the application, leading to Reflected Cross Site Scripting. | |||||
| CVE-2020-6323 | 1 Sap | 1 Netweaver Enterprise Portal | 2020-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal (Fiori Framework Page) versions - 7.50, 7.31, 7.40, does not sufficiently encode user-controlled inputs and allows an attacker on a valid session to create an XSS that will be both reflected immediately and also be persisted and returned in further access to the system, resulting in Cross Site Scripting. | |||||
| CVE-2020-6368 | 1 Sap | 1 Business Planning And Consolidation | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting. | |||||
| CVE-2020-7741 | 1 Hello.js Project | 1 Hello.js | 2020-10-19 | 7.5 HIGH | 9.9 CRITICAL |
| This affects the package hellojs before 1.18.6. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1). | |||||
| CVE-2020-6272 | 1 Sap | 1 Commerce Cloud | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These can be saved and later triggered, if an affected web page is visited, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-7317 | 1 Mcafee | 1 Epolicy Orchestrator | 2020-10-19 | 2.3 LOW | 4.3 MEDIUM |
| Cross-Site Scripting vulnerability in McAfee ePolicy Orchistrator (ePO) prior to 5.10.9 Update 9 allows administrators to inject arbitrary web script or HTML via parameter values for "syncPointList" not being correctly sanitsed. | |||||
| CVE-2019-9509 | 1 Vertiv | 2 Avocent Umg-4000, Avocent Umg-4000 Firmware | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying to users in a web page, which could allow a remote attacker authenticated with a user account to execute arbitrary code. | |||||
| CVE-2020-24188 | 1 Unitedplanet | 1 Intrexx | 2020-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 20.03 allows remote attackers to inject arbitrary web script or HTML via the request parameter. | |||||
| CVE-2020-8155 | 1 Nextcloud | 1 Nextcloud Server | 2020-10-19 | 3.5 LOW | 5.4 MEDIUM |
| An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF. | |||||
| CVE-2019-3808 | 1 Moodle | 1 Moodle | 2020-10-19 | 4.0 MEDIUM | 5.4 MEDIUM |
| A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default. | |||||
| CVE-2019-6528 | 1 Psigridconnect | 10 Iec104 Security Proxy, Iec104 Security Proxy Firmware, Smart Telecontrol Unit Tcg and 7 more | 2020-10-19 | 6.5 MEDIUM | 8.8 HIGH |
| PSI GridConnect GmbH Telecontrol Gateway and Smart Telecontrol Unit family, IEC104 Security Proxy versions Telecontrol Gateway 3G Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior, and Telecontrol Gateway XS-MU Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior, and Telecontrol Gateway VM Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior, and Smart Telecontrol Unit TCG Versions 5.0.27, 5.1.19, 6.0.16 and prior, and IEC104 Security Proxy Version 2.2.10 and prior The web application browser interprets input as active HTML, JavaScript, or VBScript, which could allow an attacker to execute arbitrary code. | |||||
| CVE-2020-13761 | 1 Joomla | 1 Joomla\! | 2020-10-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS. | |||||