Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-11512 | 1 Idxbroker | 1 Impress For Idx Broker | 2020-04-08 | 3.5 LOW | 5.4 MEDIUM | Stored XSS in the IMPress for IDX Broker WordPress plugin before 2.6.2 allows authenticated attackers with minimal (subscriber-level) permissions to save arbitrary JavaScript in the plugin's settings panel via the idx_update_recaptcha_key AJAX action and a crafted idx_recaptcha_site_key parameter, which would then be executed in the browser of any administrator visiting the panel. This could be used to create new administrator-level accounts.
CVE-2019-15233 | 1 Oldstreetsolutions | 1 Live Input Macros | 2020-04-07 | 4.3 MEDIUM | 6.1 MEDIUM | The Live:Text Box macro in the Old Street Live Input Macros app before 2.11 for Confluence has XSS, leading to theft of the Administrator Session Cookie.
CVE-2020-2175 | 1 Jenkins | 1 Fitnesse | 2020-04-07 | 3.5 LOW | 5.4 MEDIUM | Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.
CVE-2020-2176 | 1 Jenkins | 1 Usemango Runner | 2020-04-07 | 3.5 LOW | 5.4 MEDIUM | Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.
CVE-2020-2173 | 1 Jenkins | 1 Gatling | 2020-04-07 | 3.5 LOW | 5.4 MEDIUM | Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.
CVE-2020-2174 | 1 Jenkins | 1 Awseb Deployment | 2020-04-07 | 4.3 MEDIUM | 6.1 MEDIUM | Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.
CVE-2020-6171 | 1 Communilink | 1 Clink Office | 2020-04-07 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the index page of the CLink Office 2.0 management console allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
CVE-2020-11457 | 1 Netgate | 1 Pfsense | 2020-04-06 | 3.5 LOW | 5.4 MEDIUM | pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.
CVE-2019-16533 | 1 Draytek | 8 Vigor2925 Firmware, Vigor2925ac, Vigor2925fn and 5 more | 2020-04-06 | 4.3 MEDIUM | 6.1 MEDIUM | On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access Control exists in loginset.htm, and can be used to trigger XSS. NOTE: this is an end-of-life product.
CVE-2019-16534 | 1 Draytek | 8 Vigor2925 Firmware, Vigor2925ac, Vigor2925fn and 5 more | 2020-04-06 | 4.3 MEDIUM | 6.1 MEDIUM | On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists via a crafted WAN name on the General Setup screen. NOTE: this is an end-of-life product.
CVE-2019-17231 | 1 Mageewp | 1 Onetone | 2020-04-06 | 4.3 MEDIUM | 6.1 MEDIUM | includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues.
CVE-2020-11499 | 1 Firmware Analysis And Comparison Tool Project | 1 Firmware Analysis And Comparison Tool | 2020-04-06 | 4.3 MEDIUM | 6.1 MEDIUM | Firmware Analysis and Comparison Tool (FACT) 3 has Stored XSS when updating analysis details via a localhost web request, as demonstrated by mishandling of the tags and version fields in helperFunctions/mongo_task_conversion.py.
CVE-2020-11454 | 1 Microstrategy | 1 Microstrategy Web | 2020-04-03 | 3.5 LOW | 5.4 MEDIUM | Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the application.
CVE-2019-19002 | 1 Abb | 1 Esoms | 2020-04-03 | 3.5 LOW | 5.4 MEDIUM | For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browsers not supporting Content Security Policy, this might increase the risk of Cross Site Scripting.
CVE-2019-19003 | 1 Abb | 1 Esoms | 2020-04-03 | 4.3 MEDIUM | 6.1 MEDIUM | For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow JavaScript to access the cookie contents, which in turn might enable Cross Site Scripting.
CVE-2019-19095 | 1 Abb | 1 Esoms | 2020-04-03 | 3.5 LOW | 5.4 MEDIUM | Lack of adequate input/output validation for ABB eSOMS versions 4.0 to 6.0.2 might allow an attacker to perform attacks such as stored cross-site scripting by storing malicious content in the database.
CVE-2020-8966 | 1 Tiki | 1 Tikiwiki Cms/groupware | 2020-04-03 | 4.3 MEDIUM | 6.1 MEDIUM | There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in PHP web pages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page.
CVE-2020-1949 | 1 Apache | 1 Sling Cms | 2020-04-03 | 4.3 MEDIUM | 6.1 MEDIUM | Scripts in Sling CMS before 0.16.0 do not properly escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.
CVE-2020-4303 | 1 Ibm | 1 Websphere Application Server | 2020-04-02 | 4.3 MEDIUM | 6.1 MEDIUM | IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668.
CVE-2020-4304 | 1 Ibm | 1 Websphere Application Server | 2020-04-02 | 4.3 MEDIUM | 6.1 MEDIUM | IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670.