Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-5226 | 1 Simplesamlphp | 1 Simplesamlphp | 2020-01-30 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/errorreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapper of an external dependency. This new wrapper allows us to use Twig templates in order to create the email sent with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-text field in www/errorreport.php was removed to avoid double escaping. However, for those not using the new user interface yet, an email template is hardcoded into the class itself in plain PHP. Since no escaping is provided in this template, it is possible to inject HTML into the template by manually crafting the contents of the free-text field.
CVE-2012-6494 | 1 Rapid7 | 1 Nexpose | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM | Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability which allows remote attackers to capture a user's session and gain unauthorized access.
CVE-2013-6451 | 1 Mediawiki | 1 Mediawiki | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.
CVE-2013-2714 | 1 Podpress Project | 1 Podpress | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) in WordPress podPress Plugin 8.8.10.13 could allow remote attackers to inject arbitrary web script or HTML via the 'playerID' parameter.
CVE-2014-8490 | 1 Tennisconnect | 1 Components | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in TennisConnect COMPONENTS 9.927 allows remote attackers to inject arbitrary web script or HTML via the pid parameter to index.cfm.
CVE-2020-2106 | 1 Jenkins | 1 Code Coverage Api | 2020-01-30 | 3.5 LOW | 5.4 MEDIUM | Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations.
CVE-2019-4632 | 1 Ibm | 1 Security Secret Server | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM | IBM Security Secret Server 10.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 170004.
CVE-2018-5376 | 1 Discuz | 1 Discuzx | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM | Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_upload.php op parameter.
CVE-2012-6448 | 1 Cpanel | 1 Webhost Manager | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-4770 | 1 Eucalyptus | 1 Eucalyptus Management Console | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in Eucalyptus Management Console (EMC) 4.0.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2020-8090 | 1 A1 | 2 Wlan Box Adb Vv2220, Wlan Box Adb Vv2220 Firmware | 2020-01-29 | 3.5 LOW | 4.8 MEDIUM | The Username field in the Storage Service settings of A1 WLAN Box ADB VV2220v2 devices allows stored XSS (after a successful Administrator login).
CVE-2020-8091 | 1 Typo3 | 1 Typo3 | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM | svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname.
CVE-2019-10779 | 1 Gchq | 1 Stroom | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM | All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by cross-site scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user.
CVE-2019-17651 | 1 Fortinet | 1 Fortisiem | 2020-01-29 | 3.5 LOW | 5.4 MEDIUM | An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a stored cross-site scripting (XSS) attack by injecting malicious JavaScript code into the description field of a Device Maintenance Schedule.
CVE-2020-1933 | 2 Apache, Mozilla | 2 Nifi, Firefox | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected into the UI through action by an unaware authenticated user in Firefox. It did not appear to occur in other browsers.
CVE-2019-15607 | 1 Nodered | 1 Node-red | 2020-01-29 | 3.5 LOW | 5.4 MEDIUM | A stored XSS vulnerability is present within the node-red (version <= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc.
CVE-2013-1421 | 1 Webcalendar Project | 1 Webcalendar | 2020-01-29 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.
CVE-2012-5384 | 1 Webcalendar Project | 1 Webcalendar | 2020-01-29 | 4.3 MEDIUM | N/A | Multiple cross-site scripting (XSS) vulnerabilities in Craig Knudsen WebCalendar allow remote attackers to inject arbitrary web script or HTML via the (1) $name or (2) $description variables in edit_entry_handler.php, or (3) $url, (4) $tempfullname, or (5) $ext_users[] variables in view_entry.php, different vectors than CVE-2012-0846.
CVE-2019-16024 | 1 Cisco | 2 Crosswork Change Automation, Crosswork Network Automation | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability in the web-based management interface of Cisco Crosswork Change Automation could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
CVE-2019-16008 | 1 Cisco | 38 Ip Phone 6821, Ip Phone 6821 Firmware, Ip Phone 6825 and 35 more | 2020-01-29 | 3.5 LOW | 5.4 MEDIUM | A vulnerability in the web-based GUI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based GUI of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.