Total
37849 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5305 | 1 Codologic | 1 Codoforum | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Codoforum 4.8.3 allows XSS in the admin dashboard via a name field of a new user, i.e., on the Manage Users screen. | |||||
| CVE-2020-5298 | 1 Octobercms | 1 October | 2024-11-21 | 3.5 LOW | 4.0 MEDIUM |
| In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466). | |||||
| CVE-2020-5294 | 1 Prestashop | 1 Prestashop Socialfollow | 2024-11-21 | 3.5 LOW | 4.1 MEDIUM |
| PrestaShop module ps_facetedsearch versions before 2.1.0 has a reflected XSS with social networks fields The problem is fixed in 2.1.0 | |||||
| CVE-2020-5286 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | 4.1 MEDIUM |
| In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflected XSS when uploading a wrong file. The problem is fixed in 1.7.6.5 | |||||
| CVE-2020-5285 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | 4.1 MEDIUM |
| In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with `back` parameter. The problem is fixed in 1.7.6.5 | |||||
| CVE-2020-5283 | 1 Viewvc | 1 Viewvc | 2024-11-21 | 2.1 LOW | 3.1 LOW |
| ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28. | |||||
| CVE-2020-5278 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | 4.1 MEDIUM |
| In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on Exception page The problem is fixed in 1.7.6.5 | |||||
| CVE-2020-5277 | 1 Prestashop | 1 Faceted Search Module | 2024-11-21 | 3.5 LOW | 4.1 MEDIUM |
| PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflected XSS with `url_name` parameter. The problem is fixed in 3.5.0 | |||||
| CVE-2020-5276 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | 4.1 MEDIUM |
| In PrestaShop between versions 1.7.1.0 and 1.7.6.5, there is a reflected XSS on AdminCarts page with `cartBox` parameter The problem is fixed in 1.7.6.5 | |||||
| CVE-2020-5273 | 1 Prestashop | 1 Prestashop Linklist | 2024-11-21 | 3.5 LOW | 4.1 MEDIUM |
| In PrestaShop module ps_linklist versions before 3.1.0, there is a stored XSS when using custom URLs. The problem is fixed in version 3.1.0 | |||||
| CVE-2020-5272 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | 4.1 MEDIUM |
| In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflected XSS on Search page with `alias` and `search` parameters. The problem is patched in 1.7.6.5 | |||||
| CVE-2020-5271 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | 4.1 MEDIUM |
| In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with `date_from` and `date_to` parameters in the dashboard page This problem is fixed in 1.7.6.5 | |||||
| CVE-2020-5269 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | 4.1 MEDIUM |
| In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminFeatures page by using the `id_feature` parameter. The problem is fixed in 1.7.6.5 | |||||
| CVE-2020-5266 | 1 Prestashop | 1 Prestashop Link | 2024-11-21 | 3.5 LOW | 4.4 MEDIUM |
| In the ps_link module for PrestaShop before version 3.1.0, there is a stored XSS when you create or edit a link list block with the title field. The problem is fixed in 3.1.0 | |||||
| CVE-2020-5265 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | 4.4 MEDIUM |
| In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminAttributesGroups page. The problem is patched in 1.7.6.5. | |||||
| CVE-2020-5264 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | 4.4 MEDIUM |
| In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to execute arbitrary action. The problem is patched in the 1.7.6.5. | |||||
| CVE-2020-5241 | 1 Matestack | 1 Ui-core | 2024-11-21 | 3.5 LOW | 7.7 HIGH |
| matestack-ui-core (RubyGem) before 0.7.4 is vulnerable to XSS/Script injection. This vulnerability is patched in version 0.7.4. | |||||
| CVE-2020-5226 | 1 Simplesamlphp | 1 Simplesamlphp | 2024-11-21 | 3.5 LOW | 4.4 MEDIUM |
| Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapper of an external dependency. This new wrapper allows us to use Twig templates in order to create the email sent with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-text field in www/errorreport.php was removed to avoid double escaping. However, for those not using the new user interface yet, an email template is hardcoded into the class itself in plain PHP. Since no escaping is provided in this template, it is then possible to inject HTML inside the template by manually crafting the contents of the free-text field. | |||||
| CVE-2020-5223 | 1 Privatebin | 1 Privatebin | 2024-11-21 | 2.1 LOW | 6.1 MEDIUM |
| In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users. | |||||
| CVE-2020-5195 | 1 Cerberusftp | 1 Ftp Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folder_up.png IMG element not properly sanitizing user-inserted directory paths. The path modification must be done on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability impacts anyone who clicks the malicious link crafted by the attacker. | |||||