Total
37676 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15339 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-11-21 | N/A | 6.1 MEDIUM |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name= XSS. | |||||
| CVE-2020-15307 | 1 Nozominetworks | 1 Guardian | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to create a custom field with a crafted field name. | |||||
| CVE-2020-15299 | 1 King-theme | 1 Kingcomposer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is executed in the victim's browser. | |||||
| CVE-2020-15276 | 1 Basercms | 1 Basercms | 2024-11-21 | 3.5 LOW | 7.7 HIGH |
| baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1. | |||||
| CVE-2020-15275 | 1 Moinmo | 1 Moinmoin | 2024-11-21 | 3.5 LOW | 8.7 HIGH |
| MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes. | |||||
| CVE-2020-15274 | 1 Requarks | 1 Wiki.js | 2024-11-21 | 3.5 LOW | 5.8 MEDIUM |
| In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results. | |||||
| CVE-2020-15273 | 1 Basercms | 1 Basercms | 2024-11-21 | 3.5 LOW | 7.3 HIGH |
| baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can access the file upload function category list, subsite setting list, widget area edit, and feed list on the management screen. The issue was introduced in version 4.0.0. It is fixed in version 4.4.1. | |||||
| CVE-2020-15263 | 1 Orchid | 1 Platform | 2024-11-21 | 4.3 MEDIUM | 8.0 HIGH |
| In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4. | |||||
| CVE-2020-15253 | 1 Grocy | 1 Grocy | 2024-11-21 | 3.5 LOW | 7.3 HIGH |
| Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept. | |||||
| CVE-2020-15249 | 1 Octobercms | 1 October | 2024-11-21 | 3.5 LOW | 2.8 LOW |
| October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0. | |||||
| CVE-2020-15241 | 1 Typo3 | 2 Fluid Engine, Typo3 | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
| TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1). | |||||
| CVE-2020-15231 | 1 Mapfish | 1 Print | 2024-11-21 | 4.3 MEDIUM | 9.3 CRITICAL |
| In mapfish-print before version 3.24, a user can use the JSONP support to do a Cross-site scripting. | |||||
| CVE-2020-15221 | 1 Combodo | 1 Itop | 2024-11-21 | 3.5 LOW | 6.8 MEDIUM |
| Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0. | |||||
| CVE-2020-15217 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ. | |||||
| CVE-2020-15183 | 1 Soycms Project | 1 Soycms | 2024-11-21 | 3.5 LOW | 8.4 HIGH |
| SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage. | |||||
| CVE-2020-15179 | 1 Scratch-wiki | 1 Scratchsig | 2024-11-21 | 4.6 MEDIUM | 8.0 HIGH |
| The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely. | |||||
| CVE-2020-15178 | 1 Prestashop | 1 Contactform | 2024-11-21 | 4.3 MEDIUM | 8.0 HIGH |
| In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser. | |||||
| CVE-2020-15177 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 4.3 MEDIUM | 8.0 HIGH |
| In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2. | |||||
| CVE-2020-15169 | 3 Action View Project, Debian, Fedoraproject | 3 Action View, Debian Linux, Fedora | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory. | |||||
| CVE-2020-15162 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8. | |||||