ReportizFlow
Filtered by vendor
Subscriptions
Total
43016 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-11583 | 2 Microsoft, Plesk | 2 Windows, Obsidian | 2024-11-21 | 6.1 Medium |
| A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter. | ||||
| CVE-2020-11556 | 1 Castlerock | 1 Snmpc Online | 2024-11-21 | 5.4 Medium |
| An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. There are multiple persistent (stored) and reflected XSS vulnerabilities. | ||||
| CVE-2020-11516 | 1 Contact-form-7-datepicker Project | 1 Contact-form-7-datepicker | 2024-11-21 | 5.4 Medium |
| Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action and the ui_theme parameter. If an administrator creates or modifies a contact form, the JavaScript will be executed in their browser, which can then be used to create new administrative users or perform other actions using the administrator's session. | ||||
| CVE-2020-11512 | 1 Idxbroker | 1 Impress For Idx Broker | 2024-11-21 | 5.4 Medium |
| Stored XSS in the IMPress for IDX Broker WordPress plugin before 2.6.2 allows authenticated attackers with minimal (subscriber-level) permissions to save arbitrary JavaScript in the plugin's settings panel via the idx_update_recaptcha_key AJAX action and a crafted idx_recaptcha_site_key parameter, which would then be executed in the browser of any administrator visiting the panel. This could be used to create new administrator-level accounts. | ||||
| CVE-2020-11509 | 1 Wpleadplus | 1 Wp Lead Plus X | 2024-11-21 | 6.1 Medium |
| An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37_wpl_import_template admin-post action (which will execute in an administrator's browser if the template is used to create a page). | ||||
| CVE-2020-11508 | 1 Wpleadplus | 1 Wp Lead Plus X | 2024-11-21 | 5.4 Medium |
| An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows logged-in users with minimal permissions to create or replace existing pages with a malicious page containing arbitrary JavaScript via the wp_ajax_core37_lp_save_page (aka core37_lp_save_page) AJAX action. | ||||
| CVE-2020-11499 | 1 Firmware Analysis And Comparison Tool Project | 1 Firmware Analysis And Comparison Tool | 2024-11-21 | 6.1 Medium |
| Firmware Analysis and Comparison Tool (FACT) 3 has Stored XSS when updating analysis details via a localhost web request, as demonstrated by mishandling of the tags and version fields in helperFunctions/mongo_task_conversion.py. | ||||
| CVE-2020-11457 | 1 Netgate | 1 Pfsense | 2024-11-21 | 5.4 Medium |
| pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user. | ||||
| CVE-2020-11456 | 1 Limesurvey | 1 Limesurvey | 2024-11-21 | 5.4 Medium |
| LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). | ||||
| CVE-2020-11454 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | 5.4 Medium |
| Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the application. | ||||
| CVE-2020-11448 | 1 Bell | 2 Home Hub 3000, Home Hub 3000 Firmware | 2024-11-21 | 6.1 Medium |
| An issue was discovered on Bell HomeHub 3000 SG48222070 devices. There is XSS related to the email field and the login page. | ||||
| CVE-2020-11436 | 1 Librehealth | 1 Librehealth Ehr | 2024-11-21 | 9.0 Critical |
| LibreHealth EMR v2.0.0 is vulnerable to XSS that results in the ability to force arbitrary actions on behalf of other users including administrators. | ||||
| CVE-2020-11416 | 1 Jetbrains | 1 Space | 2024-11-21 | 5.4 Medium |
| JetBrains Space through 2020-04-22 allows stored XSS in Chats. | ||||
| CVE-2020-11110 | 3 Grafana, Netapp, Redhat | 4 Grafana, E-series Performance Analyzer, Enterprise Linux and 1 more | 2024-11-21 | 5.4 Medium |
| Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. | ||||
| CVE-2020-11106 | 1 Tecrail | 1 Responsive Filemanager | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $_SESSION['RF']["view_type"] wasn't sanitized if it was already set. This made stored XSS possible if one opens ajax_calls.php and uses the "view" action and places a payload in the type parameter, and then returns to the dialog.php page. This occurs because ajax_calls.php was also able to set the $_SESSION['RF']["view_type"] variable, but there it wasn't sanitized. | ||||
| CVE-2020-11083 | 1 Octobercms | 1 October | 2024-11-21 | 3.5 Low |
| In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1. | ||||
| CVE-2020-11082 | 2 Debian, Kaminari Project | 2 Debian Linux, Kaminari | 2024-11-21 | 6.4 Medium |
| In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1. | ||||
| CVE-2020-11074 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 5.4 Medium |
| In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6. | ||||
| CVE-2020-11070 | 1 Typo3 | 1 Svg Sanitizer | 2024-11-21 | 5.4 Medium |
| The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulnerability in versions before 1.0.3. Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Albeit the markup is not valid it still is evaluated in browsers and leads to cross-site scripting. This is fixed in version 1.0.3. | ||||
| CVE-2020-11065 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.4 Medium |
| In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. This has been fixed in 9.5.17 and 10.4.2. | ||||