Total
2932 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-4520 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to inject malicious HTML code that when viewed by the authenticated victim would execute the code. IBM X-Force ID: 182395. | |||||
| CVE-2020-4054 | 1 Sanitize Project | 1 Sanitize | 2024-11-21 | 6.8 MEDIUM | 7.3 HIGH |
| In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's "relaxed" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. This has been fixed in 5.2.1. | |||||
| CVE-2020-4041 | 1 Boltcms | 1 Bolt | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
| In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented. This is fixed in Bolt 3.7.1. | |||||
| CVE-2020-4038 | 1 Prisma | 5 Graphql-playground-html, Graphql-playground-middleware-express, Graphql-playground-middleware-hapi and 2 more | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
| GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13. | |||||
| CVE-2020-36769 | 1 Porternovelli | 1 Widget Settings Importer\/exporter | 2024-11-21 | N/A | 7.4 HIGH |
| The Widget Settings Importer/Exporter Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp_ajax_import_widget_dataparameter AJAX action in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2020-36731 | 1 Wpdesk | 1 Flexible Checkout Fields For Woocommerce | 2024-11-21 | N/A | 7.2 HIGH |
| The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored. | |||||
| CVE-2020-35937 | 1 Pickplugins | 2 Post Grid, Team Showcase | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to team_import_xml_layouts. | |||||
| CVE-2020-35936 | 1 Pickplugins | 2 Post Grid, Team Showcase | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts. | |||||
| CVE-2020-35741 | 1 Hgiga | 4 Msr45 Isherlock-antispam, Msr45 Isherlock-user, Ssr45 Isherlock-antispam and 1 more | 2024-11-21 | 4.3 MEDIUM | 7.0 HIGH |
| HGiga MailSherlock does not validate user parameters on multiple login pages. Attackers can use the vulnerability to inject JavaScript syntax for XSS attacks. | |||||
| CVE-2020-35740 | 1 Hgiga | 4 Msr45 Isherlock-antispam, Msr45 Isherlock-user, Ssr45 Isherlock-antispam and 1 more | 2024-11-21 | 4.3 MEDIUM | 7.0 HIGH |
| HGiga MailSherlock does not validate specific URL parameters properly that allows attackers to inject JavaScript syntax for XSS attacks. | |||||
| CVE-2020-35475 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.) | |||||
| CVE-2020-2036 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9. | |||||
| CVE-2020-2017 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
| A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All versions of PAN-OS 8.0. | |||||
| CVE-2020-2005 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 4.3 MEDIUM | 7.1 HIGH |
| A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7; All versions of PAN-OS 8.0. | |||||
| CVE-2020-29029 | 1 Secomea | 1 Gatemanager Firmware | 2024-11-21 | 4.3 MEDIUM | 7.3 HIGH |
| Improper Input Validation, Cross-site Scripting (XSS) vulnerability in Web GUI of Secomea GateManager allows an attacker to execute arbitrary javascript code. This issue affects: Secomea GateManager all versions prior to 9.4. | |||||
| CVE-2020-28459 | 1 Markdown-it-decorate Project | 1 Markdown-it-decorate | 2024-11-21 | N/A | 7.3 HIGH |
| This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link. | |||||
| CVE-2020-28457 | 1 S-cart | 1 S-cart | 2024-11-21 | 3.5 LOW | 7.2 HIGH |
| This affects the package s-cart/core before 4.4. The search functionality of the admin dashboard in core/src/Admin/Controllers/AdminOrderController.phpindex is vulnerable to XSS. | |||||
| CVE-2020-28456 | 1 S-cart | 1 S-cart | 2024-11-21 | 4.3 MEDIUM | 7.3 HIGH |
| The package s-cart/core before 4.4 are vulnerable to Cross-site Scripting (XSS) via the admin panel. | |||||
| CVE-2020-28455 | 1 Markdown-it-toc Project | 1 Markdown-it-toc | 2024-11-21 | N/A | 7.3 HIGH |
| This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped. | |||||
| CVE-2020-27659 | 1 Synology | 1 Safeaccess | 2024-11-21 | 3.5 LOW | 8.4 HIGH |
| Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter. | |||||