Total
41146 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-15535 | 1 Bestsoftinc | 1 Car Rental System | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the bestsoftinc Car Rental System plugin through 1.3 for WordPress. Persistent XSS can occur via any of the registration fields. | ||||
| CVE-2020-15521 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 6.1 Medium |
| Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) . | ||||
| CVE-2020-15517 | 1 Faceted Search Project | 1 Faceted Search | 2024-11-21 | 5.4 Medium |
| The ke_search (aka Faceted Search) extension through 2.8.2, and 3.x through 3.1.3, for TYPO3 allows XSS. | ||||
| CVE-2020-15516 | 1 Mm Forum Project | 1 Mm Forum | 2024-11-21 | 5.4 Medium |
| The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF. | ||||
| CVE-2020-15514 | 1 Jh Captcha Project | 1 Jh Captcha | 2024-11-21 | 5.4 Medium |
| The jh_captcha extension through 2.1.3, and 3.x through 3.0.2, for TYPO3 allows XSS. | ||||
| CVE-2020-15500 | 1 Tileserver | 1 Tileservergl | 2024-11-21 | 6.1 Medium |
| An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS. | ||||
| CVE-2020-15499 | 1 Asus | 2 Rt-ac1900p, Rt-ac1900p Firmware | 2024-11-21 | 6.1 Medium |
| An issue was discovered on ASUS RT-AC1900P routers before 3.0.0.4.385_20253. They allow XSS via spoofed Release Notes on the Firmware Upgrade page. | ||||
| CVE-2020-15497 | 1 Jalios | 1 Jcms | 2024-11-21 | 5.3 Medium |
| jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 build-20200224104759 allows XSS via the types parameter. Note: It is asserted that this vulnerability is not present in the standard installation of Jalios JCMS | ||||
| CVE-2020-15400 | 1 Cakefoundation | 1 Cakephp | 2024-11-21 | 4.3 Medium |
| CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS. | ||||
| CVE-2020-15364 | 1 Nexos Project | 1 Nexos | 2024-11-21 | 6.1 Medium |
| The Nexos theme through 1.7 for WordPress allows top-map/?search_location= reflected XSS. | ||||
| CVE-2020-15339 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-11-21 | 6.1 Medium |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name= XSS. | ||||
| CVE-2020-15307 | 1 Nozominetworks | 1 Guardian | 2024-11-21 | 6.1 Medium |
| Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to create a custom field with a crafted field name. | ||||
| CVE-2020-15299 | 1 King-theme | 1 Kingcomposer | 2024-11-21 | 6.1 Medium |
| A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is executed in the victim's browser. | ||||
| CVE-2020-15276 | 1 Basercms | 1 Basercms | 2024-11-21 | 7.7 High |
| baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1. | ||||
| CVE-2020-15275 | 1 Moinmo | 1 Moinmoin | 2024-11-21 | 8.7 High |
| MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes. | ||||
| CVE-2020-15274 | 1 Requarks | 1 Wiki.js | 2024-11-21 | 5.8 Medium |
| In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results. | ||||
| CVE-2020-15273 | 1 Basercms | 1 Basercms | 2024-11-21 | 7.3 High |
| baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can access the file upload function category list, subsite setting list, widget area edit, and feed list on the management screen. The issue was introduced in version 4.0.0. It is fixed in version 4.4.1. | ||||
| CVE-2020-15263 | 1 Orchid | 1 Platform | 2024-11-21 | 8 High |
| In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4. | ||||
| CVE-2020-15253 | 1 Grocy | 1 Grocy | 2024-11-21 | 7.3 High |
| Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept. | ||||
| CVE-2020-15249 | 1 Octobercms | 1 October | 2024-11-21 | 2.8 Low |
| October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0. | ||||