Total
41118 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-11083 | 1 Octobercms | 1 October | 2024-11-21 | 3.5 Low |
| In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1. | ||||
| CVE-2020-11082 | 2 Debian, Kaminari Project | 2 Debian Linux, Kaminari | 2024-11-21 | 6.4 Medium |
| In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1. | ||||
| CVE-2020-11074 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 5.4 Medium |
| In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6. | ||||
| CVE-2020-11070 | 1 Typo3 | 1 Svg Sanitizer | 2024-11-21 | 5.4 Medium |
| The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulnerability in versions before 1.0.3. Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Albeit the markup is not valid it still is evaluated in browsers and leads to cross-site scripting. This is fixed in version 1.0.3. | ||||
| CVE-2020-11065 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.4 Medium |
| In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly. This has been fixed in 9.5.17 and 10.4.2. | ||||
| CVE-2020-11064 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.4 Medium |
| In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. | ||||
| CVE-2020-11062 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 6 Medium |
| In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6. | ||||
| CVE-2020-11055 | 1 Bookstackapp | 1 Bookstack | 2024-11-21 | 6.3 Medium |
| In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to others users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore ran on other user machines. This most impacts scenarios where not-trusted users are given permission to create comments. This has been fixed in 0.29.2. | ||||
| CVE-2020-11051 | 1 Requarks | 1 Wiki.js | 2024-11-21 | 6.9 Medium |
| In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor (with write access as well) load the same page into the Markdown editor, the XSS payload will be executed as part of the preview panel. The rendered result does not contain the XSS payload as it is stripped by the HTML Sanitization security module. This vulnerability only impacts editors loading the malicious page in the Markdown editor. This has been patched in 2.3.81. | ||||
| CVE-2020-11036 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 7.6 High |
| In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "<script>alert(1)</script>" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket 3. As an administrator (or other privileged user) open the created ticket 4. On the "last update" field, put your mouse on the name of the user 5. The XSS fires This is fixed in version 9.4.6. | ||||
| CVE-2020-11030 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 6.4 Medium |
| In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | ||||
| CVE-2020-11029 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 5.8 Medium |
| In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | ||||
| CVE-2020-11026 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 8.7 High |
| In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | ||||
| CVE-2020-11025 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 5.8 Medium |
| In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | ||||
| CVE-2020-11022 | 9 Debian, Drupal, Fedoraproject and 6 more | 88 Debian Linux, Drupal, Fedora and 85 more | 2024-11-21 | 6.9 Medium |
| In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | ||||
| CVE-2020-11006 | 1 Shopizer | 1 Shopizer | 2024-11-21 | 9.1 Critical |
| In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend. This has been patched in version 2.11.0. | ||||
| CVE-2020-11001 | 1 Torchbox | 1 Wagtail | 2024-11-21 | 5.8 Medium |
| In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch). | ||||
| CVE-2020-10989 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2024-11-21 | 6.1 Medium |
| An XSS issue in the /goform/WifiBasicSet endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute malicious payloads via the WifiName POST parameter. | ||||
| CVE-2020-10985 | 1 Gambio | 1 Gambio Gx | 2024-11-21 | 4.8 Medium |
| Gambio GX before 4.0.1.0 allows XSS in admin/coupon_admin.php. | ||||
| CVE-2020-10946 | 1 Centreon | 3 Centreon Host-monitoring Widget, Centreon Service-monitoring Widget, Centreon Tactical-overview Widget | 2024-11-21 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the page parameter to service-monitoring/src/index.php. This vulnerability is fixed in versions 1.6.4, 18.10.3, 19.04.3, and 19.0.1 of the Centreon host-monitoring widget; 1.6.4, 18.10.5, 19.04.3, 19.10.2 of the Centreon service-monitoring widget; and 1.0.3, 18.10.1, 19.04.1, 19.10.1 of the Centreon tactical-overview widget. | ||||