Total: 37560 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-7971 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
GitLab EE 11.0 and later through 12.7.2 allows XSS. | |||||
CVE-2020-7937 | 1 Plone | 1 Plone | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | |||||
CVE-2020-7934 | 1 Liferay | 1 Liferay Portal | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
In Liferay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload is then rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields appears in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1. | |||||
CVE-2020-7915 | 1 Eaton | 2 5p 850, 5p 850 Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator. | |||||
CVE-2020-7913 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description. | |||||
CVE-2020-7911 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
In JetBrains TeamCity before 2019.2, several user-level pages were vulnerable to XSS. | |||||
CVE-2020-7910 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
JetBrains TeamCity before 2019.2 was vulnerable to a stored XSS attack by a user with the developer role. | |||||
CVE-2020-7809 | 1 Altools | 1 Alsong | 2024-11-21 | 4.3 MEDIUM | 4.4 MEDIUM |
ALSong 3.46 and earlier versions contain a Document Object Model (DOM) based cross-site scripting vulnerability caused by improper validation of user input. A remote attacker could exploit this vulnerability by tricking the victim into opening an ALSong Album (.sab) file. | |||||
CVE-2020-7776 | 1 Phpoffice | 1 Phpspreadsheet | 2024-11-21 | 3.5 LOW | 7.1 HIGH |
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file that has a comment on any cell. The root cause is in the HTML writer, where user comments are concatenated into a link and returned as HTML. A fix for this issue is available in commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845 on the master branch. | |||||
CVE-2020-7773 | 1 Markdown-it-highlightjs Project | 1 Markdown-it-highlightjs | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
This affects the package markdown-it-highlightjs before 3.3.1. It is possible to insert malicious JavaScript as the value of lang in the markdown-it-highlightjs inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const result_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(result_xss); | |||||
CVE-2020-7750 | 1 Mit | 1 Scratch-svg-renderer | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function. | |||||
CVE-2020-7749 | 1 Osm-static-maps Project | 1 Osm-static-maps | 2024-11-21 | 6.5 MEDIUM | 7.6 HIGH |
This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}), so an attacker can inject arbitrary HTML/JS code. Depending on the context, it is either output as HTML on the page, which gives an opportunity for XSS, or rendered on the server (puppeteer), which also gives an opportunity for SSRF and local file read. | |||||
CVE-2020-7747 | 1 Lightning-viz | 1 Lightning | 2024-11-21 | 3.5 LOW | 6.3 MEDIUM |
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller. | |||||
CVE-2020-7741 | 1 Hello.js Project | 1 Hello.js | 2024-11-21 | 7.5 HIGH | 9.9 CRITICAL |
This affects the package hellojs before 1.18.6. The code gets the oauth_redirect parameter from the URL and passes it to location.assign without any check or sanitisation, so an attacker can simply pass an XSS payload such as javascript:alert(1) in the oauth_redirect parameter. | |||||
CVE-2020-7734 | 1 Arachnys | 1 Cabot | 2024-11-21 | 3.5 LOW | 8.2 HIGH |
All versions of package cabot are vulnerable to Cross-site Scripting (XSS) via the Endpoint column. | |||||
CVE-2020-7691 | 1 Parall | 1 Jspdf | 2024-11-21 | 4.3 MEDIUM | 6.3 MEDIUM |
In all versions of the package jspdf, it is possible to use <<script>script> to bypass the filtering regex. | |||||
CVE-2020-7690 | 1 Parall | 1 Jspdf | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS). It is possible to inject JavaScript code via the html method. | |||||
CVE-2020-7680 | 1 Docsifyjs | 1 Docsify | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (the part of the URL after the # sign) to load resources from server-side .md files. Due to a lack of validation here, it is possible to provide an external URL after the /#/ (domain.com/#//attacker.com) and render arbitrary JavaScript/HTML inside the docsify page. | |||||
CVE-2020-7676 | 1 Angularjs | 1 Angular.js | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
angular.js prior to 1.8.0 allows cross-site scripting. The regex-based input HTML replacement may turn sanitized markup into unsanitized markup: wrapping "<option>" elements in "<select>" elements changes parsing behavior, possibly unsanitizing the content. | |||||
CVE-2020-7656 | 4 Jquery, Juniper, Netapp and 1 more | 7 Jquery, Junos, Active Iq Unified Manager and 4 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags whose closing tag contains a whitespace character, e.g. "</script >", which results in the enclosed script being executed. |
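The markdown-it-highlightjs entry (CVE-2020-7773) is an attribute-context injection: the code body is escaped, but the lang token lands inside class="..." untouched. The following is an added example written for this page, not the plugin's own code; it uses a constructed mini-grammar for `code`{.lang} and a constructed payload to show the break-out and the allow-list fix.

```javascript
// Added example, not markdown-it-highlightjs's own code: a minimal renderer for
// the `code`{.lang} inline-highlighting syntax, written to show why an
// unvalidated lang value becomes an attribute-injection XSS and how to close it.

// Escape text for an HTML body or a double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// `code`{.lang}  ->  code text and the lang token (constructed grammar, kept
// deliberately small; the real markdown-it tokeniser works differently).
const INLINE_CODE = /`([^`]+)`\{\.([^}]*)\}/g;

// Vulnerable pattern: the code body is escaped, but lang is dropped straight
// into the class attribute, so a quote in it breaks out of the attribute.
function renderVulnerable(markdown) {
  return markdown.replace(INLINE_CODE, (_m, code, lang) =>
    `<code class="language-${lang}">${escapeHtml(code)}</code>`);
}

// Hardened pattern: allow-list the language token (it is an identifier, not
// free text), fall back to a fixed class, and escape whatever is emitted.
const LANG_TOKEN = /^[A-Za-z0-9_+#-]{1,32}$/;

function renderHardened(markdown) {
  return markdown.replace(INLINE_CODE, (_m, code, lang) => {
    const cls = LANG_TOKEN.test(lang) ? `language-${lang}` : 'language-plaintext';
    return `<code class="${escapeHtml(cls)}">${escapeHtml(code)}</code>`;
  });
}

// Constructed payload: closes the class attribute and adds an event handler.
const PAYLOAD = 'Run `console.log(42)`{."><img src=x onerror=alert(1)>}';

function demo() {
  return { vulnerable: renderVulnerable(PAYLOAD), hardened: renderHardened(PAYLOAD) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log('vulnerable:', out.vulnerable);
  console.log('hardened:  ', out.hardened);
}
```

The point to carry over to any highlighter or template: a value that goes into an attribute needs both escaping and a shape check, because escaping alone still lets an attacker pick arbitrary class names, and a shape check alone is one refactor away from being skipped.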
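The hello.js entry (CVE-2020-7741) is the location.assign(oauth_redirect) pattern. The following is an added example written for this page, not hello.js's own code; it assumes a constructed page origin of https://app.example.com and a policy of same-origin http(s) targets only, and replaces location.assign with a callback so it runs outside a browser.

```javascript
// Added example, not hello.js's own code: a guard for the oauth_redirect value
// before it reaches location.assign. Assumes the page origin is
// https://app.example.com (constructed) and that only same-origin http(s)
// targets are acceptable.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the absolute URL to navigate to, or null if the candidate must be
// rejected. Parsing with URL (not string-prefix checks) is what defeats
// javascript:, data:, scheme-relative //host and backslash forms.
function safeRedirectTarget(candidate, pageOrigin) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  let url;
  try {
    url = new URL(candidate, pageOrigin);   // relative paths resolve against our origin
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;   // blocks javascript:, data:, vbscript:
  if (url.origin !== pageOrigin) return null;            // blocks open redirect to other hosts
  return url.href;
}

// The vulnerable pattern the advisory describes, kept for contrast. `nav`
// stands in for location.assign.
function redirectUnchecked(candidate, nav) {
  nav(candidate);
}

// Hardened: navigate only to a validated target, otherwise to a safe default.
function redirectChecked(candidate, pageOrigin, nav) {
  const target = safeRedirectTarget(candidate, pageOrigin);
  if (target === null) {
    nav(pageOrigin + '/');
    return false;
  }
  nav(target);
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  const origin = 'https://app.example.com';
  for (const c of ['javascript:alert(1)', '//attacker.example/login', '/dashboard?tab=1']) {
    console.log(c, '->', safeRedirectTarget(c, origin));
  }
}
```

If the application legitimately needs to send users to other hosts after OAuth, replace the origin comparison with an explicit allow-list of origins; keep the scheme check regardless, since that is the line between an open redirect and script execution.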
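The docsify entry (CVE-2020-7680) turns on one detail: a route of //attacker.com taken from the fragment is a scheme-relative URL, so resolving it against the page yields the attacker's host. The following is an added example written for this page, not docsify's own code; the page URL, docs directory and routes are constructed.

```javascript
// Added example, not docsify's own code: how a fragment-derived route becomes a
// cross-origin fetch, and a resolver that pins the result to the site's own
// docs directory. Page URL, docs directory and routes are constructed.

// The vulnerable idea: take what follows "#" and hand it to the URL resolver
// (or fetch()) as-is. "//attacker.example/evil" is scheme-relative, so it
// resolves to the attacker's host.
function resolveUnchecked(hash, pageUrl) {
  const route = hash.startsWith('#') ? hash.slice(1) : hash;
  return new URL(route + '.md', pageUrl).href;
}

// Hardened: refuse explicit schemes, force a docs-relative path, resolve, then
// verify origin and directory on the normalised result (this also catches
// ../ and %2e%2e traversal, because URL normalises them before we look).
function resolveChecked(hash, pageUrl, docsDir = '/docs/') {
  const page = new URL(pageUrl);
  const base = new URL(docsDir, page.origin);
  let route = hash.startsWith('#') ? hash.slice(1) : hash;
  if (/^[a-z][a-z0-9+.-]*:/i.test(route)) return null;   // http:, javascript:, data: ...
  route = route.replace(/^[\\/]+/, '');                   // kills "//host" and "\\host" forms
  let target;
  try {
    target = new URL(route + '.md', base);
  } catch {
    return null;
  }
  if (target.origin !== page.origin) return null;
  if (!target.pathname.startsWith(base.pathname)) return null;
  return target.href;
}

if (typeof require !== 'undefined' && require.main === module) {
  const page = 'https://docs.example.com/';
  for (const h of ['#/guide/install', '#//attacker.example/evil', '#/../../etc/passwd']) {
    console.log(h, '->', resolveUnchecked(h, page), '|', resolveChecked(h, page));
  }
}
```

The check is done on target.pathname after construction rather than on the raw route string on purpose: the WHATWG URL parser is what the browser will use, so validating its output is the only way to be sure what will actually be fetched.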
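The jsPDF entry (CVE-2020-7691, <<script>script>) and the jQuery entry (CVE-2020-7656, </script > with whitespace) are two classic failures of regex-based script stripping: a single-pass delete that reassembles a tag, and a closer pattern stricter than the HTML parser. The following is an added example written for this page; the filters in it are constructed stand-ins for the two failure modes, not the libraries' actual expressions.

```javascript
// Added example, not jsPDF's or jQuery's code: two ways a regex-based script
// filter fails, modelled on the descriptions of CVE-2020-7691 (nested
// <<script>script>) and CVE-2020-7656 (</script > with whitespace). The
// filters are constructed stand-ins, not the libraries' actual expressions.

// Filter A: delete literal <script> / </script> tags in one pass.
function stripScriptTagsOnce(html) {
  return html.replace(/<\/?script>/gi, '');
}

// Fix for A: a removal filter must run to a fixed point, because each pass can
// reassemble a tag that the previous pass did not see.
function stripScriptTagsFixpoint(html) {
  let prev;
  do {
    prev = html;
    html = stripScriptTagsOnce(html);
  } while (html !== prev);
  return html;
}

// Filter B: remove whole <script>...</script> blocks, but only with an exact
// "</script>" closer.
function stripScriptBlocksStrictClose(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Fix for B: the HTML parser accepts whitespace before ">" in an end tag, so
// the regex must too.
function stripScriptBlocks(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// What to prefer when the input should not contain markup at all: escape
// instead of strip, so there is nothing left to reassemble.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Constructed inputs for the two failure modes.
const NESTED = '<<script>script>alert(1)<</script>/script>';
const SPACED = '<script>alert(1)</script >';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('A once     :', stripScriptTagsOnce(NESTED));      // a live <script> survives
  console.log('A fixpoint :', stripScriptTagsFixpoint(NESTED));
  console.log('B strict   :', stripScriptBlocksStrictClose(SPACED)); // unchanged
  console.log('B lenient  :', stripScriptBlocks(SPACED));
  console.log('escaped    :', escapeHtml(NESTED));
}
```

Even the fixed-point and whitespace-tolerant variants only address the two specific bypasses listed here; they do nothing about event-handler attributes, javascript: URLs or other tag names. Where HTML must be allowed through, a parser-based sanitizer is the right tool, and where it must not, escaping is.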