Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35724 | 1 Quest | 1 Policy Authority For Unified Communications | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the Error.jsp file via the err parameter (or indirectly via the cpr, tcp, or abs parameter). NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2020-35723 | 1 Quest | 1 Policy Authority For Unified Communications | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the ReportPreview.do file via the referer parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2020-35721 | 1 Quest | 1 Policy Authority For Unified Communications | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseAssets.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2020-35720 | 1 Quest | 1 Policy Authority For Unified Communications | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in multiple fields (first name, last name, and logon name) when creating or modifying a user via the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2020-35719 | 1 Quest | 1 Policy Authority For Unified Communications | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Search/index.jsp file via the added parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2020-35717 | 1 Electronjs | 1 Zonote | 2024-11-21 | 3.5 LOW | 9.0 CRITICAL |
| zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true). | |||||
| CVE-2020-35707 | 1 Daybydaycrm | 1 Daybyday | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Company Name parameter to the New Client screen. | |||||
| CVE-2020-35706 | 1 Daybydaycrm | 1 Daybyday | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Project screen. | |||||
| CVE-2020-35705 | 1 Daybydaycrm | 1 Daybyday | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Name parameter to the New User screen. | |||||
| CVE-2020-35704 | 1 Daybydaycrm | 1 Daybyday | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Lead screen. | |||||
| CVE-2020-35698 | 1 Thinkific | 1 Thinkific | 2024-11-21 | N/A | 6.1 MEDIUM |
| Thinkific Thinkific Online Course Creation Platform 1.0 is affected by: Cross Site Scripting (XSS). The impact is: execute arbitrary code (remote). The component is: Affected Source code of the website CMS which is been used by many to host their online courses using the Thinkific Platform. The attack vector is: To exploit the vulnerability any user has to just visit the link - https://hacktify.thinkific.com/account/billing?success=%E2%80%AA%3Cscript%3Ealert(1)%3C/script%3E. ΒΆΒΆ Thinkific is a Website based Learning Platform Product which is used by thousands of users worldwide. There is a Cross Site Scripting (XSS) based vulnerability in the code of the CMS where any attacker can execute a XSS attack. Proof of Concept & Steps to Reproduce: Step1 : Go to Google.com Step 2 : Search for this Dork site:thinkific.com -www Step 3 : You will get a list of websites which are running on the thinkific domains. Step 4 : Create account and signin in any of the website Step 5 : Add this endpoint at the end of the domain and you will see that there is a XSS Alert /account/billing?success=%E2%80%AA<script>alert(1)</script> Step 6 : Choose any domains from google for any website this exploit will work on all the websites as it is a code based flaw in the CMS Step 7 : Thousands of websites are vulnerable due to this vulnerable code in the CMS itself which is giving rise to the XSS attack. | |||||
| CVE-2020-35677 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payload. One might think this completely mitigates the privilege-escalation impact as there is only one high-privileged role. However, it was discovered that the endpoint responsible for creating the group lacks CSRF protection. | |||||
| CVE-2020-35676 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once the arbitrary Javascript is executed in the context of the admin, this will cause the attacker to gain administrative privileges, effectively leading into an application takeover. This affects app/membership_signup.php and app/admin/pageViewMembers.php. | |||||
| CVE-2020-35664 | 1 Acronis | 1 Cyber Protect | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Acronis Cyber Protect before 15 Update 1 build 26172. There is cross-site scripting (XSS) in the console. | |||||
| CVE-2020-35660 | 1 Monicahq | 1 Monica | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page. | |||||
| CVE-2020-35659 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page. | |||||
| CVE-2020-35650 | 1 Uncannyowl | 1 Uncanny Groups For Learndash | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the ulgm_user_first POST Parameter in user-registration-form.php, the ulgm_user_last POST Parameter in user-registration-form.php, the ulgm_user_email POST Parameter in user-registration-form.php, the ulgm_code_registration POST Parameter in user-registration-form.php, the ulgm_terms_conditions POST Parameter in user-registration-form.php, the _ulgm_total_seats POST Parameter in frontend-uo_groups_buy_courses.php, the uncanny_group_signup_user_first POST Parameter in group-registration-form.php, the uncanny_group_signup_user_last POST Parameter in group-registration-form.php, the uncanny_group_signup_user_login POST Parameter in group-registration-form.php, the uncanny_group_signup_user_email POST Parameter in group-registration-form.php, the success-invited GET Parameter in frontend-uo_groups.php, the bulk-errors GET Parameter in frontend-uo_groups.php, or the message GET Parameter in frontend-uo_groups.php. | |||||
| CVE-2020-35622 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions. | |||||
| CVE-2020-35594 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADManager Plus before 7066 allows XSS. | |||||
| CVE-2020-35592 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI. A remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against other users and steal the session cookie. | |||||