Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15517 | 1 Faceted Search Project | 1 Faceted Search | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The ke_search (aka Faceted Search) extension through 2.8.2, and 3.x through 3.1.3, for TYPO3 allows XSS. | |||||
| CVE-2020-15516 | 1 Mm Forum Project | 1 Mm Forum | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF. | |||||
| CVE-2020-15514 | 1 Jh Captcha Project | 1 Jh Captcha | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The jh_captcha extension through 2.1.3, and 3.x through 3.0.2, for TYPO3 allows XSS. | |||||
| CVE-2020-15500 | 1 Tileserver | 1 Tileservergl | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS. | |||||
| CVE-2020-15499 | 1 Asus | 2 Rt-ac1900p, Rt-ac1900p Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on ASUS RT-AC1900P routers before 3.0.0.4.385_20253. They allow XSS via spoofed Release Notes on the Firmware Upgrade page. | |||||
| CVE-2020-15497 | 1 Jalios | 1 Jcms | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 build-20200224104759 allows XSS via the types parameter. Note: It is asserted that this vulnerability is not present in the standard installation of Jalios JCMS | |||||
| CVE-2020-15400 | 1 Cakefoundation | 1 Cakephp | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS. | |||||
| CVE-2020-15364 | 1 Nexos Project | 1 Nexos | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Nexos theme through 1.7 for WordPress allows top-map/?search_location= reflected XSS. | |||||
| CVE-2020-15339 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-11-21 | N/A | 6.1 MEDIUM |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name= XSS. | |||||
| CVE-2020-15307 | 1 Nozominetworks | 1 Guardian | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to create a custom field with a crafted field name. | |||||
| CVE-2020-15299 | 1 King-theme | 1 Kingcomposer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is executed in the victim's browser. | |||||
| CVE-2020-15276 | 1 Basercms | 1 Basercms | 2024-11-21 | 3.5 LOW | 7.7 HIGH |
| baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1. | |||||
| CVE-2020-15275 | 1 Moinmo | 1 Moinmoin | 2024-11-21 | 3.5 LOW | 8.7 HIGH |
| MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes. | |||||
| CVE-2020-15274 | 1 Requarks | 1 Wiki.js | 2024-11-21 | 3.5 LOW | 5.8 MEDIUM |
| In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results. | |||||
| CVE-2020-15273 | 1 Basercms | 1 Basercms | 2024-11-21 | 3.5 LOW | 7.3 HIGH |
| baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can access the file upload function category list, subsite setting list, widget area edit, and feed list on the management screen. The issue was introduced in version 4.0.0. It is fixed in version 4.4.1. | |||||
| CVE-2020-15263 | 1 Orchid | 1 Platform | 2024-11-21 | 4.3 MEDIUM | 8.0 HIGH |
| In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.0 and fixed in 9.4.4. | |||||
| CVE-2020-15253 | 1 Grocy | 1 Grocy | 2024-11-21 | 3.5 LOW | 7.3 HIGH |
| Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept. | |||||
| CVE-2020-15249 | 1 Octobercms | 1 October | 2024-11-21 | 3.5 LOW | 2.8 LOW |
| October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0. | |||||
| CVE-2020-15245 | 1 Sylius | 1 Sylius | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here. | |||||
| CVE-2020-15241 | 1 Typo3 | 2 Fluid Engine, Typo3 | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
| TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1). | |||||