Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1401 | CVE-2020-35592 | 79 | | XSS | 2021-02-18 | 2021-02-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI. A remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against other users and steal the session cookie. |
| 1402 | CVE-2020-35589 | 79 | | XSS | 2020-12-21 | 2020-12-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. |
| 1403 | CVE-2020-35582 | 79 | | XSS | 2021-01-15 | 2021-01-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/post.php request with the post_title parameter. |
| 1404 | CVE-2020-35581 | 79 | | XSS | 2021-01-15 | 2021-01-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the meta[title] parameter. |
| 1405 | CVE-2020-35563 | 79 | | XSS | 2021-02-16 | 2021-02-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page. |
| 1406 | CVE-2020-35482 | 79 | | XSS | 2021-02-03 | 2021-02-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS. |
| 1407 | CVE-2020-35418 | 79 | | XSS | 2021-04-14 | 2021-04-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Group Office CRM 6.4.196 is affected by Cross Site Scripting (XSS) in the contact page by uploading a crafted svg file. |
| 1408 | CVE-2020-35391 | 416 | | +Info | 2021-01-01 | 2021-07-21 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. NOTE: the vulnerability report may suggest that either a ? character must be placed after the RouterCfm.cfg filename, or that the HTTP request headers must be unusual, but it is not known why these are relevant to the device's HTTP response behavior. |
| 1409 | CVE-2020-35349 | 79 | | XSS | 2020-12-26 | 2020-12-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Savsoft Quiz 5 is affected by: Cross Site Scripting (XSS) via field_title (aka a title on the custom fields page). |
| 1410 | CVE-2020-35346 | 79 | | XSS | 2020-12-26 | 2020-12-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | CXUUCMS V3 3.1 is affected by a reflected XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the imgurl parameter of admin.php?c=content&a=add. |
| 1411 | CVE-2020-35328 | 79 | | XSS | 2021-03-04 | 2021-03-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Courier Management System 1.0 - 'First Name' Stored XSS |
| 1412 | CVE-2020-35309 | 79 | | XSS | 2021-01-26 | 2021-02-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Bakeshop Online Ordering System in PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML in admin dashboard - "Categories". |
| 1413 | CVE-2020-35275 | 79 | | XSS | 2020-12-21 | 2020-12-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Coastercms v5.8.18 is affected by cross-site Scripting (XSS). A user can steal a cookie and make the user redirect to any malicious website because it is triggered on the main home page of the product/application. |
| 1414 | CVE-2020-35274 | 79 | | +Priv XSS | 2020-12-21 | 2020-12-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | DotCMS Add Template with admin panel 20.11 is affected by cross-site Scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS. |
| 1415 | CVE-2020-35272 | 79 | | XSS | 2021-01-20 | 2021-01-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Admin Portal in the Task and Description fields. |
| 1416 | CVE-2020-35271 | 79 | | XSS | 2021-01-20 | 2021-01-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Employees, First Name and Last Name fields. |
| 1417 | CVE-2020-35241 | 79 | | XSS | 2020-12-30 | 2021-01-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in Blog content via the admin panel. Each time any user goes to that blog page, the XSS triggers and the attacker can steal the cookie according to the crafted payload. |
| 1418 | CVE-2020-35240 | 79 | | XSS | 2020-12-30 | 2021-07-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | FluxBB 1.5.11 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in "Blog Content" and each time any user visits the blog, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload. |
| 1419 | CVE-2020-35228 | 79 | | XSS | 2021-03-10 | 2021-03-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in the administration web panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allows remote attackers to inject arbitrary web script or HTML via the language parameter. |
| 1420 | CVE-2020-35221 | 327 | | | 2021-03-10 | 2021-07-21 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | The hashing algorithm implemented for NSDP password authentication on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was found to be insecure, allowing attackers (with access to a network capture) to quickly generate multiple collisions to generate valid passwords, or infer some parts of the original. |
| 1421 | CVE-2020-35208 | 287 | | Bypass | 2020-12-12 | 2020-12-15 | 3.3 | None | Local | Medium | Not required | Partial | Partial | None | ** DISPUTED ** An issue was discovered in the LogMein LastPass Password Manager (aka com.lastpass.ilastpass) app 4.8.11.2403 for iOS. The password authentication for unlocking can be bypassed by forcing the authentication result to be true through runtime manipulation. In other words, an attacker could authenticate with an arbitrary password. NOTE: the vendor has indicated that this is not an attack of interest within the context of their threat model, which excludes jailbroken devices. |
| 1422 | CVE-2020-35207 | 287 | | Bypass | 2020-12-12 | 2020-12-15 | 3.3 | None | Local | Medium | Not required | Partial | Partial | None | ** DISPUTED ** An issue was discovered in the LogMein LastPass Password Manager (aka com.lastpass.ilastpass) app 4.8.11.2403 for iOS. The PIN authentication for unlocking can be bypassed by forcing the authentication result to be true through runtime manipulation. In other words, an attacker could authenticate with an arbitrary PIN. NOTE: the vendor has indicated that this is not an attack of interest within the context of their threat model, which excludes jailbroken devices. |
| 1423 | CVE-2020-35202 | 79 | | XSS | 2020-12-12 | 2020-12-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS. |
| 1424 | CVE-2020-35201 | 79 | | XSS | 2020-12-12 | 2020-12-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS. |
| 1425 | CVE-2020-35199 | 79 | | XSS | 2020-12-12 | 2020-12-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS. |
| 1426 | CVE-2020-35170 | 79 | | XSS | 2021-01-05 | 2021-01-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject javascript code and affect other authenticated users' sessions. |
| 1427 | CVE-2020-35132 | 79 | | XSS | 2020-12-11 | 2020-12-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php. |
| 1428 | CVE-2020-35127 | 79 | | XSS | 2020-12-11 | 2020-12-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS. |
| 1429 | CVE-2020-35126 | 79 | | XSS | 2020-12-11 | 2020-12-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | ** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy." |
| 1430 | CVE-2020-29593 | 79 | | XSS | 2021-04-14 | 2021-04-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in Orchard before 1.10. The Media Settings Allowed File Types list field allows an attacker to add a XSS payload that will execute when users attempt to upload a disallowed file type, causing the error to display. |
| 1431 | CVE-2020-29587 | 79 | | XSS | 2021-01-14 | 2021-01-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SimplCommerce 1.0.0-rc uses the Bootbox.js library, which allows creation of programmatic dialog boxes using Bootstrap modals. The Bootbox.js library intentionally does not perform any sanitization of user input, which results in a DOM XSS, because it uses the jQuery .html() function to directly append the payload to a dialog. |
| 1432 | CVE-2020-29539 | 79 | | XSS | 2020-12-08 | 2020-12-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A Cross-Site Scripting (XSS) issue in WebUI Translation in Systran Pure Neural Server before 9.7.0 allows a threat actor to have a remote authenticated user run JavaScript from a malicious site. |
| 1433 | CVE-2020-29535 | 79 | | Exec Code XSS | 2021-01-29 | 2021-02-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Archer before 6.8 P4 (6.8.0.4) contains a stored XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. |
| 1434 | CVE-2020-29497 | 79 | | Exec Code XSS | 2021-01-04 | 2021-01-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to store malicious HTML or JavaScript code under the device tag. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. |
| 1435 | CVE-2020-29496 | 79 | | Exec Code XSS | 2021-01-04 | 2021-01-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. |
| 1436 | CVE-2020-29477 | 79 | | XSS | 2020-12-30 | 2021-01-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. This vulnerability can allow an attacker to inject the XSS payload in Field Name and each time any user opens it, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload. |
| 1437 | CVE-2020-29475 | 79 | | XSS | 2020-12-29 | 2020-12-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user goes to that page of the website, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload. |
| 1438 | CVE-2020-29471 | 79 | | Exec Code XSS | 2020-12-29 | 2020-12-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone sees the profile picture, the code will execute and XSS will trigger. |
| 1439 | CVE-2020-29470 | 79 | | XSS | 2020-12-29 | 2020-12-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each time any user opens that mail of the website, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload. |
| 1440 | CVE-2020-29469 | 79 | | XSS | 2020-12-30 | 2021-01-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. This vulnerability can allow an attacker to inject the XSS payload in the Setting - Menu and each time any user visits the website directory, the XSS triggers and the attacker can steal the cookie according to the crafted payload. |
| 1441 | CVE-2020-29444 | 79 | | XSS | 2021-05-07 | 2021-05-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters. |
| 1442 | CVE-2020-29443 | 125 | | | 2021-01-26 | 2021-03-15 | 3.3 | None | Local | Medium | Not required | Partial | None | Partial | ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. |
| 1443 | CVE-2020-29438 | 347 | | | 2020-11-30 | 2020-12-04 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | Tesla Model X vehicles before 2020-11-23 have key fobs that accept firmware updates without signature verification. This allows attackers to construct firmware that retrieves an unlock code from a secure enclave chip. |
| 1444 | CVE-2020-29374 | 362 | | | 2020-11-28 | 2021-07-13 | 3.3 | None | Local | Medium | Not required | Partial | Partial | None | An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58. |
| 1445 | CVE-2020-29364 | 79 | | XSS | 2020-11-30 | 2020-12-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In NetArt News Lister 1.0.0, the news headlines are vulnerable to stored XSS attacks. Attackers can inject code in news titles. |
| 1446 | CVE-2020-29247 | 79 | | XSS | 2020-12-24 | 2021-04-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Admin Panel. An attacker can inject the XSS payload in Page keywords and each time any user visits the website, the XSS triggers, and the attacker is able to steal the cookie according to the crafted payload. |
| 1447 | CVE-2020-29241 | 79 | | XSS | 2021-01-26 | 2021-02-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Online News Portal using PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML via the "Title" parameter. |
| 1448 | CVE-2020-29240 | 79 | | XSS | 2020-12-02 | 2020-12-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered. |
| 1449 | CVE-2020-29233 | 79 | | XSS | 2020-12-30 | 2021-01-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. This vulnerability can allow an attacker to inject the XSS payload in the Page description and each time any user visits the website, the XSS triggers and the attacker can steal the cookie according to the crafted payload. |
| 1450 | CVE-2020-29231 | 79 | | XSS | 2020-12-30 | 2021-01-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin Full Name and each time the admin visits the Profile page from the admin panel, the XSS triggers. |
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.