CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1451 CVE-2020-29364 79 XSS 2020-11-30 2020-12-01
3.5
None Remote Medium ??? None Partial None
In NetArt News Lister 1.0.0, the news headlines vulnerable to stored xss attacks. Attackers can inject codes in news titles.
1452 CVE-2020-29247 79 XSS 2020-12-24 2021-04-22
3.5
None Remote Medium ??? None Partial None
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Admin Panel. An attacker can inject the XSS payload in Page keywords and each time any user will visit the website, the XSS triggers, and the attacker can able to steal the cookie according to the crafted payload.
1453 CVE-2020-29241 79 XSS 2021-01-26 2021-02-01
3.5
None Remote Medium ??? None Partial None
Online News Portal using PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML via the "Title" parameter.
1454 CVE-2020-29240 79 XSS 2020-12-02 2020-12-02
3.5
None Remote Medium ??? None Partial None
Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered.
1455 CVE-2020-29233 79 XSS 2020-12-30 2021-01-04
3.5
None Remote Medium ??? None Partial None
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. This vulnerability can allow an attacker to inject the XSS payload in the Page description and each time any user will visits the website, the XSS triggers and attacker can steal the cookie according to the crafted payload.
1456 CVE-2020-29231 79 XSS 2020-12-30 2021-01-04
3.5
None Remote Medium ??? None Partial None
EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin Full Name and each time admin visits the Profile page from the admin panel, the XSS triggers.
1457 CVE-2020-29215 79 Exec Code XSS 2021-06-15 2021-06-22
3.5
None Remote Medium ??? None Partial None
A Cross Site Scripting in SourceCodester Employee Management System 1.0 allows the user to execute alert messages via /Employee Management System/addemp.php on admin account.
1458 CVE-2020-29145 79 XSS 2020-11-27 2020-12-04
3.5
None Remote Medium ??? None Partial None
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admins' browsers by using the beef framework.
1459 CVE-2020-29144 79 XSS 2020-11-27 2020-12-04
3.5
None Remote Medium ??? None Partial None
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admins' browsers by using the beef framework.
1460 CVE-2020-29135 74 2020-11-27 2021-07-21
3.5
None Remote Medium ??? None Partial None
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).
1461 CVE-2020-29070 79 XSS 2020-11-25 2020-11-27
3.5
None Remote Medium ??? None Partial None
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
1462 CVE-2020-29027 79 XSS 2021-02-16 2021-02-18
3.5
None Remote Medium ??? None Partial None
Cross-site Scripting (XSS) vulnerability in GUI of Secomea SiteManager could allow an attacker to cause an XSS Attack. This issue affects: Secomea SiteManager all versions prior to 9.3.
1463 CVE-2020-29021 79 XSS 2021-02-08 2021-02-11
3.5
None Remote Medium ??? None Partial None
A vulnerability in web UI input field of GateManager allows authenticated attacker to enter script tags that could cause XSS. This issue affects: GateManager all versions prior to 9.3.
1464 CVE-2020-29003 79 XSS 2020-11-24 2020-11-30
3.5
None Remote Medium ??? None Partial None
The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.
1465 CVE-2020-29002 79 XSS 2020-11-24 2020-11-30
3.5
None Remote Medium ??? None Partial None
includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.
1466 CVE-2020-28968 79 XSS 2021-10-22 2021-10-28
3.5
None Remote Medium ??? None Partial None
Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.
1467 CVE-2020-28961 79 XSS 2021-10-22 2021-10-28
3.5
None Remote Medium ??? None Partial None
Perfex CRM v2.4.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component ./clients/client via the company name parameter.
1468 CVE-2020-28957 79 XSS 2021-10-22 2021-10-28
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Customer Add module of Foxlor v0.10.16 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the name, firstname, or username input fields.
1469 CVE-2020-28956 79 XSS 2021-10-22 2021-10-28
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
1470 CVE-2020-28955 79 XSS 2021-10-22 2021-10-28
3.5
None Remote Medium ??? None Partial None
SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields.
1471 CVE-2020-28938 79 XSS 2020-12-03 2020-12-03
3.5
None Remote Medium ??? None Partial None
OpenClinic version 0.8.2 is affected by a stored XSS vulnerability in lib/Check.php that allows users of the application to force actions on behalf of other users.
1472 CVE-2020-28930 79 XSS 2020-12-16 2020-12-17
3.5
None Remote Medium ??? None Partial None
A Cross-Site Scripting (XSS) issue in the 'update user' and 'delete user' functionalities in settings/users.php in EPSON EPS TSE Server 8 (21.0.11) allows an authenticated attacker to inject a JavaScript payload in the user management page that is executed by an administrator.
1473 CVE-2020-28914 732 2020-11-17 2020-12-04
3.6
None Local Low Not required None Partial Partial
An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is mounted as readOnly inside the container, but is still writable inside the guest. For a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.
1474 CVE-2020-28838 352 CSRF 2020-12-11 2020-12-15
3.5
None Remote Medium ??? None Partial None
Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart.
1475 CVE-2020-28722 79 XSS 2021-05-12 2021-05-19
3.5
None Remote Medium ??? None Partial None
Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates.
1476 CVE-2020-28650 79 XSS 2020-11-16 2020-11-27
3.5
None Remote Medium ??? None Partial None
The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles.
1477 CVE-2020-28647 79 Exec Code XSS 2020-11-17 2020-12-18
3.5
None Remote Medium ??? None Partial None
In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).
1478 CVE-2020-28457 79 XSS 2020-12-15 2020-12-16
3.5
None Remote Medium ??? None Partial None
This affects the package s-cart/core before 4.4. The search functionality of the admin dashboard in core/src/Admin/Controllers/AdminOrderController.phpindex is vulnerable to XSS.
1479 CVE-2020-28409 79 XSS 2020-11-10 2020-11-18
3.5
None Remote Medium ??? None Partial None
The server in Dundas BI through 8.0.0.1001 allows XSS via addition of a Component (e.g., a button) when events such as click, hover, etc. occur.
1480 CVE-2020-28408 79 XSS 2020-11-10 2020-11-18
3.5
None Remote Medium ??? None Partial None
The server in Dundas BI through 8.0.0.1001 allows XSS via an HTML label when creating or editing a dashboard.
1481 CVE-2020-28184 79 XSS 2020-12-24 2020-12-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.
1482 CVE-2020-28141 79 XSS 2021-04-19 2021-04-23
3.5
None Remote Medium ??? None Partial None
The messaging subsystem in the Online Discussion Forum 1.0 is vulnerable to XSS in the message body. An authenticated user can send messages to arbitrary users on the system that include javascript that will execute when viewing the messages page.
1483 CVE-2020-28124 79 XSS 2021-04-14 2021-04-19
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field.
1484 CVE-2020-28097 125 2021-06-24 2021-08-05
3.6
None Local Low Not required Partial None Partial
The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.
1485 CVE-2020-28071 79 XSS 2020-12-23 2020-12-23
3.5
None Remote Medium ??? None Partial None
SourceCodester Alumni Management System 1.0 is affected by cross-site Scripting (XSS) in /admin/gallery.php. After the admin authentication an attacker can upload an image in the gallery using a XSS payload in the description textarea called 'about' and reach a stored XSS.
1486 CVE-2020-28049 362 2020-11-04 2021-01-28
3.3
None Local Medium Not required Partial Partial None
An issue was discovered in SDDM before 0.19.0. It incorrectly starts the X server in a way that - for a short time period - allows local unprivileged users to create a connection to the X server without providing proper authentication. A local attacker can thus access X server display contents and, for example, intercept keystrokes or access the clipboard. This is caused by a race condition during Xauthority file creation.
1487 CVE-2020-28047 79 XSS 2020-11-05 2020-11-10
3.5
None Remote Medium ??? None Partial None
AudimexEE before 14.1.1 is vulnerable to Reflected XSS (Cross-Site-Scripting). If the recommended security configuration parameter "unique_error_numbers" is not set, remote attackers can inject arbitrary web script or HTML via 'action, cargo, panel' parameters that can lead to data leakage.
1488 CVE-2020-28005 120 DoS Overflow 2020-11-18 2020-12-01
3.5
None Remote Medium ??? None None Partial
httpd on TP-Link TL-WPA4220 devices (hardware versions 2 through 4) allows remote authenticated users to trigger a buffer overflow (causing a denial of service) by sending a POST request to the /admin/syslog endpoint. Fixed version: TL-WPA4220(EU)_V4_201023
1489 CVE-2020-28001 79 XSS 2021-02-03 2021-02-25
3.5
None Remote Medium ??? None Partial None
SolarWinds Serv-U before 15.2.2 allows Authenticated Stored XSS.
1490 CVE-2020-27991 79 XSS 2020-11-16 2020-11-17
3.5
None Remote Medium ??? None Partial None
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).
1491 CVE-2020-27990 79 XSS 2020-11-16 2020-11-17
3.5
None Remote Medium ??? None Partial None
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent).
1492 CVE-2020-27989 79 XSS 2020-11-16 2020-11-17
3.5
None Remote Medium ??? None Partial None
Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard).
1493 CVE-2020-27988 79 XSS 2020-11-16 2020-11-17
3.5
None Remote Medium ??? None Partial None
Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field).
1494 CVE-2020-27980 79 XSS 2020-10-28 2020-11-04
3.5
None Remote Medium ??? None Partial None
Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WLAN SSID parameter. This could allow an attacker to perform malicious actions in which the XSS popup will affect all privileged users.
1495 CVE-2020-27957 79 XSS 2020-10-28 2020-11-04
3.5
None Remote Medium ??? None Partial None
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
1496 CVE-2020-27873 863 2021-02-04 2021-02-08
3.3
None Local Network Low Not required Partial None None
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SOAP API endpoint, which listens on TCP port 80 by default. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11559.
1497 CVE-2020-27863 288 2021-02-12 2021-04-23
3.3
None Local Network Low Not required Partial None None
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DVA-2800 and DSL-2888A routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-10912.
1498 CVE-2020-27852 79 XSS 2021-01-20 2021-01-22
3.5
None Remote Medium ??? None Partial None
A stored Cross-Site Scripting (XSS) vulnerability in the survey feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via a textarea field. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
1499 CVE-2020-27851 79 XSS 2021-01-20 2021-01-22
3.5
None Remote Medium ??? None Partial None
Multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features in an additional paid add-on of Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
1500 CVE-2020-27850 79 XSS 2021-01-20 2021-01-22
3.5
None Remote Medium ??? None Partial None
A stored Cross-Site Scripting (XSS) vulnerability in forms import feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.