Security Vulnerabilities (CVSS score between 3 and 3.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date
Score
Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1601 CVE-2020-25444 79 XSS 2021-07-14 2021-07-20
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Booking Core - Ultimate Booking System Booking Core 1.7.0 via the (1) "About Yourself" section under the "My Profile" page, (2) "Hotel Policy" field under the "Hotel Details" page, (3) "Pricing code" and "name" fields under the "Manage Tour" page, and (4) all the labels under the "Menu" section.
1602 CVE-2020-25422 79 XSS 2021-10-28 2021-10-29
3.5
None Remote Medium ??? None Partial None
A cross site scripting (XSS) vulnerability in menuedit.php of Mara CMS 7.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
1603 CVE-2020-25394 79 XSS 2021-07-09 2021-07-12
3.5
None Remote Medium ??? None Partial None
A stored cross site scripting (XSS) vulnerability in moziloCMS 2.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Content" parameter.
1604 CVE-2020-25392 79 XSS 2021-07-09 2021-07-12
3.5
None Remote Medium ??? None Partial None
A cross site scripting (XSS) vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'New Article' field under the 'Article' plugin.
1605 CVE-2020-25391 79 XSS 2021-07-09 2021-07-12
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'New Pages' field under the 'Pages Content' module.
1606 CVE-2020-25380 79 Exec Code XSS 2020-09-14 2020-09-18
3.5
None Remote Medium ??? None Partial None
Wordpress Plugin Store / Mike Rooijackers Recall Products V0.8 is affected by: Cross Site Scripting (XSS) via the 'Recall Settings' field in admin.php. An attacker can inject JavaScript code that will be stored and executed.
1607 CVE-2020-25375 79 XSS 2020-09-14 2020-09-18
3.5
None Remote Medium ??? None Partial None
Wordpress Plugin Store / SoftradeWeb SNC WP SMART CRM V1.8.7 is affected by: Cross Site Scripting via the Business Name field, Tax Code field, First Name field, Address field, Town field, Phone field, Mobile field, Place of Birth field, Web Site field, VAT Number field, Last Name field, Fax field, Email field, and Skype field.
1608 CVE-2020-25352 79 XSS 2021-08-20 2021-08-23
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability in the /devices.php function in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote attackers to perform arbitrary Javascript execution through entering a crafted payload into the 'Model' field then saving.
1609 CVE-2020-25343 79 XSS 2020-10-07 2020-10-14
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php
1610 CVE-2020-25288 79 XSS 2020-09-30 2020-10-13
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript.
1611 CVE-2020-25271 79 XSS 2020-10-08 2020-10-16
3.5
None Remote Medium ??? None Partial None
PHPGurukul hospital-management-system-in-php 4.0 allows XSS via admin/patient-search.php, doctor/search.php, book-appointment.php, doctor/appointment-history.php, or admin/appointment-history.php.
1612 CVE-2020-25270 79 XSS 2020-10-08 2020-10-20
3.5
None Remote Medium ??? None Partial None
PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, or City.
1613 CVE-2020-25267 79 XSS 2020-11-10 2020-11-18
3.5
None Remote Medium ??? None Partial None
An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4.
1614 CVE-2020-25234 321 2020-12-14 2020-12-16
3.6
None Local Low Not required Partial Partial None
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3), LOGO! Soft Comfort (All versions < V8.3). The LOGO! program files generated and used by the affected components offer the possibility to save user-defined functions (UDF) in a password protected way. This protection is implemented in the software that displays the information. An attacker could reverse engineer the UDFs directly from stored program files.
1615 CVE-2020-25211 120 Overflow 2020-09-09 2020-11-02
3.6
None Local Low Not required None Partial Partial
In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
1616 CVE-2020-25124 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI.
1617 CVE-2020-25123 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager.
1618 CVE-2020-25122 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager.
1619 CVE-2020-25121 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options.
1620 CVE-2020-25120 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI.
1621 CVE-2020-25119 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual.
1622 CVE-2020-25118 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager.
1623 CVE-2020-25117 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.
1624 CVE-2020-25116 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager.
1625 CVE-2020-25115 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager.
1626 CVE-2020-25104 79 XSS 2020-09-03 2020-09-10
3.5
None Remote Medium ??? None Partial None
eramba c2.8.1 and Enterprise before e2.19.3 allows XSS via a crafted filename for a file attached to an object. For example, the filename has a complete XSS payload followed by the .png extension.
1627 CVE-2020-25071 79 XSS 2020-09-15 2020-09-24
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Nifty Project Management Web Application 2020-08-26 allows XSS, via Add Task, that is rendered upon a Project Home visit. Note: It has been argued that this is not reproducible. "The original issue was that the task would be created and an alert would be shown on the screen. Now the task would be created, but the alert won't be executed as those attributes are now stripped."
1628 CVE-2020-25044 2020-09-02 2020-09-10
3.6
None Local Low Not required None Partial Partial
Kaspersky Virus Removal Tool (KVRT) prior to 15.0.23.0 was vulnerable to arbitrary file corruption that could provide an attacker with the opportunity to eliminate content of any file in the system.
1629 CVE-2020-25043 2020-09-02 2020-09-10
3.6
None Local Low Not required None Partial Partial
The installer of Kaspersky VPN Secure Connection prior to 5.0 was vulnerable to arbitrary file deletion that could allow an attacker to delete any file in the system.
1630 CVE-2020-24993 79 XSS 2021-05-17 2021-05-24
3.5
None Remote Medium ??? None Partial None
There is a cross site scripting vulnerability on CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when visitors access the article module.
1631 CVE-2020-24992 79 XSS 2021-05-17 2021-05-24
3.5
None Remote Medium ??? None Partial None
There is a cross site scripting vulnerability on CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when an administrator accesses the content management module.
1632 CVE-2020-24963 79 XSS 2020-09-04 2020-09-11
3.5
None Remote Medium ??? None Partial None
An Authenticated Persistent XSS vulnerability was discovered in the Best Support System, tested version v3.0.4.
1633 CVE-2020-24925 326 2020-09-15 2021-07-21
3.5
None Remote Medium ??? Partial None None
A Sensitive Source Code Path Disclosure vulnerability is found in ElkarBackup v1.3.3. An attacker is able to view the path of the source code via jobs/sort, where the entire source code path is displayed in the browser itself, helping the attacker identify the code structure: /app/elkarbackup/src/Binovo/ElkarBackupBundle/Controller/DefaultController.php.
1634 CVE-2020-24924 79 XSS 2020-09-15 2020-09-18
3.5
None Remote Medium ??? None Partial None
A Persistent Cross-site Scripting vulnerability is found in ElkarBackup v1.3.3, where an attacker can steal the user session cookie using this vulnerability present on Policies >> action >> Name Parameter.
1635 CVE-2020-24897 79 XSS 2020-08-29 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Table Filter and Charts for Confluence Server app before 5.3.25 (for Atlassian Confluence) allow remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) through the provided Markdown markup to the "Table from CSV" macro.
1636 CVE-2020-24861 79 XSS 2020-10-01 2020-10-08
3.5
None Remote Medium ??? None Partial None
GetSimple CMS 3.3.16 allows persistent Cross Site Scripting via the 'permalink' parameter on the Settings page, which is executed when a new page is created and opened.
1637 CVE-2020-24860 79 XSS 2020-10-01 2020-10-08
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.
1638 CVE-2020-24723 79 XSS 2020-11-18 2021-09-21
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel 2.1.
1639 CVE-2020-24721 2020-09-30 2020-10-22
3.3
None Local Medium Not required Partial Partial None
An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework.
1640 CVE-2020-24712 79 XSS 2020-10-28 2020-10-30
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.
1641 CVE-2020-24709 79 XSS 2020-10-28 2020-10-29
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template.
1642 CVE-2020-24708 79 XSS 2020-10-28 2020-10-29
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form.
1643 CVE-2020-24692 20 XSS 2020-09-25 2021-07-21
3.6
None Local Low Not required Partial Partial None
The Ignite portal in Mitel MiContact Center Business before 9.3.0.0 could allow an attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to gain access to a user session.
1644 CVE-2020-24670 79 Exec Code XSS 2021-01-29 2021-02-04
3.5
None Remote Medium ??? None Partial None
The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'type' attribute of the 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, and >= 8.3.0.0 GA.
1645 CVE-2020-24669 79 Exec Code XSS 2021-01-29 2021-02-04
3.5
None Remote Medium ??? None Partial None
The New Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a DOM-based Cross-site scripting vulnerability, which allows authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Analysis Report Description' field in the 'About this Report' section. Remediated in >= 8.3.0.9, >= 9.0.0.1, and >= 9.1.0.0 GA.
1646 CVE-2020-24668 79 XSS 2021-06-10 2021-06-11
3.5
None Remote Medium ??? None Partial None
Trace Financial Crest Bridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03.
1647 CVE-2020-24666 79 Exec Code XSS 2021-01-29 2021-02-04
3.5
None Remote Medium ??? None Partial None
The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored Cross-site scripting vulnerability, which allows authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Display Name' parameter. Remediated in >= 9.1.0.1.
1648 CVE-2020-24664 79 Exec Code XSS 2021-01-29 2021-02-04
3.5
None Remote Medium ??? None Partial None
The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'pho:title' attribute of the 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, and >= 8.3.0.0 GA.
1649 CVE-2020-24663 79 XSS 2021-06-10 2021-06-11
3.5
None Remote Medium ??? None Partial None
Trace Financial CRESTBridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03.
1650 CVE-2020-24662 79 XSS 2021-06-10 2021-06-16
3.5
None Remote Medium ??? None Partial None
SmartStream Transaction Lifecycle Management (TLM) Reconciliation Premium (RP) <3.1.0 allows XSS. This was fixed in TLM RP 3.1.0.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.