CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2301 CVE-2020-9524 79 XSS 2020-05-18 2020-05-19
3.5
None Remote Medium ??? None Partial None
Cross Site scripting vulnerability on Micro Focus Enterprise Server and Enterprise developer, affecting all versions prior to version 5.0 Patch Update 8. The vulnerability could allow an attacker to trigger administrative actions when an administrator viewed malicious data left by the attacker (stored XSS) or followed a malicious link (reflected XSS).
2302 CVE-2020-9520 79 XSS 2020-03-25 2020-03-27
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability was discovered in Micro Focus Vibe, affecting all Vibe versions prior to 4.0.7. The vulnerability could allow a remote attacker to craft and store malicious content into Vibe such that when the content is viewed by another user of the system, attacker controlled JavaScript will execute in the security context of the target user’s browser.
2303 CVE-2020-9467 79 XSS 2020-03-26 2020-09-16
3.5
None Remote Medium ??? None Partial None
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.
2304 CVE-2020-9462 312 2020-06-04 2020-06-10
3.3
None Local Network Low Not required Partial None None
An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks.
2305 CVE-2020-9461 79 XSS 2020-04-14 2020-04-14
3.5
None Remote Medium ??? None Partial None
Octech Oempro 4.7 through 4.11 allows stored XSS by an authenticated user. The FolderName parameter of the Media.CreateFolder command is vulnerable.
2306 CVE-2020-9460 79 XSS 2020-04-14 2020-04-14
3.5
None Remote Medium ??? None Partial None
Octech Oempro 4.7 through 4.11 allows XSS by an authenticated user. The parameter CampaignName in Campaign.Create is vulnerable.
2307 CVE-2020-9459 79 XSS 2020-02-28 2020-03-02
3.5
None Remote Medium ??? None Partial None
Multiple stored cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allow remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications and import_settings.
2308 CVE-2020-9437 79 XSS 2020-06-25 2020-07-06
3.5
None Remote Medium ??? None Partial None
SecureAuth.aspx in SecureAuth IdP 9.3.0 suffers from a client-side template injection that allows for script execution, in the same manner as XSS.
2309 CVE-2020-9416 79 XSS 2020-09-15 2020-09-24
3.5
None Remote Medium ??? None Partial None
The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, and TIBCO Spotfire Server contains a vulnerability that theoretically allows a legitimate user to inject scripts. If executed by a victim authenticated to the affected system these scripts will be executed at the privileges of the victim. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 10.7.0, 10.8.0, 10.9.0, and 10.10.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, and 10.10.1, TIBCO Spotfire Desktop: versions 10.7.0, 10.8.0, 10.9.0, and 10.10.0, and TIBCO Spotfire Server: versions 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, and 10.10.1.
2310 CVE-2020-9404 522 2020-08-11 2020-08-18
3.6
None Local Low Not required Partial Partial None
In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in an insecure manner, and may be modified by an attacker with no knowledge of the current passwords.
2311 CVE-2020-9390 79 XSS 2021-02-03 2021-05-18
3.5
None Remote Medium ??? None Partial None
SquaredUp allowed Stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in iframe or by uploading an SVG that contained a script.
2312 CVE-2020-9387 200 +Info 2020-04-30 2020-05-12
3.5
None Remote Medium ??? Partial None None
In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account details are shared in the Elasticsearch results for accounts that are not accessible when the config setting 'Isolated institutions' is turned on.
2313 CVE-2020-9383 125 2020-02-25 2021-01-04
3.6
None Local Low Not required Partial None Partial
An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.
2314 CVE-2020-9371 79 XSS 2020-03-04 2020-03-12
3.5
None Remote Medium ??? None Partial None
Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.
2315 CVE-2020-9350 79 XSS 2020-02-23 2020-02-24
3.5
None Remote Medium ??? None Partial None
Graph Builder in SAS Visual Analytics 8.5 allows XSS via a graph template that is accessed directly.
2316 CVE-2020-9339 79 XSS 2020-02-22 2020-02-24
3.5
None Remote Medium ??? None Partial None
SOPlanning 1.45 allows XSS via the Name or Comment to status.php.
2317 CVE-2020-9338 79 XSS 2020-02-22 2020-02-24
3.5
None Remote Medium ??? None Partial None
SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field.
2318 CVE-2020-9336 79 XSS 2020-02-22 2020-02-24
3.5
None Remote Medium ??? None Partial None
fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Settings -> Election -> "message if election is closed" field.
2319 CVE-2020-9335 79 XSS 2020-02-25 2020-02-25
3.5
None Remote Medium ??? None Partial None
Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 for WordPress. Successful exploitation of this vulnerability would allow an authenticated admin user to inject arbitrary JavaScript code that is viewed by other users.
2320 CVE-2020-9334 79 XSS 2020-02-25 2020-02-25
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.
2321 CVE-2020-9311 79 XSS 2020-07-15 2020-07-22
3.5
None Remote Medium ??? None Partial None
In SilverStripe through 4.5, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.
2322 CVE-2020-9299 79 XSS 2020-11-09 2020-11-17
3.5
None Remote Medium ??? None Partial None
There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be exploited by an authenticated user.
2323 CVE-2020-9288 79 XSS 2020-06-22 2020-06-26
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in FortiWLC 8.5.1 allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the ESS profile or the Radius Profile.
2324 CVE-2020-9260 200 +Info 2020-07-10 2021-07-21
3.3
None Local Network Low Not required Partial None None
HUAWEI P30 and HUAWEI P30 Pro smartphones with versions earlier than 10.1.0.123(C432E22R2P5) and versions earlier than 10.1.0.160(C00E160R2P8) have an information disclosure vulnerability. Certain WI-FI function's default configuration in the system seems insecure, an attacker should craft a WI-FI hotspot to launch the attack. Successful exploit could cause information disclosure.
2325 CVE-2020-9249 20 DoS 2020-07-31 2021-07-21
3.3
None Local Network Low Not required None None Partial
HUAWEI P30 smartphones with versions earlier than 10.1.0.160(C00E160R2P11) have a denial of service vulnerability. A module does not deal with mal-crafted messages and it leads to memory leak. Attackers can exploit this vulnerability to cause a denial of service on the device. Affected product versions include: HUAWEI P30 versions earlier than 10.1.0.160(C00E160R2P11).
2326 CVE-2020-9238 120 Overflow 2020-10-12 2020-10-16
3.3
None Local Network Low Not required None None Partial
Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have a buffer overflow vulnerability. A function in a module does not verify inputs sufficiently. Attackers can exploit this vulnerability by sending specific request. This could compromise normal service of the affected device.
2327 CVE-2020-9230 345 DoS 2020-10-12 2020-10-16
3.3
None Local Network Low Not required None None Partial
WS5800-10 version 10.0.3.25 has a denial of service vulnerability. Due to improper verification of specific message, an attacker may exploit this vulnerability to cause specific function to become abnormal.
2328 CVE-2020-9201 125 2020-12-24 2020-12-28
3.3
None Local Network Low Not required None None Partial
There is an out-of-bounds read vulnerability in some versions of NIP6800, Secospace USG6600 and USG9500. The software reads data past the end of the intended buffer when parsing DHCP messages including crafted parameter. Successful exploit could cause certain service abnormal.
2329 CVE-2020-9122 20 2020-10-12 2020-10-16
3.3
None Local Network Low Not required None None Partial
Some Huawei products have an insufficient input verification vulnerability. Attackers can exploit this vulnerability in the LAN to cause service abnormal on affected devices. Affected product versions include: HiRouter-CD30-10 version 10.0.2.5; HiRouter-CT31-10 version 10.0.2.20; WS5200-12 version 10.0.1.9; WS5281-10 version 10.0.5.10; WS5800-10 version 10.0.3.25; WS7100-10 version 10.0.5.21; WS7200-10 version 10.0.5.21.
2330 CVE-2020-9104 401 DoS 2020-08-21 2020-08-25
3.3
None Local Network Low Not required None None Partial
HUAWEI P30 smartphones with Versions earlier than 10.1.0.123(C431E22R2P5), Versions earlier than 10.1.0.123(C432E22R2P5), Versions earlier than 10.1.0.126(C10E7R5P1), Versions earlier than 10.1.0.126(C185E4R7P1), Versions earlier than 10.1.0.126(C461E7R3P1), Versions earlier than 10.1.0.126(C605E19R1P3), Versions earlier than 10.1.0.126(C636E7R3P4), Versions earlier than 10.1.0.128(C635E3R2P4), Versions earlier than 10.1.0.160(C00E160R2P11), Versions earlier than 10.1.0.160(C01E160R2P11) have a denial of service vulnerability. In specific scenario, due to the improper resource management and memory leak of some feature, the attacker could exploit this vulnerability to cause the device reset.
2331 CVE-2020-9101 787 2020-07-18 2020-07-24
3.3
None Local Network Low Not required None None Partial
There is an out-of-bounds write vulnerability in some products. An unauthenticated attacker crafts malformed packets with specific parameter and sends the packets to the affected products. Insufficient validation of packets may be exploited to cause the process to reboot. Affected product versions include: IPS Module versions V500R005C00, V500R005C10; NGFW Module versions V500R005C00, V500R005C10; Secospace USG6300 versions V500R001C30, V500R001C60, V500R005C00, V500R005C10; Secospace USG6500 versions V500R001C30, V500R001C60, V500R005C00, V500R005C10; Secospace USG6600 versions V500R001C30, V500R001C60, V500R005C00, V500R005C10; USG9500 versions V500R001C30, V500R001C60, V500R005C00, V500R005C10.
2332 CVE-2020-9069 200 +Info 2020-05-21 2021-07-21
3.3
None Local Network Low Not required Partial None None
There is an information leakage vulnerability in some Huawei products. An unauthenticated, adjacent attacker could exploit this vulnerability to decrypt data. Successful exploitation may leak information randomly. Affected product versions include: Anne-AL00 Versions earlier than 9.1.0.331(C675E9R1P3T8); Berkeley-L09 Versions earlier than 10.0.1.1(C675R1); CD16-10 Versions earlier than 10.0.2.8; CD17-10 Versions earlier than 10.0.2.8; CD17-16 Versions earlier than 10.0.2.8; CD18-10 Versions earlier than 10.0.2.8; CD18-16 Versions earlier than 10.0.2.8; Columbia-TL00B Versions earlier than 9.0.0.187(C01E181R1P20T8); E6878-370 Versions earlier than 10.0.5.1(H610SP10C00); HUAWEI P30 lite Versions earlier than 10.0.0.185(C605E3R1P3), Versions earlier than 10.0.0.197(C432E8R2P7); HUAWEI nova 4e Versions earlier than 10.0.0.158(C00E64R1P9); Honor 10 Lite 9.0.1.113(C675E11R1P12); LelandP-L22A Versions earlier than 9.1.0.166(C675E5R1P4T8); Marie-AL00AX Versions earlier than 10.0.0.158(C00E64R1P9); Marie-AL00AY Versions earlier than 10.0.0.158(C00E64R1P9); Marie-AL00BX Versions earlier than 10.0.0.158(C00E64R1P9); Marie-L03BX Versions earlier than 10.0.0.188(C605E5R1P1); Marie-L21BX Versions earlier than 10.0.0.188(C432E4R4P1), Versions earlier than 10.0.0.188(C461E5R3P1); Marie-L22BX Versions earlier than 10.0.0.188(C636E3R3P1); Marie-L23BX Versions earlier than 10.0.0.188(C605E5R1P1); TC5200-16 Versions earlier than 10.0.2.8; WS5200-11 Versions earlier than 10.0.2.8; WS5200-12 Versions earlier than 10.0.2.23; WS5200-16 Versions earlier than 10.0.2.8; WS5200-17 Versions earlier than 10.0.2.23; WS5800-10 Versions earlier than 10.0.3.27; WS6500-10 Versions earlier than 10.0.2.8; WS6500-16 Versions earlier than 10.0.2.8
2333 CVE-2020-9056 79 XSS 2020-04-10 2020-04-13
3.5
None Remote Medium ??? None Partial None
Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application. This JavaScript is subsequently displayed by the application without sanitization and is executed in the browser of the user, which could possibly cause website redirection, session hijacking, or information disclosure. This vulnerability has been patched in BuySpeed version 15.3.
2334 CVE-2020-9055 79 XSS 2020-03-30 2020-04-01
3.5
None Remote Medium ??? None Partial None
Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user. This could lead to website redirects, session cookie hijacking, or information disclosure.
2335 CVE-2020-9016 79 XSS 2020-02-16 2020-02-18
3.5
None Remote Medium ??? None Partial None
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
2336 CVE-2020-9008 79 XSS 2020-02-25 2020-03-09
3.5
None Remote Medium ??? None Partial None
Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.
2337 CVE-2020-9007 79 XSS 2020-02-16 2020-02-18
3.5
None Remote Medium ??? None Partial None
Codoforum 4.8.8 allows self-XSS via the title of a new topic.
2338 CVE-2020-9003 79 XSS 2020-02-20 2020-02-24
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.
2339 CVE-2020-8951 79 XSS 2020-02-26 2020-02-27
3.5
None Remote Medium ??? None Partial None
Fiserv Accurate Reconciliation 2.19.0 allows XSS via the Source or Destination field of the Configuration Manager (Configuration Parameter Translation) page.
2340 CVE-2020-8918 665 2020-08-11 2020-08-18
3.6
None Local Low Not required Partial Partial None
An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth', and then can calculate 'usageAuth ^ encMigrationAuth' as the 'migrationAuth' can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for 'migrationAuth'.
2341 CVE-2020-8825 79 XSS 2020-02-10 2020-02-11
3.5
None Remote Medium ??? None Partial None
index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS.
2342 CVE-2020-8824 79 XSS 2020-02-19 2020-02-27
3.5
None Remote Medium ??? None Partial None
Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed Device name on the Wireless > Access Control > Add Managed Device screen.
2343 CVE-2020-8822 79 XSS 2020-02-10 2020-02-11
3.5
None Remote Medium ??? None Partial None
Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices allow stored XSS in the web application.
2344 CVE-2020-8821 74 Exec Code 2020-10-12 2021-07-21
3.5
None Remote Medium ??? None Partial None
An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users.
2345 CVE-2020-8820 79 Exec Code XSS 2020-10-12 2020-10-16
3.5
None Remote Medium ??? None Partial None
An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed.
2346 CVE-2020-8812 79 XSS 2020-02-07 2020-02-10
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Bludit 3.10.0 allows Editor or Author roles to insert malicious JavaScript on the WYSIWYG editor. NOTE: the vendor's perspective is that this is "not a bug."
2347 CVE-2020-8799 79 XSS 2020-05-05 2020-05-07
3.5
None Remote Medium ??? None Partial None
A Stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin through 1.4.5 for WordPress. Once the administrator has submitted the data, the script stored is executed for all the users visiting the website.
2348 CVE-2020-8789 79 XSS 2020-05-22 2020-05-26
3.5
None Remote Medium ??? None Partial None
Composr 10.0.30 allows Persistent XSS via a Usergroup name under the Security configuration.
2349 CVE-2020-8778 79 XSS 2020-03-02 2020-03-03
3.5
None Remote Medium ??? None Partial None
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project.
2350 CVE-2020-8777 79 XSS 2020-03-02 2020-03-03
3.5
None Remote Medium ??? None Partial None
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document.