CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2351 CVE-2020-8551 770 DoS 2020-03-27 2020-07-24
3.3
None Local Network Low Not required None None Partial
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
2352 CVE-2020-8542 79 XSS 2020-06-16 2020-08-22
3.5
None Remote Medium ??? None Partial None
OX App Suite through 7.10.3 allows XSS.
2353 CVE-2020-8503 639 2020-01-31 2020-02-05
3.5
None Remote Medium ??? Partial None None
Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.1000 through 6.0.1003 allows Insecure Direct Object Reference (IDOR) by an authenticated sender because of an error in a file-upload feature. This is fixed in 5.1.1068 and 6.0.1004.
2354 CVE-2020-8498 79 Exec Code XSS 2020-01-30 2020-02-03
3.5
None Remote Medium ??? None Partial None
XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users (e.g., ones who have the publish_posts capability).
2355 CVE-2020-8496 79 XSS 2020-01-30 2020-02-05
3.5
None Remote Medium ??? None Partial None
In Kronos Web Time and Attendance (webTA) 4.1.x and later 4.x versions before 5.0, there is a Stored XSS vulnerability by setting the Application Banner input field of the /ApplicationBanner page as an authenticated administrator.
2356 CVE-2020-8493 79 XSS 2020-01-30 2020-02-05
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability in Kronos Web Time and Attendance (webTA) affects 3.8.x and later 3.x versions before 4.0 via multiple input fields (Login Message, Banner Message, and Password Instructions) of the com.threeis.webta.H261configMenu servlet via an authenticated administrator.
2357 CVE-2020-8462 79 XSS 2020-12-17 2020-12-21
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product.
2358 CVE-2020-8428 416 DoS +Info 2020-01-29 2020-06-10
3.6
None Local Low Not required Partial None Partial
fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.
2359 CVE-2020-8426 79 XSS 2020-01-28 2020-01-31
3.5
None Remote Medium ??? None Partial None
The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user.
2360 CVE-2020-8299 400 2021-06-16 2021-06-24
3.3
None Local Network Low Not required None None Partial
Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-of-service from within the same Layer 2 network segment. Note that the attacker must be in the same Layer 2 network segment as the vulnerable appliance.
2361 CVE-2020-8294 79 XSS 2021-02-03 2021-02-05
3.5
None Remote Medium ??? None Partial None
A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.
2362 CVE-2020-8288 79 XSS 2021-01-26 2021-02-01
3.5
None Remote Medium ??? None Partial None
The `specializedRendering` function in Rocket.Chat server before 3.9.2 allows a cross-site scripting (XSS) vulnerability by way of the `value` parameter.
2363 CVE-2020-8281 79 XSS 2021-01-06 2021-01-11
3.5
None Remote Medium ??? None Partial None
A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.
2364 CVE-2020-8280 79 XSS 2021-01-06 2021-01-11
3.5
None Remote Medium ??? None Partial None
A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks.
2365 CVE-2020-8263 79 XSS 2020-10-28 2021-08-17
3.5
None Remote Medium ??? None Partial None
A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file.
2366 CVE-2020-8223 269 2020-10-05 2020-10-26
3.5
None Remote Medium ??? None Partial None
A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.
2367 CVE-2020-8217 79 XSS 2020-07-30 2020-07-31
3.5
None Remote Medium ??? None Partial None
A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA.
2368 CVE-2020-8189 79 XSS 2020-08-21 2020-09-14
3.5
None Remote Medium ??? None Partial None
A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt.
2369 CVE-2020-8173 311 2020-11-02 2020-11-17
3.5
None Remote Medium ??? Partial None None
A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.
2370 CVE-2020-8155 79 XSS 2020-05-12 2020-10-19
3.5
None Remote Medium ??? None Partial None
An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.
2371 CVE-2020-8103 59 2020-06-05 2020-06-11
3.6
None Local Low Not required None Partial Partial
A vulnerability in the improper handling of symbolic links in Bitdefender Antivirus Free can allow an unprivileged user to substitute a quarantined file, and restore it to a privileged location. This issue affects Bitdefender Antivirus Free versions prior to 1.0.17.178.
2372 CVE-2020-8090 79 XSS 2020-01-27 2020-01-29
3.5
None Remote Medium ??? None Partial None
The Username field in the Storage Service settings of A1 WLAN Box ADB VV2220v2 devices allows stored XSS (after a successful Administrator login).
2373 CVE-2020-8089 79 XSS 2020-02-10 2020-02-14
3.5
None Remote Medium ??? None Partial None
Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.
2374 CVE-2020-8031 79 XSS 2021-02-11 2021-02-17
3.5
None Remote Medium ??? None Partial None
A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects: Open Build Service versions prior to 2.10.8.
2375 CVE-2020-8030 377 2021-02-11 2021-02-19
3.6
None Local Low Not required Partial Partial None
A Insecure Temporary File vulnerability in skuba of SUSE CaaS Platform 4.5 allows local attackers to leak the bootstrapToken or modify the configuration file before it is processed, leading to arbitrary modifications of the machine/cluster.
2376 CVE-2020-8017 362 2020-04-02 2020-06-13
3.3
None Local Medium Not required None Partial Partial
A Race Condition Enabling Link Following vulnerability in the cron job shipped with texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local users in group mktex to delete arbitrary files on the system This issue affects: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 texlive-filesystem versions prior to 2017.135-9.5.1. SUSE Linux Enterprise Software Development Kit 12-SP4 texlive-filesystem versions prior to 2013.74-16.5.1. SUSE Linux Enterprise Software Development Kit 12-SP5 texlive-filesystem versions prior to 2013.74-16.5.1. openSUSE Leap 15.1 texlive-filesystem versions prior to 2017.135-lp151.8.3.1.
2377 CVE-2020-7937 79 XSS 2020-01-23 2020-01-24
3.5
None Remote Medium ??? None Partial None
An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site.
2378 CVE-2020-7934 79 XSS 2020-01-28 2020-11-23
3.5
None Remote Medium ??? None Partial None
In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.
2379 CVE-2020-7932 200 +Info 2020-06-17 2020-06-24
3.5
None Remote Medium ??? Partial None None
OMERO.web before 5.6.3 optionally allows sensitive data elements (e.g., a session key) to be passed as URL query parameters. If an attacker tricks a user into clicking a malicious link in OMERO.web, the information in the query parameters may be exposed in the Referer header seen by the target. Information in the URL path such as object IDs may also be exposed.
2380 CVE-2020-7921 863 Bypass 2020-05-06 2020-07-07
3.5
None Remote Medium ??? None Partial None
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.
2381 CVE-2020-7915 79 XSS 2020-01-22 2020-01-24
3.5
None Remote Medium ??? None Partial None
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.
2382 CVE-2020-7910 79 XSS 2020-01-30 2020-01-31
3.5
None Remote Medium ??? None Partial None
JetBrains TeamCity before 2019.2 was vulnerable to a stored XSS attack by a user with the developer role.
2383 CVE-2020-7776 79 XSS 2020-12-09 2021-01-19
3.5
None Remote Medium ??? None Partial None
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch.
2384 CVE-2020-7747 79 XSS 2020-10-20 2020-10-22
3.5
None Remote Medium ??? None Partial None
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.
2385 CVE-2020-7734 79 XSS 2020-09-22 2020-09-30
3.5
None Remote Medium ??? None Partial None
All versions of package cabot are vulnerable to Cross-site Scripting (XSS) via the Endpoint column.
2386 CVE-2020-7676 79 XSS 2020-06-08 2020-10-09
3.5
None Remote Medium ??? None Partial None
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.
2387 CVE-2020-7642 79 XSS 2020-04-22 2020-05-01
3.5
None Remote Medium ??? None Partial None
lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript.
2388 CVE-2020-7599 532 2020-03-30 2020-04-02
3.3
None Local Network Low Not required Partial None None
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.
2389 CVE-2020-7592 319 2020-07-14 2020-07-22
3.3
None Local Network Low Not required Partial None None
A vulnerability has been identified in SIMATIC HMI Basic Panels 1st Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC HMI KTP700F Mobile Arctic (All versions), SIMATIC HMI Mobile Panels 2nd Generation (All versions), SIMATIC WinCC Runtime Advanced (All versions). Unencrypted communication between the configuration software and the respective device could allow an attacker to capture potential plain text communication and have access to sensitive information.
2390 CVE-2020-7576 79 XSS 2020-07-14 2020-08-14
3.5
None Remote Medium ??? None Partial None
A vulnerability has been identified in Camstar Enterprise Platform (All versions), Opcenter Execution Core (All versions < V8.2), Opcenter Execution Core (V8.2). An authenticated user with the ability to create containers, packages or register defects could perform stored Cross-Site Scripting (XSS) attacks within the vulnerable software. The impact of this attack could result in the session cookies of legitimate users being stolen. Should the attacker gain access to these cookies, they could then hijack the session and perform arbitrary actions in the name of the victim.
2391 CVE-2020-7571 79 XSS 2020-11-19 2020-11-27
3.5
None Remote Medium ??? None Partial None
A CWE-79 Multiple Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Reflected) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause a remote attacker to inject arbitrary web script or HTML due to incorrect sanitization of user supplied data and achieve a Cross-Site Scripting reflected attack against other WebReport users.
2392 CVE-2020-7570 79 XSS 2020-11-19 2020-11-27
3.5
None Remote Medium ??? None Partial None
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting stored attack against other WebReport users.
2393 CVE-2020-7568 200 +Info 2020-11-19 2020-12-11
3.3
None Local Network Low Not required Partial None None
A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Modicon M221 (all references, all versions) that could allow non sensitive information disclosure when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.
2394 CVE-2020-7546 79 XSS 2020-12-01 2020-12-04
3.5
None Remote Medium ??? None Partial None
A CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow an attacker to perform actions on behalf of the authorized user when accessing an affected webpage.
2395 CVE-2020-7470 79 XSS 2020-01-21 2020-01-24
3.5
None Remote Medium ??? None Partial None
Sonoff TH 10 and 16 devices with firmware 6.6.0.21 allows XSS via the Friendly Name 1 field (after a successful login with the Web Admin Password).
2396 CVE-2020-7453 754 2020-04-29 2020-05-06
3.3
None Local Medium Not required Partial Partial None
In FreeBSD 12.1-STABLE before r359021, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r359020, and 11.3-RELEASE before 11.3-RELEASE-p7, a missing null termination check in the jail_set configuration option "osrelease" may return more bytes with a subsequent jail_get system call allowing a malicious jail superuser with permission to create nested jails to read kernel memory.
2397 CVE-2020-7390 79 XSS 2021-07-22 2021-08-02
3.5
None Remote Medium ??? None Partial None
Sage X3 Stored XSS Vulnerability on ‘Edit’ Page of User Profile. An authenticated user can pass XSS strings the "First Name," "Last Name," and "Email Address" fields of this web application component. Updates are available for on-premises versions of Version 12 (components shipped with Syracuse 12.10.0 and later) of Sage X3. Other on-premises versions of Sage X3 are unaffected or unsupported by the vendor.
2398 CVE-2020-7333 79 XSS 2020-11-12 2020-11-23
3.5
None Remote Medium ??? None Partial None
Cross site scripting vulnerability in the firewall ePO extension of McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows administrators to inject arbitrary web script or HTML via the configuration wizard.
2399 CVE-2020-7324 269 Bypass 2020-09-09 2020-09-14
3.6
None Local Low Not required None Partial Partial
Improper Access Control vulnerability in McAfee MVISION Endpoint prior to 20.9 Update allows local users to bypass security mechanisms and deny access to the SYSTEM folder via incorrectly applied permissions.
2400 CVE-2020-7310 269 2020-08-21 2020-10-19
3.3
None Local Medium Not required None Partial Partial
Privilege Escalation vulnerability in the installer in McAfee McAfee Total Protection (MTP) trial prior to 4.0.161.1 allows local users to change files that are part of write protection rules via manipulating symbolic links to redirect a McAfee file operations to an unintended file.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.