CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2451 CVE-2020-6272 79 XSS 2020-10-15 2020-10-19
3.5
None Remote Medium ??? None Partial None
SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These can be saved and later triggered, if an affected web page is visited, resulting in Cross-Site Scripting (XSS) vulnerability.
2452 CVE-2020-6257 79 XSS 2020-05-12 2020-05-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.
2453 CVE-2020-6231 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
2454 CVE-2020-6226 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
2455 CVE-2020-6224 200 +Info 2020-04-14 2021-07-21
3.5
None Remote Medium ??? Partial None None
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure.
2456 CVE-2020-6222 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
2457 CVE-2020-6221 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
Web Intelligence HTML interface in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
2458 CVE-2020-6200 79 XSS 2020-03-10 2020-03-11
3.5
None Remote Medium ??? None Partial None
The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the angular framework.
2459 CVE-2020-6185 79 XSS 2020-02-12 2020-02-19
3.5
None Remote Medium ??? None Partial None
Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability.
2460 CVE-2020-6022 2020-10-27 2020-10-27
3.6
None Local Low Not required None Partial Partial
Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to delete arbitrary files while restoring files in Anti-Ransomware.
2461 CVE-2020-5988 416 DoS 2020-10-02 2021-07-21
3.6
None Local Low Not required Partial None Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which allocated memory can be freed twice, which may lead to information disclosure or denial of service. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
2462 CVE-2020-5985 20 DoS 2020-10-02 2020-10-14
3.6
None Local Low Not required None Partial Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input data length is not validated, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
2463 CVE-2020-5983 787 DoS 2020-10-02 2020-10-14
3.6
None Local Low Not required Partial None Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin and the host driver kernel module, in which the potential exists to write to a memory location that is outside the intended boundary of the frame buffer memory allocated to guest operating systems, which may lead to denial of service or information disclosure. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
2464 CVE-2020-5972 763 DoS 2020-06-30 2020-07-09
3.6
None Local Low Not required None Partial Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which local pointer variables are not initialized and may be freed later, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).
2465 CVE-2020-5970 20 DoS 2020-06-30 2020-07-10
3.6
None Local Low Not required None Partial Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input data size is not validated, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).
2466 CVE-2020-5969 362 DoS 2020-06-30 2020-07-10
3.3
None Local Medium Not required Partial None Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which it validates a shared resource before using it, creating a race condition which may lead to denial of service or information disclosure. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).
2467 CVE-2020-5940 79 XSS 2020-11-05 2020-11-12
3.5
None Remote Medium ??? None Partial None
In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.2.3, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility.
2468 CVE-2020-5934 2020-10-29 2020-11-09
3.3
None Local Network Low Not required None None Partial
On BIG-IP APM 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when multiple HTTP requests from the same client to configured SAML Single Logout (SLO) URL are passing through a TCP Keep-Alive connection, traffic to TMM can be disrupted.
2469 CVE-2020-5932 79 Exec Code XSS 2020-10-29 2020-11-09
3.5
None Remote Medium ??? None Partial None
On BIG-IP ASM 15.1.0-15.1.0.5, a cross-site scripting (XSS) vulnerability exists in the BIG-IP ASM Configuration utility response and blocking pages. An authenticated user with administrative privileges can specify a response page with any content, including JavaScript code that will be executed when preview is opened.
2470 CVE-2020-5928 352 CSRF 2020-08-26 2020-09-02
3.3
None Local Medium Not required None Partial Partial
In versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, BIG-IP ASM Configuration utility CSRF protection token can be reused multiple times.
2471 CVE-2020-5912 20 2020-08-26 2021-07-21
3.6
None Local Low Not required None Partial Partial
In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the restjavad process's dump command does not follow current best coding practices and may overwrite arbitrary files.
2472 CVE-2020-5889 79 XSS 2020-04-30 2020-05-05
3.5
None Remote Medium ??? None Partial None
On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, in BIG-IP APM portal access, a specially crafted HTTP request can lead to reflected XSS after the BIG-IP APM system rewrites the HTTP response from the untrusted backend server and sends it to the client.
2473 CVE-2020-5888 Bypass 2020-04-30 2020-05-06
3.3
None Local Network Low Not required Partial None None
On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for adjacent network (layer 2) attackers to access local daemons and bypass port lockdown settings.
2474 CVE-2020-5853 79 XSS 2020-01-14 2020-01-17
3.5
None Remote Medium ??? None Partial None
In BIG-IP APM portal access on versions 15.0.0-15.1.0, 14.0.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, when backend servers serve HTTP pages with special JavaScript code, this can lead to internal portal access name conflict.
2475 CVE-2020-5843 79 XSS 2020-01-07 2020-01-08
3.5
None Remote Medium ??? None Partial None
Codoforum 4.8.3 allows XSS in the admin dashboard via a category to the Manage Users screen.
2476 CVE-2020-5838 79 XSS 2020-05-13 2020-05-15
3.5
None Remote Medium ??? None Partial None
Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can potentially enable attackers to inject client-side scripts into web pages viewed by other users.
2477 CVE-2020-5825 269 2020-02-11 2021-07-21
3.6
None Local Low Not required None Partial Partial
Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to an arbitrary file write vulnerability, which is a type of issue whereby an attacker is able to overwrite existing files on the resident system without proper privileges.
2478 CVE-2020-5810 79 XSS 2020-12-30 2021-01-04
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which act as a stored XSS payload.
2479 CVE-2020-5809 79 XSS 2020-12-30 2021-01-04
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.
2480 CVE-2020-5797 59 2020-11-21 2020-12-03
3.6
None Local Low Not required Partial Partial None
UNIX Symbolic Link (Symlink) Following in TP-Link Archer C9(US)_V1_180125 firmware allows an unauthenticated actor, with physical access and network access, to read sensitive files and write to a limited set of files after plugging a crafted USB drive into the router.
2481 CVE-2020-5774 613 2020-08-21 2020-08-28
3.6
None Local Low Not required Partial Partial None
Nessus versions 8.11.0 and earlier were found to maintain sessions longer than the permitted period in certain scenarios. The lack of proper session expiration could allow attackers with local access to login into an existing browser session.
2482 CVE-2020-5769 79 XSS 2020-07-17 2020-07-22
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in Teltonika firmware TRB2_R_00.02.02 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by injecting malicious client-side code into the 'URL/ Host / Connection' form in the 'DATA TO SERVER' configuration section.
2483 CVE-2020-5765 79 Exec Code XSS 2020-07-15 2020-07-20
3.5
None Remote Medium ??? None Partial None
Nessus 8.10.0 and earlier were found to contain a Stored XSS vulnerability due to improper validation of input during scan configuration. An authenticated, remote attacker could potentially exploit this vulnerability to execute arbitrary code in a user's session. Tenable has implemented additional input validation mechanisms to correct this issue in Nessus 8.11.0.
2484 CVE-2020-5751 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator.
2485 CVE-2020-5749 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group.
2486 CVE-2020-5747 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.
2487 CVE-2020-5746 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.
2488 CVE-2020-5737 79 Exec Code XSS 2020-04-17 2020-04-23
3.5
None Remote Medium ??? None Partial None
Stored XSS in Tenable.Sc before 5.14.0 could allow an authenticated remote attacker to craft a request to execute arbitrary script code in a user's browser session. Updated input validation techniques have been implemented to correct this issue.
2489 CVE-2020-5669 79 XSS 2021-10-26 2021-10-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
2490 CVE-2020-5665 755 2020-12-14 2021-07-21
3.3
None Local Network Low Not required None None Partial
Improper check or handling of exceptional conditions in MELSEC iQ-F series FX5U(C) CPU unit firmware version 1.060 and earlier allows an attacker to cause a denial-of-service (DoS) condition on program execution and communication by sending a specially crafted ARP packet.
2491 CVE-2020-5662 79 XSS 2020-11-16 2020-11-20
3.5
None Remote Medium ??? None Partial None
Reflected cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors.
2492 CVE-2020-5657 88 2020-11-02 2020-11-10
3.3
None Local Network Low Not required None None Partial
Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in TCP/IP function included in the firmware of MELSEC iQ-R series (RJ71EIP91 EtherNet/IP Network Interface Module First 2 digits of serial number are '02' or before, RJ71PN92 PROFINET IO Controller Module First 2 digits of serial number are '01' or before, RD81DL96 High Speed Data Logger Module First 2 digits of serial number are '08' or before, RD81MES96N MES Interface Module First 2 digits of serial number are '04' or before, and RD81OPC96 OPC UA Server Module First 2 digits of serial number are '04' or before) allows unauthenticated attackers on adjacent network to stop the network functions of the products via a specially crafted packet.
2493 CVE-2020-5620 79 XSS 2020-08-25 2020-08-25
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Exment prior to v3.6.0 allows remote authenticated attackers to inject arbitrary script or HTML via a specially crafted file.
2494 CVE-2020-5619 79 XSS 2020-08-25 2020-08-26
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Exment prior to v3.6.0 allows remote authenticated attackers to inject arbitrary script or HTML via unspecified vectors.
2495 CVE-2020-5586 79 XSS 2020-06-30 2020-07-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Cybozu Garoon 4.10.3 to 5.0.1 allows attacker with administrator rights to inject an arbitrary script via unspecified vectors.
2496 CVE-2020-5585 79 XSS 2020-06-30 2020-07-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Cybozu Garoon 5.0.0 to 5.0.1 allows attacker with administrator rights to inject an arbitrary script via unspecified vectors.
2497 CVE-2020-5570 79 XSS 2020-04-28 2020-05-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Sales Force Assistant version 11.2.48 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
2498 CVE-2020-5421 Bypass 2020-09-19 2021-12-02
3.6
None Remote High ??? Partial Partial None
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
2499 CVE-2020-5346 79 Exec Code XSS 2020-04-15 2020-08-31
3.5
None Remote Medium ??? None Partial None
RSA Authentication Manager versions prior to 8.4 P11 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected page, the injected scripts could potentially be executed in their browser.
2500 CVE-2020-5340 79 Exec Code XSS 2020-03-26 2020-08-31
3.5
None Remote Medium ??? None Partial None
RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators attempt to change the default security domain mapping, the injected scripts could potentially be executed in their browser.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.