CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
551 CVE-2020-35228 79 XSS 2021-03-10 2021-03-17
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in the administration web panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allows remote attackers to inject arbitrary web script or HTML via the language parameter.
552 CVE-2020-35221 327 2021-03-10 2021-03-17
3.3
None Local Network Low Not required Partial None None
The hashing algorithm implemented for NSDP password authentication on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was found to be insecure, allowing attackers (with access to a network capture) to quickly generate multiple collisions to generate valid passwords, or infer some parts of the original.
553 CVE-2020-35208 287 Bypass 2020-12-12 2020-12-15
3.3
None Local Medium Not required Partial Partial None
** DISPUTED ** An issue was discovered in the LogMein LastPass Password Manager (aka com.lastpass.ilastpass) app 4.8.11.2403 for iOS. The password authentication for unlocking can be bypassed by forcing the authentication result to be true through runtime manipulation. In other words, an attacker could authenticate with an arbitrary password. NOTE: the vendor has indicated that this is not an attack of interest within the context of their threat model, which excludes jailbroken devices.
554 CVE-2020-35207 287 Bypass 2020-12-12 2020-12-15
3.3
None Local Medium Not required Partial Partial None
** DISPUTED ** An issue was discovered in the LogMein LastPass Password Manager (aka com.lastpass.ilastpass) app 4.8.11.2403 for iOS. The PIN authentication for unlocking can be bypassed by forcing the authentication result to be true through runtime manipulation. In other words, an attacker could authenticate with an arbitrary PIN. NOTE: the vendor has indicated that this is not an attack of interest within the context of their threat model, which excludes jailbroken devices.
555 CVE-2020-35202 79 XSS 2020-12-12 2020-12-15
3.5
None Remote Medium ??? None Partial None
Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS.
556 CVE-2020-35201 79 XSS 2020-12-12 2020-12-15
3.5
None Remote Medium ??? None Partial None
Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS.
557 CVE-2020-35199 79 XSS 2020-12-12 2020-12-15
3.5
None Remote Medium ??? None Partial None
Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS.
558 CVE-2020-35170 79 XSS 2021-01-05 2021-01-08
3.5
None Remote Medium ??? None Partial None
Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject javascript code and affect other authenticated users’ sessions.
559 CVE-2020-35132 79 XSS 2020-12-11 2020-12-22
3.5
None Remote Medium ??? None Partial None
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php.
560 CVE-2020-35127 79 XSS 2020-12-11 2020-12-11
3.5
None Remote Medium ??? None Partial None
Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS.
561 CVE-2020-35126 79 XSS 2020-12-11 2020-12-14
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."
562 CVE-2020-29593 79 XSS 2021-04-14 2021-04-21
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Orchard before 1.10. The Media Settings Allowed File Types list field allows an attacker to add a XSS payload that will execute when users attempt to upload a disallowed file type, causing the error to display.
563 CVE-2020-29587 79 XSS 2021-01-14 2021-01-21
3.5
None Remote Medium ??? None Partial None
SimplCommerce 1.0.0-rc uses the Bootbox.js library, which allows creation of programmatic dialog boxes using Bootstrap modals. The Bootbox.js library intentionally does not perform any sanitization of user input, which results in a DOM XSS, because it uses the jQuery .html() function to directly append the payload to a dialog.
564 CVE-2020-29539 79 XSS 2020-12-08 2020-12-10
3.5
None Remote Medium ??? None Partial None
A Cross-Site Scripting (XSS) issue in WebUI Translation in Systran Pure Neural Server before 9.7.0 allows a threat actor to have a remote authenticated user run JavaScript from a malicious site.
565 CVE-2020-29535 79 Exec Code XSS 2021-01-29 2021-02-03
3.5
None Remote Medium ??? None Partial None
Archer before 6.8 P4 (6.8.0.4) contains a stored XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application.
566 CVE-2020-29497 79 Exec Code XSS 2021-01-04 2021-01-06
3.5
None Remote Medium ??? None Partial None
Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to store malicious HTML or JavaScript code under the device tag. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.
567 CVE-2020-29496 79 Exec Code XSS 2021-01-04 2021-01-06
3.5
None Remote Medium ??? None Partial None
Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.
568 CVE-2020-29477 79 XSS 2020-12-30 2021-01-04
3.5
None Remote Medium ??? None Partial None
Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. This vulnerability can allow an attacker to inject the XSS payload in Field Name and each time any user will open that, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.
569 CVE-2020-29475 79 XSS 2020-12-29 2020-12-30
3.5
None Remote Medium ??? None Partial None
nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
570 CVE-2020-29471 79 Exec Code XSS 2020-12-29 2020-12-30
3.5
None Remote Medium ??? None Partial None
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone will see the profile picture, the code will execute and XSS will trigger.
571 CVE-2020-29470 79 XSS 2020-12-29 2020-12-30
3.5
None Remote Medium ??? None Partial None
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.
572 CVE-2020-29469 79 XSS 2020-12-30 2021-01-04
3.5
None Remote Medium ??? None Partial None
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. This vulnerability can allow an attacker to inject the XSS payload in the Setting - Menu and each time any user will visits the website directory, the XSS triggers and attacker can steal the cookie according to the crafted payload.
573 CVE-2020-29444 79 XSS 2021-05-07 2021-05-13
3.5
None Remote Medium ??? None Partial None
Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters.
574 CVE-2020-29443 125 2021-01-26 2021-03-15
3.3
None Local Medium Not required Partial None Partial
ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
575 CVE-2020-29438 347 2020-11-30 2020-12-04
3.3
None Local Network Low Not required Partial None None
Tesla Model X vehicles before 2020-11-23 have key fobs that accept firmware updates without signature verification. This allows attackers to construct firmware that retrieves an unlock code from a secure enclave chip.
576 CVE-2020-29364 79 XSS 2020-11-30 2020-12-01
3.5
None Remote Medium ??? None Partial None
In NetArt News Lister 1.0.0, the news headlines vulnerable to stored xss attacks. Attackers can inject codes in news titles.
577 CVE-2020-29247 79 XSS 2020-12-24 2021-04-22
3.5
None Remote Medium ??? None Partial None
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Admin Panel. An attacker can inject the XSS payload in Page keywords and each time any user will visit the website, the XSS triggers, and the attacker can able to steal the cookie according to the crafted payload.
578 CVE-2020-29241 79 XSS 2021-01-26 2021-02-01
3.5
None Remote Medium ??? None Partial None
Online News Portal using PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML via the "Title" parameter.
579 CVE-2020-29240 79 XSS 2020-12-02 2020-12-02
3.5
None Remote Medium ??? None Partial None
Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered.
580 CVE-2020-29233 79 XSS 2020-12-30 2021-01-04
3.5
None Remote Medium ??? None Partial None
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. This vulnerability can allow an attacker to inject the XSS payload in the Page description and each time any user will visits the website, the XSS triggers and attacker can steal the cookie according to the crafted payload.
581 CVE-2020-29231 79 XSS 2020-12-30 2021-01-04
3.5
None Remote Medium ??? None Partial None
EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin Full Name and each time admin visits the Profile page from the admin panel, the XSS triggers.
582 CVE-2020-29145 79 XSS 2020-11-27 2020-12-04
3.5
None Remote Medium ??? None Partial None
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admins' browsers by using the beef framework.
583 CVE-2020-29144 79 XSS 2020-11-27 2020-12-04
3.5
None Remote Medium ??? None Partial None
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admins' browsers by using the beef framework.
584 CVE-2020-29135 74 2020-11-27 2020-12-01
3.5
None Remote Medium ??? None Partial None
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).
585 CVE-2020-29070 79 XSS 2020-11-25 2020-11-27
3.5
None Remote Medium ??? None Partial None
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
586 CVE-2020-29027 79 XSS 2021-02-16 2021-02-18
3.5
None Remote Medium ??? None Partial None
Cross-site Scripting (XSS) vulnerability in GUI of Secomea SiteManager could allow an attacker to cause an XSS Attack. This issue affects: Secomea SiteManager all versions prior to 9.3.
587 CVE-2020-29021 79 XSS 2021-02-08 2021-02-11
3.5
None Remote Medium ??? None Partial None
A vulnerability in web UI input field of GateManager allows authenticated attacker to enter script tags that could cause XSS. This issue affects: GateManager all versions prior to 9.3.
588 CVE-2020-29003 79 XSS 2020-11-24 2020-11-30
3.5
None Remote Medium ??? None Partial None
The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.
589 CVE-2020-29002 79 XSS 2020-11-24 2020-11-30
3.5
None Remote Medium ??? None Partial None
includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.
590 CVE-2020-28938 79 XSS 2020-12-03 2020-12-03
3.5
None Remote Medium ??? None Partial None
OpenClinic version 0.8.2 is affected by a stored XSS vulnerability in lib/Check.php that allows users of the application to force actions on behalf of other users.
591 CVE-2020-28930 79 XSS 2020-12-16 2020-12-17
3.5
None Remote Medium ??? None Partial None
A Cross-Site Scripting (XSS) issue in the 'update user' and 'delete user' functionalities in settings/users.php in EPSON EPS TSE Server 8 (21.0.11) allows an authenticated attacker to inject a JavaScript payload in the user management page that is executed by an administrator.
592 CVE-2020-28914 732 2020-11-17 2020-12-04
3.6
None Local Low Not required None Partial Partial
An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is mounted as readOnly inside the container, but is still writable inside the guest. For a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.
593 CVE-2020-28838 352 CSRF 2020-12-11 2020-12-15
3.5
None Remote Medium ??? None Partial None
Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart.
594 CVE-2020-28722 79 XSS 2021-05-12 2021-05-19
3.5
None Remote Medium ??? None Partial None
Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates.
595 CVE-2020-28650 79 XSS 2020-11-16 2020-11-27
3.5
None Remote Medium ??? None Partial None
The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles.
596 CVE-2020-28647 79 Exec Code XSS 2020-11-17 2020-12-18
3.5
None Remote Medium ??? None Partial None
In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).
597 CVE-2020-28457 79 XSS 2020-12-15 2020-12-16
3.5
None Remote Medium ??? None Partial None
This affects the package s-cart/core before 4.4. The search functionality of the admin dashboard in core/src/Admin/Controllers/AdminOrderController.phpindex is vulnerable to XSS.
598 CVE-2020-28409 79 XSS 2020-11-10 2020-11-18
3.5
None Remote Medium ??? None Partial None
The server in Dundas BI through 8.0.0.1001 allows XSS via addition of a Component (e.g., a button) when events such as click, hover, etc. occur.
599 CVE-2020-28408 79 XSS 2020-11-10 2020-11-18
3.5
None Remote Medium ??? None Partial None
The server in Dundas BI through 8.0.0.1001 allows XSS via an HTML label when creating or editing a dashboard.
600 CVE-2020-28184 79 XSS 2020-12-24 2020-12-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.