CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
701 CVE-2020-25651 200 DoS +Info 2020-11-26 2021-02-19
3.3
None Local Medium Not required Partial None Partial
A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.
702 CVE-2020-25640 532 2020-11-24 2020-12-23
3.5
None Remote Medium ??? Partial None None
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.
703 CVE-2020-25636 552 2020-10-05 2020-10-09
3.6
None Local Low Not required None Partial Partial
A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.
704 CVE-2020-25619 2020-12-16 2020-12-21
3.6
None Local Low Not required Partial Partial None
An issue was discovered in SolarWinds N-Central 12.3.0.670. The SSH component does not restrict the Communication Channel to Intended Endpoints. An attacker can leverage an SSH feature (port forwarding with a temporary key pair) to access network services on the 127.0.0.1 interface, even though this feature was only intended for user-to-agent communication.
705 CVE-2020-25609 79 XSS 2020-12-18 2020-12-18
3.5
None Remote Medium ??? None Partial None
The NuPoint Messenger Portal of Mitel MiCollab before 9.2 could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to view and modify user data.
706 CVE-2020-25516 79 XSS 2020-10-29 2020-11-03
3.5
None Remote Medium ??? None Partial None
WSO2 Enterprise Integrator 6.6.0 or earlier contains a stored cross-site scripting (XSS) vulnerability in BPMN explorer tasks.
707 CVE-2020-25498 79 XSS 2021-01-06 2021-01-08
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter.
708 CVE-2020-25454 79 XSS 2020-11-18 2020-11-27
3.5
None Remote Medium ??? None Partial None
Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe.
709 CVE-2020-25449 79 XSS 2020-12-04 2020-12-07
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Arachnys Cabot 0.11.12 can be exploited via the Address column.
710 CVE-2020-25380 79 Exec Code XSS 2020-09-14 2020-09-18
3.5
None Remote Medium ??? None Partial None
Wordpress Plugin Store / Mike Rooijackers Recall Products V0.8 is affected by: Cross Site Scripting (XSS) via the 'Recall Settings' field in admin.php. An attacker can inject JavaScript code that will be stored and executed.
711 CVE-2020-25375 79 XSS 2020-09-14 2020-09-18
3.5
None Remote Medium ??? None Partial None
Wordpress Plugin Store / SoftradeWeb SNC WP SMART CRM V1.8.7 is affected by: Cross Site Scripting via the Business Name field, Tax Code field, First Name field, Address field, Town field, Phone field, Mobile field, Place of Birth field, Web Site field, VAT Number field, Last Name field, Fax field, Email field, and Skype field.
712 CVE-2020-25343 79 XSS 2020-10-07 2020-10-14
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php
713 CVE-2020-25288 79 XSS 2020-09-30 2020-10-13
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript.
714 CVE-2020-25271 79 XSS 2020-10-08 2020-10-16
3.5
None Remote Medium ??? None Partial None
PHPGurukul hospital-management-system-in-php 4.0 allows XSS via admin/patient-search.php, doctor/search.php, book-appointment.php, doctor/appointment-history.php, or admin/appointment-history.php.
715 CVE-2020-25270 79 XSS 2020-10-08 2020-10-20
3.5
None Remote Medium ??? None Partial None
PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, or City.
716 CVE-2020-25267 79 XSS 2020-11-10 2020-11-18
3.5
None Remote Medium ??? None Partial None
An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4.
717 CVE-2020-25234 321 2020-12-14 2020-12-16
3.6
None Local Low Not required Partial Partial None
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3), LOGO! Soft Comfort (All versions < V8.3). The LOGO! program files generated and used by the affected components offer the possibility to save user-defined functions (UDF) in a password protected way. This protection is implemented in the software that displays the information. An attacker could reverse engineer the UDFs directly from stored program files.
718 CVE-2020-25211 120 Overflow 2020-09-09 2020-11-02
3.6
None Local Low Not required None Partial Partial
In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
719 CVE-2020-25124 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI.
720 CVE-2020-25123 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager.
721 CVE-2020-25122 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager.
722 CVE-2020-25121 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options.
723 CVE-2020-25120 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI.
724 CVE-2020-25119 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual.
725 CVE-2020-25118 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager.
726 CVE-2020-25117 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.
727 CVE-2020-25116 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager.
728 CVE-2020-25115 79 XSS 2020-09-03 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager.
729 CVE-2020-25104 79 XSS 2020-09-03 2020-09-10
3.5
None Remote Medium ??? None Partial None
eramba c2.8.1 and Enterprise before e2.19.3 allows XSS via a crafted filename for a file attached to an object. For example, the filename has a complete XSS payload followed by the .png extension.
730 CVE-2020-25071 79 XSS 2020-09-15 2020-09-24
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Nifty Project Management Web Application 2020-08-26 allows XSS, via Add Task, that is rendered upon a Project Home visit. Note: It has been argued that this is not reproducible. "The original issue was that the task would be created and an alert would be shown on the screen. Now the task would be created, but the alert won't be executed as those attributes are now stripped."
731 CVE-2020-25044 2020-09-02 2020-09-10
3.6
None Local Low Not required None Partial Partial
Kaspersky Virus Removal Tool (KVRT) prior to 15.0.23.0 was vulnerable to arbitrary file corruption that could provide an attacker with the opportunity to eliminate content of any file in the system.
732 CVE-2020-25043 2020-09-02 2020-09-10
3.6
None Local Low Not required None Partial Partial
The installer of Kaspersky VPN Secure Connection prior to 5.0 was vulnerable to arbitrary file deletion that could allow an attacker to delete any file in the system.
733 CVE-2020-24993 79 XSS 2021-05-17 2021-05-24
3.5
None Remote Medium ??? None Partial None
There is a cross site scripting vulnerability on CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when visitors access the article module.
734 CVE-2020-24992 79 XSS 2021-05-17 2021-05-24
3.5
None Remote Medium ??? None Partial None
There is a cross site scripting vulnerability on CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when an administrator accesses the content management module.
735 CVE-2020-24963 79 XSS 2020-09-04 2020-09-11
3.5
None Remote Medium ??? None Partial None
An Authenticated Persistent XSS vulnerability was discovered in the Best Support System, tested version v3.0.4.
736 CVE-2020-24925 326 2020-09-15 2020-09-24
3.5
None Remote Medium ??? Partial None None
A Sensitive Source Code Path Disclosure vulnerability is found in ElkarBackup v1.3.3. An attacker is able to view the path of the source code jobs/sort where entire source code path is displayed in the browser itself helping the attacker identify the code structure /app/elkarbackup/src/Binovo/ElkarBackupBundle/Controller/DefaultController.php
737 CVE-2020-24924 79 XSS 2020-09-15 2020-09-18
3.5
None Remote Medium ??? None Partial None
A Persistent Cross-site Scripting vulnerability is found in ElkarBackup v1.3.3, where an attacker can steal the user session cookie using this vulnerability present on Policies >> action >> Name Parameter
738 CVE-2020-24897 79 XSS 2020-08-29 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Table Filter and Charts for Confluence Server app before 5.3.25 (for Atlassian Confluence) allow remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) through the provided Markdown markup to the "Table from CSV" macro.
739 CVE-2020-24861 79 XSS 2020-10-01 2020-10-08
3.5
None Remote Medium ??? None Partial None
GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page
740 CVE-2020-24860 79 XSS 2020-10-01 2020-10-08
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.
741 CVE-2020-24723 79 XSS 2020-11-18 2021-04-22
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel 2.1.
742 CVE-2020-24721 2020-09-30 2020-10-22
3.3
None Local Medium Not required Partial Partial None
An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework.
743 CVE-2020-24712 79 XSS 2020-10-28 2020-10-30
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.
744 CVE-2020-24709 79 XSS 2020-10-28 2020-10-29
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template.
745 CVE-2020-24708 79 XSS 2020-10-28 2020-10-29
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form.
746 CVE-2020-24692 20 XSS 2020-09-25 2020-09-30
3.6
None Local Low Not required Partial Partial None
The Ignite portal in Mitel MiContact Center Business before 9.3.0.0 could allow an attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to gain access to a user session.
747 CVE-2020-24670 79 Exec Code XSS 2021-01-29 2021-02-04
3.5
None Remote Medium ??? None Partial None
The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'type' attribute of 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, and >= 8.3.0.0 GA.
748 CVE-2020-24669 79 Exec Code XSS 2021-01-29 2021-02-04
3.5
None Remote Medium ??? None Partial None
The New Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a DOM-based Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Analysis Report Description' field in 'About this Report' section. Remediated in >= 8.3.0.9, >= 9.0.0.1, and >= 9.1.0.0 GA.
749 CVE-2020-24668 79 XSS 2021-06-10 2021-06-11
3.5
None Remote Medium ??? None Partial None
Trace Financial Crest Bridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03.
750 CVE-2020-24666 79 Exec Code XSS 2021-01-29 2021-02-04
3.5
None Remote Medium ??? None Partial None
The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Display Name' parameter. Remediated in >= 9.1.0.1
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.