CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
751 | CVE-2020-24664 | 79 |  | Exec Code XSS | 2021-01-29 | 2021-02-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'pho:title' attribute of the 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, and >= 8.3.0.0 GA.
752 | CVE-2020-24663 | 79 |  | XSS | 2021-06-10 | 2021-06-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Trace Financial CRESTBridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03.
753 | CVE-2020-24627 | 79 |  | XSS | 2020-10-02 | 2020-10-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A remote stored XSS vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 prior to 2.8.3.
754 | CVE-2020-24623 | 89 |  | Sql | 2020-09-18 | 2020-09-30 | 3.3 | None | Local Network | Low | Not required | Partial | None | None
A potential security vulnerability has been identified in Hewlett Packard Enterprise Universal API Framework. The vulnerability could be remotely exploited to allow SQL injection in HPE Universal API Framework for VMware Esxi v2.5.2 and HPE Universal API Framework for Microsoft Hyper-V (VHD).
755 | CVE-2020-24578 | 732 |  |  | 2020-12-22 | 2020-12-23 | 3.3 | None | Local Network | Low | Not required | Partial | None | None
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. It has a misconfigured FTP service that allows a malicious network user to access system folders and download sensitive files (such as the password hash file).
756 | CVE-2020-24558 | 125 |  | Exec Code | 2020-09-01 | 2021-04-22 | 3.6 | None | Local | Low | Not required | Partial | None | Partial
A vulnerability in a Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services dll may allow an attacker to manipulate it to cause an out-of-bounds read that crashes multiple processes in the product. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
757 | CVE-2020-24501 | 120 |  | DoS Overflow | 2021-02-17 | 2021-02-22 | 3.3 | None | Local Network | Low | Not required | None | None | Partial
Buffer overflow in the firmware for Intel(R) E810 Ethernet Controllers before version 1.4.1.13 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
758 | CVE-2020-24490 | 119 |  | DoS Overflow | 2021-02-02 | 2021-02-08 | 3.3 | None | Local Network | Low | Not required | None | None | Partial
Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.
759 | CVE-2020-24447 | 427 |  | Exec Code | 2020-12-11 | 2020-12-11 | 3.7 | None | Local | High | Not required | Partial | Partial | Partial
Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
760 | CVE-2020-24445 | 79 |  | XSS | 2020-12-10 | 2021-01-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
AEM's Cloud Service offering, as well as version 6.5.6.0 (and below), are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
761 | CVE-2020-24440 | 427 |  | Exec Code | 2020-12-11 | 2020-12-11 | 3.7 | None | Local | High | Not required | Partial | Partial | Partial
Adobe Prelude version 9.0.1 (and earlier) is affected by an uncontrolled search path element that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
762 | CVE-2020-24394 | 732 |  |  | 2020-08-19 | 2020-09-15 | 3.6 | None | Local | Low | Not required | Partial | Partial | None
In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered.
763 | CVE-2020-23989 | 79 |  | XSS | 2020-11-02 | 2020-11-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
NeDi 1.9C allows pwsec.php oid XSS.
764 | CVE-2020-23984 | 79 |  | XSS | 2020-08-27 | 2020-09-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Online Hotel Booking System Pro PHP Version 1.3 has persistent Cross-site Scripting in all tags of the customer registration form.
765 | CVE-2020-23983 | 79 |  | XSS | 2020-08-27 | 2020-09-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Michael-design iChat Realtime PHP Live Support System 1.6 has persistent Cross-site Scripting via the chat text-field tags.
766 | CVE-2020-23974 | 79 |  | XSS | 2020-08-27 | 2020-09-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Create-Project Manager 1.07 has multiple persistent Cross-site Scripting and HTML injection issues via Online chat, Social feed, Message (title tag), and Add new client (all tags).
767 | CVE-2020-23868 | 79 |  | XSS | 2020-11-02 | 2020-11-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
NeDi 1.9C allows inc/rt-popup.php d XSS.
768 | CVE-2020-23762 | 79 |  | XSS | 2021-04-09 | 2021-04-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross Site Scripting (XSS) vulnerability in the Larsens Calender plugin Version <= 1.2 for WordPress allows remote attackers to execute arbitrary web script via the "titel" column on the "Eintrage hinzufugen" tab.
769 | CVE-2020-23721 | 79 |  | XSS Bypass | 2021-03-10 | 2021-03-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
An issue was discovered in FUEL CMS V1.4.7. An attacker can use an XSS payload and bypass a filter via /fuelCM/fuel/pages/edit/1?lang=english.
770 | CVE-2020-23689 | 79 |  | XSS | 2021-05-14 | 2021-05-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
In YFCMF v2.3.1, there is a stored XSS vulnerability in the comments section of the news page.
771 | CVE-2020-23660 | 79 |  | XSS | 2020-08-26 | 2020-08-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
webTareas v2.1 is affected by Cross Site Scripting (XSS) on "Search."
772 | CVE-2020-23659 | 79 |  | XSS | 2020-08-26 | 2020-08-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
WebPort-v1.19.17121 is affected by Cross Site Scripting (XSS) on the "connections" feature.
773 | CVE-2020-23658 | 79 |  | XSS | 2020-08-26 | 2020-09-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php.
774 | CVE-2020-23657 | 79 |  | XSS | 2020-08-26 | 2020-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."
775 | CVE-2020-23656 | 79 |  | XSS | 2020-08-26 | 2020-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Content."
776 | CVE-2020-23655 | 79 |  | XSS | 2020-08-26 | 2020-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."
777 | CVE-2020-23654 | 79 |  | XSS | 2020-08-26 | 2020-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) via the module "Shop."
778 | CVE-2020-23576 | 79 |  | XSS | 2020-08-27 | 2020-09-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Laborator Neon dashboard v3 is affected by stored Cross Site Scripting (XSS) via the chat tab.
779 | CVE-2020-23518 | 79 |  | XSS | 2021-03-02 | 2021-03-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5, which allows remote attackers to inject arbitrary web script or HTML.
780 | CVE-2020-23450 | 79 |  | XSS | 2020-09-01 | 2020-09-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Spiceworks Version <= 7.5.00107 is affected by XSS. Any name typed in the Custom Groups function is vulnerable to stored XSS, as names are displayed on http://127.0.0.1/inventory/groups/ without output sanitization.
781 | CVE-2020-23374 | 79 |  | XSS | 2021-05-10 | 2021-05-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
782 | CVE-2020-23373 | 79 |  | XSS | 2021-05-10 | 2021-05-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
783 | CVE-2020-23370 | 79 |  | XSS | 2021-05-10 | 2021-05-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
784 | CVE-2020-23014 | 79 |  | XSS | 2021-01-26 | 2021-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
APfell 1.4 is vulnerable to authenticated reflected cross-site scripting (XSS) in /apiui/command_ through the payloadtypes_callback function, which allows an attacker to steal the remote admin/user session and/or add new users to the administration panel.
785 | CVE-2020-22842 | 79 |  | XSS | 2020-09-30 | 2020-10-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
CMS Made Simple before 2.2.15 allows XSS via the m1_mod parameter in a ModuleManager local_uninstall action to admin/moduleinterface.php.
786 | CVE-2020-22841 | 79 |  | Exec Code XSS | 2021-02-09 | 2021-02-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Stored XSS in b2evolution CMS version 6.11.6 and prior allows an attacker to perform malicious JavaScript code execution via the plugin name input field in the plugin module.
787 | CVE-2020-22790 | 79 |  | Exec Code XSS | 2021-04-28 | 2021-06-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute code by injecting arbitrary web script or HTML via modifying the name of the users. The XSS is executed when an administrator accesses the logs.
788 | CVE-2020-22428 | 79 |  | XSS | 2021-05-05 | 2021-05-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
SolarWinds Serv-U before 15.1.6 Hotfix 3 is affected by Cross Site Scripting (XSS) via a directory name (entered by an admin) containing a JavaScript payload.
789 | CVE-2020-21147 | 79 |  | Exec Code XSS | 2021-01-26 | 2021-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
RockOA V1.9.8 is affected by a cross-site scripting (XSS) vulnerability which allows remote attackers to send malicious code to the administrator and execute JavaScript code, because webmain/flow/input/mode_emailmAction.php does not perform strict filtering.
790 | CVE-2020-21101 | 79 |  | Exec Code XSS | 2021-04-29 | 2021-05-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross Site Scripting vulnerability in Screenly screenly-ose all versions, including v1.8.2 (2019-09-25-Screenly-OSE-lite.img), in the 'Add Asset' page via manipulation of a 'URL' field, which could let a remote malicious user execute arbitrary code.
791 | CVE-2020-21088 | 79 |  | XSS +Info | 2021-04-14 | 2021-04-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in the "/index.php/contacts/create" page.
792 | CVE-2020-21003 | 79 |  | XSS | 2021-06-03 | 2021-06-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Pbootcms v2.0.3 is vulnerable to Cross Site Scripting (XSS) via admin.php.
793 | CVE-2020-20633 | 79 |  | XSS | 2020-08-21 | 2020-08-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
ajax_policy_generator in admin/modules/cli-policy-generator/classes/class-policy-generator-ajax.php in GDPR Cookie Consent (cookie-law-info) 1.8.2 and below plugin for WordPress, allows authenticated stored XSS and privilege escalation.
794 | CVE-2020-20626 | 79 |  | XSS | 2020-08-31 | 2020-09-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
lara-google-analytics.php in Lara Google Analytics plugin through 2.0.4 for WordPress allows authenticated stored XSS.
795 | CVE-2020-20545 | 79 |  | XSS | 2021-03-30 | 2021-04-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-Site Scripting (XSS) vulnerability in Zhiyuan G6 Government Collaboration System V6.1SP1, via the 'method' parameter to 'seeyon/hrSalary.do'.
796 | CVE-2020-20406 | 79 |  | XSS | 2020-09-16 | 2020-09-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A stored XSS vulnerability exists in the Custom Link Attributes control Affect function in Elementor Page Builder 2.9.2 and earlier versions. It is caused by inadequate filtering on the link custom attributes.
797 | CVE-2020-20285 | 79 |  | XSS | 2020-12-18 | 2020-12-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
There is an XSS in the user login page in zzcms 2019. Users can inject js code via the referer header in user/login.php.
798 | CVE-2020-19924 | 79 |  | XSS | 2021-05-18 | 2021-05-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.
799 | CVE-2020-19887 | 79 |  | XSS | 2020-08-24 | 2020-08-25 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
DBHcms v1.2.0 has a stored XSS vulnerability, as there is no htmlspecialchars function for the '$_POST['pageparam_insert_description']' variable in dbhcms\mod\mod.page.edit.php line 227. A remote authenticated admin user can exploit this vulnerability to hijack other users.
800 | CVE-2020-19885 | 79 |  | XSS | 2020-08-24 | 2020-08-25 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
DBHcms v1.2.0 has a stored XSS vulnerability, as there is no htmlspecialchars function for the '$_POST['pageparam_insert_name']' variable in dbhcms\mod\mod.page.edit.php line 227. A remote authenticated admin user can exploit this vulnerability to hijack other users.