CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

Columns (each entry below spans four lines):
# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date
Score
Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
Description
801 CVE-2020-19884 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a stored XSS vulnerability as there is no htmlspecialchars function in dbhcms\mod\mod.domain.edit.php line 119.
802 CVE-2020-19883 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a stored XSS vulnerability as there is no security filter in dbhcms\mod\mod.users.view.php line 57 for user_login. A remote authenticated admin user can exploit this vulnerability to hijack other users.
803 CVE-2020-19882 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a stored XSS vulnerability as there is no htmlspecialchars function for the 'menu_description' variable in dbhcms\mod\mod.menus.edit.php line 83 and in dbhcms\mod\mod.menus.view.php line 111. A remote authenticated admin user can exploit this vulnerability to hijack other users.
804 CVE-2020-19881 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a reflected XSS vulnerability as there is no security filter in dbhcms\mod\mod.selector.php line 108 for the $_GET['return_name'] parameter. A remote authenticated admin user can exploit this vulnerability to hijack other users.
805 CVE-2020-19626 79 XSS 2021-03-26 2021-03-26
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
806 CVE-2020-19619 79 XSS 2021-04-01 2021-04-02
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the signature field to /settings/profile.
807 CVE-2020-19618 79 XSS 2021-04-01 2021-04-02
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post content field to /post/editing.
808 CVE-2020-19617 79 XSS 2021-04-01 2021-04-02
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the nickname field to /settings/profile.
809 CVE-2020-19616 79 XSS 2021-04-01 2021-04-02
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post header field to /post/editing.
810 CVE-2020-19007 79 Exec Code XSS 2020-08-26 2020-08-31
3.5
None Remote Medium ??? None Partial None
Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. The javascript code supplied by the attacker will then execute in the victim user's browser.
811 CVE-2020-19005 863 2020-08-25 2020-09-03
3.5
None Remote Medium ??? Partial None None
zrlog v2.1.0 has a vulnerability with the permission check. If admin account is logged in, other unauthorized users can download the database backup file directly.
812 CVE-2020-18724 79 Exec Code XSS 2021-02-03 2021-02-25
3.5
None Remote Medium ??? None Partial None
Authenticated stored cross-site scripting (XSS) in the contact name field in the distribution list of MDaemon webmail 19.5.5 allows an attacker to execute code and perform an XSS attack while opening a contact list.
813 CVE-2020-18723 79 Exec Code XSS 2021-02-03 2021-02-25
3.5
None Remote Medium ??? None Partial None
Stored cross-site scripting (XSS) in file attachment field in MDaemon webmail 19.5.5 allows an attacker to execute code on the email recipient side while forwarding an email to perform potentially malicious activities.
814 CVE-2020-18230 79 Exec Code XSS 2021-05-27 2021-05-28
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_switchshow" of component "/admin/web_config.php".
815 CVE-2020-18229 79 Exec Code XSS 2021-05-27 2021-05-28
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component "/admin/web_config.php".
816 CVE-2020-18167 79 Exec Code XSS 2021-05-14 2021-05-21
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Homepage Introduction" field of component "admin/info.php?shuyu".
817 CVE-2020-18165 79 Exec Code XSS 2021-05-12 2021-05-18
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Website SEO Keywords" field on the page "admin/info.php?shuyu".
818 CVE-2020-17551 79 Exec Code XSS 2020-10-07 2020-10-14
3.5
None Remote Medium ??? None Partial None
ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which may result in arbitrary remote code execution.
819 CVE-2020-17542 79 Exec Code XSS 2021-04-23 2021-04-30
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in dotCMS v5.1.5 allows remote attackers to execute arbitrary code by injecting a malicious payload into the "Task Detail" comment window of the "/dotAdmin/#/c/workflow" component.
820 CVE-2020-17526 269 2020-12-21 2020-12-22
3.5
None Remote Medium ??? Partial None None
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.
821 CVE-2020-17458 79 XSS 2020-09-02 2020-09-08
3.5
None Remote Medium ??? None Partial None
A post-authenticated stored XSS was found in MultiUx v.3.1.12.0 via the /multiux/SaveMailbox LastName field.
822 CVE-2020-17457 79 XSS 2021-03-17 2021-03-25
3.5
None Remote Medium ??? None Partial None
Fujitsu ServerView Suite iRMC before 9.62F allows XSS. An authenticated attacker can store an XSS payload in the PSCU_FILE_INIT field of a Save Configuration XML document. The payload is triggered in the HTTP error response pages.
823 CVE-2020-17451 79 XSS 2020-08-09 2020-08-10
3.5
None Remote Medium ??? None Partial None
flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter.
824 CVE-2020-17449 79 XSS 2020-08-12 2020-08-13
3.5
None Remote Medium ??? None Partial None
PHP-Fusion 9.03 allows XSS via the error_log file.
825 CVE-2020-17409 288 2020-10-13 2020-12-03
3.3
None Local Network Low Not required Partial None None
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R6120, R6080, R6260, R6220, R6020, JNR3210, and WNR2020 routers with firmware 1.0.66. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-10754.
826 CVE-2020-17373 89 Sql 2020-08-12 2020-10-28
3.5
None Remote Medium ??? Partial None None
SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.
827 CVE-2020-17372 79 XSS 2020-08-12 2020-08-13
3.5
None Remote Medium ??? None Partial None
SugarCRM before 10.1.0 (Q3 2020) allows XSS.
828 CVE-2020-17147 79 XSS 2020-12-10 2021-03-03
3.5
None Remote Medium ??? None Partial None
Dynamics CRM Webclient Cross-site Scripting Vulnerability
829 CVE-2020-17083 79 Exec Code XSS 2020-11-11 2020-11-17
3.5
None Remote Medium ??? None Partial None
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2020-17084.
830 CVE-2020-17021 79 XSS 2020-11-11 2020-11-16
3.5
None Remote Medium ??? None Partial None
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability This CVE ID is unique from CVE-2020-17005, CVE-2020-17006, CVE-2020-17018.
831 CVE-2020-17018 79 XSS 2020-11-11 2020-11-16
3.5
None Remote Medium ??? None Partial None
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability This CVE ID is unique from CVE-2020-17005, CVE-2020-17006, CVE-2020-17021.
832 CVE-2020-17006 79 XSS 2020-11-11 2020-11-16
3.5
None Remote Medium ??? None Partial None
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability This CVE ID is unique from CVE-2020-17005, CVE-2020-17018, CVE-2020-17021.
833 CVE-2020-17005 79 XSS 2020-11-11 2020-11-16
3.5
None Remote Medium ??? None Partial None
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability This CVE ID is unique from CVE-2020-17006, CVE-2020-17018, CVE-2020-17021.
834 CVE-2020-16978 79 XSS 2020-10-16 2020-10-20
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16956.
835 CVE-2020-16956 79 XSS 2020-10-16 2020-10-20
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16978.
836 CVE-2020-16946 79 XSS 2020-10-16 2020-10-20
3.5
None Remote Medium ??? None Partial None
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-16945.
837 CVE-2020-16945 79 XSS 2020-10-16 2020-10-20
3.5
None Remote Medium ??? None Partial None
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-16946.
838 CVE-2020-16944 79 XSS 2020-10-16 2020-10-20
3.5
None Remote Medium ??? None Partial None
This vulnerability is caused when SharePoint Server does not properly sanitize a specially crafted request to an affected SharePoint server. An authenticated attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server, aka 'Microsoft SharePoint Reflective XSS Vulnerability'.
839 CVE-2020-16943 863 2020-10-16 2020-10-20
3.3
None Local Network Low Not required None Partial None
An elevation of privilege vulnerability exists in Microsoft Dynamics 365 Commerce, aka 'Dynamics 365 Commerce Elevation of Privilege Vulnerability'.
840 CVE-2020-16878 79 XSS 2020-09-11 2020-09-13
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16858, CVE-2020-16859, CVE-2020-16861, CVE-2020-16864, CVE-2020-16871, CVE-2020-16872.
841 CVE-2020-16877 269 2020-10-16 2020-10-22
3.6
None Local Low Not required None Partial Partial
An elevation of privilege vulnerability exists when Microsoft Windows improperly handles reparse points, aka 'Windows Elevation of Privilege Vulnerability'.
842 CVE-2020-16872 79 XSS 2020-09-11 2020-09-13
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16858, CVE-2020-16859, CVE-2020-16861, CVE-2020-16864, CVE-2020-16871, CVE-2020-16878.
843 CVE-2020-16871 79 XSS 2020-09-11 2020-09-13
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16858, CVE-2020-16859, CVE-2020-16861, CVE-2020-16864, CVE-2020-16872, CVE-2020-16878.
844 CVE-2020-16864 79 XSS 2020-09-11 2020-09-13
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16858, CVE-2020-16859, CVE-2020-16861, CVE-2020-16871, CVE-2020-16872, CVE-2020-16878.
845 CVE-2020-16861 79 XSS 2020-09-11 2020-09-13
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16858, CVE-2020-16859, CVE-2020-16864, CVE-2020-16871, CVE-2020-16872, CVE-2020-16878.
846 CVE-2020-16859 79 XSS 2020-09-11 2020-09-13
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16858, CVE-2020-16861, CVE-2020-16864, CVE-2020-16871, CVE-2020-16872, CVE-2020-16878.
847 CVE-2020-16858 79 XSS 2020-09-11 2020-09-13
3.5
None Remote Medium ??? None Partial None
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. This CVE ID is unique from CVE-2020-16859, CVE-2020-16861, CVE-2020-16864, CVE-2020-16871, CVE-2020-16872, CVE-2020-16878.
848 CVE-2020-16853 59 2020-09-11 2020-09-14
3.6
None Local Low Not required Partial Partial None
An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links, aka 'OneDrive for Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-16851, CVE-2020-16852.
849 CVE-2020-16852 269 2020-09-11 2020-09-14
3.6
None Local Low Not required None Partial Partial
An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links, aka 'OneDrive for Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-16851, CVE-2020-16853.
850 CVE-2020-16851 59 2020-09-11 2020-09-14
3.6
None Local Low Not required None Partial Partial
An elevation of privilege vulnerability exists when the OneDrive for Windows Desktop application improperly handles symbolic links, aka 'OneDrive for Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-16852, CVE-2020-16853.