Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1001 | CVE-2020-13429 | 79 | | XSS | 2020-05-24 | 2020-05-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1.5.0 for Grafana allows XSS via the Values Header (aka legend header) option. |
| 1002 | CVE-2020-13423 | 79 | | XSS | 2020-06-29 | 2020-07-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Form Builder 2.1.0 for Magento has multiple XSS issues that can be exploited against Magento 2 admin accounts via the Current_url or email field, or the User-Agent HTTP header. |
| 1003 | CVE-2020-13361 | 787 | | | 2020-05-28 | 2020-11-11 | 3.3 | None | Local | Medium | Not required | None | Partial | Partial | In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. |
| 1004 | CVE-2020-13345 | 79 | | XSS | 2020-10-06 | 2020-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting all versions starting from 10.8. Reflected XSS on Multiple Routes. |
| 1005 | CVE-2020-13340 | 79 | | XSS | 2020-10-08 | 2020-10-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log. |
| 1006 | CVE-2020-13338 | 79 | | XSS | 2020-10-02 | 2020-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8, 13.1.2. A stored cross-site scripting vulnerability was discovered when editing references. |
| 1007 | CVE-2020-13337 | 79 | | XSS | 2020-10-02 | 2020-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name. |
| 1008 | CVE-2020-13336 | 79 | | XSS | 2020-09-30 | 2020-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting versions from 11.8 before 12.10.13. GitLab was vulnerable to a stored XSS in the error tracking feature. |
| 1009 | CVE-2020-13331 | 79 | | XSS | 2020-09-30 | 2020-10-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in the Wiki pages. |
| 1010 | CVE-2020-13330 | 79 | | XSS | 2020-09-30 | 2020-10-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in the Bitbucket project import feature. |
| 1011 | CVE-2020-13329 | 79 | | XSS | 2020-09-30 | 2020-10-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting versions from 12.6.2 prior to 12.10.13. GitLab was vulnerable to a stored XSS in the blob view feature. |
| 1012 | CVE-2020-13328 | 79 | | XSS | 2020-09-30 | 2020-10-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API. |
| 1013 | CVE-2020-13326 | | | Bypass | 2020-09-30 | 2020-10-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the restriction for Github project import could be bypassed. |
| 1014 | CVE-2020-13324 | | | | 2020-09-30 | 2020-10-08 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the private activity of a user could be exposed via the API. |
| 1015 | CVE-2020-13301 | 79 | | XSS | 2020-09-14 | 2020-09-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a stored XSS on the standalone vulnerability page. |
| 1016 | CVE-2020-13288 | 79 | | XSS | 2020-08-12 | 2020-08-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page. |
| 1017 | CVE-2020-13285 | 79 | | XSS | 2020-08-13 | 2021-05-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting (XSS) vulnerability exists in the issue reference number tooltip. |
| 1018 | CVE-2020-13283 | 79 | | XSS | 2020-08-13 | 2020-08-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issues list via milestone title. |
| 1019 | CVE-2020-13248 | 79 | | XSS | 2020-06-24 | 2021-02-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | BooleBox Secure File Sharing Utility before 4.2.3.0 allows stored XSS via a crafted avatar field within My Account JSON data to Account.aspx. |
| 1020 | CVE-2020-13239 | 79 | | XSS | 2020-05-20 | 2020-05-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS. |
| 1021 | CVE-2020-13225 | 79 | | XSS | 2020-05-20 | 2020-05-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget. |
| 1022 | CVE-2020-13145 | 79 | | XSS | 2020-05-18 | 2020-05-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "Content>File Uploads" screen. These files can contain JavaScript code and thus lead to Stored XSS. |
| 1023 | CVE-2020-13135 | 200 | | +Info | 2020-05-18 | 2020-05-19 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | D-Link DSP-W215 1.26b03 devices allow information disclosure by intercepting messages on the local network, as demonstrated by a Squid Proxy. |
| 1024 | CVE-2020-13134 | 79 | | XSS | 2021-01-20 | 2021-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1 are affected. Vulnerabilities were fixed in R19.3 HF3 and R20-1 HF1. |
| 1025 | CVE-2020-13116 | 79 | | XSS | 2021-01-12 | 2021-01-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | OpenText Carbonite Server Backup Portal before 8.8.7 allows XSS by an authenticated user via policy creation. |
| 1026 | CVE-2020-13094 | 79 | | XSS | 2020-05-18 | 2020-05-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Dolibarr before 11.0.4 allows XSS. |
| 1027 | CVE-2020-12882 | 79 | | XSS | 2020-05-15 | 2020-05-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Submitty through 20.04.01 allows XSS via upload of an SVG document, as demonstrated by an attack by a Student against a Teaching Fellow. |
| 1028 | CVE-2020-12869 | 79 | | XSS | 2020-09-30 | 2020-10-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | RainbowFish PacsOne Server 6.8.4 allows XSS. |
| 1029 | CVE-2020-12864 | 908 | | | 2020-06-24 | 2020-11-02 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-081. |
| 1030 | CVE-2020-12863 | 125 | | | 2020-06-24 | 2020-11-02 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-083. |
| 1031 | CVE-2020-12862 | 125 | | | 2020-06-24 | 2020-11-02 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-082. |
| 1032 | CVE-2020-12849 | 79 | | XSS | 2020-06-05 | 2020-06-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Pydio Cells 2.0.4 allows any user to upload a profile image to the web application, including standard and shared user roles. These profile pictures can later be accessed directly with the generated URL by any unauthenticated or authenticated user. |
| 1033 | CVE-2020-12815 | 79 | | XSS | 2020-09-24 | 2020-10-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability in FortiTester before 3.9.0 may allow a remote authenticated attacker to inject script-related HTML tags via IPv4/IPv6 address fields. |
| 1034 | CVE-2020-12779 | 79 | | XSS | 2020-08-10 | 2020-10-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading a file with a malicious script. |
| 1035 | CVE-2020-12718 | 79 | | XSS Bypass | 2020-05-08 | 2020-05-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle. |
| 1036 | CVE-2020-12717 | 20 | | | 2020-05-14 | 2020-05-15 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected. |
| 1037 | CVE-2020-12706 | 79 | | XSS | 2020-05-07 | 2020-05-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php. |
| 1038 | CVE-2020-12683 | 79 | | XSS | 2020-05-07 | 2020-05-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Katyshop2 before 2.12 has multiple stored XSS issues. |
| 1039 | CVE-2020-12646 | 79 | | XSS | 2020-08-31 | 2020-09-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document. |
| 1040 | CVE-2020-12629 | 79 | | XSS | 2020-05-04 | 2020-05-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name. |
| 1041 | CVE-2020-12621 | 863 | | | 2020-09-02 | 2020-09-11 | 3.6 | None | Local | Low | Not required | Partial | Partial | None | The Teamwire application 5.3.0 for Android allows physically proximate attackers to exploit a flaw related to the pass-code component. |
| 1042 | CVE-2020-12512 | 79 | | XSS | 2021-01-22 | 2021-01-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting. |
| 1043 | CVE-2020-12472 | 79 | | XSS | 2020-04-29 | 2020-05-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | MonoX through 5.1.40.5152 allows stored XSS via User Status, Blog Comments, or Blog Description. |
| 1044 | CVE-2020-12438 | 79 | | XSS | 2020-04-28 | 2020-05-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags. |
| 1045 | CVE-2020-12352 | 200 | | +Info | 2020-11-23 | 2021-04-08 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access. |
| 1046 | CVE-2020-12322 | 20 | | DoS | 2020-11-12 | 2020-11-24 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | Improper input validation in some Intel(R) Wireless Bluetooth(R) products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
| 1047 | CVE-2020-12319 | | | DoS | 2020-11-12 | 2020-11-20 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | Insufficient control flow management in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
| 1048 | CVE-2020-12317 | 119 | | DoS Overflow | 2020-11-12 | 2020-11-20 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | Improper buffer restriction in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
| 1049 | CVE-2020-12314 | 20 | | DoS | 2020-11-12 | 2020-11-20 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | Improper input validation in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
| 1050 | CVE-2020-12276 | 79 | | XSS | 2020-04-29 | 2020-05-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature. |
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.