CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1301 CVE-2020-9101 787 2020-07-18 2020-07-24
3.3
None Local Network Low Not required None None Partial
There is an out-of-bounds write vulnerability in some products. An unauthenticated attacker crafts malformed packets with specific parameter and sends the packets to the affected products. Due to insufficient validation of packets, which may be exploited to cause the process reboot. Affected product versions include: IPS Module versions V500R005C00, V500R005C10; NGFW Module versions V500R005C00, V500R005C10; Secospace USG6300 versions V500R001C30, V500R001C60, V500R005C00, V500R005C10; Secospace USG6500 versions V500R001C30, V500R001C60, V500R005C00, V500R005C10; Secospace USG6600 versions V500R001C30, V500R001C60, V500R005C00, V500R005C10; USG9500 versions V500R001C30, V500R001C60, V500R005C00, V500R005C10
1302 CVE-2020-9069 200 +Info 2020-05-21 2020-05-29
3.3
None Local Network Low Not required Partial None None
There is an information leakage vulnerability in some Huawei products. An unauthenticated, adjacent attacker could exploit this vulnerability to decrypt data. Successful exploitation may leak information randomly. Affected product versions include: Anne-AL00 Versions earlier than 9.1.0.331(C675E9R1P3T8); Berkeley-L09 Versions earlier than 10.0.1.1(C675R1); CD16-10 Versions earlier than 10.0.2.8; CD17-10 Versions earlier than 10.0.2.8; CD17-16 Versions earlier than 10.0.2.8; CD18-10 Versions earlier than 10.0.2.8; CD18-16 Versions earlier than 10.0.2.8; Columbia-TL00B Versions earlier than 9.0.0.187(C01E181R1P20T8); E6878-370 Versions earlier than 10.0.5.1(H610SP10C00); HUAWEI P30 lite Versions earlier than 10.0.0.185(C605E3R1P3), Versions earlier than 10.0.0.197(C432E8R2P7); HUAWEI nova 4e Versions earlier than 10.0.0.158(C00E64R1P9); Honor 10 Lite 9.0.1.113(C675E11R1P12); LelandP-L22A Versions earlier than 9.1.0.166(C675E5R1P4T8); Marie-AL00AX Versions earlier than 10.0.0.158(C00E64R1P9); Marie-AL00AY Versions earlier than 10.0.0.158(C00E64R1P9); Marie-AL00BX Versions earlier than 10.0.0.158(C00E64R1P9); Marie-L03BX Versions earlier than 10.0.0.188(C605E5R1P1); Marie-L21BX Versions earlier than 10.0.0.188(C432E4R4P1), Versions earlier than 10.0.0.188(C461E5R3P1); Marie-L22BX Versions earlier than 10.0.0.188(C636E3R3P1); Marie-L23BX Versions earlier than 10.0.0.188(C605E5R1P1); TC5200-16 Versions earlier than 10.0.2.8; WS5200-11 Versions earlier than 10.0.2.8; WS5200-12 Versions earlier than 10.0.2.23; WS5200-16 Versions earlier than 10.0.2.8; WS5200-17 Versions earlier than 10.0.2.23; WS5800-10 Versions earlier than 10.0.3.27; WS6500-10 Versions earlier than 10.0.2.8; WS6500-16 Versions earlier than 10.0.2.8
1303 CVE-2020-9056 79 XSS 2020-04-10 2020-04-13
3.5
None Remote Medium ??? None Partial None
Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application. This JavaScript is subsequently displayed by the application without sanitization and is executed in the browser of the user, which could possibly cause website redirection, session hijacking, or information disclosure. This vulnerability has been patched in BuySpeed version 15.3.
1304 CVE-2020-9055 79 XSS 2020-03-30 2020-04-01
3.5
None Remote Medium ??? None Partial None
Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user. This could lead to website redirects, session cookie hijacking, or information disclosure.
1305 CVE-2020-9016 79 XSS 2020-02-16 2020-02-18
3.5
None Remote Medium ??? None Partial None
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
1306 CVE-2020-9008 79 XSS 2020-02-25 2020-03-09
3.5
None Remote Medium ??? None Partial None
Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.
1307 CVE-2020-9007 79 XSS 2020-02-16 2020-02-18
3.5
None Remote Medium ??? None Partial None
Codoforum 4.8.8 allows self-XSS via the title of a new topic.
1308 CVE-2020-9003 79 XSS 2020-02-20 2020-02-24
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.
1309 CVE-2020-8951 79 XSS 2020-02-26 2020-02-27
3.5
None Remote Medium ??? None Partial None
Fiserv Accurate Reconciliation 2.19.0 allows XSS via the Source or Destination field of the Configuration Manager (Configuration Parameter Translation) page.
1310 CVE-2020-8918 665 2020-08-11 2020-08-18
3.6
None Local Low Not required Partial Partial None
An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth', and then can calculate 'usageAuth ^ encMigrationAuth' as the 'migrationAuth' can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for 'migrationAuth'.
1311 CVE-2020-8825 79 XSS 2020-02-10 2020-02-11
3.5
None Remote Medium ??? None Partial None
index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS.
1312 CVE-2020-8824 79 XSS 2020-02-19 2020-02-27
3.5
None Remote Medium ??? None Partial None
Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed Device name on the Wireless > Access Control > Add Managed Device screen.
1313 CVE-2020-8822 79 XSS 2020-02-10 2020-02-11
3.5
None Remote Medium ??? None Partial None
Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices allow stored XSS in the web application.
1314 CVE-2020-8821 74 Exec Code 2020-10-12 2020-10-16
3.5
None Remote Medium ??? None Partial None
An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users.
1315 CVE-2020-8820 79 Exec Code XSS 2020-10-12 2020-10-16
3.5
None Remote Medium ??? None Partial None
An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed.
1316 CVE-2020-8812 79 XSS 2020-02-07 2020-02-10
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Bludit 3.10.0 allows Editor or Author roles to insert malicious JavaScript on the WYSIWYG editor. NOTE: the vendor's perspective is that this is "not a bug."
1317 CVE-2020-8799 79 XSS 2020-05-05 2020-05-07
3.5
None Remote Medium ??? None Partial None
A Stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin through 1.4.5 for WordPress. Once the administrator has submitted the data, the script stored is executed for all the users visiting the website.
1318 CVE-2020-8789 79 XSS 2020-05-22 2020-05-26
3.5
None Remote Medium ??? None Partial None
Composr 10.0.30 allows Persistent XSS via a Usergroup name under the Security configuration.
1319 CVE-2020-8778 79 XSS 2020-03-02 2020-03-03
3.5
None Remote Medium ??? None Partial None
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project.
1320 CVE-2020-8777 79 XSS 2020-03-02 2020-03-03
3.5
None Remote Medium ??? None Partial None
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document.
1321 CVE-2020-8776 79 XSS 2020-03-02 2020-03-03
3.5
None Remote Medium ??? None Partial None
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file.
1322 CVE-2020-8766 754 DoS 2020-11-12 2020-11-30
3.3
None Local Network Low Not required None None Partial
Improper conditions check in the Intel(R) SGX DCAP software before version 1.6 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
1323 CVE-2020-8746 190 DoS Overflow 2020-11-12 2020-11-18
3.3
None Local Network Low Not required None None Partial
Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
1324 CVE-2020-8689 119 DoS Overflow 2020-08-13 2020-08-19
3.3
None Local Network Low Not required None None Partial
Improper buffer restrictions in the Intel(R) Wireless for Open Source before version 1.5 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
1325 CVE-2020-8649 416 2020-02-06 2020-06-10
3.6
None Local Low Not required Partial None Partial
There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.
1326 CVE-2020-8648 416 2020-02-06 2020-09-24
3.6
None Local Low Not required Partial None Partial
There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.
1327 CVE-2020-8647 416 2020-02-06 2020-06-10
3.6
None Local Low Not required Partial None Partial
There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.
1328 CVE-2020-8594 79 XSS 2020-02-14 2020-02-18
3.5
None Remote Medium ??? None Partial None
The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format].
1329 CVE-2020-8581 863 2021-01-19 2021-01-26
3.5
None Remote Medium ??? None Partial None
Clustered Data ONTAP versions prior to 9.3P20 and 9.5 are susceptible to a vulnerability which could allow an authenticated but unauthorized attacker to overwrite arbitrary data when VMware vStorage support is enabled.
1330 CVE-2020-8555 918 +Info 2020-06-05 2021-05-04
3.5
None Remote Medium ??? Partial None None
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
1331 CVE-2020-8551 770 DoS 2020-03-27 2020-07-24
3.3
None Local Network Low Not required None None Partial
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
1332 CVE-2020-8542 79 XSS 2020-06-16 2020-08-22
3.5
None Remote Medium ??? None Partial None
OX App Suite through 7.10.3 allows XSS.
1333 CVE-2020-8503 639 2020-01-31 2020-02-05
3.5
None Remote Medium ??? Partial None None
Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.1000 through 6.0.1003 allows Insecure Direct Object Reference (IDOR) by an authenticated sender because of an error in a file-upload feature. This is fixed in 5.1.1068 and 6.0.1004.
1334 CVE-2020-8498 79 Exec Code XSS 2020-01-30 2020-02-03
3.5
None Remote Medium ??? None Partial None
XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users (e.g., ones who have the publish_posts capability).
1335 CVE-2020-8496 79 XSS 2020-01-30 2020-02-05
3.5
None Remote Medium ??? None Partial None
In Kronos Web Time and Attendance (webTA) 4.1.x and later 4.x versions before 5.0, there is a Stored XSS vulnerability by setting the Application Banner input field of the /ApplicationBanner page as an authenticated administrator.
1336 CVE-2020-8493 79 XSS 2020-01-30 2020-02-05
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability in Kronos Web Time and Attendance (webTA) affects 3.8.x and later 3.x versions before 4.0 via multiple input fields (Login Message, Banner Message, and Password Instructions) of the com.threeis.webta.H261configMenu servlet via an authenticated administrator.
1337 CVE-2020-8462 79 XSS 2020-12-17 2020-12-21
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product.
1338 CVE-2020-8428 416 DoS +Info 2020-01-29 2020-06-10
3.6
None Local Low Not required Partial None Partial
fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.
1339 CVE-2020-8426 79 XSS 2020-01-28 2020-01-31
3.5
None Remote Medium ??? None Partial None
The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user.
1340 CVE-2020-8294 79 XSS 2021-02-03 2021-02-05
3.5
None Remote Medium ??? None Partial None
A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.
1341 CVE-2020-8288 79 XSS 2021-01-26 2021-02-01
3.5
None Remote Medium ??? None Partial None
The `specializedRendering` function in Rocket.Chat server before 3.9.2 allows a cross-site scripting (XSS) vulnerability by way of the `value` parameter.
1342 CVE-2020-8281 79 XSS 2021-01-06 2021-01-11
3.5
None Remote Medium ??? None Partial None
A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.
1343 CVE-2020-8280 79 XSS 2021-01-06 2021-01-11
3.5
None Remote Medium ??? None Partial None
A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks.
1344 CVE-2020-8263 79 XSS 2020-10-28 2020-10-30
3.5
None Remote Medium ??? None Partial None
A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file.
1345 CVE-2020-8223 269 2020-10-05 2020-10-26
3.5
None Remote Medium ??? None Partial None
A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.
1346 CVE-2020-8217 79 XSS 2020-07-30 2020-07-31
3.5
None Remote Medium ??? None Partial None
A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA.
1347 CVE-2020-8189 79 XSS 2020-08-21 2020-09-14
3.5
None Remote Medium ??? None Partial None
A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt.
1348 CVE-2020-8173 311 2020-11-02 2020-11-17
3.5
None Remote Medium ??? Partial None None
A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.
1349 CVE-2020-8155 79 XSS 2020-05-12 2020-10-19
3.5
None Remote Medium ??? None Partial None
An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.
1350 CVE-2020-8103 59 2020-06-05 2020-06-11
3.6
None Local Low Not required None Partial Partial
A vulnerability in the improper handling of symbolic links in Bitdefender Antivirus Free can allow an unprivileged user to substitute a quarantined file, and restore it to a privileged location. This issue affects Bitdefender Antivirus Free versions prior to 1.0.17.178.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.