CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1401 CVE-2020-7015 79 XSS +Info 2020-06-03 2020-06-05
3.5
None Remote Medium ??? None Partial None
Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users who edit the TSVB visualization.
1402 CVE-2020-6876 79 XSS 2020-10-26 2020-10-30
3.5
None Remote Medium ??? None Partial None
A ZTE product is impacted by an XSS vulnerability. The vulnerability is caused by the lack of correct verification of client data in the WEB module. By inserting malicious scripts into the web module, a remote attacker could trigger an XSS attack when the user browses the web page. Then the attacker could use the vulnerability to steal user cookies or destroy the page structure. This affects: eVDC ZXCLOUD-iROSV6.03.04
1403 CVE-2020-6868 20 Bypass 2020-06-01 2020-12-04
3.3
None Local Network Low Not required None Partial None
There is an input validation vulnerability in a PON terminal product of ZTE, which supports the creation of WAN connections through WEB management pages. The front-end limits the length of the WAN connection name that is created, but the HTTP proxy is available to be used to bypass the limitation. An attacker can exploit the vulnerability to tamper with the parameter value. This affects: ZTE F680 V9.0.10P1N6
1404 CVE-2020-6864 200 +Info 2020-02-27 2020-03-03
3.3
None Local Network Low Not required Partial None None
ZTE E8820V3 router product is impacted by an information leak vulnerability. Attackers could use this vulnerability to to gain wireless passwords. After obtaining the wireless password, the attacker could collect information and attack the router.
1405 CVE-2020-6863 732 2020-02-27 2020-03-03
3.3
None Local Network Low Not required None None Partial
ZTE E8820V3 router product is impacted by a permission and access control vulnerability. Attackers could use this vulnerability to tamper with DDNS parameters and send DoS attacks on the specified URL.
1406 CVE-2020-6854 79 XSS 2020-02-05 2020-02-07
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in the JOC Cockpit component of SOS JobScheduler 1.11 and 1.13.2 allows attackers to inject arbitrary web script or HTML via JSON properties available from the REST API.
1407 CVE-2020-6847 79 XSS 2020-01-11 2020-01-15
3.5
None Remote Medium ??? None Partial None
OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is executed when an administrator attempts to delete a message that contains JavaScript.
1408 CVE-2020-6843 79 XSS 2020-01-23 2020-01-27
3.5
None Remote Medium ??? None Partial None
Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.
1409 CVE-2020-6777 79 Exec Code +Priv XSS 2021-01-14 2021-01-21
3.5
None Remote Medium ??? None Partial None
A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an authenticated remote attacker with admin privileges to mount a stored Cross-Site-Scripting (XSS) attack against another user. When the victim logs into the management interface, the stored script code is executed in the context of his browser. A successful exploit would allow an attacker to interact with the management interface with the privileges of the victim. However, as the attacker already needs admin privileges, there is no additional impact on the management interface itself.
1410 CVE-2020-6647 79 XSS 2020-04-07 2020-04-09
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.
1411 CVE-2020-6646 79 XSS 2020-03-17 2020-03-19
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message.
1412 CVE-2020-6643 79 XSS 2020-03-12 2020-03-17
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in the URL Description in Fortinet FortiIsolator version 1.2.2 allows a remote authenticated attacker to perform a cross site scripting attack (XSS).
1413 CVE-2020-6640 79 XSS 2020-06-04 2020-06-08
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.
1414 CVE-2020-6616 338 2020-05-08 2020-06-11
3.3
None Local Network Low Not required None Partial None
Some Broadcom chips mishandle Bluetooth random-number generation because a low-entropy Pseudo Random Number Generator (PRNG) is used in situations where a Hardware Random Number Generator (HRNG) should have been used to prevent spoofing. This affects, for example, Samsung Galaxy S8, S8+, and Note8 devices with the BCM4361 chipset. The Samsung ID is SVE-2020-16882 (May 2020).
1415 CVE-2020-6586 79 XSS 2020-03-16 2020-03-18
3.5
None Remote Medium ??? None Partial None
Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a crafted name field that is mishandled on the /admin/users page. Any malicious user with limited access can store an XSS payload in his Name. When any admin views this, the XSS is triggered.
1416 CVE-2020-6581 74 2020-03-16 2020-07-10
3.7
None Local High Not required Partial Partial Partial
Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection.
1417 CVE-2020-6370 79 XSS 2020-10-20 2020-10-22
3.5
None Remote Medium ??? None Partial None
SAP NetWeaver Design Time Repository (DTR), versions - 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
1418 CVE-2020-6368 79 XSS +Info 2020-10-15 2020-10-19
3.5
None Remote Medium ??? None Partial None
SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.
1419 CVE-2020-6326 79 XSS 2020-09-09 2020-09-14
3.5
None Remote Medium ??? None Partial None
SAP NetWeaver (Knowledge Management), version-7.30,7.31,7.40,7.50, allows an authenticated attacker to create malicious links in the UI, when clicked by victim, will execute arbitrary java scripts thus extracting or modifying information otherwise restricted leading to Stored Cross Site Scripting.
1420 CVE-2020-6312 79 XSS 2020-09-09 2020-09-10
3.5
None Remote Medium ??? None Partial None
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), versions - 4.1, 4.2, allows an attacker with a non-administrative user account that can edit certain web page properties, can modify how a browser processes particular page elements, leading to stored Cross Site Scripting. In certain situations, when a user accesses an affected web page element, the attacker will be able to access or modify metadata for which they are not authorized.
1421 CVE-2020-6303 79 XSS 2020-01-14 2020-01-24
3.5
None Remote Medium ??? None Partial None
SAP Disclosure Management, before version 10.1, does not validate user input properly in specific use cases leading to Cross-Site Scripting.
1422 CVE-2020-6300 79 XSS 2020-08-12 2020-08-13
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Central Management Console), versions- 4.2, 4.3, allows an attacker with administrator rights can use the web application to send malicious code to a different end user (victim), as it does not sufficiently encode user-controlled inputs for RecycleBin, resulting in Stored Cross-Site Scripting (XSS) vulnerability.
1423 CVE-2020-6285 200 +Info 2020-07-14 2020-07-15
3.5
None Remote Medium ??? Partial None None
SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
1424 CVE-2020-6278 79 XSS 2020-07-14 2020-07-14
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC), versions 4.1, 4.2, allows to an attacker to embed malicious scripts in the application while uploading images, which gets executed when the victim opens these files, leading to Stored Cross Site Scripting
1425 CVE-2020-6272 79 XSS 2020-10-15 2020-10-19
3.5
None Remote Medium ??? None Partial None
SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These can be saved and later triggered, if an affected web page is visited, resulting in Cross-Site Scripting (XSS) vulnerability.
1426 CVE-2020-6257 79 XSS 2020-05-12 2020-05-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.
1427 CVE-2020-6231 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
1428 CVE-2020-6226 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
1429 CVE-2020-6224 200 +Info 2020-04-14 2020-04-17
3.5
None Remote Medium ??? Partial None None
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure.
1430 CVE-2020-6222 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
1431 CVE-2020-6221 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
Web Intelligence HTML interface in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
1432 CVE-2020-6200 79 XSS 2020-03-10 2020-03-11
3.5
None Remote Medium ??? None Partial None
The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the angular framework.
1433 CVE-2020-6185 79 XSS 2020-02-12 2020-02-19
3.5
None Remote Medium ??? None Partial None
Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability.
1434 CVE-2020-6022 2020-10-27 2020-10-27
3.6
None Local Low Not required None Partial Partial
Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to delete arbitrary files while restoring files in Anti-Ransomware.
1435 CVE-2020-5988 416 DoS 2020-10-02 2020-10-13
3.6
None Local Low Not required Partial None Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which allocated memory can be freed twice, which may lead to information disclosure or denial of service. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
1436 CVE-2020-5985 20 DoS 2020-10-02 2020-10-14
3.6
None Local Low Not required None Partial Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input data length is not validated, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
1437 CVE-2020-5983 787 DoS 2020-10-02 2020-10-14
3.6
None Local Low Not required Partial None Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin and the host driver kernel module, in which the potential exists to write to a memory location that is outside the intended boundary of the frame buffer memory allocated to guest operating systems, which may lead to denial of service or information disclosure. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
1438 CVE-2020-5972 763 DoS 2020-06-30 2020-07-09
3.6
None Local Low Not required None Partial Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which local pointer variables are not initialized and may be freed later, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).
1439 CVE-2020-5970 20 DoS 2020-06-30 2020-07-10
3.6
None Local Low Not required None Partial Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input data size is not validated, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).
1440 CVE-2020-5969 362 DoS 2020-06-30 2020-07-10
3.3
None Local Medium Not required Partial None Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which it validates a shared resource before using it, creating a race condition which may lead to denial of service or information disclosure. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).
1441 CVE-2020-5940 79 XSS 2020-11-05 2020-11-12
3.5
None Remote Medium ??? None Partial None
In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.2.3, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility.
1442 CVE-2020-5934 2020-10-29 2020-11-09
3.3
None Local Network Low Not required None None Partial
On BIG-IP APM 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when multiple HTTP requests from the same client to configured SAML Single Logout (SLO) URL are passing through a TCP Keep-Alive connection, traffic to TMM can be disrupted.
1443 CVE-2020-5932 79 Exec Code XSS 2020-10-29 2020-11-09
3.5
None Remote Medium ??? None Partial None
On BIG-IP ASM 15.1.0-15.1.0.5, a cross-site scripting (XSS) vulnerability exists in the BIG-IP ASM Configuration utility response and blocking pages. An authenticated user with administrative privileges can specify a response page with any content, including JavaScript code that will be executed when preview is opened.
1444 CVE-2020-5928 352 CSRF 2020-08-26 2020-09-02
3.3
None Local Medium Not required None Partial Partial
In versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, BIG-IP ASM Configuration utility CSRF protection token can be reused multiple times.
1445 CVE-2020-5912 20 2020-08-26 2020-08-31
3.6
None Local Low Not required None Partial Partial
In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the restjavad process's dump command does not follow current best coding practices and may overwrite arbitrary files.
1446 CVE-2020-5889 79 XSS 2020-04-30 2020-05-05
3.5
None Remote Medium ??? None Partial None
On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, in BIG-IP APM portal access, a specially crafted HTTP request can lead to reflected XSS after the BIG-IP APM system rewrites the HTTP response from the untrusted backend server and sends it to the client.
1447 CVE-2020-5888 Bypass 2020-04-30 2020-05-06
3.3
None Local Network Low Not required Partial None None
On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for adjacent network (layer 2) attackers to access local daemons and bypass port lockdown settings.
1448 CVE-2020-5853 79 XSS 2020-01-14 2020-01-17
3.5
None Remote Medium ??? None Partial None
In BIG-IP APM portal access on versions 15.0.0-15.1.0, 14.0.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, when backend servers serve HTTP pages with special JavaScript code, this can lead to internal portal access name conflict.
1449 CVE-2020-5843 79 XSS 2020-01-07 2020-01-08
3.5
None Remote Medium ??? None Partial None
Codoforum 4.8.3 allows XSS in the admin dashboard via a category to the Manage Users screen.
1450 CVE-2020-5838 79 XSS 2020-05-13 2020-05-15
3.5
None Remote Medium ??? None Partial None
Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can potentially enable attackers to inject client-side scripts into web pages viewed by other users.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.