Total
37114 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8031 | 1 Opensuse | 1 Open Build Service | 2024-11-21 | 3.5 LOW | 6.3 MEDIUM |
| A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects: Open Build Service versions prior to 2.10.8. | |||||
| CVE-2020-8020 | 2 Debian, Opensuse | 2 Debian Linux, Open Build Service | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb. | |||||
| CVE-2020-7997 | 1 Asus | 2 Rt-ac66u, Rt-ac66u Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ASUS WRT-AC66U 3 RT 3.0.0.4.372_67 devices allow XSS via the Client Name field to the Parental Control feature. | |||||
| CVE-2020-7996 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header. | |||||
| CVE-2020-7994 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page. | |||||
| CVE-2020-7990 | 1 Adive | 1 Framework | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adive Framework 2.0.8 has admin/user/add userName XSS. | |||||
| CVE-2020-7989 | 1 Adive | 1 Framework | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adive Framework 2.0.8 has admin/user/add userUsername XSS. | |||||
| CVE-2020-7973 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| GitLab through 12.7.2 allows XSS. | |||||
| CVE-2020-7971 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| GitLab EE 11.0 and later through 12.7.2 allows XSS. | |||||
| CVE-2020-7937 | 1 Plone | 1 Plone | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. | |||||
| CVE-2020-7934 | 1 Liferay | 1 Liferay Portal | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1. | |||||
| CVE-2020-7915 | 1 Eaton | 2 5p 850, 5p 850 Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator. | |||||
| CVE-2020-7913 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description. | |||||
| CVE-2020-7911 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In JetBrains TeamCity before 2019.2, several user-level pages were vulnerable to XSS. | |||||
| CVE-2020-7910 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| JetBrains TeamCity before 2019.2 was vulnerable to a stored XSS attack by a user with the developer role. | |||||
| CVE-2020-7809 | 1 Altools | 1 Alsong | 2024-11-21 | 4.3 MEDIUM | 4.4 MEDIUM |
| ALSong 3.46 and earlier version contain a Document Object Model (DOM) based cross-site scripting vulnerability caused by improper validation of user input. A remote attacker could exploit this vulnerability by tricking the victim to open ALSong Album(sab) file. | |||||
| CVE-2020-7776 | 1 Phpoffice | 1 Phpspreadsheet | 2024-11-21 | 3.5 LOW | 7.1 HIGH |
| This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch. | |||||
| CVE-2020-7773 | 1 Markdown-it-highlightjs Project | 1 Markdown-it-highlightjs | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(reuslt_xss); | |||||
| CVE-2020-7750 | 1 Mit | 1 Scratch-svg-renderer | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
| This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function. | |||||
| CVE-2020-7749 | 1 Osm-static-maps Project | 1 Osm-static-maps | 2024-11-21 | 6.5 MEDIUM | 7.6 HIGH |
| This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read. | |||||