Vulnerabilities (CVE)

Filtered by CWE-79
Total 37101 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-35659 1 Pi-hole 1 Pi-hole 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page.
CVE-2020-35650 1 Uncannyowl 1 Uncanny Groups For Learndash 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the ulgm_user_first POST Parameter in user-registration-form.php, the ulgm_user_last POST Parameter in user-registration-form.php, the ulgm_user_email POST Parameter in user-registration-form.php, the ulgm_code_registration POST Parameter in user-registration-form.php, the ulgm_terms_conditions POST Parameter in user-registration-form.php, the _ulgm_total_seats POST Parameter in frontend-uo_groups_buy_courses.php, the uncanny_group_signup_user_first POST Parameter in group-registration-form.php, the uncanny_group_signup_user_last POST Parameter in group-registration-form.php, the uncanny_group_signup_user_login POST Parameter in group-registration-form.php, the uncanny_group_signup_user_email POST Parameter in group-registration-form.php, the success-invited GET Parameter in frontend-uo_groups.php, the bulk-errors GET Parameter in frontend-uo_groups.php, or the message GET Parameter in frontend-uo_groups.php.
CVE-2020-35622 1 Mediawiki 1 Mediawiki 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions.
CVE-2020-35594 1 Zohocorp 1 Manageengine Admanager Plus 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Zoho ManageEngine ADManager Plus before 7066 allows XSS.
CVE-2020-35592 1 Pi-hole 1 Pi-hole 2024-11-21 3.5 LOW 5.4 MEDIUM
Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI. A remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against other users and steal the session cookie.
CVE-2020-35589 1 Limitloginattempts 1 Limit Login Attempts Reloaded 2024-11-21 3.5 LOW 5.4 MEDIUM
The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims.
CVE-2020-35582 1 Enviragallery 1 Envira Gallery 2024-11-21 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/post.php request with the post_title parameter.
CVE-2020-35581 1 Enviragallery 1 Envira Gallery 2024-11-21 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the meta[title] parameter.
CVE-2020-35572 1 Adminer 1 Adminer 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Adminer through 4.7.8 allows XSS via the history parameter to the default URI.
CVE-2020-35571 1 Mantisbt 1 Mantisbt 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MantisBT through 2.24.3. In the helper_ensure_confirmed call in manage_custom_field_update.php, the custom field name is not sanitized. This may be problematic depending on CSP settings.
CVE-2020-35569 1 Mbconnectline 2 Mbconnect24, Mymbconnect24 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is a self XSS issue with a crafted cookie in the login page.
CVE-2020-35563 1 Mbconnectline 2 Mbconnect24, Mymbconnect24 2024-11-21 3.5 LOW 5.4 MEDIUM
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page.
CVE-2020-35542 1 Unisys 1 Data Exchange Management Studio 2024-11-21 3.5 LOW 5.4 MEDIUM
Unisys Data Exchange Management Studio through 5.0.34 doesn't sanitize the input to a HTML document field. This could be used for an XSS attack.
CVE-2020-35482 1 Solarwinds 1 Serv-u 2024-11-21 3.5 LOW 5.4 MEDIUM
SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS.
CVE-2020-35479 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.
CVE-2020-35478 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.
CVE-2020-35475 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2024-11-21 5.0 MEDIUM 7.5 HIGH
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)
CVE-2020-35474 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.
CVE-2020-35438 1 Kamalkhan 1 Kk Star Ratings 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Cross Site Scripting (XSS) vulnerability in the kk Star Ratings plugin before 4.1.5.
CVE-2020-35437 1 Intelliants 1 Subrion Cms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Subrion CMS 4.2.1 is affected by: Cross Site Scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI.