Total: 37087 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-28857 | 1 Openasset | 1 Digital Asset Management | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
OpenAsset Digital Asset Management (DAM) through 12.0.19, does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for stored cross-site scripting attacks. | |||||
CVE-2020-28849 | 1 Churchcrm | 1 Churchcrm | 2024-11-21 | N/A | 5.4 MEDIUM |
Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1 allows remote attackers to execute arbitrary code and gain sensitive information via a crafted payload in the Add New Deposit field of the View All Deposit module. | |||||
CVE-2020-28847 | 1 Valine.js | 1 Valine | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
Cross Site Scripting (XSS) vulnerability in xCss Valine v1.4.14 via the nick parameter to /classes/Comment. | |||||
CVE-2020-28727 | 1 Seeddms | 1 Seeddms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) exists in SeedDMS 6.0.13 via the folderid parameter to views/bootstrap/class.DropFolderChooser.php. | |||||
CVE-2020-28722 | 1 Deskpro | 1 Deskpro | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates. | |||||
CVE-2020-28717 | 1 Kindsoft | 1 Kindeditor | 2024-11-21 | N/A | 6.1 MEDIUM |
Cross Site Scripting (XSS) vulnerability in content1 parameter in demo.jsp in kindsoft kindeditor version 4.1.12, allows attackers to execute arbitrary code. | |||||
CVE-2020-28707 | 1 Stockdio | 1 Stockdio Historical Chart | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens for any postMessage event. After a message event is sent to the application, this function sets the "e" variable to the event and checks only that data and data.method are not undefined (empty) before proceeding to eval the data.method received from the postMessage. A different website can therefore call window.open on the vulnerable WordPress instance and do a postMessage(msg,'*') on the returned window object. | |||||
CVE-2020-28650 | 1 Wpbakery | 1 Page Builder | 2024-11-21 | 3.5 LOW | 6.4 MEDIUM |
The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles. | |||||
CVE-2020-28647 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS). | |||||
CVE-2020-28487 | 1 Visjs | 1 Vis-timeline | 2024-11-21 | 6.0 MEDIUM | 6.8 MEDIUM |
This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application. | |||||
CVE-2020-28470 | 1 Scully | 1 Scully | 2024-11-21 | 4.3 MEDIUM | 7.3 HIGH |
This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page. | |||||
CVE-2020-28459 | 1 Markdown-it-decorate Project | 1 Markdown-it-decorate | 2024-11-21 | N/A | 7.3 HIGH |
This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link. | |||||
CVE-2020-28457 | 1 S-cart | 1 S-cart | 2024-11-21 | 3.5 LOW | 7.2 HIGH |
This affects the package s-cart/core before 4.4. The search functionality of the admin dashboard in core/src/Admin/Controllers/AdminOrderController.phpindex is vulnerable to XSS. | |||||
CVE-2020-28456 | 1 S-cart | 1 S-cart | 2024-11-21 | 4.3 MEDIUM | 7.3 HIGH |
The package s-cart/core before 4.4 is vulnerable to Cross-site Scripting (XSS) via the admin panel. | |||||
CVE-2020-28455 | 1 Markdown-it-toc Project | 1 Markdown-it-toc | 2024-11-21 | N/A | 7.3 HIGH |
This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped. | |||||
CVE-2020-28415 | 1 Tranzware Payment Gateway Project | 1 Tranzware Payment Gateway | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28414). | |||||
CVE-2020-28414 | 1 Tranzware Payment Gateway Project | 1 Tranzware Payment Gateway | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28415). | |||||
CVE-2020-28409 | 1 Dundas | 1 Dundas Bi | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
The server in Dundas BI through 8.0.0.1001 allows XSS via addition of a Component (e.g., a button) when events such as click, hover, etc. occur. | |||||
CVE-2020-28408 | 1 Dundas | 1 Dundas Bi | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
The server in Dundas BI through 8.0.0.1001 allows XSS via an HTML label when creating or editing a dashboard. | |||||
CVE-2020-28365 | 1 Sapplica | 1 Sentrifugo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Sentrifugo 3.2 allows Stored Cross-Site Scripting (XSS) vulnerability by inserting a payload within the X-Forwarded-For HTTP header during the login process. When an administrator looks at logs, the payload is executed. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
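The postMessage flaw behind CVE-2020-28707 (Stockdio Historical Chart) is a listener that accepts a message from any origin and evals a string out of it. The following is an added example, not the plugin's code: a listener with that shape beside a hardened one that checks `event.origin` against an exact allowlist and dispatches on an allowlist of method names instead of evaluating strings. The allowed origin `https://charts.example`, the method names and the message shapes are assumptions for illustration; events are plain objects so the code runs under Node without a browser.

```javascript
// Added example (not the plugin's code): a postMessage handler that evals
// data.method from any origin, beside a hardened one. Events are plain objects
// here ({ origin, data }) so this runs in Node without a browser.

// Vulnerable pattern: no origin check, and the message body reaches eval().
function vulnerableHandler(e) {
  const data = e.data;
  if (typeof data !== 'undefined' && typeof data.method !== 'undefined') {
    return eval(data.method); // attacker-controlled string executes
  }
  return undefined;
}

// Hardened pattern. ALLOWED_ORIGINS is an assumed value; compare the full
// origin string exactly, never with startsWith()/includes().
const ALLOWED_ORIGINS = new Set(['https://charts.example']);

// Assumed method table: messages may only select one of these by name, and
// each one validates its own arguments.
const METHODS = {
  setSymbol(args) {
    return { symbol: String(args.symbol).toUpperCase() };
  },
  setRange(args) {
    const days = Number(args.days);
    if (!Number.isInteger(days) || days < 1 || days > 3650) {
      throw new RangeError('bad range');
    }
    return { days };
  },
};

function hardenedHandler(e) {
  if (!ALLOWED_ORIGINS.has(e.origin)) return null; // drop foreign origins
  const data = e.data;
  if (!data || typeof data !== 'object') return null;
  // hasOwnProperty keeps inherited names such as "constructor" out of the dispatch.
  if (!Object.prototype.hasOwnProperty.call(METHODS, data.method)) return null;
  return METHODS[data.method](data.args || {});
}

// In a real page the hardened handler is what gets registered:
if (typeof window !== 'undefined') {
  window.addEventListener('message', hardenedHandler);
}
```

The same origin check must also appear on the sending side: a `postMessage(msg, '*')` from the opener leaks the message to whatever document currently occupies the window, so the target origin should be the exact origin of the page you opened.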
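CVE-2020-28470 (@scullyio/scully) describes transfer state serialised with `JSON.stringify()` and written straight into the HTML page. `JSON.stringify` produces valid JavaScript but not HTML-safe text: a string value containing `</script>` closes the inline script element and whatever follows is parsed as markup. The following is an added example, not Scully's code: the naive rendering beside a serializer that escapes the characters which let JSON text break out of a `<script>` block, plus a check that detects the breakout. The state object and the `window.__STATE__` global are constructed for illustration.

```javascript
// Added example (not Scully's code): embedding serialised state in an inline
// <script>. The state object and global name are constructed for illustration.

// Naive: the JSON is concatenated into the page unchanged.
function renderStateNaive(state) {
  return '<script id="state">window.__STATE__ = ' + JSON.stringify(state) + ';</script>';
}

// Safe: replace the characters that the HTML parser treats as markup (<, >, &)
// and the line terminators U+2028/U+2029 with JSON \u escapes. The result is
// still valid JSON, so JSON.parse() on the client recovers the same value.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

function renderStateSafe(state) {
  return '<script id="state">window.__STATE__ = ' + jsonForScript(state) + ';</script>';
}

// Detection check for a rendered page: the state script should contain exactly
// one "</script>" (its own closing tag); any other occurrence is a breakout.
function scriptBreakout(html) {
  return html.indexOf('</script>') !== html.lastIndexOf('</script>');
}

// Constructed hostile state: a value that a user could have supplied upstream.
const HOSTILE_STATE = { title: 'x</script><script>alert(1)</script>', n: 1 };
```

Escaping `<` alone is enough to stop the `</script>` breakout; `>` and `&` are escaped as well so the text is also safe if it is ever placed in an HTML context other than a script body.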
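CVE-2020-28459 (markdown-it-decorate) lets an author attach an event-handler attribute or a `javascript:` URL to a link, and CVE-2020-28455 (markdown-it-toc) writes heading text into the generated table of contents without escaping it. Both are output-side failures of a Markdown renderer. The following is an added example, not the code of either package: an HTML escaper for text nodes, an attribute allowlist that drops `on*` handlers, and an `href` check that rejects non-http(s)/mailto schemes after stripping the control characters browsers ignore. The attribute allowlist, the scheme list and `renderTocEntry` are assumptions chosen for the example.

```javascript
// Added example (not markdown-it-decorate's or markdown-it-toc's code). The
// allowlists below are assumptions for the example, not either project's policy.

// Text-node escaping: what a TOC builder must apply to heading text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Attributes a decoration syntax may set (assumed). Anything else, including
// every on* handler and style, is dropped rather than escaped.
const SAFE_ATTRS = new Set(['class', 'id', 'title', 'href']);
const SAFE_SCHEMES = /^(https?|mailto):/i;

// Returns a safe href or null. Control characters and whitespace are removed
// first because browsers ignore them inside a scheme ("java\tscript:").
function safeHref(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020\u007f]/g, '');
  if (/^[a-z][a-z0-9+.-]*:/i.test(cleaned)) {
    return SAFE_SCHEMES.test(cleaned) ? cleaned : null; // javascript:, data:, vbscript: rejected
  }
  return cleaned; // relative URL
}

function sanitizeAttrs(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const n = name.toLowerCase();
    if (!SAFE_ATTRS.has(n)) continue;
    if (n === 'href') {
      const href = safeHref(value);
      if (href === null) continue;
      out.href = escapeHtml(href);
    } else {
      out[n] = escapeHtml(value);
    }
  }
  return out;
}

// Assumed TOC entry renderer: attributes pass through sanitizeAttrs, heading
// text through escapeHtml, so neither can inject markup.
function renderTocEntry(level, text, attrs) {
  const a = Object.entries(sanitizeAttrs(attrs || {}))
    .map(([k, v]) => ` ${k}="${v}"`)
    .join('');
  return `<li data-level="${Number(level)}"><a${a}>${escapeHtml(text)}</a></li>`;
}
```

Because `&` is escaped on output, an entity-encoded scheme such as `&#106;avascript:` stays literal in the attribute value and is never decoded back into `javascript:` by the browser.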