| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles. |
| In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS). |
| This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application. |
| This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page. |
| This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link. |
| This affects the package s-cart/core before 4.4. The search functionality of the admin dashboard in core/src/Admin/Controllers/AdminOrderController.phpindex is vulnerable to XSS. |
| The package s-cart/core before 4.4 are vulnerable to Cross-site Scripting (XSS) via the admin panel. |
| This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped. |
| A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28414). |
| A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28415). |
| The server in Dundas BI through 8.0.0.1001 allows XSS via addition of a Component (e.g., a button) when events such as click, hover, etc. occur. |
| The server in Dundas BI through 8.0.0.1001 allows XSS via an HTML label when creating or editing a dashboard. |
| A vulnerability has been identified in SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.0). Devices do not create a new unique private key after factory reset. An attacker could leverage this situation to a man-in-the-middle situation and decrypt previously captured traffic. |
| A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.5), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-200RNA switch family (All versions < V3.2.7). Devices create a new unique key upon factory reset, except when used with C-PLUG. When used with C-PLUG the devices use the hardcoded private RSA-key shipped with the firmware-image. An attacker could leverage this situation to a man-in-the-middle situation and decrypt previously captured traffic. |
| Sentrifugo 3.2 allows Stored Cross-Site Scripting (XSS) vulnerability by inserting a payload within the X-Forwarded-For HTTP header during the login process. When an administrator looks at logs, the payload is executed. NOTE: This vulnerability only affects products that are no longer supported by the maintainer |
| A stored cross-site scripting (XSS) vulnerability affects the Web UI in Locust before 1.3.2, if the installation violates the usage expectations by exposing this UI to outside users. |
| The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page. |
| A Cross Site Scripting (XSS) vulnerability exists in OPAC in Sokrates SOWA SowaSQL through 5.6.1 via the sowacgi.php typ parameter. |
| Barco wePresent WiPG-1600W devices use Hard-coded Credentials (issue 2 of 2). Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W device has a hardcoded root password hash included in the firmware image. Exploiting CVE-2020-28329, CVE-2020-28330 and CVE-2020-28331 could potentially be used in a simple and automated exploit chain to go from unauthenticated remote attacker to root shell. |
| Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. |
