Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): browser
  • Search Type: Search All
There are 2,585 matching records.
Displaying matches 161 through 180.
Vuln ID Summary CVSS Severity
CVE-2020-8160

MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a Cross-Site Scripting vulnerability via the URL path. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.

Published: January 06, 2021; 10:15:16 AM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-4336

IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 177932.

Published: January 06, 2021; 8:15:14 AM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2019-20484

An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in.

Published: January 05, 2021; 5:15:13 PM -0500
V3.1: 8.1 HIGH
V2.0: 5.5 MEDIUM
CVE-2020-4761

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2, 6.0.0.0 through 6.0.3.2, and 6.1.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 188895.

Published: January 05, 2021; 10:15:13 AM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2020-29497

Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to store malicious HTML or JavaScript code under the device tag. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.

Published: January 04, 2021; 5:15:13 PM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-29496

Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.

Published: January 04, 2021; 5:15:13 PM -0500
V3.1: 4.8 MEDIUM
V2.0: 3.5 LOW
CVE-2020-26297

mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it.

Published: January 04, 2021; 2:15:15 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-25799

LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.

Published: December 31, 2020; 1:15:13 PM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-25797

LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants Function (First and last name parameters). When the survey participant being edited, e.g. by an administrative user, the JavaScript code will be executed in the browser.

Published: December 31, 2020; 1:15:13 PM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-26291

URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]

Published: December 30, 2020; 7:15:12 PM -0500
V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2020-35710

Parallels Remote Application Server (RAS) 18 allows remote attackers to discover an intranet IP address because submission of the login form (even with blank credentials) provides this address to the attacker's client for use as a "host" value. In other words, after an attacker's web browser sent a request to the login form, it would automatically send a second request to a RASHTML5Gateway/socket.io URI with something like "host":"192.168.###.###" in the POST data.

Published: December 25, 2020; 2:15:13 PM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2020-26282

BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it is especially useful when embedded in Selenium tests. A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. This has been patched in version 2.1.2.

Published: December 24, 2020; 4:15:12 PM -0500
V3.1: 10.0 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-28169

The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.

Published: December 24, 2020; 10:15:12 AM -0500
V3.1: 7.0 HIGH
V2.0: 6.9 MEDIUM
CVE-2020-35584

In Solstice Pod before 3.0.3, the web services allow users to connect to them over unencrypted channels via the Browser Look-in feature. An attacker suitably positioned to view a legitimate user's network traffic could record and monitor their interactions with the web services and obtain any information the user supplies, including Administrator passwords and screen keys.

Published: December 23, 2020; 10:15:16 AM -0500
V3.1: 5.9 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-35656

Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGadget=FileBrowser&reqAction=Files to upload a .php file. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.

Published: December 22, 2020; 10:15:12 PM -0500
V3.1: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2020-13547

A type confusion vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger an improper use of an object, resulting in memory corruption and arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Published: December 22, 2020; 2:15:13 PM -0500
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-13570

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger the reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Published: December 22, 2020; 1:15:12 PM -0500
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-13560

A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Published: December 22, 2020; 1:15:12 PM -0500
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-13557

A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Published: December 22, 2020; 1:15:12 PM -0500
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2018-15641

Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes.

Published: December 22, 2020; 12:15:12 PM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW