CWE:
 

Topic
Date
Author
Med.
OX App Suite / OX Guard SSRF / DoS / Cross Site Scripting
30.04.2021
Martin Heiland
High
OX App Suite / OX Documents 7.10.3 XSS / Server-Side Request Forgery
19.10.2020
Martin Heiland
Low
OX App Suite 7.10.2 Cross Site Scripting / Improper Access Control
05.01.2020
Martin Heiland
Low
Open-Xchange OX Guard Cross Site Scripting / Signature Validation
17.08.2019
Hanno Boeck
Med.
Ox App Suite 7.8.4 / 7.8.3 XSS / CSRF / Information Disclosure
08.01.2019
Secator
Low
Base Soundtouch 18.1.4 Cross Site Scripting
08.01.2019
Tim Schughart
Med.
OX App Suite 7.8.4 XSS / Privilege Management / SSRF / Traversal
12.06.2018
Martin Heiland
Low
Open-Xchange App Suite 7.8.1 Cross Site Scripting
14.07.2016
Sasi Levi
Low
Open-Xchange Server 6 / OX AppSuite Cross Site Scripting
28.04.2015
Martin Heiland
Low
Open-Xchange Server 6 / OX AppSuite 7.6.1 Cross Site Scripting
06.01.2015
John de Kroon
Med.
Open-Xchange 7.6.0 XSS / SSRF / Traversal
16.09.2014
Martin Heiland
Low
Open-Xchange AppSuite 7.4.1 / 7.4.2 Cross Site Scripting
18.03.2014
Open-Xchange
Low
Open-Xchange 7.4.1 Script Insertion
12.02.2014
joernchen
Low
Open-Xchange AppSuite Script Insertion
07.11.2013
Martin Braun


CVEMAP Search Results

CVE
Details
Description
2021-05-19
Low
CVE-2021-29503

Vendor: Hedgedoc
Software: Hedgedoc
 

 
HedgeDoc is a platform to write and share markdown. HedgeDoc before version 1.8.2 is vulnerable to a cross-site scripting attack using the YAML-metadata of a note. An attacker with write access to a note can embed HTML tags in the Open Graph metadata section of the note, resulting in the frontend rendering the script tag as part of the `<head>` section. Unless your instance prevents guests from editing notes, this vulnerability allows unauthenticated attackers to inject JavaScript into notes that allow guest edits. If your instance prevents guests from editing notes, this vulnerability allows authenticated attackers to inject JavaScript into any note pages they have write-access to. This vulnerability is patched in version 1.8.2. As a workaround, one can disable guest edits until the next update.

 
2021-04-08
Low
CVE-2021-1420

Vendor: Cisco
Software: Webex meetings
 

 
A vulnerability in certain web pages of Cisco Webex Meetings could allow an unauthenticated, remote attacker to modify a web page in the context of a user's browser. The vulnerability is due to improper checks on parameter values in affected pages. An attacker could exploit this vulnerability by persuading a user to follow a crafted link that is designed to pass HTML code into an affected parameter. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks.

 
2021-02-17
Low
CVE-2021-1351

Vendor: Cisco
Software: Webex meetings
 

 
A vulnerability in the web-based interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the affected service. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

 
2020-12-14
Low
CVE-2019-19285

Vendor: Siemens
Software: XHQ
 

 
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow injections that could lead to XSS attacks if unsuspecting users are tricked into accessing a malicious link.

 
2020-09-16
Medium
CVE-2020-14509

Vendor: WIBU
Software: Codemeter
 

 
Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.

 
2020-06-12
Waiting for details
CVE-2020-4046

Updating...
 

 
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

 
Waiting for details
CVE-2020-4047

Updating...
 

 
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

 
Low
CVE-2020-4049

Vendor: Wordpress
Software: Wordpress
 

 
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

 

 


Copyright 2021, cxsecurity.com

 

Back to Top