| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
| Certain builds of NEC SV9100 software could allow an unauthenticated, remote attacker to log into a device running an affected release with a hardcoded username and password, aka a Static Credential Vulnerability. The vulnerability is due to an undocumented user account with manufacturer privilege level. An attacker could exploit this vulnerability by using this account to remotely log into an affected device. A successful exploit could allow the attacker to log into the device with manufacturer level access. This vulnerability affects SV9100 PBXes that are running software release 6.0 or higher. This vulnerability does not affect SV9100 software releases prior to 6.0. |
| In Archery before 1.3, inserting an XSS payload into a project name (either by creating a new project or editing an existing one) will result in stored XSS on the vulnerability-scan scheduling page. |
| Feldtech easescreen Crystal 9.0 Web-Services 9.0.1.16265 allows Stored XSS via the Debug-Log and Display-Log components. This could be exploited when an attacker sends an crafted string for FTP authentication. |
| A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. Changing the default password for this account is not enforced during the installation of the product. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account. This includes full read and write access to the system's database. |
| A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account with static credentials in the underlying Linux operating system. An attacker could exploit this vulnerability by logging in to the command line of the affected VM with the static account. A successful exploit could allow the attacker to log in with root-level privileges. This vulnerability affects only Cisco FindIT Network Manager and Cisco FindIT Network Probe Release 1.1.4 if these products are using Cisco-supplied VM images. No other releases or deployment models are known to be vulnerable. |
| A vulnerability in the Cisco Common Services Platform Collector (CSPC) could allow an unauthenticated, remote attacker to access an affected device by using an account that has a default, static password. This account does not have administrator privileges. The vulnerability exists because the affected software has a user account with a default, static password. An attacker could exploit this vulnerability by remotely connecting to the affected system using this account. A successful exploit could allow the attacker to log in to the CSPC using the default account. For Cisco CSPC 2.7.x, Cisco fixed this vulnerability in Release 2.7.4.6. For Cisco CSPC 2.8.x, Cisco fixed this vulnerability in Release 2.8.1.2. |
| A vulnerability in the default configuration of the Cisco Aironet Active Sensor could allow an unauthenticated, remote attacker to restart the sensor. The vulnerability is due to a default local account with a static password. The account has privileges only to reboot the device. An attacker could exploit this vulnerability by guessing the account name and password to access the CLI. A successful exploit could allow the attacker to reboot the device repeatedly, creating a denial of service (DoS) condition. It is not possible to change the configuration or view sensitive data with this account. Versions prior to DNAC1.2.8 are affected. |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device. |
| Escalation of privilege vulnerability in the Palo Alto Networks Twistlock console 19.07.358 and earlier allows a Twistlock user with Operator capabilities to escalate privileges to that of another user. Active interaction with an affected component is required for the payload to execute on the victim. |
| Cross-site scripting vulnerability in Palo Alto Networks MineMeld version 0.9.60 and earlier may allow a remote attacker able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI could execute arbitrary JavaScript code in the admin’s browser. |
| Cross-site scripting (XSS) vulnerability in Palo Alto Networks Expedition Migration tool 1.1.12 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the Devices View. |
| The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the RADIUS server settings. |
| The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the LDAP server settings. |
| The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the User Mapping Settings for account name of admin user. |
| Cross-site scripting (XSS) vulnerability in Palo Alto Networks Demisto 4.5 build 40249 may allow an unauthenticated attacker to run arbitrary JavaScript or HTML. |
| The Expedition Migration tool 1.1.6 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the User Mapping Settings. |
| The PAN-OS management web interface in PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier, may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML. |
| The PAN-OS external dynamics lists in PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier, may allow an attacker that is authenticated in Next Generation Firewall with write privileges to External Dynamic List configuration to inject arbitrary JavaScript or HTML. |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'. |
