Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4426 | 1 Ibm | 2 Business Automation Workflow, Case Manager | 2019-12-18 | 3.5 LOW | 5.4 MEDIUM |
| The Case Builder component shipped with IBM Business Automation Workflow 18.0.0.1 through 19.0.0.2 and IBM Case Manager 5.1.1 through 5.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162772. | |||||
| CVE-2019-19327 | 1 Wikimedia | 1 Wikidata Query Gui | 2019-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| ui/ResultView.js in Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07 allows HTML injection when reporting the number of results and number of milliseconds. NOTE: this GUI code is no longer bundled with the Wikibase Wikidata Query Service snapshots, such as 0.3.6-SNAPSHOT. | |||||
| CVE-2019-19329 | 1 Wikimedia | 1 Wikidata Query Gui | 2019-12-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07, when mathematical expressions in results are displayed directly, arbitrary JavaScript execution can occur, aka XSS. This was addressed by introducing MathJax as a new mathematics rendering engine. NOTE: this GUI code is no longer bundled with the Wikibase Wikidata Query Service snapshots, such as 0.3.6-SNAPSHOT. | |||||
| CVE-2019-17599 | 1 Expresstech | 1 Quiz And Survey Master | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The quiz-master-next (aka Quiz And Survey Master) plugin before 6.3.5 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the from or till parameter (and/or the quiz_id parameter). The component is: admin/quiz-options-page.php. The attack vector is: When the Administrator is logged in, a reflected XSS may execute upon a click on a malicious URL. | |||||
| CVE-2019-14344 | 1 Vocabularyserver | 1 Tematres | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| TemaTres 3.0 has reflected XSS via the replace_string or search_string parameter to the vocab/admin.php?doAdmin=bulkReplace URI. | |||||
| CVE-2019-10772 | 1 Svg-sanitizer Project | 1 Svg-sanitizer | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer. | |||||
| CVE-2019-14849 | 1 Redhat | 1 3scale | 2019-12-17 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in 3scale before version 2.6: it did not set the HttpOnly attribute on the user session cookie. An attacker could use this to conduct cross-site scripting attacks and gain access to unauthorized information. | |||||
| CVE-2013-4158 | 3 Debian, Fedoraproject, Smokeping | 3 Debian Linux, Fedora, Smokeping | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| smokeping before 2.6.9 has XSS (incomplete fix for CVE-2012-0790). | |||||
| CVE-2013-7370 | 4 Debian, Opensuse, Redhat and 1 more | 4 Debian Linux, Opensuse, Openshift and 1 more | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware. | |||||
| CVE-2019-0395 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-12-17 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to a stored cross-site scripting vulnerability. | |||||
| CVE-2013-7371 | 2 Debian, Sencha | 2 Debian Linux, Connect | 2019-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| node-connect before 2.8.2 has cross-site scripting in the Sencha Labs Connect middleware (vulnerability due to an incomplete fix for CVE-2013-7370). | |||||
| CVE-2019-18993 | 1 Openwrt | 1 Openwrt | 2019-12-16 | 3.5 LOW | 5.4 MEDIUM |
| OpenWrt 18.06.4 allows XSS via the "New port forward" Name field to the cgi-bin/luci/admin/network/firewall/forwards URI (this can occur, for example, on a TP-Link Archer C7 device). | |||||
| CVE-2019-18992 | 1 Openwrt | 1 Openwrt | 2019-12-16 | 3.5 LOW | 5.4 MEDIUM |
| OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device). | |||||
| CVE-2013-5978 | 1 Cart66 | 1 Cart66 Lite Plugin | 2019-12-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in products.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) Product name or (2) Price description fields via a request to wp-admin/admin.php. NOTE: This issue may only cross privilege boundaries if used in combination with CVE-2013-5977. | |||||
| CVE-2019-18347 | 1 Davical | 1 Davical | 2019-12-14 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email. | |||||
| CVE-2013-4968 | 1 Puppet | 1 Puppet Enterprise | 2019-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct clickjacking attacks via unspecified vectors related to the console, and (2) conduct cross-site scripting (XSS) attacks via unspecified vectors related to "live management." | |||||
| CVE-2013-6495 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Portal | 2019-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| JBossWeb Bayeux has reflected XSS. | |||||
| CVE-2019-15935 | 1 Intesync | 1 Solismed | 2019-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Intesync Solismed 3.3sp has XSS. | |||||
| CVE-2019-18378 | 1 Symantec | 1 Messaging Gateway | 2019-12-13 | 3.5 LOW | 4.8 MEDIUM |
| Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy. | |||||
| CVE-2019-19748 | 1 Brizoit | 1 Work Time Calendar | 2019-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Work Time Calendar app before 4.7.1 for Jira allows XSS. | |||||
| CVE-2019-19719 | 3 Linux, Microsoft, Tableau | 3 Linux Kernel, Windows, Tableau Server | 2019-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page. | |||||
| CVE-2019-4665 | 1 Ibm | 1 Spectrum Scale | 2019-12-12 | 3.5 LOW | 5.4 MEDIUM |
| IBM Spectrum Scale 4.2 and 5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171247. | |||||
| CVE-2012-1114 | 3 Debian, Fedoraproject, Ldap-account-manager | 3 Debian Linux, Fedora, Ldap Account Manager | 2019-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 via the filter parameter to cmd.php in an export and exporter_id action, and via the filteruid parameter to list.php. | |||||
| CVE-2019-15007 | 1 Atlassian | 2 Crucible, Fisheye | 2019-12-12 | 3.5 LOW | 4.8 MEDIUM |
| The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch. | |||||
| CVE-2019-15008 | 1 Atlassian | 2 Crucible, Fisheye | 2019-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the reviewedBranch parameter. | |||||
| CVE-2011-3373 | 1 Drupal | 1 Views Bulk Operations | 2019-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Drupal Views Bulk Operations (VBO) module 6.x-1.0 through 6.x-1.10 does not properly escape the vocabulary help when the vocabulary has user tagging enabled and the "Modify node taxonomy terms" action is used. A remote attacker could provide a specially crafted URL that leads to a cross-site scripting (XSS) attack. | |||||
| CVE-2017-10673 | 1 Get-simple | 1 Getsimple Cms | 2019-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| admin/profile.php in GetSimple CMS 3.x has XSS in a name field. | |||||
| CVE-2019-4226 | 1 Ibm | 1 Cloud Pak System | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 159243. | |||||
| CVE-2012-1637 | 1 Drupal | 1 Quick Tabs | 2019-12-11 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability (XSS) in the Quick Tabs module 6.x-2.x before 6.x-2.1, 6.x-3.x before 6.x-3.1, and 7.x-3.x before 7.x-3.3 for Drupal. | |||||
| CVE-2011-3606 | 1 Redhat | 1 Jboss Application Server | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| A DOM-based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially crafted web page and trick a valid JBoss AS user with administrator privilege into visiting it, leading to DOM environment modification and arbitrary HTML or web script execution. | |||||
| CVE-2011-4090 | 1 S9y | 1 Serendipity | 2019-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Serendipity before 1.6 has an XSS issue in the karma plugin which may allow privilege escalation. | |||||
| CVE-2019-19496 | 1 Alfresco | 1 Alfresco | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document. | |||||
| CVE-2013-2101 | 2 Redhat, Theforeman | 2 Satellite, Katello | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| Katello has multiple XSS issues in various entities. | |||||
| CVE-2019-19708 | 1 Mediawiki | 1 Visual Editor | 2019-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute. | |||||
| CVE-2017-3151 | 1 Apache | 1 Atlas | 2019-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality. | |||||
| CVE-2019-19551 | 1 Sangoma | 1 Freepbx | 2019-12-11 | 3.5 LOW | 4.8 MEDIUM |
| In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not being properly sanitized. If this is done and a user (such as an admin) visits the User Management screen and views that user's profile, the XSS payload will render and execute in the context of the victim user's account. | |||||
| CVE-2017-7352 | 1 Purestorage | 1 Purity | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross-site scripting (XSS) vulnerability in Pure Storage Purity 4.7.5 allows remote authenticated users to inject arbitrary web script or HTML via the "host" parameter on the 'System > Configuration > SNMP > Add SNMP Trap Manager' screen. | |||||
| CVE-2012-2078 | 1 Drupal | 1 Activity | 2019-12-11 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal. | |||||
| CVE-2015-3425 | 1 Accentis | 1 Content Resource Management System | 2019-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Accentis Content Resource Management System before October 2015 patch allows remote attackers to inject arbitrary web script or HTML via the ctl00$cph_content$_uig_formState parameter. | |||||
| CVE-2019-19457 | 1 Saltosystem | 1 Proaccess Space | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| SALTO ProAccess SPACE 5.4.3.0 allows XSS. | |||||
| CVE-2019-4428 | 1 Ibm | 1 Watson Assistant For Ibm Cloud Pak For Data | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162807. | |||||
| CVE-2019-19678 | 1 Xpand-it | 1 Xray Test Management | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue. | |||||
| CVE-2019-19679 | 1 Xpand-it | 1 Xray Test Management | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue. | |||||
| CVE-2019-4611 | 1 Ibm | 1 Planning Analytics | 2019-12-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519. | |||||
| CVE-2019-14315 | 1 Sunhater | 1 Kcfinder | 2019-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in upload.php in SunHater KCFinder 3.20-test1, 3.20-test2, 3.12, and earlier allows remote attackers to inject arbitrary web script or HTML via the CKEditorFuncNum parameter. | |||||
| CVE-2019-18574 | 2 Emc, Rsa | 2 Rsa Authentication Manager, Authentication Manager | 2019-12-10 | 3.5 LOW | 4.8 MEDIUM |
| RSA Authentication Manager software versions prior to 8.4 P8 contain a stored cross-site scripting vulnerability in the Security Console. A malicious Security Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface which could then be included in a report. When other Security Console administrators open the affected report, the injected scripts could potentially be executed in their browser. | |||||
| CVE-2019-19682 | 1 Nopcommerce | 1 Nopcommerce | 2019-12-10 | 3.5 LOW | 4.8 MEDIUM |
| nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id] Admin/Blog/BlogPostEdit/[id]. NOTE: the vendor reportedly considers this a "feature" because the affected components are an HTML content editor. | |||||
| CVE-2019-4663 | 1 Ibm | 1 Websphere Application Server | 2019-12-10 | 3.5 LOW | 5.4 MEDIUM |
| IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245. | |||||
| CVE-2019-19552 | 1 Sangoma | 1 Freepbx | 2019-12-10 | 3.5 LOW | 4.8 MEDIUM |
| In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the /admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account. | |||||
| CVE-2018-15891 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2019-12-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name. | |||||
