Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-3656 | 1 Redhat | 1 Jboss Keycloak | 2019-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| JBoss KeyCloak: XSS in login-status-iframe.html | |||||
| CVE-2019-16966 | 2 Freepbx, Sangoma | 2 Contactmanager, Freepbx | 2019-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager. | |||||
| CVE-2019-16967 | 2 Freepbx, Sangoma | 2 Manager, Freepbx | 2019-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager. | |||||
| CVE-2019-19619 | 1 Documize | 1 Documize | 2019-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| domain/section/markdown/markdown.go in Documize before 3.5.1 mishandles untrusted Markdown content. This was addressed by adding the bluemonday HTML sanitizer to defend against XSS. | |||||
| CVE-2019-19206 | 1 Dolibarr | 1 Dolibarr | 2019-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture. | |||||
| CVE-2012-1115 | 3 Debian, Fedoraproject, Ldap-account-manager | 3 Debian Linux, Fedora, Ldap Account Manager | 2019-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php. | |||||
| CVE-2019-19466 | 1 Sceditor | 1 Sceditor | 2019-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| SCEditor 2.1.3 allows XSS. | |||||
| CVE-2013-0283 | 1 Theforeman | 1 Katello | 2019-12-09 | 3.5 LOW | 5.4 MEDIUM |
| Katello: Username in Notification page has cross site scripting | |||||
| CVE-2019-19129 | 1 Afterlogic | 2 Aurora, Webmail Pro | 2019-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name. | |||||
| CVE-2019-4098 | 1 Ibm | 1 Cloud Pak System | 2019-12-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158020. | |||||
| CVE-2019-4468 | 1 Ibm | 1 Cloud Pak System | 2019-12-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163777. | |||||
| CVE-2019-4467 | 1 Ibm | 1 Cloud Pak System | 2019-12-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163776. | |||||
| CVE-2018-15583 | 1 Gnuboard | 1 Gnuboard5 | 2019-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in point_list.php in GNUBOARD5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML via the popup title parameter. | |||||
| CVE-2019-19133 | 1 Csshero | 1 Csshero | 2019-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a csshero_action=edit_page request because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary JavaScript in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookies or launch other attacks. | |||||
| CVE-2019-16772 | 1 Serialize-to-js Project | 1 Serialize-to-js | 2019-12-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability. | |||||
| CVE-2017-15881 | 1 Keystonejs | 1 Keystone | 2019-12-09 | 3.5 LOW | 4.8 MEDIUM |
| Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878. | |||||
| CVE-2019-11281 | 1 Pivotal Software | 1 Rabbitmq | 2019-12-07 | 3.5 LOW | 4.8 MEDIUM |
| Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information. | |||||
| CVE-2019-7197 | 1 Qnap | 1 Qts | 2019-12-06 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability has been reported to affect multiple versions of QTS. If exploited, this vulnerability may allow an attacker to inject and execute scripts on the administrator console. To fix this vulnerability, QNAP recommend updating QTS to the latest version. | |||||
| CVE-2019-19596 | 1 Gitbook | 1 Gitbook | 2019-12-06 | 3.5 LOW | 5.4 MEDIUM |
| GitBook through 2.6.9 allows XSS via a local .md file. | |||||
| CVE-2019-19587 | 1 Wso2 | 1 Enterprise Integrator | 2019-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| In WSO2 Enterprise Integrator 6.5.0, reflected XSS occurs when updating the message processor configuration from the source view in the Management Console. | |||||
| CVE-2014-3875 | 1 Ulli Horlacher | 1 Fex | 2019-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The addto parameter to fup in Frams' Fast File EXchange (F*EX, aka fex) before fex-2014053 allows remote attackers to conduct cross-site scripting (XSS) attacks | |||||
| CVE-2019-15994 | 1 Cisco | 1 Stealthwatch Enterprise | 2019-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Stealthwatch Enterprise could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-15968 | 1 Cisco | 2 Hosted Collaboration Solution, Unified Communications Domain Manager | 2019-12-06 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Domain Manager (Unified CDM) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-16195 | 1 Centreon | 1 Centreon | 2019-12-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Centreon before 2.8.30, 18.x before 18.10.8, and 19.x before 19.04.5 allows XSS via myAccount alias and name fields. | |||||
| CVE-2019-13935 | 1 Siemens | 1 Polarion | 2019-12-05 | 3.5 LOW | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a reflected XSS vulnerability. This issue affects: Siemens AG Polarion All versions < 19.2. | |||||
| CVE-2019-13936 | 1 Siemens | 1 Polarion | 2019-12-05 | 3.5 LOW | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a persistent XSS vulnerability. This issue affects: Siemens AG Polarion All versions < 19.2. | |||||
| CVE-2019-13934 | 1 Siemens | 1 Polarion | 2019-12-05 | 3.5 LOW | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a reflected XSS vulnerability. This issue affects: Siemens AG Polarion All versions < 19.2. | |||||
| CVE-2019-15973 | 1 Cisco | 2 Industrial Network Director, Network Level Service | 2019-12-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected application. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected application. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-14449 | 1 Cloudera | 1 Cloudera Manager | 2019-12-05 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Cloudera Manager 5.x before 5.16.2, 6.0.x before 6.0.2, and 6.1.x before 6.1.1. Malicious impala queries can result in Cross Site Scripting (XSS) when viewed within this product. | |||||
| CVE-2016-9271 | 1 Cloudera | 1 Cloudera Manager | 2019-12-05 | 3.5 LOW | 5.4 MEDIUM |
| Cloudera Manager 5.7.x before 5.7.6, 5.8.x before 5.8.4, and 5.9.x before 5.9.1 allows XSS in the help search feature. | |||||
| CVE-2011-4924 | 1 Zope | 1 Zope | 2019-12-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way error messages perform sanitization. NOTE: this issue exists because of an incomplete fix for CVE-2010-1104 | |||||
| CVE-2019-16763 | 1 Pannellum | 1 Pannellum | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Pannellum from 2.5.0 through 2.5.4 URLs were not sanitized for data URIs (or vbscript:), allowing for potential XSS attacks. Such an attack would require a user to click on a hot spot to execute and would require an attacker-provided configuration. The most plausible potential attack would be if pannellum.htm was hosted on a domain that shared cookies with the targeted site's user authentication; an <iframe> could then be embedded on the attacker's site using pannellum.htm from the targeted site, which would allow the attacker to potentially access information from the targeted site as the authenticated user (or worse if the targeted site did not have adequate CSRF protections) if the user clicked on a hot spot in the attacker's embedded panorama viewer. This was patched in version 2.5.5. | |||||
| CVE-2019-17405 | 1 Nokia | 1 Impact | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nokia IMPACT < 18A: has Reflected self XSS | |||||
| CVE-2012-4525 | 1 Piwigo | 1 Piwigo | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| piwigo has XSS in password.php | |||||
| CVE-2012-4526 | 1 Piwigo | 1 Piwigo | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| piwigo has XSS in password.php (incomplete fix for CVE-2012-4525) | |||||
| CVE-2019-19491 | 1 Testlink | 1 Testlink | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request. | |||||
| CVE-2019-10771 | 1 Iobroker | 1 Iobroker.web | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Characters in the GET url path are not properly escaped and can be reflected in the server response. | |||||
| CVE-2012-1001 | 1 Chyrp | 1 Chyrp | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2.1.2 and before 2.5 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) content parameter to includes/ajax.php or (2) body parameter to includes/error.php. | |||||
| CVE-2018-10854 | 2 Linux, Redhat | 2 Linux Kernel, Cloudforms Management Engine | 2019-12-04 | 3.5 LOW | 5.4 MEDIUM |
| cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper sanitization of user input in Name field. | |||||
| CVE-2019-19367 | 1 Fusionpbx | 1 Fusionpbx | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | |||||
| CVE-2019-19366 | 1 Fusionpbx | 1 Fusionpbx | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter. | |||||
| CVE-2019-15652 | 1 Nssglobal | 4 Satlink 2000, Satlink 2900, Satlink 2910 and 1 more | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices before 18.1.0 doesn't properly sanitize input for error messages, leading to the ability to inject client-side code. | |||||
| CVE-2019-6853 | 1 Schneider-electric | 22 Andover Continuum 5720, Andover Continuum 5720 Firmware, Andover Continuum 5740 and 19 more | 2019-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server. | |||||
| CVE-2019-12094 | 1 Horde | 1 Groupware | 2019-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI. | |||||
| CVE-2019-4569 | 1 Ibm | 1 Tivoli Netcool\/impact | 2019-12-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.16 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 166719. | |||||
| CVE-2015-2793 | 2 Fedoraproject, Ikiwiki | 2 Fedora, Ikiwiki | 2019-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 allows remote attackers to inject arbitrary web script or HTML via the openid_identifier parameter in a verify action to ikiwiki.cgi. | |||||
| CVE-2013-6880 | 1 Elvedia | 1 Flashcanvas | 2019-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open redirect in proxy.php in FlashCanvas before 1.6 allows remote attackers to redirect users to arbitrary web sites and conduct cross-site scripting (XSS) attacks via the HTTP Referer header. | |||||
| CVE-2013-0203 | 1 Owncloud | 1 Owncloud | 2019-12-02 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php. | |||||
| CVE-2013-6878 | 1 Miwisoft | 1 Mijosearch | 2019-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Mijosoft MijoSearch component 2.0.4 and earlier for Joomla! allows remote attackers to inject arbitrary web script or HTML via the query parameter to component/mijosearch/search. | |||||
| CVE-2013-6239 | 1 Exis-ti | 1 Exis Contexis | 2019-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the photo gallery model in Exis Contexis before 2.0 allows remote attackers to inject arbitrary web script or HTML via the image parameter in a detail action. | |||||