Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8083 | 1 Adobe | 1 Experience Manager | 2019-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.5, 6.4 and 6.3 have a cross site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2015-9503 | 1 Webmandesign | 1 Modern Theme | 2019-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Modern theme before 1.4.2 for WordPress has XSS via the genericons/example.html anchor identifier. | |||||
| CVE-2015-9502 | 1 Webmandesign | 1 Auberge Theme | 2019-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Auberge theme before 1.4.5 for WordPress has XSS via the genericons/example.html anchor identifier. | |||||
| CVE-2019-18219 | 1 Sitemagic | 1 Sitemagic | 2019-10-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sitemagic CMS 4.4.1 is affected by a Cross-Site-Scripting (XSS) vulnerability, as it fails to validate user input. The affected components (index.php, upgrade.php) allow for JavaScript injection within both GET or POST requests, via a crafted URL or via the UpgradeMode POST parameter. | |||||
| CVE-2019-18203 | 1 Ricoh | 2 Mp 501, Mp 501 Firmware | 2019-10-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn and KeyDisplay parameter to /web/entry/en/address/adrsSetUserWizard.cgi. | |||||
| CVE-2015-9500 | 1 Exquisite Ultimate Newspaper Project | 1 Exquisite Ultimate Newspaper | 2019-10-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Exquisite Ultimate Newspaper theme 1.3.3 for WordPress has XSS via the anchor identifier to assets/js/jquery.foundation.plugins.js. | |||||
| CVE-2019-16975 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2015-9495 | 1 Syndication Links Project | 1 Syndication Links | 2019-10-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The syndication-links plugin before 1.0.3 for WordPress has XSS via the genericons/example.html anchor identifier. | |||||
| CVE-2015-9494 | 1 Indieweb Post Kinds Project | 1 Indieweb Post Kinds | 2019-10-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The indieweb-post-kinds plugin before 1.3.1.1 for WordPress has XSS via the genericons/example.html anchor identifier. | |||||
| CVE-2019-16982 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16987 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16984 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS. | |||||
| CVE-2019-16983 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS. | |||||
| CVE-2019-16981 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | |||||
| CVE-2019-16979 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16973 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16989 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-5586 | 1 Fortinet | 1 Fortios | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.2.0 to 5.6.10, 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the "param" parameter of the error process HTTP requests. | |||||
| CVE-2019-17220 | 1 Rocket.chat | 1 Rocket.chat | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. | |||||
| CVE-2019-8089 | 1 Adobe | 1 Experience Manager Forms | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2015-9493 | 1 Nlb-creationst | 1 My Wish List | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The my-wish-list plugin before 1.4.2 for WordPress has multiple XSS issues. | |||||
| CVE-2018-20758 | 1 Modx | 1 Modx Revolution | 2019-10-23 | 3.5 LOW | 5.4 MEDIUM |
| MODX Revolution through v2.7.0-pl allows XSS via User Settings such as Description. | |||||
| CVE-2019-16972 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16971 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. | |||||
| CVE-2019-16968 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in FusionPBX up to 4.5.7. In the file app\conference_controls\conference_control_details.php, an unsanitized id variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. | |||||
| CVE-2019-16978 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | |||||
| CVE-2019-16969 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16974 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16970 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses an unsanitized "savemsg" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16988 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. | |||||
| CVE-2019-16991 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2015-9501 | 1 Artificial Intelligence Project | 1 Artificial Intelligence | 2019-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Artificial Intelligence theme before 1.2.4 for WordPress has XSS because Genericons HTML files are unnecessarily placed under the web root. | |||||
| CVE-2019-17114 | 1 Wikidsystems | 1 Two Factor Authentication Enterprise Server | 2019-10-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allows remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/userPreregistration.jsp. The preRegistrationData parameter is vulnerable: a reflected cross-site scripting occurs immediately after a .csv file is uploaded. The malicious script is stored and can be executed again when the List Pre-Registration functionality is used. | |||||
| CVE-2019-17115 | 1 Wikidsystems | 1 Two Factor Authentication Enterprise Server | 2019-10-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML that is triggered when Logs.jsp is visited. The rendered_message column is retrieved and displayed, unsanitized, on Logs.jsp. A remote attack can populate the rendered_message column with malicious values via: (1) H parameter to /wikid/servlet/com.wikidsystems.server.GetDomainHash (2) S parameter to: - /wikid/DomainData - /wikid/PreRegisterLookup - /wikid/PreRegister - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S - /servlet/com.wikidsystems.server.InitDevice2S - /servlet/com.wikidsystems.server.InitDevice3S - /servlet/com.wikidsystems.server.InitDevice4S - /wikid/servlet/com.wikidsystems.server.InitDevice4AES - /wikid/servlet/com.wikidsystems.server.InitDevice5AES (3) a parameter to: - /wikid/PreRegisterLookup - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S - /servlet/com.wikidsystems.server.InitDevice2S - /servlet/com.wikidsystems.server.InitDevice3S - /servlet/com.wikidsystems.server.InitDevice4S - /wikid/servlet/com.wikidsystems.server.InitDevice4AES - /wikid/servlet/com.wikidsystems.server.InitDevice5AES. | |||||
| CVE-2019-17116 | 1 Wikidsystems | 1 Two Factor Authentication Enterprise Server | 2019-10-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/groups.jsp. The groupName parameter is vulnerable: the reflected cross-site scripting occurs immediately after the group is created. The malicious script is stored and will be executed again whenever /WiKIDAdmin/groups.jsp is visited. | |||||
| CVE-2019-12705 | 1 Cisco | 1 Telepresence Video Communication Server | 2019-10-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2019-17189 | 1 Totemo | 1 Totemodata | 2019-10-22 | 3.5 LOW | 5.4 MEDIUM |
| totemodata 3.0.0_b936 has XSS via a folder name. | |||||
| CVE-2019-15269 | 1 Cisco | 68 Amp 7150, Amp 7150 Firmware, Amp 8150 and 65 more | 2019-10-22 | 3.5 LOW | 4.8 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2019-15268 | 1 Cisco | 68 Amp 7150, Amp 7150 Firmware, Amp 8150 and 65 more | 2019-10-22 | 3.5 LOW | 4.8 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2019-15270 | 1 Cisco | 12 Firepower Management Center, Firepower Management Center 1000, Firepower Management Center 1600 and 9 more | 2019-10-22 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2019-18209 | 1 Etherpad | 1 Etherpad | 2019-10-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer. | |||||
| CVE-2019-8160 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more | 2019-10-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have a cross-site scripting vulnerability. Successful exploitation could lead to information disclosure. | |||||
| CVE-2019-15280 | 1 Cisco | 1 Firepower Management Center | 2019-10-22 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious code in certain sections of the interface that are visible to other users. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. An attacker would need valid administrator credentials to exploit this vulnerability. | |||||
| CVE-2019-15281 | 1 Cisco | 1 Identity Services Engine Software | 2019-10-22 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The attacker must have valid administrator credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a troubleshooting file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-10715 | 1 Verodin | 1 Director | 2019-10-21 | 3.5 LOW | 5.4 MEDIUM |
| There is Stored XSS in Verodin Director 3.5.3.0 and earlier via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages. | |||||
| CVE-2019-17409 | 1 Open-emr | 1 Openemr | 2019-10-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter. | |||||
| CVE-2019-16862 | 1 Open-emr | 1 Openemr | 2019-10-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter. | |||||
| CVE-2019-12638 | 1 Cisco | 1 Identity Services Engine | 2019-10-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2019-17207 | 1 Managewp | 1 Broken Link Checker | 2019-10-21 | 3.5 LOW | 5.4 MEDIUM |
| A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the wp-admin/tools.php?page=view-broken-links s_filter parameter in a search action. | |||||
| CVE-2019-16330 | 1 Nchsoftware | 1 Express Accounts Accounting | 2019-10-21 | 3.5 LOW | 5.4 MEDIUM |
| In NCH Express Accounts Accounting v7.02, persistent cross site scripting (XSS) exists in Invoices/Sales Orders/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Sales Orders/Items/Customers/Quotes fields parameter to inject arbitrary JavaScript. | |||||