Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-16931 | 1 Themeisle | 1 Visualizer | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM | A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPress allows an unauthenticated attacker to execute arbitrary JavaScript when an admin or other privileged user edits the chart via the admin dashboard. This occurs because classes/Visualizer/Gutenberg/Block.php registers wp-json/visualizer/v1/update-chart with no access control, and classes/Visualizer/Render/Page/Data.php lacks output sanitization. |
| CVE-2019-15499 | 2 Apple, Hackmd | 2 Safari, Codimd | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM | CodiMD 1.3.1, when Safari is used, allows XSS via an IFRAME element with allow-top-navigation in the sandbox attribute, in conjunction with a data: URL. |
| CVE-2019-4342 | 1 Ibm | 1 Cognos Analytics | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM | IBM Cognos Analytics 11.0 and 11.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 161421. |
| CVE-2019-15750 | 1 Sitos | 1 Sitos Six | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross-Site Scripting (XSS) vulnerability in the blog function in SITOS six Build v6.2.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. |
| CVE-2016-1144 | 1 Websquare | 1 Job-cube | 2019-10-08 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in JOB-CUBE -JOB WEB SYSTEM before 1.2.2 and -JOB WEB SYSTEM High Income 1.0.6 and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-11656 | 1 Hp | 1 Arcsight Logger | 2019-10-08 | 3.5 LOW | 5.4 MEDIUM | Stored XSS vulnerability in Micro Focus ArcSight Logger; affects versions prior to Logger 6.7.1 HotFix 6.7.1.8262.0. This vulnerability could allow Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2019-17213 | 1 Webarxsecurity | 1 Webarx | 2019-10-08 | 4.3 MEDIUM | 6.1 MEDIUM | The WebARX plugin 1.3.0 for WordPress has unauthenticated stored XSS via the URI or the X-Forwarded-For HTTP header. |
| CVE-2019-17121 | 1 Vanderbilt | 1 Redcap | 2019-10-08 | 3.5 LOW | 5.4 MEDIUM | REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values. |
| CVE-2019-17225 | 1 Intelliants | 1 Subrion | 2019-10-08 | 3.5 LOW | 5.4 MEDIUM | Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue. |
| CVE-2019-17226 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-08 | 3.5 LOW | 4.8 MEDIUM | CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field. |
| CVE-2019-16332 | 1 Api Bearer Auth Project | 1 Api Bearer Auth | 2019-10-08 | 4.3 MEDIUM | 6.1 MEDIUM | In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS. |
| CVE-2017-18102 | 1 Atlassian | 1 Jira | 2019-10-08 | 3.5 LOW | 5.4 MEDIUM | The wiki markup component of atlassian-renderer from version 8.0.0 before version 8.0.22 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in nested wiki markup. |
| CVE-2019-17203 | 1 Teampass | 1 Teampass | 2019-10-08 | 3.5 LOW | 5.4 MEDIUM | TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a crafted password for an item in any folder. |
| CVE-2019-17204 | 1 Teampass | 1 Teampass | 2019-10-08 | 3.5 LOW | 5.4 MEDIUM | TeamPass 2.1.27.36 allows Stored XSS by setting a crafted Knowledge Base label and adding any available item. |
| CVE-2019-17205 | 1 Teampass | 1 Teampass | 2019-10-08 | 4.3 MEDIUM | 6.1 MEDIUM | TeamPass 2.1.27.36 allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed. |
| CVE-2018-7274 | 1 Quarx Cms Project | 1 Quarx Cms | 2019-10-07 | 4.3 MEDIUM | 6.1 MEDIUM | Yab Quarx through 2.4.3 is prone to multiple persistent cross-site scripting vulnerabilities: Blog (Title), FAQ (Question), Pages (Title), Widgets (Name), and Menus (Name). |
| CVE-2019-17074 | 1 Xunruicms | 1 Xunruicms | 2019-10-07 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in XunRuiCMS 4.3.1. There is a stored XSS in the module_category area. |
| CVE-2019-8290 | 1 Online Store System Project | 1 Online Store System | 2019-10-04 | 4.3 MEDIUM | 6.1 MEDIUM | Vulnerability in Online Store v1.0: the registration form requirements for the member email format can be bypassed by posting directly to sent_register.php, allowing special characters to be included and an XSS payload to be injected. |
| CVE-2019-11744 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-10-04 | 4.3 MEDIUM | 6.1 MEDIUM | Some HTML elements, such as `<title>` and `<textarea>`, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. |
| CVE-2019-8289 | 1 Online Store System Project | 1 Online Store System | 2019-10-04 | 3.5 LOW | 5.4 MEDIUM | Vulnerability in Online Store v1.0: stored XSS in admin/user_view.php via the adidas_member_email variable. |
| CVE-2019-8288 | 1 Online Store System Project | 1 Online Store System | 2019-10-04 | 3.5 LOW | 5.4 MEDIUM | Vulnerability in Online Store v1.0: stored XSS in user_view.php, where the adidas_member_user variable is not sanitized. |
| CVE-2018-11011 | 1 Halo | 1 Halo | 2019-10-04 | 4.3 MEDIUM | 6.1 MEDIUM | ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to FrontCommentController.java. |
| CVE-2018-11012 | 1 Halo | 1 Halo | 2019-10-04 | 4.3 MEDIUM | 6.1 MEDIUM | ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java. |
| CVE-2019-16684 | 1 Xoops | 1 Xoops | 2019-10-04 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes. |
| CVE-2019-16683 | 1 Xoops | 1 Xoops | 2019-10-04 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes. |
| CVE-2019-16414 | 1 Gfi | 1 Kerio Control | 2019-10-04 | 4.3 MEDIUM | 6.1 MEDIUM | A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI. |
| CVE-2019-16171 | 1 Jetbrains | 1 Youtrack | 2019-10-03 | 4.3 MEDIUM | 6.1 MEDIUM | In JetBrains YouTrack through 2019.2.56594, stored XSS was found on the issue page. |
| CVE-2019-17045 | 1 Ilch | 1 Ilch Cms | 2019-10-03 | 3.5 LOW | 4.8 MEDIUM | Ilch 2.1.22 allows stored XSS via the title, text, or email id to the Jobs Tab. |
| CVE-2019-15037 | 1 Jetbrains | 1 Teamcity | 2019-10-03 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in JetBrains TeamCity 2018.2.4. It had several XSS vulnerabilities on the settings pages. The issues were fixed in TeamCity 2019.1. |
| CVE-2018-16204 | 1 Google Xml Sitemaps Project | 1 Google Xml Sitemaps | 2019-10-03 | 3.5 LOW | 4.8 MEDIUM | Cross-site scripting vulnerability in Google XML Sitemaps Version 4.0.9 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-8247 | 1 Microsoft | 2 Office Online Server, Office Web Apps | 2019-10-03 | 5.8 MEDIUM | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Office Web Apps Server 2013 and Office Online Server fail to properly handle web requests, aka "Microsoft Office Elevation of Privilege Vulnerability." This affects Microsoft Office, Microsoft Office Online Server. This CVE ID is unique from CVE-2018-8245. |
| CVE-2018-1136 | 1 Moodle | 1 Moodle | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users. |
| CVE-2018-1005 | 1 Microsoft | 1 Sharepoint Enterprise Server | 2019-10-03 | 3.5 LOW | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-1014, CVE-2018-1032, CVE-2018-1034. |
| CVE-2018-15181 | 1 Jio | 2 4g Hotspot M2s, 4g Hotspot M2s Firmware | 2019-10-03 | 6.8 MEDIUM | 6.5 MEDIUM | JioFi 4G Hotspot M2S devices allow attackers to cause a denial of service (secure configuration outage) via an XSS payload in the SSID name and Security Key fields. |
| CVE-2018-8498 | 1 Microsoft | 1 Sharepoint Enterprise Server | 2019-10-03 | 3.5 LOW | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-8480, CVE-2018-8488, CVE-2018-8518. |
| CVE-2018-8518 | 1 Microsoft | 1 Sharepoint Enterprise Server | 2019-10-03 | 3.5 LOW | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-8480, CVE-2018-8488, CVE-2018-8498. |
| CVE-2018-15676 | 1 Btiteam | 1 Xbtit | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in BTITeam XBTIT. By using String.replace and eval, it is possible to bypass the includes/crk_protection.php anti-XSS mechanism that looks for a number of dangerous fingerprints. |
| CVE-2018-8572 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2019-10-03 | 3.5 LOW | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint. This CVE ID is unique from CVE-2018-8568. |
| CVE-2018-1014 | 1 Microsoft | 1 Sharepoint Enterprise Server | 2019-10-03 | 4.9 MEDIUM | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-1005, CVE-2018-1032, CVE-2018-1034. |
| CVE-2018-8152 | 1 Microsoft | 1 Exchange Server | 2019-10-03 | 5.8 MEDIUM | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server. |
| CVE-2018-8159 | 1 Microsoft | 1 Exchange Server | 2019-10-03 | 5.8 MEDIUM | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server. |
| CVE-2018-1032 | 1 Microsoft | 1 Sharepoint Enterprise Server | 2019-10-03 | 3.5 LOW | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint. This CVE ID is unique from CVE-2018-1005, CVE-2018-1014, CVE-2018-1034. |
| CVE-2018-8568 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2019-10-03 | 3.5 LOW | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint. This CVE ID is unique from CVE-2018-8572. |
| CVE-2018-5175 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2019-10-03 | 4.3 MEDIUM | 6.1 MEDIUM | A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw, an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts. This vulnerability affects Firefox < 60. |
| CVE-2018-6070 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-10-03 | 4.3 MEDIUM | 6.1 MEDIUM | Lack of CSP enforcement on WebUI pages in Blink in Google Chrome prior to 65.0.3325.146 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. |
| CVE-2018-8428 | 1 Microsoft | 1 Sharepoint Enterprise Server | 2019-10-03 | 3.5 LOW | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-8431. |
| CVE-2018-8431 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2019-10-03 | 3.5 LOW | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint. This CVE ID is unique from CVE-2018-8428. |
| CVE-2018-8448 | 1 Microsoft | 1 Exchange Server | 2019-10-03 | 5.8 MEDIUM | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server. |
| CVE-2018-1034 | 1 Microsoft | 1 Sharepoint Enterprise Server | 2019-10-03 | 3.5 LOW | 5.4 MEDIUM | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-1005, CVE-2018-1014, CVE-2018-1032. |
| CVE-2018-16636 | 1 Nucleuscms | 1 Nucleus Cms | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM | Nucleus CMS 3.70 allows HTML Injection via the index.php body parameter. |
