Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-10992 | 1 Codepeople | 1 Music Store | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The music-store plugin before 1.0.43 for WordPress has XSS via the wp-admin/admin.php?page=music-store-menu-reports from_year parameter. | |||||
| CVE-2019-16216 | 1 Zulip | 1 Zulip Server | 2019-09-18 | 3.5 LOW | 5.4 MEDIUM |
| Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files of certain types to mount a stored cross-site scripting attack on other logged-in users. On a Zulip server using the default local uploads backend, the attack is only effective against browsers lacking support for Content-Security-Policy such as Internet Explorer 11. On a Zulip server using the S3 uploads backend, the attack is confined to the origin of the configured S3 uploads hostname and cannot reach the Zulip server itself. | |||||
| CVE-2016-10976 | 1 Kodebyraaet | 1 Safe Editor | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The safe-editor plugin before 1.2 for WordPress has no se_save authentication, with resultant XSS. | |||||
| CVE-2019-15848 | 1 Jetbrains | 1 Teamcity | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| JetBrains TeamCity 2019.1 and 2019.1.1 allows cross-site scripting (XSS), potentially making it possible to send an arbitrary HTTP request to a TeamCity server under the name of the currently logged-in user. | |||||
| CVE-2019-16321 | 1 Scadabr | 1 Scadabr | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. | |||||
| CVE-2018-13136 | 1 Ultimatemember | 1 Ultimate Member | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen. | |||||
| CVE-2016-10990 | 1 Wpcerber | 1 Cerber Security Antispam \& Malware Scan | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-cerber plugin before 2.7 for WordPress has XSS via the X-Forwarded-For HTTP header. | |||||
| CVE-2016-10975 | 1 Tonjoostudio | 1 Fluid-responsive-slideshow | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has reflected XSS via the skin parameter. | |||||
| CVE-2016-10985 | 1 Smackcoders | 1 Echo Sign | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter. | |||||
| CVE-2019-16197 | 1 Dolibarr | 1 Dolibarr | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS. | |||||
| CVE-2016-10988 | 1 Leenk | 1 Leenk.me | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The leenkme plugin before 2.6.0 for WordPress has stored XSS via facebook_message, facebook_linkname, facebook_caption, facebook_description, default_image, or _wp_http_referer. | |||||
| CVE-2016-10986 | 1 Nerdcow | 1 Tweet Wheel | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The tweet-wheel plugin before 1.0.3.3 for WordPress has XSS via consumer_key, consumer_secret, access_token, and access_token_secret. | |||||
| CVE-2016-10984 | 1 Smackcoders | 1 Echo Sign | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The echosign plugin before 1.2 for WordPress has XSS via the inc.php page parameter. | |||||
| CVE-2016-10981 | 1 Kentothemes | 1 Kento-post-view-counter | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The kento-post-view-counter plugin through 2.8 for WordPress has stored XSS via kento_pvc_numbers_lang, kento_pvc_today_text, or kento_pvc_total_text. | |||||
| CVE-2016-10987 | 1 Woocommerce | 1 Persian Woocommerce Sms | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS. | |||||
| CVE-2016-10979 | 1 Fossura | 1 Tag Miner | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The fossura-tag-miner plugin before 1.1.5 for WordPress has XSS. | |||||
| CVE-2016-10980 | 1 Kentothemes | 1 Kento-post-view-counter | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The kento-post-view-counter plugin through 2.8 for WordPress has XSS via kento_pvc_geo. | |||||
| CVE-2018-7547 | 1 Lingyun | 1 Lyadmin | 2019-09-17 | 3.5 LOW | 4.8 MEDIUM |
| lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the /admin.php?s=/admin/config/groupsave.html URI. | |||||
| CVE-2019-15950 | 1 Redmineup | 1 Crm | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. | |||||
| CVE-2019-15739 | 1 Gitlab | 1 Gitlab | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 8.1 through 12.2.1. Certain areas displaying Markdown were not properly sanitizing some XSS payloads. | |||||
| CVE-2016-10957 | 1 Akal Project | 1 Akal | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Akal theme through 2016-08-22 for WordPress has XSS via the framework/brad-shortcodes/tinymce/preview.php sc parameter. | |||||
| CVE-2016-10964 | 1 Findshorty | 1 Dwnldr | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent HTTP header. | |||||
| CVE-2016-10967 | 1 Creativeinteractivemedia | 1 Real3d Flipbook | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter. | |||||
| CVE-2016-10969 | 1 Supportflow Project | 1 Supportflow | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The supportflow plugin before 0.7 for WordPress has XSS via a discussion ticket title. | |||||
| CVE-2016-10973 | 1 Brafton | 1 Brafton | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php. | |||||
| CVE-2016-10970 | 1 Supportflow Project | 1 Supportflow | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The supportflow plugin before 0.7 for WordPress has XSS via a ticket excerpt. | |||||
| CVE-2019-8368 | 1 Open-emr | 1 Openemr | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenEMR v5.0.1-6 allows XSS. | |||||
| CVE-2019-8444 | 1 Atlassian | 1 Jira | 2019-09-16 | 3.5 LOW | 5.4 MEDIUM |
| The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification. | |||||
| CVE-2019-16334 | 1 Bludit | 1 Bludit | 2019-09-16 | 3.5 LOW | 4.8 MEDIUM |
| In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636. | |||||
| CVE-2019-5985 | 2 Ntt-east, Ntt-west | 92 Pr-400ki, Pr-400ki Firmware, Pr-400mi and 89 more | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Hikari Denwa router/Home GateWay (Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI firmware version Ver.19.01.0005 and earlier, PR-S300SE/RT-S300SE/RV-S340SE firmware version Ver.19.40 and earlier, PR-400NE/RT-400NE/RV-440NE firmware version Ver.7.42 and earlier, PR-400KI/RT-400KI/RV-440KI firmware version Ver.07.00.1010 and earlier, PR-400MI/RT-400MI/RV-440MI firmware version Ver. 07.00.1012 and earlier, PR-500KI/RT-500KI firmware version Ver.01.00.0090 and earlier, RS-500KI firmware version Ver.01.00.0070 and earlier, PR-500MI/RT-500MI firmware version Ver.01.01.0014 and earlier, and RS-500MI firmware version Ver.03.01.0019 and earlier, and Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI firmware version Ver.19.01.0005 and earlier, PR-S300SE/RT-S300SE/RV-S340SE firmware version Ver.19.40 and earlier, PR-400NE/RT-400NE/RV-440NE firmware version Ver.7.42 and earlier, PR-400KI/RT-400KI/RV-440KI firmware version Ver.07.00.1010 and earlier, PR-400MI/RT-400MI/RV-440MI firmware version Ver. 07.00.1012 and earlier, PR-500KI/RT-500KI firmware version Ver.01.00.0090 and earlier, and PR-500MI/RT-500MI firmware version Ver.01.01.0011 and earlier) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-6003 | 1 Ec-cube | 1 Amazon Pay | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in EC-CUBE plugin 'Amazon Pay Plugin 2.12,2.13' version 2.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-16312 | 1 S-cms | 1 S-cms | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| s-cms V3.0 has XSS in index.php?type=text via the S_id parameter. | |||||
| CVE-2019-16310 | 1 Niushop | 1 Niushop | 2019-09-16 | 3.5 LOW | 5.4 MEDIUM |
| NIUSHOP V1.11 has XSS via the index.php?s=/admin URI. | |||||
| CVE-2019-16289 | 1 Webcraftic | 1 Woody Ad Snippets | 2019-09-16 | 3.5 LOW | 5.4 MEDIUM |
| The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter. | |||||
| CVE-2016-10952 | 1 Quotes Collection Project | 1 Quotes Collection | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter. | |||||
| CVE-2018-17300 | 1 Cuppacms | 1 Cuppacms | 2019-09-16 | 3.5 LOW | 4.8 MEDIUM |
| Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name. | |||||
| CVE-2019-12517 | 1 Slickquiz Project | 1 Slickquiz | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in the slickquiz plugin through 1.3.7.1 for WordPress. The save_quiz_score functionality available via the /wp-admin/admin-ajax.php endpoint allows unauthenticated users to submit quiz solutions/answers, which are stored in the database and later shown in the WordPress backend for all users with at least Subscriber rights. Because the plugin does not properly validate and sanitize this data, a malicious payload in either the name or email field is executed directly within the backend at /wp-admin/admin.php?page=slickquiz across all users with the privileges of at least Subscriber. | |||||
| CVE-2017-18615 | 1 Wp-kama | 1 Kama Click Counter | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The kama-clic-counter plugin before 3.5.0 for WordPress has XSS. | |||||
| CVE-2017-18613 | 1 Trust Form Project | 1 Trust Form | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The trust-form plugin 2.0 for WordPress has XSS via the wp-admin/admin.php?page=trust-form-edit page parameter. | |||||
| CVE-2017-18612 | 1 Netattingo | 1 Wp-whois-domain | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-whois-domain plugin 1.0.0 for WordPress has XSS via the pages/func-whois.php domain parameter. | |||||
| CVE-2019-16218 | 1 Wordpress | 1 Wordpress | 2019-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.2.3 allows XSS in stored comments. | |||||
| CVE-2016-10941 | 1 Podlove | 1 Podlove Podcast Publisher | 2019-09-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF. | |||||
| CVE-2019-16238 | 1 Afterlogic | 1 Aurora | 2019-09-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged for session hijacking by retrieving the session cookie from the administrator login. | |||||
| CVE-2017-0912 | 1 Ui | 1 Ucrm | 2019-09-13 | 3.5 LOW | 5.4 MEDIUM |
| Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-site Scripting. Due to the lack sanitization, it is possible to inject arbitrary HTML code by manipulating the uploaded filename. Successful exploitation requires valid credentials to an account with "Edit" access to "Scheduling". | |||||
| CVE-2019-1305 | 1 Microsoft | 2 Azure Devops Server, Team Foundation Server | 2019-09-13 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka 'Team Foundation Server Cross-site Scripting Vulnerability'. | |||||
| CVE-2019-16173 | 1 Limesurvey | 1 Limesurvey | 2019-09-12 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php, | |||||
| CVE-2019-16172 | 1 Limesurvey | 1 Limesurvey | 2019-09-12 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion. | |||||
| CVE-2019-16193 | 1 Esri | 1 Arcgis Enterprise | 2019-09-12 | 3.5 LOW | 5.4 MEDIUM |
| In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to trigger a Cross Frame Scripting (XFS) attack through the EDIT MY PROFILE feature. | |||||
| CVE-2017-18603 | 1 Postman-smtp Project | 1 Postman-smtp | 2019-09-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postman_email_log page parameter. | |||||
| CVE-2019-1273 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2019-09-12 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize certain error messages, aka 'Active Directory Federation Services XSS Vulnerability'. | |||||