Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-16219 | 1 Wordpress | 1 Wordpress | 2019-09-12 | 4.3 MEDIUM | 6.1 MEDIUM | WordPress before 5.2.3 allows XSS in shortcode previews. |
| CVE-2019-16222 | 1 Wordpress | 1 Wordpress | 2019-09-12 | 4.3 MEDIUM | 6.1 MEDIUM | WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
| CVE-2019-16221 | 1 Wordpress | 1 Wordpress | 2019-09-12 | 4.3 MEDIUM | 6.1 MEDIUM | WordPress before 5.2.3 allows reflected XSS in the dashboard. |
| CVE-2019-8450 | 1 Atlassian | 1 Jira | 2019-09-11 | 3.5 LOW | 4.8 MEDIUM | Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field. |
| CVE-2019-14996 | 1 Atlassian | 1 Jira | 2019-09-11 | 4.3 MEDIUM | 6.1 MEDIUM | The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. |
| CVE-2019-16145 | 1 Padrinorb | 1 Padrino-contrib | 2019-09-11 | 4.3 MEDIUM | 6.1 MEDIUM | The breadcrumbs contributed module through 0.2.0 for Padrino Framework allows XSS via a caption. |
| CVE-2019-0361 | 1 Sap | 1 Supplier Relationship Management | 2019-09-11 | 4.3 MEDIUM | 6.1 MEDIUM | SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
| CVE-2019-11548 | 1 Gitlab | 1 Gitlab | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint. |
| CVE-2017-18610 | 1 Magicfields | 1 Magic Fields | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-group-id parameter. |
| CVE-2017-18611 | 1 Magicfields | 1 Magic Fields | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-field-css parameter. |
| CVE-2017-18601 | 1 Ibps Online Exam Project | 1 Ibps Online Exam | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM | The examapp plugin 1.0 for WordPress has XSS via exam input text fields. |
| CVE-2017-18606 | 1 Theme-fusion | 1 Avada | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | The avada theme before 5.1.5 for WordPress has stored XSS. |
| CVE-2017-18600 | 1 Ncrafts | 1 Formcraft | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM | The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field. |
| CVE-2019-6784 | 1 Gitlab | 1 Gitlab | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 1 of 2). Markdown fields contain a lack of input validation and output encoding when processing KaTeX that results in a persistent XSS. |
| CVE-2019-16147 | 1 Liferay | 1 Liferay Portal | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib. |
| CVE-2017-18598 | 1 Designmodo | 1 Qards | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php. |
| CVE-2017-18599 | 1 Pinfinity Project | 1 Pinfinity | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | The Pinfinity theme before 2.0 for WordPress has XSS via the s parameter. |
| CVE-2017-18609 | 1 Magicfields | 1 Magic Fields | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | The magic-fields plugin before 1.7.2 for WordPress has XSS via the custom-write-panel-id parameter. |
| CVE-2017-18608 | 1 Spot | 1 Spot.im Comments | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS issues. |
| CVE-2019-16182 | 1 Limesurvey | 1 Limesurvey | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files. |
| CVE-2019-16178 | 1 Limesurvey | 1 Limesurvey | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with correct permissions to inject arbitrary web script or HTML via titles of admin box buttons on the home page. |
| CVE-2019-10670 | 1 Librenms | 1 Librenms | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input in an HTML or a JavaScript context, resulting in unsafe data being injected into these contexts, leading to attacker controlled JavaScript executing in the browser. One example of this is the string parameter in html/pages/inventory.inc.php. |
| CVE-2019-16148 | 1 Sakailms | 1 Sakai | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | Sakai through 12.6 allows XSS via a chat user name. |
| CVE-2017-1000426 | 1 Omniscale | 1 Mapproxy | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | MapProxy version 1.10.3 and older is vulnerable to a Cross Site Scripting attack in the demo service resulting in possible information disclosure. |
| CVE-2019-16146 | 1 Getgophish | 1 Gophish | 2019-09-10 | 3.5 LOW | 4.8 MEDIUM | Gophish through 0.8.0 allows XSS via a username. |
| CVE-2018-21014 | 1 Buddyboss | 1 Buddymoss Media | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM | The buddyboss-media plugin through 3.2.3 for WordPress has stored XSS. |
| CVE-2018-18373 | 1 Schiocco | 1 Support Board - Chat And Help Desk | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM | In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, a Stored XSS vulnerability has been discovered in file upload areas in the Chat and Help Desk sections via the msg parameter in a /wp-admin/admin-ajax.php sb_ajax_add_message action. |
| CVE-2019-15833 | 1 Simple Mail Address Encoder Project | 1 Simple Mail Address Encoder | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | The simple-mail-address-encoder plugin before 1.7 for WordPress has reflected XSS. |
| CVE-2019-16118 | 1 10web | 1 Photo Gallery | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php. |
| CVE-2019-16117 | 1 10web | 1 Photo Gallery | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php. |
| CVE-2017-18539 | 1 Deepsoft | 1 Weblibrarian | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM | The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front-end short codes. |
| CVE-2018-21012 | 1 Vsourz | 1 Cf7 Invisible Recaptcha | 2019-09-09 | 4.3 MEDIUM | 6.1 MEDIUM | The cf7-invisible-recaptcha plugin before 1.3.2 for WordPress has XSS. |
| CVE-2019-6796 | 1 Gitlab | 1 Gitlab | 2019-09-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 2 of 2). The user status field contains a lack of input validation and output encoding that results in a persistent XSS. |
| CVE-2019-16126 | 1 Getgrav | 1 Grav Cms | 2019-09-09 | 4.3 MEDIUM | 6.1 MEDIUM | Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images. |
| CVE-2019-16130 | 1 Hgw168cc | 1 Yii-cms | 2019-09-09 | 4.3 MEDIUM | 6.1 MEDIUM | YII2-CMS v1.0 has XSS in protected\core\modules\home\models\Contact.php via a name field to /contact.html. |
| CVE-2019-16104 | 1 Silver-peak | 2 Unity Edgeconnect Sd-wan, Unity Edgeconnect Sd-wan Firmware | 2019-09-09 | 4.3 MEDIUM | 6.1 MEDIUM | Silver Peak EdgeConnect SD-WAN before 8.1.7.x has reflected XSS via the rest/json/configdb/download/ PATH_INFO. |
| CVE-2019-10677 | 1 Dasanzhone | 2 Znid Gpon 2426a Eu, Znid Gpon 2426a Eu Firmware | 2019-09-09 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple Cross-Site Scripting (XSS) issues in the web interface on DASAN Zhone ZNID GPON 2426A EU version S3.1.285 devices allow a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameter: /zhndnsdisplay.cmd (name), /wlsecrefresh.wl (wlWscCfgMethod, wl_wsc_reg). |
| CVE-2017-18559 | 1 Cformsii Project | 1 Cformsii | 2019-09-08 | 4.3 MEDIUM | 6.1 MEDIUM | The cforms2 plugin before 14.13.3 for WordPress has multiple XSS issues. |
| CVE-2017-18499 | 1 Simple-membership-plugin | 1 Simple Membership | 2019-09-07 | 4.3 MEDIUM | 6.1 MEDIUM | The simple-membership plugin before 3.5.7 for WordPress has XSS. |
| CVE-2018-17586 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2019-09-07 | 4.3 MEDIUM | 6.1 MEDIUM | The WP Fastest Cache plugin 0.8.8.5 for WordPress has XSS via the rules[0][content] parameter in a wpfc_save_timeout_pages action. |
| CVE-2018-17583 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2019-09-07 | 4.3 MEDIUM | 6.1 MEDIUM | The WP Fastest Cache plugin 0.8.8.5 for WordPress has XSS via the rules[0][content] parameter in a wpfc_save_exclude_pages action. |
| CVE-2018-17585 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2019-09-07 | 4.3 MEDIUM | 6.1 MEDIUM | The WP Fastest Cache plugin 0.8.8.5 for WordPress has XSS via the wpfastestcacheoptions wpFastestCachePreload_number or wpFastestCacheLanguage parameter. |
| CVE-2019-13209 | 1 Rancher | 1 Rancher | 2019-09-06 | 4.3 MEDIUM | 6.1 MEDIUM | Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim. |
| CVE-2019-1020010 | 1 Misskey | 1 Misskey | 2019-09-05 | 4.3 MEDIUM | 6.1 MEDIUM | Misskey before 10.102.4 allows hijacking a user's token. |
| CVE-2019-14470 | 2 Instagram-php-api Project, Userproplugin | 2 Instagram-php-api, User Pro | 2019-09-05 | 4.3 MEDIUM | 6.1 MEDIUM | cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter. |
| CVE-2019-15814 | 1 Sentrifugo | 1 Sentrifugo | 2019-09-04 | 3.5 LOW | 5.4 MEDIUM | Multiple stored XSS vulnerabilities in Sentrifugo 3.2 could allow authenticated users to inject arbitrary web script or HTML. |
| CVE-2018-20977 | 1 Brainstormforce | 1 Schema | 2019-09-04 | 4.3 MEDIUM | 6.1 MEDIUM | The all-in-one-schemaorg-rich-snippets plugin before 1.5.0 for WordPress has XSS on the settings page. |
| CVE-2019-15109 | 1 Tri | 1 The Events Calendar | 2019-09-04 | 4.3 MEDIUM | 6.1 MEDIUM | The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter. |
| CVE-2016-10892 | 1 Kibokolabs | 1 Chained Quiz | 2019-09-04 | 4.3 MEDIUM | 6.1 MEDIUM | The chained-quiz plugin before 1.0 for WordPress has multiple XSS issues. |
| CVE-2019-15889 | 1 Wpdownloadmanager | 1 Wordpress Download Manager | 2019-09-04 | 4.3 MEDIUM | 6.1 MEDIUM | The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter. |
