Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-19579 | 1 Gitlab | 1 Gitlab | 2019-07-11 | 3.5 LOW | 5.4 MEDIUM | GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1. |
| CVE-2018-19493 | 1 Gitlab | 1 Gitlab | 2019-07-11 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is a persistent XSS vulnerability in the environment pages due to a lack of input validation and output encoding. |
| CVE-2018-17147 | 1 Nagios | 1 Nagios Xi | 2019-07-11 | 3.5 LOW | 4.8 MEDIUM | Nagios XI before 5.5.4 has XSS in the auto login admin management page. |
| CVE-2019-8920 | 1 Apachefriends | 1 Xampp | 2019-07-11 | 4.3 MEDIUM | 6.1 MEDIUM | iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. |
| CVE-2017-6217 | 1 Paypal | 1 Adaptive Payments Sdk | 2019-07-11 | 4.3 MEDIUM | 6.1 MEDIUM | paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in the SetPaymentOptions.php resulting code execution |
| CVE-2017-18364 | 1 Frank-karau | 1 Phpfk | 2019-07-11 | 4.3 MEDIUM | 6.1 MEDIUM | phpFK lite has XSS via the faq.php, members.php, or search.php query string or the user.php user parameter. |
| CVE-2019-5967 | 1 Joruri | 1 Joruri Cms 2017 | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in Joruri CMS 2017 Release2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-13472 | 1 Phpwind | 1 Phpwind | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM | PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file. |
| CVE-2019-13186 | 1 1234n | 1 Minicms | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM | In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, and CVE-2018-20520. |
| CVE-2018-12623 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Eventum 3.5.0. htdocs/switch.php has XSS via the current_page parameter. |
| CVE-2018-12625 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Eventum 3.5.0. /htdocs/validate.php has XSS via the values parameter. |
| CVE-2018-12626 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Eventum 3.5.0. /htdocs/popup.php has XSS via the cat parameter. |
| CVE-2018-12622 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Eventum 3.5.0. htdocs/ajax/update.php has XSS via the field_name parameter. |
| CVE-2018-12627 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Eventum 3.5.0. /htdocs/list.php has XSS via the show_notification_list_issues or show_authorized_issues parameter. |
| CVE-2019-13397 | 1 Enhancesoft | 1 Osticket | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM | Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via arbitrary file extension while creating a support ticket. |
| CVE-2019-13070 | 1 Cyberpowersystems | 1 Powerpanel | 2019-07-10 | 3.5 LOW | 5.4 MEDIUM | A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim. |
| CVE-2019-13374 | 2 Dlink, Microsoft | 2 Central Wifimanager, Windows | 2019-07-09 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter. |
| CVE-2019-11647 | 1 Microfocus | 1 Netiq Self Service Password Reset | 2019-07-09 | 4.3 MEDIUM | 6.1 MEDIUM | A potential XSS exists in Self Service Password Reset, in Micro Focus NetIQ Software all versions prior to version 4.4. The vulnerability could be exploited to enable an XSS attack. |
| CVE-2019-13072 | 1 Zoneminder | 1 Zoneminder | 2019-07-09 | 4.3 MEDIUM | 6.1 MEDIUM | Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page. |
| CVE-2019-6639 | 1 F5 | 2 Big-ip Advanced Firewall Manager, Big-ip Policy Enforcement Manager | 2019-07-09 | 3.5 LOW | 4.8 MEDIUM | On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, an undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. This is a control plane issue only and is not accessible from the data plane. The attack requires a malicious resource administrator to store the XSS. |
| CVE-2019-12930 | 1 Wikindx Project | 1 Wikindx | 2019-07-09 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in noMenu() and noSubMenu() in core/navigation/MENU.php in WIKINDX prior to version 5.8.1 allows remote attackers to inject arbitrary web script or HTML via the method parameter. |
| CVE-2018-14027 | 1 Digisol | 2 Dg-hr-3300, Dg-hr-3300 Firmware | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM | Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or password parameter to the admin login page. |
| CVE-2018-11227 | 1 Monstra | 1 Monstra Cms | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM | Monstra CMS 3.0.4 and earlier has XSS via index.php. |
| CVE-2018-1000874 | 1 Cebe | 1 Markdown | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a malicious crafted script to be executed that can result in the lose of user data and sensitive user information. This attack can be exploited by crafting a three backtick wrapped payload with a character in front: L: "```<script>alert();</script>```". NOTE: This has been argued as a non-issue (see references) since it is not the parser's job to sanitize malicious code from a parsed document. |
| CVE-2015-2324 | 1 10web | 1 Photo Gallery | 2019-07-08 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in the filemanager in the Photo Gallery plugin before 1.2.13 for WordPress allows remote authenticated users with edit permission to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-6626 | 1 F5 | 3 Big-ip Advanced Firewall Manager, Big-ip Analytics, Big-ip Application Security Manager | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM | On BIG-IP (AFM, Analytics, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.3.4, A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration utility. |
| CVE-2019-6625 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM | On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility. |
| CVE-2019-13239 | 1 Glpi-project | 1 Glpi | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM | inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture. |
| CVE-2018-20807 | 1 Pulsesecure | 1 Pulse Connect Secure | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly. |
| CVE-2019-13339 | 1 1234n | 1 Minicms | 2019-07-07 | 3.5 LOW | 4.8 MEDIUM | In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie. |
| CVE-2019-13340 | 1 1234n | 1 Minicms | 2019-07-07 | 3.5 LOW | 4.8 MEDIUM | In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186. |
| CVE-2019-13341 | 1 1234n | 1 Minicms | 2019-07-07 | 3.5 LOW | 4.8 MEDIUM | In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie. |
| CVE-2017-17972 | 1 Archon Project | 1 Archon | 2019-07-07 | 4.3 MEDIUM | 6.1 MEDIUM | packages/subjects/pub/subjects.php in Archon 3.21 rev-1 has XSS in the referer parameter in an index.php?subjecttypeid=xxx request, aka Open Bug Bounty ID OBB-466362. |
| CVE-2019-12842 | 1 Jetbrains | 1 Teamcity | 2019-07-05 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected XSS on a user page was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.2. |
| CVE-2017-6216 | 1 Novaksolutions | 1 Infusionsoft-php-sdk | 2019-07-05 | 4.3 MEDIUM | 6.1 MEDIUM | novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable to a reflected XSS in the leadscoring.php resulting code execution |
| CVE-2018-17560 | 1 Teamwire | 1 Teamwire | 2019-07-05 | 4.3 MEDIUM | 6.1 MEDIUM | The admin interface of the Grouptime Teamwire Client 1.5.1 prior to 1.9.0 on-premises messenger server allows stored XSS. All backend versions prior to prod-2018-11-13-15-00-42 are affected. |
| CVE-2018-11317 | 1 Intelliants | 1 Subrion | 2019-07-05 | 4.3 MEDIUM | 6.1 MEDIUM | Subrion CMS before 4.1.4 has XSS. |
| CVE-2018-20814 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Policy Secure | 2019-07-04 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.3R2 before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX or PPS 5.2RX. |
| CVE-2019-9701 | 1 Symantec | 1 Data Loss Prevention | 2019-07-03 | 3.5 LOW | 4.8 MEDIUM | DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site scripting (XSS) vulnerability, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. |
| CVE-2019-12932 | 1 Seeddms | 1 Seeddms | 2019-07-03 | 4.3 MEDIUM | 6.1 MEDIUM | A stored XSS vulnerability was found in SeedDMS 5.1.11 due to poorly escaping the search result in the autocomplete search form placed in the header of out/out.Viewfolder.php. |
| CVE-2018-20808 | 1 Pulsesecure | 1 Pulse Connect Secure | 2019-07-03 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. This is not applicable to 8.1RX. |
| CVE-2018-14919 | 1 Loytec | 2 Lgate-902, Lgate-902 Firmware | 2019-07-03 | 4.3 MEDIUM | 6.1 MEDIUM | LOYTEC LGATE-902 6.3.2 devices allow XSS. |
| CVE-2019-4410 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2019-07-03 | 3.5 LOW | 5.4 MEDIUM | IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162657. |
| CVE-2016-5235 | 1 F5 | 1 Websafe Alert Server | 2019-07-02 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross Site Scripting (XSS) vulnerability in versions of F5 WebSafe Dashboard 3.9.x and earlier, aka F5 WebSafe Alert Server, allows an unauthenticated user to inject HTML via a crafted alert. |
| CVE-2016-5236 | 1 F5 | 1 Websafe Alert Server | 2019-07-02 | 3.5 LOW | 5.4 MEDIUM | Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard 3.9.5 and earlier, aka F5 WebSafe Alert Server, allow privileged authenticated users to inject arbitrary web script or HTML when creating a new user, account or signature. |
| CVE-2018-6145 | 1 Google | 1 Chrome | 2019-07-02 | 4.3 MEDIUM | 6.1 MEDIUM | Insufficient data validation in HTML parser in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to bypass same origin policy via a crafted HTML page. |
| CVE-2018-20849 | 1 Arastta | 1 Ecommerce | 2019-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | Arastta eCommerce 1.6.2 is vulnerable to XSS via the PATH_INFO to the login/ URI. |
| CVE-2018-6128 | 2 Apple, Google | 2 Iphone Os, Chrome | 2019-07-01 | 4.3 MEDIUM | 6.1 MEDIUM | Incorrect URL parsing in WebKit in Google Chrome on iOS prior to 67.0.3396.62 allowed a remote attacker to perform domain spoofing via a crafted HTML page. |
| CVE-2019-12581 | 1 Zyxel | 18 Uag2100, Uag2100 Firmware, Uag4100 and 15 more | 2019-06-28 | 4.3 MEDIUM | 6.1 MEDIUM | A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter. |
| CVE-2019-9957 | 1 Quadbase | 1 Espressreport Es | 2019-06-27 | 3.5 LOW | 5.4 MEDIUM | Stored XSS within Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The XSS payload is stored by creating a new user account, and setting the username to an XSS payload. The stored payload can then be triggered by accessing the "Set Security Levels" or "View User/Group Relationships" page. If the attacker does not currently have permission to create a new user, another vulnerability such as CSRF must be exploited first. |
