Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-12766 | 1 Joomla | 1 Joomla! | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors. |
| CVE-2018-1325 | 1 Wicket-jquery-ui Project | 1 Wicket-jquery-ui | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM | In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in the WYSIWYG editor will be executed on display. |
| CVE-2017-15719 | 1 Wicket-jquery-ui Project | 1 Wicket-jquery-ui | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM | In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to the WYSIWYG editor. |
| CVE-2018-10934 | 1 Redhat | 3 Enterprise Linux Server, Jboss Enterprise Application Platform, Single Sign-on | 2019-06-11 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users. |
| CVE-2017-1000386 | 1 Jenkins | 1 Active Choices | 2019-06-11 | 3.5 LOW | 5.4 MEDIUM | Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. This could include, for example, arbitrary JavaScript. Active Choices now sanitizes the HTML inserted on the 'Build With Parameters' page if and only if the script is executed in a sandbox. As unsandboxed scripts are subject to administrator approval, it is up to the administrator to allow or disallow problematic script output. |
| CVE-2015-9282 | 1 Grafana | 1 Piechart-panel | 2019-06-11 | 4.3 MEDIUM | 6.1 MEDIUM | The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerable to XSS via legend data or tooltip data. When a chart is included in a Grafana dashboard, this vulnerability could allow an attacker to gain remote unauthenticated access to the dashboard. |
| CVE-2019-11877 | 1 Pix-link | 2 Lv-wr09, Lv-wr09 Firmware | 2019-06-11 | 4.3 MEDIUM | 6.1 MEDIUM | XSS on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRouter.20180616 allows attackers to steal credentials without being connected to the network. The attack vector is a crafted ESSID. |
| CVE-2018-10700 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection. |
| CVE-2018-10692 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily. |
| CVE-2019-11398 | 1 Ulicms | 1 Ulicms | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to admin/index.php?action=favicon. |
| CVE-2018-7653 | 1 Yzmcms | 1 Yzmcms | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter. |
| CVE-2019-12774 | 1 Enttec | 8 Datagate Mk2, Datagate Mk2 Firmware, E-streamer Mk2 and 5 more | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | A number of stored XSS vulnerabilities have been identified in the web configuration feature in ENTTEC Datagate Mk2 70044_update_05032019-482 that could allow an unauthenticated threat actor to inject malicious code directly into the application. This affects, for example, the Profile Description field in JSON data to the Profile Editor. |
| CVE-2018-19465 | 1 Maccms | 1 Maccms | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html. |
| CVE-2018-5798 | 1 Cloudera | 1 Cloudera Manager | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | This CVE relates to an unspecified cross-site scripting vulnerability in Cloudera Manager. |
| CVE-2019-7554 | 1 Api Based Travel Booking Project | 1 Api Based Travel Booking | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter. |
| CVE-2019-7553 | 1 Chartered Accountant | 1 Auditor Website Project | 2019-06-09 | 3.5 LOW | 5.4 MEDIUM | PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field. |
| CVE-2018-19461 | 1 Phome | 1 Empirecms | 2019-06-09 | 3.5 LOW | 4.8 MEDIUM | admin\db\DoSql.php in EmpireCMS through 7.5 allows XSS via crafted SQL syntax to admin/admin.php. |
| CVE-2018-8047 | 1 Vtiger | 1 Vtiger Crm | 2019-06-07 | 4.3 MEDIUM | 6.1 MEDIUM | vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter). |
| CVE-2019-3578 | 1 Mybb | 1 Mybb | 2019-06-07 | 4.3 MEDIUM | 6.1 MEDIUM | MyBB 1.8.19 has XSS in the resetpassword function. |
| CVE-2018-8035 | 1 Apache | 1 Unstructured Information Management Architecture Distributed Uima Cluster Computing | 2019-06-06 | 4.3 MEDIUM | 6.1 MEDIUM | This vulnerability relates to the user's browser processing of DUCC webpage input data. The JavaScript comprising Apache UIMA DUCC (<= 2.2.2) which runs in the user's browser does not sufficiently filter user-supplied inputs, which may result in unintended execution of user-supplied JavaScript code. |
| CVE-2016-7469 | 1 F5 | 16 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 13 more | 2019-06-06 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Configuration utility device name change page in BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, WebAccelerator, WOM and WebSafe version 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, and 11.2.1 allows an authenticated user to inject arbitrary web script or HTML. Exploitation requires Resource Administrator or Administrator privileges, and it could cause the Configuration utility client to become unstable. |
| CVE-2019-12542 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-06-06 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. |
| CVE-2019-12541 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-06-06 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. |
| CVE-2019-12538 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-06-06 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field. |
| CVE-2019-12741 | 1 Fhir | 1 Hapi Fhir | 2019-06-06 | 4.3 MEDIUM | 6.1 MEDIUM | XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.) |
| CVE-2019-12543 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-06-06 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. |
| CVE-2019-9647 | 1 Gilacms | 1 Gila Cms | 2019-06-06 | 4.3 MEDIUM | 6.1 MEDIUM | Gila CMS 1.9.1 has XSS. |
| CVE-2019-5588 | 1 Fortinet | 1 Fortios | 2019-06-06 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4 under the SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the "err" parameter of the error process HTTP requests. |
| CVE-2019-11226 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-06-05 | 3.5 LOW | 5.4 MEDIUM | CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News. |
| CVE-2019-11368 | 1 Auo | 1 Solar Data Recorder | 2019-06-05 | 3.5 LOW | 5.4 MEDIUM | Stored XSS was discovered in AUO Solar Data Recorder before 1.3.0 via the protect/config.htm addr parameter. |
| CVE-2019-12584 | 2 Apcupsd, Netgate | 2 Apcupsd, Pfsense | 2019-06-04 | 4.3 MEDIUM | 6.1 MEDIUM | Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php. |
| CVE-2019-9838 | 1 Vfront | 1 Vfront | 2019-06-04 | 4.3 MEDIUM | 6.1 MEDIUM | VFront 0.99.5 has stored XSS via the admin/sync_reg_tab.php azzera parameter, which is mishandled during admin/error_log.php rendering. |
| CVE-2019-9839 | 1 Vfront | 1 Vfront | 2019-06-04 | 4.3 MEDIUM | 6.1 MEDIUM | VFront 0.99.5 has Reflected XSS via the admin/menu_registri.php descrizione_g parameter or the admin/sync_reg_tab.php azzera parameter. |
| CVE-2017-14850 | 1 Orpak | 1 Siteomat | 2019-06-04 | 4.3 MEDIUM | 6.1 MEDIUM | All known versions of the Orpak SiteOmat web management console are vulnerable to multiple instances of Stored Cross-site Scripting due to improper external user-input validation. An attacker with access to the web interface is able to hijack sessions or navigate victims outside of SiteOmat, to a malicious server owned by him. |
| CVE-2019-11370 | 1 Carel | 2 Pcoweb Card, Pcoweb Card Firmware | 2019-06-04 | 3.5 LOW | 5.4 MEDIUM | Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" field. |
| CVE-2019-11511 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-06-03 | 4.3 MEDIUM | 6.1 MEDIUM | Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. |
| CVE-2016-10245 | 1 Doxygen | 1 Doxygen | 2019-06-03 | 4.3 MEDIUM | 6.1 MEDIUM | Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection. |
| CVE-2019-10047 | 1 Pydio | 1 Pydio | 2019-06-03 | 3.5 LOW | 5.4 MEDIUM | A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by leveraging the file upload and file preview features of the application. An authenticated attacker can upload an HTML file containing JavaScript code and afterwards a file preview URL can be used to access the uploaded file. If a malicious user shares an uploaded HTML file containing JavaScript code with another user of the application, and tricks an authenticated victim into accessing a URL that results in the HTML code being interpreted by the web browser, then the included JavaScript code is executed under the context of the victim user session. |
| CVE-2019-10325 | 1 Jenkins | 1 Warnings Next Generation | 2019-06-03 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers with Job/Configure permission to inject arbitrary JavaScript in build overview pages. |
| CVE-2019-12566 | 1 Veronalabs | 1 Wp Statistics | 2019-06-03 | 3.5 LOW | 5.4 MEDIUM | The WP Statistics plugin through 12.6.5 for WordPress has stored XSS in includes/class-wp-statistics-pages.php. This is related to an account with the Editor role creating a post with a title that contains JavaScript, to attack an admin user. |
| CVE-2019-4137 | 1 Ibm | 1 Spectrum Control | 2019-06-03 | 4.3 MEDIUM | 6.1 MEDIUM | IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158333. |
| CVE-2019-12507 | 1 Phprelativepath Project | 1 Phprelativepath | 2019-05-31 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS vulnerability exists in PHPRelativePath (aka Relative Path) through 1.0.2 via the RelativePath.Example1.php path parameter. |
| CVE-2015-7609 | 1 Synacor | 1 Zimbra Collaboration Suite | 2019-05-31 | 4.3 MEDIUM | 6.1 MEDIUM | Synacor Zimbra Mail Client 8.6 before 8.6.0 Patch 5 has XSS via the error/warning dialog and email body content in Zimbra. |
| CVE-2019-4184 | 1 Ibm | 1 Jazz Reporting Service | 2019-05-31 | 3.5 LOW | 5.4 MEDIUM | IBM Jazz Reporting Service 6.0 through 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158974. |
| CVE-2018-10948 | 1 Synacor | 1 Zimbra Collaboration Suite | 2019-05-31 | 3.5 LOW | 4.8 MEDIUM | Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 8.8.0 beta 2 has Persistent XSS via mail addrs. |
| CVE-2018-14425 | 1 Synacor | 1 Zimbra Collaboration Suite | 2019-05-31 | 4.3 MEDIUM | 6.1 MEDIUM | There is a Persistent XSS vulnerability in the briefcase component of Synacor Zimbra Collaboration Suite (ZCS) Zimbra Web Client (ZWC) 8.8.8 before 8.8.8 Patch 7 and 8.8.9 before 8.8.9 Patch 1. |
| CVE-2018-18631 | 1 Synacor | 1 Zimbra Collaboration Suite | 2019-05-30 | 4.3 MEDIUM | 6.1 MEDIUM | The mailboxd component in Synacor Zimbra Collaboration Suite 8.6, 8.7 before 8.7.11 Patch 7, and 8.8 before 8.8.10 Patch 2 has Persistent XSS. |
| CVE-2018-14013 | 1 Synacor | 1 Zimbra Collaboration Suite | 2019-05-30 | 4.3 MEDIUM | 6.1 MEDIUM | Synacor Zimbra Collaboration Suite before 8.8.11 has XSS in the AJAX and HTML web clients. |
| CVE-2018-13375 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2019-05-30 | 4.3 MEDIUM | 6.1 MEDIUM | An Improper Neutralization of Script-Related HTML Tags in Fortinet FortiAnalyzer 5.6.0 and below and FortiManager 5.6.0 and below allows an attacker to send a DHCP request containing malicious scripts in the HOSTNAME parameter. The malicious script code is executed while viewing the logs in FortiAnalyzer and FortiManager (with the FortiAnalyzer feature enabled). |
| CVE-2019-12347 | 1 Netgate | 1 Pfsense | 2019-05-30 | 4.3 MEDIUM | 6.1 MEDIUM | In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors. |
