Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-5760 | 1 Novell | 1 Groupwise | 2019-05-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the administrator console in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allow remote attackers to inject arbitrary web script or HTML via the (1) token parameter to gwadmin-console/install/login.jsp or (2) PATH_INFO to gwadmin-console/index.jsp. | |||||
| CVE-2016-5761 | 1 Novell | 1 Groupwise | 2019-05-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allows remote attackers to inject arbitrary web script or HTML via a crafted email. | |||||
| CVE-2019-7324 | 1 Kanboard | 1 Kanboard | 2019-05-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting. | |||||
| CVE-2019-11604 | 1 Quest | 1 Kace Systems Management Appliance | 2019-05-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page. | |||||
| CVE-2019-7129 | 1 Adobe | 1 Experience Manager Forms | 2019-05-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2017-14186 | 1 Fortinet | 1 Fortios | 2019-05-29 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4 and below versions under SSL VPN web portal allows a remote user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. An URL Redirection attack may also be feasible by injecting an external URL via the affected parameter. | |||||
| CVE-2019-8346 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-05-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token. | |||||
| CVE-2019-12195 | 1 Tp-link | 2 Tl-wr840n, Tl-wr840n Firmware | 2019-05-29 | 3.5 LOW | 4.8 MEDIUM |
| TP-Link TL-WR840N v5 00000005 devices allow XSS via the network name. The attacker must log into the router by breaking the password and going to the admin login page by THC-HYDRA to get the network name. With an XSS payload, the network name changed automatically and the internet connection was disconnected. All the users become disconnected from the internet. | |||||
| CVE-2019-12362 | 1 Phome | 1 Empirecms | 2019-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| EmpireCMS 7.5.0 has XSS via the HTTP Referer header to e/member/doaction.php. | |||||
| CVE-2019-12315 | 1 Samsung | 2 Scx-824, Scx-824 Firmware | 2019-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Samsung SCX-824 printers allow a reflected Cross-Site-Scripting (XSS) vulnerability that can be triggered by using the "print from file" feature, as demonstrated by the sws/swsAlert.sws?popupid=successMsg msg parameter. | |||||
| CVE-2019-12313 | 1 Dollarshaveclub | 1 Shave | 2019-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Shave before 2.5.3 because output encoding is mishandled during the overwrite of an HTML element. | |||||
| CVE-2019-11876 | 2 Drupal, Prestashop | 2 Drupal, Prestashop | 2019-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. | |||||
| CVE-2018-12624 | 1 Eventum Project | 1 Eventum | 2019-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Eventum 3.5.0. /htdocs/post_note.php has XSS via the garlic_prefix parameter. | |||||
| CVE-2019-10685 | 1 Heidelberg | 1 Prinect Archiver | 2019-05-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Heidelberg Prinect Archiver v2013 release 1.0. | |||||
| CVE-2017-11739 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-05-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the dashboard where it was added. An attacker can abuse this functionality by creating a "Utility Widget" that contains malicious JavaScript code, aka XSS. | |||||
| CVE-2019-12167 | 1 Emerson | 2 Liebert Challenger, Liebert Challenger Firmware | 2019-05-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter. | |||||
| CVE-2018-19614 | 1 Westermo | 6 Dr-250, Dr-250 Firmware, Dr-260 and 3 more | 2019-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in the /cmdexec/cmdexe?cmd= function in Westermo DR-250 Pre-5162 and DR-260 Pre-5162 routers. | |||||
| CVE-2017-11560 | 1 Zohocorp | 1 Manageengine Opmanager | 2019-05-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the application. Thus, an attacker can inject a malicious JavaScript payload inside the HTML file and upload it to the application. | |||||
| CVE-2017-13668 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 3.5 LOW | 5.4 MEDIUM |
| OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS). | |||||
| CVE-2017-15030 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS). | |||||
| CVE-2017-17061 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 3.5 LOW | 5.4 MEDIUM |
| OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS). | |||||
| CVE-2019-12189 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field. | |||||
| CVE-2017-5213 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS). | |||||
| CVE-2019-10076 | 1 Apache | 1 Jspwiki | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. | |||||
| CVE-2019-10077 | 1 Apache | 1 Jspwiki | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. | |||||
| CVE-2019-10078 | 1 Apache | 1 Jspwiki | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable. | |||||
| CVE-2019-3402 | 1 Atlassian | 1 Jira | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | |||||
| CVE-2018-7202 | 1 Projectsend | 1 Projectsend | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in ProjectSend before r1053. XSS exists in the "Name" field on the My Account page. | |||||
| CVE-2017-5864 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS). | |||||
| CVE-2017-9808 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS). | |||||
| CVE-2019-6577 | 1 Siemens | 22 Simatic Hmi Comfort Outdoor Panels, Simatic Hmi Comfort Outdoor Panels Firmware, Simatic Hmi Comfort Panels and 19 more | 2019-05-22 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15.1 Update 1), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15.1 Update 1), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 und KTP900F (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Professional (All versions < V15.1 Update 1), SIMATIC WinCC (TIA Portal) (All versions < V15.1 Update 1), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The integrated web server could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify particular parts of the device configuration via SNMP. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires system privileges and user interaction. An attacker could use the vulnerability to compromise confidentiality and the integrity of the affected system. At the stage of publishing this security advisory no public exploitation is known. | |||||
| CVE-2019-10066 | 1 Otrs | 1 Otrs | 2019-05-22 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS. | |||||
| CVE-2019-12190 | 1 Centos-webpanel | 1 Centos Web Panel | 2019-05-21 | 3.5 LOW | 5.4 MEDIUM |
| XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.747 via the testacc/fileManager2.php fm_current_dir or filename parameter. | |||||
| CVE-2018-7064 | 2 Arubanetworks, Siemens | 3 Aruba Instant, Scalance W1750d, Scalance W1750d Firmware | 2019-05-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability is present in an unauthenticated Aruba Instant web interface. An attacker could use this vulnerability to trick an IAP administrator into clicking a link which could then take administrative actions on the Instant cluster, or expose the session cookie for an administrative session. Workaround: Administrators should make sure they log out of the Aruba Instant UI when not actively managing the system, and should use caution clicking links from external sources while logged into the IAP administrative interface. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0 | |||||
| CVE-2019-3602 | 1 Mcafee | 1 Network Security Manager | 2019-05-21 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML. | |||||
| CVE-2019-12184 | 1 Boostio | 1 Boostnote | 2019-05-20 | 3.5 LOW | 5.4 MEDIUM |
| There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136. | |||||
| CVE-2019-11205 | 1 Tibco | 2 Spotfire Analytics Platform For Aws, Spotfire Server | 2019-05-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains vulnerabilities that theoretically allow reflected cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: 7.14.0; 7.14.1; 10.0.0; 10.0.1; 10.1.0; 10.2.0, and TIBCO Spotfire Server: 7.14.0; 10.0.0; 10.0.1; 10.1.0; 10.2.0. | |||||
| CVE-2019-11846 | 1 Dotcms | 1 Dotcms | 2019-05-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| /servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection. | |||||
| CVE-2019-11809 | 1 Joomla | 1 Joomla\! | 2019-05-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector. | |||||
| CVE-2018-1000078 | 2 Debian, Rubygems | 2 Debian Linux, Rubygems | 2019-05-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. | |||||
| CVE-2018-20242 | 1 Apache | 1 Jspwiki | 2019-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking. | |||||
| CVE-2019-0224 | 1 Apache | 1 Jspwiki | 2019-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser. | |||||
| CVE-2018-7117 | 1 Hp | 20 Integrated Lights-out 5 Firmware, Proliant Bl460c Gen10, Proliant Dl120 Gen10 and 17 more | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A remote Cross-Site Scripting in HPE iLO 5 Web User Interface vulnerability was identified in HPE Integrated Lights-Out 5 (iLO 5) for Gen10 ProLiant Servers earlier than version v1.40. | |||||
| CVE-2019-5932 | 1 Cybozu | 1 Garoon | 2019-05-17 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.6.3 allows remote authenticated attackers to inject arbitrary web script or HTML via the application 'Portal'. | |||||
| CVE-2019-5940 | 1 Cybozu | 1 Garoon | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Scheduler'. | |||||
| CVE-2019-5938 | 1 Cybozu | 1 Garoon | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Mail'. | |||||
| CVE-2019-5939 | 1 Cybozu | 1 Garoon | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Portal'. | |||||
| CVE-2019-5937 | 1 Cybozu | 1 Garoon | 2019-05-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to inject arbitrary web script or HTML via the user information. | |||||
| CVE-2019-5947 | 1 Cybozu | 1 Garoon | 2019-05-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.10.1 allows remote authenticated attackers to inject arbitrary web script or HTML via the application 'Cabinet'. | |||||
| CVE-2019-5929 | 1 Cybozu | 1 Garoon | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.6.3 allows remote attackers to inject arbitrary web script or HTML via the application 'Memo'. | |||||