Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-5928 | 1 Cybozu | 1 Garoon | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.6.3 allows remote attackers to inject arbitrary web script or HTML via Customize Item function. | |||||
| CVE-2019-8926 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource. | |||||
| CVE-2019-8937 | 1 Digitaldruid | 1 Hoteldruid | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| HotelDruid 2.3.0 has XSS affecting the nsextt, cambia1, mese_fine, origine, and anno parameters in creaprezzi.php, tabella3.php, personalizza.php, and visualizza_tabelle.php. | |||||
| CVE-2019-8928 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName. | |||||
| CVE-2019-8927 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11. | |||||
| CVE-2019-8929 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype. | |||||
| CVE-2019-0963 | 1 Microsoft | 1 Sharepoint Foundation | 2019-05-17 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. | |||||
| CVE-2019-8924 | 1 Apachefriends | 1 Xampp | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter. NOTE: This product is discontinued. | |||||
| CVE-2019-12139 | 1 Ez | 2 Ezplatform-admin-ui, Ezplatform-page-builder | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in the Admin UI in eZ Platform 2.x. This affects ezplatform-admin-ui 1.3.x before 1.3.5 and 1.4.x before 1.4.4, and ezplatform-page-builder 1.1.x before 1.1.5 and 1.2.x before 1.2.4. | |||||
| CVE-2019-11033 | 1 Applaudsolutions | 1 Applaud Hcm | 2019-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Applaud HCM 4.0.42+ uses HTML tag fields for HTML inputs in a form. This leads to an XSS vulnerability with a payload starting with the <iframe./> substring. | |||||
| CVE-2019-12136 | 1 Boostio | 1 Boostnote | 2019-05-16 | 3.5 LOW | 5.4 MEDIUM |
| There is XSS in BoostIO Boostnote 0.11.15 via a label named mermaid, as demonstrated by a crafted SRC attribute of an IFRAME element. | |||||
| CVE-2019-0298 | 1 Sap | 1 E-commerce | 2019-05-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP E-Commerce (Business-to-Consumer) application does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. Fixed in the following components: SAP-CRMJAV, SAP-CRMWEB, SAP-SHRWEB, SAP-SHRJAV, SAP-CRMAPP, SAP-SHRAPP, versions 7.30, 7.31, 7.32, 7.33, 7.54. | |||||
| CVE-2016-10719 | 1 Tp-link | 2 Archer Cr700, Archer Cr700 Firmware | 2019-05-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| TP-Link Archer CR-700 1.0.6 devices have an XSS vulnerability that can be introduced into the admin account through a DHCP request, allowing the attacker to steal the cookie information, which contains the base64 encoded username and password. | |||||
| CVE-2019-6341 | 3 Debian, Drupal, Fedoraproject | 3 Debian Linux, Drupal, Fedora | 2019-05-16 | 3.5 LOW | 5.4 MEDIUM |
| In Drupal 7 versions prior to 7.65, Drupal 8.6 versions prior to 8.6.13, and Drupal 8.5 versions prior to 8.5.14, under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2019-10111 | 1 Gitlab | 1 Gitlab | 2019-05-16 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page. | |||||
| CVE-2018-16138 | 1 Ipbrick | 1 Ipbrick Os | 2019-05-15 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in the administration page in IPBRICK OS 6.3. There are multiple XSS vulnerabilities. | |||||
| CVE-2014-9917 | 1 Bilboplanet | 1 Bilboplanet | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Bilboplanet 2.0. There is a stored XSS vulnerability when adding a tag via the user/?page=tribes tags parameter. | |||||
| CVE-2014-9919 | 1 Bilboplanet | 1 Bilboplanet | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the fullname parameter to signup.php. | |||||
| CVE-2014-9918 | 1 Bilboplanet | 1 Bilboplanet | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the user_id parameter to signup.php. | |||||
| CVE-2019-11429 | 1 Centos-webpanel | 1 Centos Web Panel | 2019-05-15 | 3.5 LOW | 4.8 MEDIUM |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions" > "Add DNS Zone" screen. | |||||
| CVE-2019-8390 | 1 Qdpm | 1 Qdpm | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. | |||||
| CVE-2019-8391 | 1 Qdpm | 1 Qdpm | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| qdPM 9.1 suffers from Cross-site Scripting (XSS) via the configuration?type=[XSS] parameter. | |||||
| CVE-2018-16139 | 1 Bibliosoft | 1 Bibliopac | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in BIBLIOsoft BIBLIOpac 2008 allows remote attackers to inject arbitrary web script or HTML via the db or action parameter to bin/wxis.exe/bibliopac/. | |||||
| CVE-2019-4204 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2019-05-15 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 159125. | |||||
| CVE-2018-20838 | 1 Magazine3 | 1 Amp For Wp | 2019-05-14 | 3.5 LOW | 5.4 MEDIUM |
| ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS. | |||||
| CVE-2019-6514 | 1 Wso2 | 1 Dashboard Server | 2019-05-14 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to inject a JavaScript payload that will be stored in the database and then displayed and executed on the same page, aka XSS. | |||||
| CVE-2018-14664 | 1 Theforeman | 1 Foreman | 2019-05-14 | 3.5 LOW | 5.4 MEDIUM |
| A flaw was found in foreman from versions 1.18. A stored cross-site scripting vulnerability exists due to improperly escaped HTML code in the breadcrumbs bar. This allows a user with permissions to edit which attribute is used in the breadcrumbs bar to store code that will be executed on the client side. | |||||
| CVE-2018-16887 | 2 Redhat, Theforeman | 2 Satellite, Katello | 2019-05-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable. | |||||
| CVE-2018-16861 | 1 Theforeman | 1 Foreman | 2019-05-14 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable. | |||||
| CVE-2018-14710 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2019-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. | |||||
| CVE-2018-15530 | 1 Xerox | 2 Colorqube 8580, Colorqube 8580 Firmware | 2019-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code. | |||||
| CVE-2019-7411 | 1 Mythemeshop | 1 Launcher | 2019-05-14 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL). | |||||
| CVE-2019-11869 | 1 Yuzopro | 1 Yuzo | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting. | |||||
| CVE-2018-19048 | 1 Mycolorway | 1 Simditor | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Simditor through 2.3.21 allows DOM XSS via an onload attribute within a malformed SVG element. | |||||
| CVE-2018-16624 | 1 Getkirby | 1 Kirby | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page. | |||||
| CVE-2018-16623 | 1 Getkirby | 1 Kirby | 2019-05-13 | 3.5 LOW | 4.8 MEDIUM |
| Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown. | |||||
| CVE-2018-12302 | 1 Seagate | 1 Nas Os | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Missing HTTPOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting. | |||||
| CVE-2018-18524 | 1 Evernote | 1 Evernote | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability. An attacker can use this XSS issue to inject Node.js code under Present mode. After a victim opens an affected note under Present mode, the attacker can read the victim's files and achieve remote command execution on the victim's computer. | |||||
| CVE-2018-12303 | 1 Seagate | 1 Nas Os | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via directory names. | |||||
| CVE-2019-12043 | 1 Remarkable Project | 1 Remarkable | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL. | |||||
| CVE-2018-18872 | 1 Kieranoshea | 1 Calendar | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stored XSS via the event_title parameter in a wp-admin/admin.php?page=calendar add action, or the category name during category creation at the wp-admin/admin.php?page=calendar-categories URI. | |||||
| CVE-2019-7409 | 1 Vegadesign | 1 Profiledesign Cms | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign CMS v6.0.2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) gbs, (3) side, (4) id, (5) imgid, (6) cat, or (7) orderby parameter. | |||||
| CVE-2019-12047 | 1 Gridea | 1 Gridea | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Gridea v0.8.0 has an XSS vulnerability through which the Nodejs module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "<img src=# onerror='eval(new Buffer(" substring. | |||||
| CVE-2018-12299 | 1 Seagate | 1 Nas Os | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via uploaded file names. | |||||
| CVE-2018-12297 | 1 Seagate | 1 Nas Os | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in API error pages in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via URL path names. | |||||
| CVE-2017-18121 | 2 Debian, Simplesamlphp | 2 Debian Linux, Simplesamlphp | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser. | |||||
| CVE-2018-12304 | 1 Seagate | 1 Nas Os | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL. | |||||
| CVE-2018-16626 | 1 Typesettercms | 1 Typesetter | 2019-05-13 | 3.5 LOW | 4.8 MEDIUM |
| index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name. | |||||
| CVE-2018-16625 | 1 Typesettercms | 1 Typesetter | 2019-05-13 | 3.5 LOW | 4.8 MEDIUM |
| index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. | |||||
| CVE-2018-16639 | 1 Typesettercms | 1 Typesetter | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation. | |||||
