Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-9186 | 1 Fortinet | 1 Fortiauthenticator | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header. | |||||
| CVE-2019-11428 | 1 I-librarian | 1 I\, Librarian | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| I, Librarian 4.10 has XSS via the export.php export_files parameter. | |||||
| CVE-2017-9781 | 1 Check Mk Project | 1 Check Mk | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username parameter when attempting authentication to webapi.py, which is returned unencoded with content type text/html. | |||||
| CVE-2019-11359 | 1 I-librarian | 1 I\, Librarian | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary web script or HTML via the project parameter. | |||||
| CVE-2018-19970 | 2 Debian, Phpmyadmin | 2 Debian Linux, Phpmyadmin | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name. | |||||
| CVE-2019-9841 | 1 Vestacp | 1 Control Panel | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Vesta Control Panel 0.9.8-23 allows XSS via a crafted URL. | |||||
| CVE-2018-17288 | 1 Kofax | 1 Front Office Server | 2019-04-19 | 3.5 LOW | 5.4 MEDIUM |
| Kofax Front Office Server version 4.1.1.11.0.5212 (both Thin Client and Administration Console) suffers from multiple authenticated stored XSS vulnerabilities via the (1) "Filename" field in /Kofax/KFS/ThinClient/document/upload/ - (Thin Client) or (2) "DeviceName" field in /Kofax/KFS/Admin/DeviceService/device/ - (Administration Console). | |||||
| CVE-2019-11084 | 1 Gbraad | 1 Gauth | 2019-04-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| GAuth 0.9.9 beta has stored XSS that shows a popup repeatedly and discloses cookies. | |||||
| CVE-2019-5778 | 4 Debian, Fedoraproject, Google and 1 more | 6 Debian Linux, Fedora, Chrome and 3 more | 2019-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| A missing case for handling special schemes in permission request checks in Extensions in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to bypass extension permission checks for privileged pages via a crafted Chrome Extension. | |||||
| CVE-2018-19498 | 1 Simplenia | 1 Pages | 2019-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simplenia Pages plugin 2.6.0 for Atlassian Bitbucket Server has XSS. | |||||
| CVE-2017-15294 | 1 Sap | 1 Customer Relationship Management | 2019-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964. | |||||
| CVE-2018-10680 | 1 Zblogcn | 1 Z-blogphp | 2019-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is "just a functional bug." | |||||
| CVE-2018-7736 | 1 Zblogcn | 1 Z-blogphp | 2019-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability. | |||||
| CVE-2016-5005 | 1 Apache | 1 Archiva | 2019-04-16 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Apache Archiva 1.3.9 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via the connector.sourceRepoId parameter to admin/addProxyConnector_commit.action. | |||||
| CVE-2018-11208 | 1 Zblogcn | 1 Z-blogphp | 2019-04-16 | 3.5 LOW | 4.8 MEDIUM |
| ** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the "copyright information office" field. NOTE: the vendor indicates that the product was not intended to block this type of XSS by a user with the admin privilege. | |||||
| CVE-2018-12653 | 1 Myadrenalin | 1 Adrenalin | 2019-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross Site Scripting (XSS) vulnerability exists in Adrenalin HRMS 5.4.0. An attacker can input malicious JavaScript code in /RPT/SSRSDynamicEditReports.aspx via 'ReportId' parameter. | |||||
| CVE-2018-18017 | 1 Tribulant | 1 Slideshow Gallery | 2019-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-galleries&method=save Gallery[id] or Gallery[title] parameter. | |||||
| CVE-2018-18019 | 1 Tribulant | 1 Slideshow Gallery | 2019-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-slides&method=save Slide[title], Slide[media_file], or Slide[image_url] parameter. | |||||
| CVE-2019-1574 | 1 Paloaltonetworks | 1 Expedition Migration Tool | 2019-04-15 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Palo Alto Networks Expedition Migration tool 1.1.12 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the Devices View. | |||||
| CVE-2018-18261 | 1 Bijiadao | 1 Waimai Super Cms | 2019-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In waimai Super Cms 20150505, there is an XSS vulnerability via the /admin.php/Foodcat/addsave fcname parameter. | |||||
| CVE-2019-9167 | 1 Nagios | 1 Nagios Xi | 2019-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. | |||||
| CVE-2019-9844 | 2 Fedoraproject, Khanacademy | 2 Fedora, Simple-markdown | 2019-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| simple-markdown.js in Khan Academy simple-markdown before 0.4.4 allows XSS via a data: or vbscript: URI. | |||||
| CVE-2018-18308 | 1 Bigtreecms | 1 Bigtree Cms | 2019-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area). | |||||
| CVE-2018-20244 | 1 Apache | 1 Airflow | 2019-04-12 | 3.5 LOW | 5.5 MEDIUM |
| In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | |||||
| CVE-2018-19201 | 1 Mybb | 1 Mybb | 2019-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter. | |||||
| CVE-2018-19202 | 1 Mybb | 1 Mybb | 2019-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]' parameter. | |||||
| CVE-2019-9644 | 1 Jupyter | 1 Notebook | 2019-04-12 | 4.3 MEDIUM | 5.4 MEDIUM |
| An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer's error messages can include the content of any invalid JavaScript that was encountered. | |||||
| CVE-2019-0216 | 1 Apache | 1 Airflow | 2019-04-11 | 3.5 LOW | 4.8 MEDIUM |
| A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | |||||
| CVE-2019-9696 | 1 Symantec | 1 Vip Enterprise Gateway | 2019-04-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Symantec VIP Enterprise Gateway (all versions) may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy. | |||||
| CVE-2019-6117 | 1 Wpape | 1 Ape Gallery | 2019-04-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wpape APE GALLERY plugin 1.6.14 for WordPress has stored XSS via the classGallery.php getCategories function. | |||||
| CVE-2019-0830 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2019-04-10 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2019-0831. | |||||
| CVE-2019-0831 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2019-04-10 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2019-0830. | |||||
| CVE-2019-10904 | 2 Debian, Roundup-tracker | 2 Debian Linux, Roundup | 2019-04-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors. | |||||
| CVE-2019-0778 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Foundation | 2019-04-09 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. | |||||
| CVE-2019-0777 | 1 Microsoft | 1 Team Foundation Server | 2019-04-09 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka 'Team Foundation Server Cross-site Scripting Vulnerability'. | |||||
| CVE-2019-10634 | 1 Zyxel | 2 Nas326, Nas326 Firmware | 2019-04-09 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields. | |||||
| CVE-2019-11002 | 1 Materializecss | 1 Materialize | 2019-04-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Materialize through 1.0.0, XSS is possible via the Tooltip feature. | |||||
| CVE-2019-11003 | 1 Materializecss | 1 Materialize | 2019-04-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Materialize through 1.0.0, XSS is possible via the Autocomplete feature. | |||||
| CVE-2019-9593 | 1 Mitel | 1 Connect Onsite | 2019-04-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 18.82.2000.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter. | |||||
| CVE-2019-9592 | 1 Mitel | 1 Connect Onsite | 2019-04-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 19.45.1602.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter. | |||||
| CVE-2019-9591 | 1 Mitel | 1 Connect Onsite | 2019-04-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE before 19.49.1500.0 allows remote attackers to inject arbitrary web script or HTML via the brandUrl parameter. | |||||
| CVE-2019-11004 | 1 Materializecss | 1 Materialize | 2019-04-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Materialize through 1.0.0, XSS is possible via the Toast feature. | |||||
| CVE-2018-4374 | 2 Apple, Microsoft | 6 Icloud, Iphone Os, Itunes and 3 more | 2019-04-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A logic issue was addressed with improved validation. This issue affected versions prior to iOS 12.1, watchOS 5.1, Safari 12.0.1, iTunes 12.9.1, iCloud for Windows 7.8. | |||||
| CVE-2018-4377 | 2 Apple, Microsoft | 6 Icloud, Iphone Os, Itunes and 3 more | 2019-04-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. This issue affected versions prior to iOS 12.1, watchOS 5.1, Safari 12.0.1, iTunes 12.9.1, iCloud for Windows 7.8. | |||||
| CVE-2018-4345 | 2 Apple, Microsoft | 6 Icloud, Iphone Os, Itunes and 3 more | 2019-04-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. This issue affected versions prior to iOS 12, tvOS 12, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7. | |||||
| CVE-2018-1731 | 1 Ibm | 1 Doors Next Generation | 2019-04-05 | 3.5 LOW | 4.8 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 5.0 through 5.0.3 and 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 147710. | |||||
| CVE-2018-4309 | 2 Apple, Microsoft | 6 Icloud, Iphone Os, Itunes and 3 more | 2019-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. This issue affected versions prior to iOS 12, tvOS 12, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7. | |||||
| CVE-2018-18882 | 1 Controlbyweb | 2 X-320m-i, X-320m-i Firmware | 2019-04-03 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) issue was discovered in ControlByWeb X-320M-I Web-Enabled Instrumentation-Grade Data Acquisition module 1.05 with firmware revision v1.05. An authenticated user can inject arbitrary script via setup.html in the web interface. | |||||
| CVE-2018-17989 | 1 Dlink | 2 Dsl-3782, Dsl-3782 Firmware | 2019-04-02 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page. The injected payload would be executed in a user's browser when "/cgi-bin/New_GUI/Acl.asp" is requested. | |||||
| CVE-2019-7400 | 1 Rukovoditel | 1 Rukovoditel | 2019-04-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rukovoditel before 2.4.1 allows XSS. | |||||