Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7325 | 1 Zoneminder | 1 Zoneminder | 2019-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as multiple views under web/skins/classic/views insecurely utilize $_REQUEST['PHP_SELF'], without applying any proper filtration. | |||||
| CVE-2019-7326 | 1 Zoneminder | 1 Zoneminder | 2019-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'Host' parameter value in the view console (console.php) because proper filtration is omitted. This relates to the index.php?view=monitor Host Name field. | |||||
| CVE-2018-1000841 | 1 Zend | 1 Zendto | 2019-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zend.To version Prior to 5.15-1 contains a Cross Site Scripting (XSS) vulnerability in The verify.php page that can result in An attacker could execute arbitrary Javascript code in the context of the victim's browser.. This attack appear to be exploitable via HTTP POST request. This vulnerability appears to have been fixed in 5.16-1 Beta. | |||||
| CVE-2018-19922 | 1 Actiontec | 2 C1000a, C1000a Firmware | 2019-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent Cross-Site Scripting (XSS) in the advancedsetup_websiteblocking.html Website Blocking page of the Actiontec C1000A router with firmware through CAC004-31.30L.95 allows a remote attacker to inject arbitrary HTML into the Website Blocking page by inserting arbitrary HTML into the 'TodUrlAdd' URL parameter in a /urlfilter.cmd POST request. | |||||
| CVE-2018-19041 | 1 Media File Manager Project | 1 Media File Manager | 2019-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Media File Manager plugin 1.4.2 for WordPress allows XSS via the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI. | |||||
| CVE-2018-18940 | 1 Netscape | 1 Enterprise Server | 2019-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| servlet/SnoopServlet (a servlet installed by default) in Netscape Enterprise 3.63 has reflected XSS via an arbitrary parameter=[XSS] in the query string. A remote unauthenticated attacker could potentially exploit this vulnerability to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. NOTE: this product is discontinued. | |||||
| CVE-2019-7295 | 1 Typora | 1 Typora | 2019-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| typora through 0.9.63 has XSS, with resultant remote command execution, during block rendering of a mathematical formula. | |||||
| CVE-2019-7296 | 1 Typora | 1 Typora | 2019-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| typora through 0.9.64 has XSS, with resultant remote command execution, during inline rendering of a mathematical formula. | |||||
| CVE-2019-7250 | 1 Cross Reference Project | 1 Cross Reference | 2019-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the Cross Reference Add-on 36 for Google Docs. Stored XSS in the preview boxes in the configuration panel may allow a malicious user to use both label text and references text to inject arbitrary JavaScript code (via SCRIPT elements, event handlers, etc.). Since this code is stored by the plugin, the attacker may be able to target anyone who opens the configuration panel of the plugin. | |||||
| CVE-2018-12611 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite 7.8.4 and earlier allows Directory Traversal. | |||||
| CVE-2018-19782 | 1 Freshrss | 1 Freshrss | 2019-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) c parameter or (2) a parameter. | |||||
| CVE-2018-1000415 | 1 Rebuild Project | 1 Rebuild | 2019-01-30 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, RebuildAction/ValidatingStringParameterValue.jelly that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms. | |||||
| CVE-2018-20071 | 1 Google | 1 Chrome | 2019-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controled files via a crafted HTML page. | |||||
| CVE-2018-20367 | 1 Wstmart | 1 Wstmart | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "mall some commodity details: commodity consultation" component in WSTMart 2.0.8_181212 has stored XSS via the consultContent parameter, as demonstrated by the index.php/home/goodsconsult/add.html URI. | |||||
| CVE-2019-6992 | 1 Zoneminder | 1 Zoneminder | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a long NAME or PROTOCOL to the index.php?view=controlcaps URI. | |||||
| CVE-2019-7172 | 1 Atutor | 1 Atutor | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php. | |||||
| CVE-2019-7168 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Blog field to /admin/nodes/nodes/add/blog. | |||||
| CVE-2019-7169 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/menus/menus/edit/3. | |||||
| CVE-2019-7170 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/taxonomy/vocabularies. | |||||
| CVE-2019-7171 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/blocks/blocks/edit/8. | |||||
| CVE-2019-7173 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4. | |||||
| CVE-2018-16084 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default selected dialog button in CustomHandlers in Google Chrome prior to 69.0.3497.81 allowed a remote attacker who convinced the user to perform certain operations to open external programs via a crafted HTML page. | |||||
| CVE-2019-6979 | 1 Ip History Logs Project | 1 Ip History Logs | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the User IP History Logs (aka IP_History_Logs) plugin 1.0.2 for MyBB. There is XSS via the admin/modules/tools/ip_history_logs.php useragent field. | |||||
| CVE-2019-6990 | 1 Zoneminder | 1 Zoneminder | 2019-01-29 | 3.5 LOW | 5.4 MEDIUM |
| A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the index.php?view=zones&action=zoneImage&mid=1 URI. | |||||
| CVE-2018-19727 | 1 Adobe | 1 Experience Manager | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2018-19724 | 1 Adobe | 1 Experience Manager | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2018-19726 | 1 Adobe | 1 Experience Manager | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2019-6803 | 1 Typora | 1 Typora | 2019-01-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| typora through 0.9.9.20.3 beta has XSS, with resultant remote command execution, via the left outline bar. | |||||
| CVE-2015-9276 | 1 Smartertools | 1 Smartermail | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS by bypassing the anti-XSS mechanisms. It was possible to run JavaScript code when a victim user opens or replies to the attacker's email, which contained a malicious payload. Therefore, users' passwords could be reset by using an XSS attack, as the password reset page did not need the current password. | |||||
| CVE-2015-9281 | 6 Hpe, Ibm, Linux and 3 more | 6 Hp-ux Ipfilter, Aix, Linux Kernel and 3 more | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows reflected XSS on the Timeout page. | |||||
| CVE-2019-6777 | 1 Zoneminder | 1 Zoneminder | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?view=plugin pl parameter. | |||||
| CVE-2018-14846 | 1 Mondula | 1 Multi Step Form | 2019-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The Mondula Multi Step Form plugin before 1.2.8 for WordPress has multiple stored XSS via wp-admin/admin-ajax.php. | |||||
| CVE-2017-18358 | 1 Limesurvey | 1 Limesurvey | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin panel. | |||||
| CVE-2018-16199 | 1 Toshiba | 4 Hem-gw16a, Hem-gw16a Firmware, Hem-gw26a and 1 more | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows an remote attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-0698 | 1 Weseek | 1 Growi | 2019-01-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-16206 | 1 Ohtanz | 1 Spam-byebye | 2019-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WordPress plugin spam-byebye 2.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-20682 | 1 Fork-cms | 1 Fork Cms | 2019-01-23 | 3.5 LOW | 5.4 MEDIUM |
| Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka "Admin ids" input in the Facebook section). | |||||
| CVE-2016-10737 | 1 S9y | 1 Serendipity | 2019-01-23 | 3.5 LOW | 5.4 MEDIUM |
| Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter. | |||||
| CVE-2018-20731 | 1 Nedi | 1 Nedi | 2019-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in NeDi before 1.7Cp3 allows remote attackers to inject arbitrary web script or HTML via User-Chat.php. | |||||
| CVE-2018-20729 | 1 Nedi | 1 Nedi | 2019-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross site scripting (XSS) vulnerability in NeDi before 1.7Cp3 allows remote attackers to inject arbitrary web script or HTML via the reg parameter in mh.php. | |||||
| CVE-2019-0646 | 1 Microsoft | 1 Team Foundation Server | 2019-01-22 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team. | |||||
| CVE-2019-6278 | 1 Jpress | 1 Jpress | 2019-01-18 | 3.5 LOW | 5.4 MEDIUM |
| XSS exists in JPress v1.0.4 via Markdown input, or Markdown input with the code input option. | |||||
| CVE-2019-6248 | 1 Citysearch \/ Hotfrog \/ Gelbeseiten Clone Script Project | 1 Citysearch \/ Hotfrog \/ Gelbeseiten Clone Script | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the srch parameter, as demonstrated by restaurants-details.php. | |||||
| CVE-2018-16193 | 1 Nec | 4 Aterm Wf1200cr, Aterm Wf1200cr Firmware, Aterm Wg1200cr and 1 more | 2019-01-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-0238 | 1 Sap | 1 Hybris | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-16180 | 1 Daj | 1 I-filter | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in i-FILTER Ver.9.50R05 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-20524 | 1 Urlchatbox | 1 Chat Anywhere | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of <<a> in a message, because a danmuWrapper DIV element in chatbox-only\danmu.js is outside the scope of a Content Security Policy (CSP). | |||||
| CVE-2019-0244 | 1 Sap | 3 Customer Relationship Management Webclient Ui, S4fnd, Sapscore | 2019-01-17 | 3.5 LOW | 5.4 MEDIUM |
| SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0245 | 1 Sap | 3 Customer Relationship Management Webclient Ui, S4fnd, Sapscore | 2019-01-17 | 3.5 LOW | 5.4 MEDIUM |
| SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-6267 | 1 Premiumwpsuite | 1 Easy Redirect Manager | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Premium WP Suite Easy Redirect Manager plugin 28.07-17 for WordPress has XSS via a crafted GET request that is mishandled during log viewing at the templates/admin/redirect-log.php URI. | |||||