Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-19352 | 1 Jupyter | 1 Notebook | 2018-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely. | |||||
| CVE-2018-19350 | 1 Seacms | 1 Seacms | 2018-12-17 | 3.5 LOW | 5.4 MEDIUM |
| In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwdsubmit email parameter during a password change, as demonstrated by a data: URL in an OBJECT element. | |||||
| CVE-2018-0697 | 1 Metabase | 1 Metabase | 2018-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Metabase version 0.29.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-0699 | 1 Hyuki | 1 Yukiwiki | 2018-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in YukiWiki 2.1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-14935 | 1 Polycom | 2 Trio 8500, Trio 8500 Firmware | 2018-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS. | |||||
| CVE-2018-0687 | 1 Neo | 2 Debun Imap, Debun Pop | 2018-12-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-19287 | 1 Ninjaforma | 1 Ninja Forms | 2018-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. | |||||
| CVE-2018-6081 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Linux Desktop and 2 more | 2018-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS vulnerabilities in Interstitials in Google Chrome prior to 65.0.3325.146 allowed an attacker who convinced a user to install a malicious extension or open Developer Console to inject arbitrary scripts or HTML via a crafted HTML page. | |||||
| CVE-2018-8605 | 1 Microsoft | 1 Dynamics 365 | 2018-12-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially crafted web request to an affected Dynamics server, aka "Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability." This affects Microsoft Dynamics 365. This CVE ID is unique from CVE-2018-8606, CVE-2018-8607, CVE-2018-8608. | |||||
| CVE-2018-8606 | 1 Microsoft | 1 Dynamics 365 | 2018-12-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially crafted web request to an affected Dynamics server, aka "Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability." This affects Microsoft Dynamics 365. This CVE ID is unique from CVE-2018-8605, CVE-2018-8607, CVE-2018-8608. | |||||
| CVE-2018-8607 | 1 Microsoft | 1 Dynamics 365 | 2018-12-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially crafted web request to an affected Dynamics server, aka "Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability." This affects Microsoft Dynamics 365. This CVE ID is unique from CVE-2018-8605, CVE-2018-8606, CVE-2018-8608. | |||||
| CVE-2018-8608 | 1 Microsoft | 1 Dynamics 365 | 2018-12-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially crafted web request to an affected Dynamics server, aka "Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability." This affects Microsoft Dynamics 365. This CVE ID is unique from CVE-2018-8605, CVE-2018-8606, CVE-2018-8607. | |||||
| CVE-2018-8547 | 1 Microsoft | 6 Windows 10, Windows 8.1, Windows Rt 8.1 and 3 more | 2018-12-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka "Active Directory Federation Services XSS Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. | |||||
| CVE-2018-19195 | 1 Xiaocms | 1 Xiaocms | 2018-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in XiaoCms 20141229. There is XSS related to the template\default\show_product.html file. | |||||
| CVE-2018-19170 | 1 Jpress | 1 Jpress | 2018-12-13 | 3.5 LOW | 4.8 MEDIUM |
| In JPress v1.0-rc.5, there is stored XSS via each of the first three input fields to the starter-tomcat-1.0/admin/setting URI, as demonstrated by the web_name parameter. | |||||
| CVE-2018-19193 | 1 Xiaocms | 1 Xiaocms | 2018-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in XiaoCms 20141229. There is XSS via the largest input box on the "New news" screen. | |||||
| CVE-2018-19080 | 2 Foscam, Opticam | 6 C2, C2 Application Firmware, C2 System Firmware and 3 more | 2018-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ONVIF devicemgmt SetHostname method allows unauthenticated persistent XSS. | |||||
| CVE-2018-19178 | 1 Jeesns | 1 Jeesns | 2018-12-13 | 3.5 LOW | 5.4 MEDIUM |
| In JEESNS 1.3, com/lxinet/jeesns/core/utils/XssHttpServletRequestWrapper.java allows stored XSS via an HTML EMBED element, a different vulnerability than CVE-2018-17886. | |||||
| CVE-2018-19092 | 1 Yzmcms | 1 Yzmcms | 2018-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in YzmCMS v5.2. It has XSS via a search/index/archives/pubtime/ query string, as demonstrated by the search/index/archives/pubtime/1526387722/page/1.html URI. NOTE: this does not obtain a user's cookie. | |||||
| CVE-2018-17184 | 1 Apache | 1 Syncope | 2018-12-13 | 3.5 LOW | 5.4 MEDIUM |
| A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed. | |||||
| CVE-2018-19206 | 2 Debian, Roundcube | 2 Debian Linux, Roundcube | 2018-12-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment. | |||||
| CVE-2018-10586 | 1 Netgain-systems | 1 Enterprise Manager | 2018-12-12 | 3.5 LOW | 4.8 MEDIUM |
| NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12. | |||||
| CVE-2018-19141 | 2 Debian, Otrs | 2 Debian Linux, Open Ticket Request System | 2018-12-12 | 3.5 LOW | 4.8 MEDIUM |
| Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before 5.0.31 allows an admin to conduct an XSS attack via a modified URL because user and customer preferences are mishandled. | |||||
| CVE-2018-19142 | 1 Otrs | 1 Open Ticket Request System | 2018-12-12 | 3.5 LOW | 4.8 MEDIUM |
| Open Ticket Request System (OTRS) 6.0.x before 6.0.13 allows an admin to conduct an XSS attack via a modified URL. | |||||
| CVE-2018-15707 | 1 Advantech | 1 Webaccess | 2018-12-12 | 3.5 LOW | 5.4 MEDIUM |
| Advantech WebAccess 8.3.1 and 8.3.2 are vulnerable to cross-site scripting in the Bwmainleft.asp page. An attacker could leverage this vulnerability to disclose credentials amongst other things. | |||||
| CVE-2018-19056 | 1 Ipandao | 1 Editor.md | 2018-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| pandao Editor.md 1.5.0 has DOM XSS via input starting with a "<<" substring, which is mishandled during construction of an A element. | |||||
| CVE-2018-19057 | 1 Sparksuite | 1 Simplemde | 2018-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| SimpleMDE 1.11.2 has XSS via an onerror attribute of a crafted IMG element, or via certain input with [ and ( characters, which is mishandled during construction of an A element. | |||||
| CVE-2018-18775 | 1 Microstrategy | 1 Microstrategy Web | 2018-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product. | |||||
| CVE-2018-18776 | 1 Microstrategy | 1 Microstrategy Web | 2018-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ShowAll parameter. NOTE: this is a deprecated product. | |||||
| CVE-2018-19131 | 1 Squid-cache | 1 Squid | 2018-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors. | |||||
| CVE-2018-19136 | 1 Domainmod | 1 Domainmod | 2018-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| DomainMOD through 4.11.01 has XSS via the assets/edit/registrar-account.php raid parameter. | |||||
| CVE-2018-19137 | 1 Domainmod | 1 Domainmod | 2018-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| DomainMOD through 4.11.01 has XSS via the assets/edit/ip-address.php ipid parameter. | |||||
| CVE-2018-19227 | 1 Laobancms | 1 Laobancms | 2018-12-11 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in LAOBANCMS 2.0. It allows XSS via the admin/liuyan.php neirong[] parameter. | |||||
| CVE-2018-19223 | 1 Laobancms | 1 Laobancms | 2018-12-11 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in LAOBANCMS 2.0. It allows XSS via the first input field to the admin/type.php?id=1 URI. | |||||
| CVE-2018-19229 | 1 Laobancms | 1 Laobancms | 2018-12-11 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in LAOBANCMS 2.0. It allows XSS via the admin/art.php?typeid=1 biaoti parameter. | |||||
| CVE-2018-18927 | 1 Publiccms | 1 Publiccms | 2018-12-11 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in PublicCMS V4.0. It allows XSS by modifying the page_list "attached" attribute (which typically has 'class="icon-globe icon-large"' in its value), as demonstrated by an 'UPDATE sys_module SET attached = "[XSS]" WHERE id="page_list"' statement. | |||||
| CVE-2018-19145 | 1 S-cms | 1 S-cms | 2018-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in S-CMS v1.5. There is an XSS vulnerability in search.php via the keyword parameter. | |||||
| CVE-2018-19083 | 1 Wecenter | 1 Wecenter | 2018-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| WeCenter 3.2.0 through 3.2.2 has XSS in the views/default/question/index.tpl.html htmlspecialchars_decode function via the /?/publish/ajax/publish_question/ question_content parameter. | |||||
| CVE-2018-19091 | 1 Tianti Project | 1 Tianti | 2018-12-11 | 3.5 LOW | 5.4 MEDIUM |
| tianti 2.3 has reflected XSS in the user management module via the tianti-module-admin/user/list userName parameter. | |||||
| CVE-2018-19089 | 1 Tianti Project | 1 Tianti | 2018-12-11 | 3.5 LOW | 5.4 MEDIUM |
| tianti 2.3 has stored XSS in the userlist module via the tianti-module-admin/user/ajax/save_role name parameter, which is mishandled in tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp. | |||||
| CVE-2018-19090 | 1 Tianti Project | 1 Tianti | 2018-12-11 | 3.5 LOW | 5.4 MEDIUM |
| tianti 2.3 has stored XSS in the article management module via an article title. | |||||
| CVE-2018-18909 | 1 Xheditor | 1 Xheditor | 2018-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| xhEditor 1.2.2 allows XSS via JavaScript code in the SRC attribute of an IFRAME element within the editor's source-code view. | |||||
| CVE-2018-18825 | 1 Pagoda Linux Project | 1 Pagoda Linux | 2018-12-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pagoda Linux panel V6.0 has XSS via the verification code associated with an invalid account login. A crafted code is mishandled during rendering of the login log. | |||||
| CVE-2018-18919 | 1 Iiong | 1 Wp Editor.md | 2018-12-11 | 3.5 LOW | 4.8 MEDIUM |
| The WP Editor.md plugin 10.0.1 for WordPress allows XSS via the comment area. | |||||
| CVE-2018-7427 | 1 Splunk | 1 Splunk | 2018-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-18717 | 1 Eleanor-cms | 1 Eleanor Cms | 2018-12-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Eleanor CMS through 2015-03-19. XSS exists via the ajax.php?direct=admin&file=autocomplete&query=[XSS] URI. | |||||
| CVE-2018-18868 | 1 No-cms Project | 1 No-cms | 2018-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| No-CMS 1.1.3 is prone to Persistent XSS via a contact_us name parameter, as demonstrated by the VG48Z5PqVWname parameter. | |||||
| CVE-2018-18943 | 1 Basercms | 1 Basercms | 2018-12-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in baserCMS before 4.1.4. In the Register New Category feature of the Upload menu, the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader_categories/edit URI. | |||||
| CVE-2017-11460 | 1 Sap | 1 Netweaver Portal | 2018-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535. | |||||
| CVE-2016-1911 | 1 Sap | 1 Netweaver | 2018-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security Notes 2206793 and 2234918. | |||||