Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-17054 | 1 Progress | 1 Sitefinity Cms | 2018-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17053. | |||||
| CVE-2018-17056 | 1 Progress | 1 Sitefinity Cms | 2018-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in ServiceStack in Progress Sitefinity CMS versions 10.2 through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-17556 | 1 Modx | 1 Modx Revolution | 2018-11-15 | 3.5 LOW | 5.4 MEDIUM |
| MODX Revolution v2.6.5-pl allows stored XSS via a Create New Media Source action. | |||||
| CVE-2018-15606 | 1 Salesagility | 1 Suitecrm | 2018-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message. | |||||
| CVE-2018-17832 | 1 Wuzhicms | 1 Wuzhi Cms | 2018-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in WUZHI CMS 2.0 via the index.php v or f parameter. | |||||
| CVE-2018-16277 | 1 Xwiki | 1 Xwiki | 2018-11-15 | 3.5 LOW | 5.4 MEDIUM |
| The Image Import function in XWiki through 10.7 has XSS. | |||||
| CVE-2018-17369 | 1 Springboot Authority Project | 1 Springboot Authority | 2018-11-15 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in springboot_authority through 2017-03-06. There is stored XSS via the admin/role/edit roleKey, name, or description parameter. | |||||
| CVE-2018-17574 | 1 Ymfe | 1 Yapi | 2018-11-14 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the name field of a project. | |||||
| CVE-2015-9270 | 1 Theholidaycalendar | 1 Holiday Calendar | 2018-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in the the-holiday-calendar plugin before 1.11.3 for WordPress via the thc-month parameter. | |||||
| CVE-2018-16779 | 1 Blogcms Project | 1 Blogcms | 2018-11-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| BlogCMS through 2016-10-25 has XSS via a comment. | |||||
| CVE-2018-17320 | 1 Ucms Project | 1 Ucms | 2018-11-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in UCMS 1.4.6. aaddpost.php has stored XSS via the sadmin/aindex.php minfo parameter in a sadmin_aaddpost action. | |||||
| CVE-2018-16147 | 1 Opsview | 1 Opsview | 2018-11-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting. | |||||
| CVE-2018-16148 | 1 Opsview | 1 Opsview | 2018-11-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting. | |||||
| CVE-2018-0642 | 1 Foliovision | 1 Fv Flowplayer Video Player | 2018-11-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-17361 | 1 Weaselcms Project | 1 Weaselcms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple XSS vulnerabilities in WeaselCMS v0.3.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php because $_SERVER['PHP_SELF'] is mishandled. | |||||
| CVE-2018-4133 | 3 Apple, Canonical, Webkitgtk | 3 Safari, Ubuntu Linux, Webkitgtk\+ | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in certain Apple products. Safari before 11.1 is affected. The issue involves the "WebKit" component. A Safari cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2018-17002 | 1 Ricoh | 2 Mp 2001sp, Mp 2001sp Firmware | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| On the RICOH MP 2001 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi. | |||||
| CVE-2018-17001 | 1 Ricoh | 2 Sp 4510sf, Sp 4510sf Firmware | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| On the RICOH SP 4510SF printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi. | |||||
| CVE-2018-17322 | 1 Yunucms | 1 Yunucms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in index.php/index/category/index in YUNUCMS 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the area parameter. | |||||
| CVE-2018-17003 | 1 Limesurvey | 1 Limesurvey | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert. | |||||
| CVE-2018-16965 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter. | |||||
| CVE-2018-16833 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI. | |||||
| CVE-2018-16346 | 1 Chemcms Project | 1 Chemcms | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM |
| ChemCMS 1.0.6 has XSS via the "setting -> website information" field. | |||||
| CVE-2018-9282 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Subsonic Media Server 6.1.1. The podcast subscription form is affected by a stored XSS vulnerability in the add parameter to podcastReceiverAdmin.view; no administrator access is required. By injecting a JavaScript payload, this flaw could be used to manipulate a user's session, or elevate privileges by targeting an administrative user. | |||||
| CVE-2018-11352 | 1 Wallabag | 1 Wallabag | 2018-11-09 | 2.1 LOW | 4.0 MEDIUM |
| The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be exploited with authentication and used to target administrators and steal their sessions. | |||||
| CVE-2018-2464 | 1 Sap | 1 Netweaver | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-16955 | 1 Oracle | 1 Webcenter Interaction | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The login function of Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). The content of the in_hi_redirect parameter, when prefixed with the https:// scheme, is unsafely reflected in a HTML META tag in the HTTP response. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support. | |||||
| CVE-2018-16953 | 1 Oracle | 1 Webcenter Interaction | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The AjaxView::DisplayResponse() function of the portalpages.dll assembly in Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). User input from the name parameter is unsafely reflected in the server response. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support. | |||||
| CVE-2018-16327 | 1 Intelliants | 1 Subrion | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM |
| There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration. | |||||
| CVE-2018-17140 | 1 Vms-studio | 1 Quizlord | 2018-11-09 | 3.5 LOW | 5.4 MEDIUM |
| The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS via the title parameter in a ql_insert action to wp-admin/admin.php. | |||||
| CVE-2018-17113 | 1 Easycms | 1 Easycms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploadify.swf in EasyCMS 1.5 has XSS via the uploadifyID or movieName parameter, a related issue to CVE-2018-9173. | |||||
| CVE-2018-16316 | 1 Portainer | 1 Portainer | 2018-11-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field. | |||||
| CVE-2018-17077 | 1 Yiqicms Project | 1 Yiqicms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in yiqicms through 2016-11-20. There is stored XSS in comment.php because a length limit can be bypassed. | |||||
| CVE-2018-10763 | 1 Synametrics | 1 Synaman | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Synametrics SynaMan 4.0 build 1488 via the (1) Main heading or (2) Sub heading fields in the Partial Branding configuration page. | |||||
| CVE-2018-17051 | 1 Knet | 1 Cisco Configuration Manager | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| K-Net Cisco Configuration Manager through 2014-11-19 has XSS via devices.php. | |||||
| CVE-2018-17044 | 1 Yzmcms | 1 Yzmcms | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM |
| In YzmCMS 5.1, stored XSS exists via the admin/system_manage/user_config_add.html title parameter. | |||||
| CVE-2018-17049 | 1 Cqu Lankers Project | 1 Cqu Lankers | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| CQU-LANKERS through 2017-11-02 has XSS via the public/api.php callback parameter in an uploadpic action. | |||||
| CVE-2018-8470 | 1 Microsoft | 5 Internet Explorer, Windows 10, Windows 7 and 2 more | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A security feature bypass vulnerability exists in Internet Explorer due to how scripts are handled that allows a universal cross-site scripting (UXSS) condition, aka "Internet Explorer Security Feature Bypass Vulnerability." This affects Internet Explorer 11. | |||||
| CVE-2018-16729 | 1 Pluck-cms | 1 Pluck | 2018-11-09 | 3.5 LOW | 5.4 MEDIUM |
| Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files. | |||||
| CVE-2018-16805 | 1 B3log | 1 Solo | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM |
| In b3log Solo 2.9.3, XSS in the Input page under the Publish Articles menu, with an ID of linkAddress stored in the link JSON field, allows remote attackers to inject arbitrary Web scripts or HTML via a crafted site name provided by an administrator. | |||||
| CVE-2018-16775 | 1 Victor Cms Project | 1 Victor Cms | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the site name in the "Categories" menu. | |||||
| CVE-2018-16655 | 1 Gxlcms | 1 Gxlcms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Gxlcms 1.0 has XSS via the PATH_INFO to gx/lib/ThinkPHP/Tpl/ThinkException.tpl.php. | |||||
| CVE-2018-14688 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Subsonic 6.1.1. The radio settings are affected by three stored cross-site scripting vulnerabilities in the name[x], streamUrl[x], homepageUrl[x] parameters (where x is an integer) to internetRadioSettings.view that could be used to steal session information of a victim. | |||||
| CVE-2018-14689 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Subsonic 6.1.1. The transcoding settings are affected by five stored cross-site scripting vulnerabilities in the name[x], sourceformats[x], targetFormat[x], step1[x], and step2[x] parameters (where x is an integer) to transcodingSettings.view that could be used to steal session information of a victim. | |||||
| CVE-2018-14691 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Subsonic 6.1.1. The music tags feature is affected by three stored cross-site scripting vulnerabilities in the c0-param2, c0-param3, and c0-param4 parameters to dwr/call/plaincall/tagService.setTags.dwr that could be used to steal session information of a victim. | |||||
| CVE-2018-14690 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Subsonic 6.1.1. The general settings are affected by two stored cross-site scripting vulnerabilities in the title and subtitle parameters to generalSettings.view that could be used to steal session information of a victim. | |||||
| CVE-2018-14899 | 1 Epson | 2 Wf-2750, Wf-2750 Firmware | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| On the EPSON WF-2750 printer with firmware JP02I2, the Web interface AirPrint Setup page is vulnerable to HTML Injection that can redirect users to malicious sites. | |||||
| CVE-2018-15563 | 1 Intelliants | 1 Subrion | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| _core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] parameter. | |||||
| CVE-2018-14840 | 1 Intelliants | 1 Subrion | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads). | |||||
| CVE-2017-6913 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag. | |||||
