Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16786 | 1 Dedecms | 1 Dedecms | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php. | |||||
| CVE-2018-17039 | 2 1234n, Microsoft | 2 Minicms, Internet Explorer | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted URI because $_SERVER['REQUEST_URI'] is mishandled. | |||||
| CVE-2018-17138 | 1 Nickelpro | 1 Jibu Pro | 2018-11-08 | 3.5 LOW | 5.4 MEDIUM |
| The Jibu Pro plugin through 1.7 for WordPress is prone to Stored XSS via the wp-content/plugins/jibu-pro/quiz_action.php name (aka Quiz Name) field. | |||||
| CVE-2018-13395 | 1 Atlassian | 1 Jira | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved. | |||||
| CVE-2017-10795 | 1 Intelliants | 1 Subrion | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows remote attackers to inject arbitrary web script or HTML via the body to blog/add/, a different vulnerability than CVE-2017-6069. | |||||
| CVE-2018-15596 | 1 Mybb | 1 Mybb | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading to XSS. | |||||
| CVE-2018-14890 | 1 Vectra | 1 Cognito | 2018-11-07 | 3.5 LOW | 5.4 MEDIUM |
| Vectra Networks Cognito Brain and Sensor before 4.2 contains a cross-site scripting (XSS) vulnerability in the Web Management Console. | |||||
| CVE-2018-1000665 | 1 Dojotoolkit | 1 Dojo | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross Site Scripting (XSS) vulnerability in unit.html and testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js in the DOH that can result in Victim attacked through their browser - deliver malware, steal HTTP cookies, bypass CORS trust. This attack appear to be exploitable via Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. This vulnerability appears to have been fixed in 1.14. | |||||
| CVE-2018-17321 | 1 Seacms | 1 Seacms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action. | |||||
| CVE-2018-7795 | 1 Schneider-electric | 2 Powerlogic Pm5560, Powerlogic Pm5560 Firmware | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting attack on its web browser. User inputs can be manipulated to cause execution of java script code. | |||||
| CVE-2018-17031 | 1 Gogs | 1 Gogs | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent. | |||||
| CVE-2017-15429 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Inappropriate implementation in V8 WebAssembly JS bindings in Google Chrome prior to 63.0.3239.108 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | |||||
| CVE-2018-1000670 | 1 Koha | 1 Koha | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , /cgi-bin/koha/serials/subscription-add.pl that can result in Privilege escalation by taking control of higher privileged users browser sessions. This attack appear to be exploitable via Victims must be socially engineered to visit a vulnerable webpage containing malicious payload. This vulnerability appears to have been fixed in 17.11. | |||||
| CVE-2018-17021 | 1 Asus | 2 Gt-ac5300, Gt-ac5300 Firmware | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability on ASUS GT-AC5300 devices with firmware through 3.0.0.4.384_32738 allows remote attackers to inject arbitrary web script or HTML via the appGet.cgi hook parameter. | |||||
| CVE-2018-17034 | 1 Ucms Project | 1 Ucms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| UCMS 1.4.6 has XSS via the install/index.php mysql_dbname parameter. | |||||
| CVE-2018-17061 | 1 Bullguard | 1 Safe Browsing | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| BullGuard Safe Browsing before 18.1.355.9 allows XSS on Google, Bing, and Yahoo! pages via domains indexed in search results. | |||||
| CVE-2018-17062 | 1 Seacms | 1 Seacms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in SeaCMS 6.64. XSS exists in admin_video.php via the action, area, type, yuyan, jqtype, v_isunion, v_recycled, v_ismoney, or v_ispsd parameter. | |||||
| CVE-2018-17085 | 1 Otcms | 1 Otcms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in OTCMS 3.61. XSS exists in admin/users.php via these parameters: dataTypeCN dataMode dataModeStr. | |||||
| CVE-2018-17086 | 1 Otcms | 1 Otcms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in OTCMS 3.61. XSS exists in admin/share_switch.php via these parameters: fieldName fieldName2 tabName. | |||||
| CVE-2018-17128 | 1 Mybb | 1 Mybb | 2018-11-07 | 3.5 LOW | 5.4 MEDIUM |
| A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode. | |||||
| CVE-2018-16607 | 1 Opmantek | 1 Open-audit | 2018-11-07 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Orgs Page in Open-AudIT Professional edition in 2.2.7 allows remote attackers to inject arbitrary web script via the Orgs name field. | |||||
| CVE-2018-16759 | 1 Easycms | 1 Easycms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The removeXSS function in App/Common/common.php (called from App/Modules/Index/Action/SearchAction.class.php) in EasyCMS v1.4 allows XSS via an onhashchange event. | |||||
| CVE-2018-16736 | 1 Rcfilters Project | 1 Rcfilters | 2018-11-06 | 3.5 LOW | 5.4 MEDIUM |
| In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the _whatfilter and _messages parameters (in the Filters section of the settings). | |||||
| CVE-2018-16363 | 1 Webdesi9 | 1 File Manager | 2018-11-06 | 3.5 LOW | 5.4 MEDIUM |
| The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php. | |||||
| CVE-2018-16324 | 1 Icewarp | 1 Mail Server | 2018-11-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| In IceWarp Server 12.0.3.1 and before, there is XSS in the /webmail/ username field. | |||||
| CVE-2018-15574 | 1 Reprisesoftware | 1 Reprise License Manager | 2018-11-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated "We do not consider this a vulnerability." | |||||
| CVE-2018-15679 | 1 Btiteam | 1 Xbtit | 2018-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in BTITeam XBTIT 2.5.4. The "keywords" parameter in the search function available at /index.php?page=forums&action=search is vulnerable to reflected cross-site scripting. | |||||
| CVE-2018-15678 | 1 Btiteam | 1 Xbtit | 2018-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in BTITeam XBTIT 2.5.4. The "act" parameter in the sign-up page available at /index.php?page=signup is vulnerable to reflected cross-site scripting. | |||||
| CVE-2018-6643 | 1 Infoblox | 1 Netmri | 2018-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter. | |||||
| CVE-2018-15562 | 1 Isweb | 1 Isweb | 2018-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| CMS ISWEB 3.5.3 has XSS via the ordineRis, sezioneRicerca, or oggettiRicerca parameter to index.php. | |||||
| CVE-2018-16298 | 1 1234n | 1 Minicms | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php?tag= XSS vulnerability for a state=delete, state=draft, or state=publish request. | |||||
| CVE-2018-16313 | 1 Bludit | 1 Bludit | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Bludit 2.3.4 allows XSS via a user name. | |||||
| CVE-2018-16325 | 1 Get-simple | 1 Getsimple Cms | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field. | |||||
| CVE-2018-16622 | 1 Html-js | 1 Doracms | 2018-11-02 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in /api/content/addOne in DoraCMS v2.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) discription or (2) comments field, related to users/userAddContent. | |||||
| CVE-2018-16285 | 1 Userproplugin | 1 Userpro | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php. | |||||
| CVE-2018-16654 | 1 Zurmo | 1 Zurmo Crm | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zurmo 3.2.4 Stable allows XSS via app/index.php/accounts/default/details?id=2&kanbanBoard=1&openToTaskId=1. | |||||
| CVE-2018-16728 | 1 Feindura | 1 Feindura | 2018-11-02 | 3.5 LOW | 5.4 MEDIUM |
| feindura 2.0.7 allows XSS via the tags field of a new page created at index.php?category=0&page=new. | |||||
| CVE-2018-16980 | 1 Dotcms | 1 Dotcms | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters. | |||||
| CVE-2017-15427 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar. | |||||
| CVE-2018-0715 | 1 Qnap | 1 Photo Station | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in QNAP Photo Station versions 5.7.0 and earlier could allow remote attackers to inject Javascript code in the compromised application. | |||||
| CVE-2018-15546 | 1 Accusoft | 1 Prizmdoc | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Accusoft PrizmDoc version 13.3 and earlier contains a Stored Cross-Site Scripting issue through a crafted PDF file. | |||||
| CVE-2018-15880 | 1 Joomla | 1 Joomla\! | 2018-11-02 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Joomla! before 3.8.12. Inadequate output filtering on the user profile page could lead to a stored XSS attack. | |||||
| CVE-2018-8426 | 1 Microsoft | 3 Sharepoint Enterprise Server 2013, Sharepoint Enterprise Server 2016, Sharepoint Server 2010 | 2018-11-02 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint. | |||||
| CVE-2018-17046 | 1 Translate Man Project | 1 Translate Man | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| translate man before 2018-08-21 has XSS via containers/outputBox/outputBox.vue and store/index.js. | |||||
| CVE-2018-16727 | 1 Razorcms | 1 Razorcms | 2018-11-02 | 3.5 LOW | 5.4 MEDIUM |
| razorCMS 3.4.7 allows Stored XSS via the keywords of the homepage within the settings component. | |||||
| CVE-2018-16726 | 1 Razorcms | 1 Razorcms | 2018-11-02 | 3.5 LOW | 5.4 MEDIUM |
| razorCMS 3.4.7 allows HTML injection via the description of the homepage within the settings component. | |||||
| CVE-2018-16776 | 1 Creatiwity | 1 Witycms | 2018-11-02 | 3.5 LOW | 4.8 MEDIUM |
| wityCMS 0.6.2 has XSS via the "Site Name" field found in the "Contact" "Configuration" page. | |||||
| CVE-2018-16653 | 1 Rejucms Project | 1 Rejucms | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| rejucms 2.1 has XSS via the ucenter/cms_user_add.php u_name parameter. | |||||
| CVE-2018-14059 | 1 Pimcore | 1 Pimcore | 2018-11-01 | 3.5 LOW | 5.4 MEDIUM |
| Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions. | |||||
| CVE-2018-17090 | 1 I4a | 1 Donlinkage | 2018-11-01 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in DonLinkage 6.6.8. The modules /pages/bazy/bazy_adresow.php and /pages/proxy/add.php are vulnerable to stored XSS that can be triggered by closing <textarea> followed by <script></script> tags. | |||||