Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-17130 | 1 Phpmywind | 1 Phpmywind | 2018-11-01 | 3.5 LOW | 5.4 MEDIUM |
| PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header, | |||||
| CVE-2018-16978 | 1 Monstra | 1 Monstra | 2018-10-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Monstra CMS V3.0.4 has XSS when one tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473. | |||||
| CVE-2018-14396 | 1 Cremecrm | 1 Cremecrm | 2018-10-31 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Creme CRM 1.6.12. The salesman creation page is affected by 10 stored cross-site scripting vulnerabilities involving the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters. | |||||
| CVE-2018-14397 | 1 Cremecrm | 1 Cremecrm | 2018-10-31 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Creme CRM 1.6.12. The organization creation page is affected by 9 stored cross-site scripting vulnerabilities involving the name, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters. | |||||
| CVE-2018-15896 | 1 Website Seller Script Project | 1 Website Seller Script | 2018-10-31 | 3.5 LOW | 5.4 MEDIUM |
| PHP Scripts Mall Website Seller Script 2.0.5 has XSS via Personal Address or Company Name. | |||||
| CVE-2018-16405 | 1 Mayan-edms | 1 Mayan Edms | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mayan EDMS before 3.0.2. The Appearance app sets window.location directly, leading to XSS. | |||||
| CVE-2018-16406 | 1 Mayan-edms | 1 Mayan Edms | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mayan EDMS before 3.0.2. The Cabinets app has XSS via a crafted cabinet label. | |||||
| CVE-2018-16407 | 1 Mayan-edms | 1 Mayan Edms | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mayan EDMS before 3.0.3. The Tags app has XSS because tag label values are mishandled. | |||||
| CVE-2018-17025 | 1 Monstra | 1 Monstra | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role. | |||||
| CVE-2018-17026 | 1 Monstra | 1 Monstra | 2018-10-30 | 3.5 LOW | 4.8 MEDIUM |
| admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121. | |||||
| CVE-2018-16233 | 1 1234n | 1 Minicms | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| MiniCMS V1.10 has XSS via the mc-admin/post-edit.php tags parameter. | |||||
| CVE-2018-15899 | 1 1234n | 1 Minicms | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability. | |||||
| CVE-2018-10227 | 1 1234n | 1 Minicms | 2018-10-30 | 3.5 LOW | 5.4 MEDIUM |
| MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter. | |||||
| CVE-2018-10296 | 1 1234n | 1 Minicms | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| MiniCMS V1.10 has XSS via the mc-admin/post-edit.php title parameter. | |||||
| CVE-2018-1000638 | 1 1234n | 1 Minicms | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerability in http://example.org/mc-admin/page.php?date={payload} that can result in code injection. | |||||
| CVE-2016-4848 | 1 Clip-bucket | 1 Clipbucket | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in ClipBucket before 2.8.1 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-8010 | 3 Icinga, Opensuse, Opensuse Project | 3 Icinga, Leap, Leap | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi. | |||||
| CVE-2016-4068 | 2 Opensuse, Roundcube | 4 Leap, Opensuse, Roundcube Webmail and 1 more | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. | |||||
| CVE-2016-2833 | 3 Canonical, Mozilla, Opensuse | 4 Ubuntu Linux, Firefox, Leap and 1 more | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mozilla Firefox before 47.0 ignores Content Security Policy (CSP) directives for cross-domain Java applets, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted applet. | |||||
| CVE-2017-6820 | 1 Roundcube | 1 Webmail | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. | |||||
| CVE-2015-8864 | 2 Opensuse, Roundcube | 4 Leap, Opensuse, Roundcube Webmail and 1 more | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. | |||||
| CVE-2015-5381 | 1 Roundcube | 2 Roundcube Webmail, Webmail | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. | |||||
| CVE-2016-5099 | 2 Opensuse, Phpmyadmin | 2 Opensuse, Phpmyadmin | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. | |||||
| CVE-2016-1652 | 4 Debian, Google, Opensuse and 1 more | 4 Debian Linux, Chrome, Leap and 1 more | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the Extensions subsystem in Google Chrome before 50.0.2661.75 allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)." | |||||
| CVE-2017-5938 | 4 Debian, Opensuse, Opensuse Project and 1 more | 4 Debian Linux, Leap, Leap and 1 more | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name. | |||||
| CVE-2016-5733 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. | |||||
| CVE-2016-5731 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. | |||||
| CVE-2016-5705 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. | |||||
| CVE-2016-1937 | 2 Mozilla, Opensuse | 3 Firefox, Leap, Opensuse | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| The protocol-handler dialog in Mozilla Firefox before 44.0 allows remote attackers to conduct clickjacking attacks via a crafted web site that triggers a single-click action in a situation where a double-click action was intended. | |||||
| CVE-2016-5164 | 2 Google, Opensuse | 2 Chrome, Leap | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in WebKit/Source/platform/v8_inspector/V8Debugger.cpp in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to inject arbitrary web script or HTML into the Developer Tools (aka DevTools) subsystem via a crafted web site, aka "Universal XSS (UXSS)." | |||||
| CVE-2016-5165 | 2 Google, Opensuse | 2 Chrome, Leap | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Developer Tools (aka DevTools) subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux allows remote attackers to inject arbitrary web script or HTML via the settings parameter in a chrome-devtools-frontend.appspot.com URL's query string. | |||||
| CVE-2016-2040 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Leap, Opensuse and 1 more | 2018-10-30 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. | |||||
| CVE-2016-2043 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Leap, Opensuse and 1 more | 2018-10-30 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page. | |||||
| CVE-2018-9283 | 1 Cremecrm | 1 Cremecrm | 2018-10-30 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue was discovered in CremeCRM 1.6.12. It is affected by 10 stored Cross-Site Scripting (XSS) vulnerabilities in the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters in the contact creation and modification page. The payload is stored within the application database and allows the execution of JavaScript code each time a client visits an infected page. | |||||
| CVE-2014-4932 | 1 Wordfence | 1 Wordfence Security | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val parameter to whois.php. | |||||
| CVE-2018-15699 | 1 Asustor | 1 Data Master | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take advantage of this by inserting JavaScript into the configuration file's Version field. | |||||
| CVE-2018-16142 | 1 Phpok | 1 Phpok | 2018-10-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHPOK 4.8.278 has a Reflected XSS vulnerability in framework/www/login_control.php via the _back parameter to the ok_f function. | |||||
| CVE-2018-16381 | 1 E107 | 1 E107 | 2018-10-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter. | |||||
| CVE-2018-16780 | 1 Complete Responsive Cms Blog Project | 1 Complete Responsive Cms Blog | 2018-10-29 | 3.5 LOW | 5.4 MEDIUM |
| Complete Responsive CMS Blog through 2018-05-20 has XSS via a comment. | |||||
| CVE-2018-16725 | 1 Baijiacms Project | 1 Baijiacms | 2018-10-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue is discovered in baijiacms V4. XSS exists via the assets/weengine/components/zclip/ZeroClipboard.swf id parameter, aka "Non-standard use of the flash component." | |||||
| CVE-2018-15605 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-10-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in phpMyAdmin before 4.8.3. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature. | |||||
| CVE-2018-16330 | 1 Ipandao | 1 Editor.md | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pandao Editor.md 1.5.0 allows XSS via crafted attributes of an invalid IMG element. | |||||
| CVE-2018-16348 | 1 Seacms | 1 Seacms | 2018-10-25 | 3.5 LOW | 4.8 MEDIUM |
| SeaCMS V6.61 has XSS via the admin_video.php v_content parameter, related to the site name. | |||||
| CVE-2018-16347 | 1 Gleezcms | 1 Gleez Cms | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Gleez CMS v1.2.0. There is XSS via media/imagecache/resize. | |||||
| CVE-2018-16342 | 1 Showdoc | 1 Showdoc | 2018-10-25 | 3.5 LOW | 5.4 MEDIUM |
| ShowDoc v1.8.0 has XSS via a new page. | |||||
| CVE-2018-16361 | 1 Btiteam | 1 Xbtit | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in BTITeam XBTIT 2.5.4. news.php allows XSS via the id parameter. | |||||
| CVE-2018-16372 | 1 Ideacms | 1 Ideacms | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| The issue was discovered in IdeaCMS through 2016-04-30. There is reflected XSS via the index.php?c=content&a=search kw parameter. NOTE: this product is discontinued. | |||||
| CVE-2018-16450 | 1 Craftedweb Project | 1 Craftedweb | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| CraftedWeb through 2013-09-24 has reflected XSS via the p parameter. | |||||
| CVE-2018-0672 | 1 Sixapart | 1 Movable Type | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Movable Type versions prior to Ver. 6.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-16358 | 1 Dotclear | 1 Dotclear | 2018-10-24 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS payload with the file extension .ahtml. | |||||
