| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-3747 | 1 Public.js Project | 1 Public.js | 2018-09-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The public node module, versions <= 1.0.3, allows HTML to be embedded in file names, which (in certain conditions) might lead to execution of malicious JavaScript. | |||||
| CVE-2018-2431 | 1 Sap | 1 Businessobjects Business Intelligence | 2018-09-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, does not sufficiently encode user controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-11350 | 1 Jirafeau | 1 Jirafeau | 2018-09-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Jirafeau before 3.4.1. The file "search by name" form is affected by one Cross-Site Scripting vulnerability via the name parameter. | |||||
| CVE-2018-13252 | 1 Entrustdatacard | 1 Syntera Customization Suite | 2018-09-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Entrust Datacard Syntera CS 5.x has XSS via the name field of "Domain or Computer Name" in the login page. | |||||
| CVE-2018-13878 | 1 Rocket.chat | 1 Rocket.chat | 2018-09-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel. | |||||
| CVE-2018-13879 | 1 Rocket.chat | 1 Rocket.chat | 2018-09-05 | 3.5 LOW | 5.4 MEDIUM |
| A reflected XSS issue was discovered in the registration form in Rocket.Chat before 0.66. When one creates an account, the next step will ask for a username. This field will not save HTML control characters but an error will be displayed that shows the attempted username unescaped via packages/rocketchat-ui-login/client/username/username.js in packages/rocketchat-ui-login/client/username/username.html. | |||||
| CVE-2018-2435 | 1 Sap | 1 Netweaver Enterprise Portal | 2018-09-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-13849 | 1 Instagram-clone Project | 1 Instagram-clone | 2018-09-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| edit_requests.php in yTakkar Instagram-clone through 2018-04-23 has XSS via an onmouseover payload because of an inadequate XSS protection mechanism based on preg_replace. | |||||
| CVE-2017-16710 | 1 Crestron | 4 Airmedia Am-100, Airmedia Am-100 Firmware, Airmedia Am-101 and 1 more | 2018-09-05 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-8299 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Foundation | 2018-09-05 | 3.5 LOW | 5.4 MEDIUM |
| An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-8323. | |||||
| CVE-2018-8323 | 1 Microsoft | 1 Sharepoint Enterprise Server | 2018-09-05 | 3.5 LOW | 5.4 MEDIUM |
| An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-8299. | |||||
| CVE-2018-8326 | 1 Microsoft | 1 Web Customizations | 2018-09-05 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka "Open Source Customization for Active Directory Federation Services XSS Vulnerability." This affects Web Customizations. | |||||
| CVE-2018-13998 | 1 Clippercms | 1 Clippercms | 2018-09-04 | 3.5 LOW | 4.8 MEDIUM |
| ClipperCMS 1.3.3 has stored XSS via the Full Name field of (1) Security -> Manager Users or (2) Security -> Web Users. | |||||
| CVE-2018-13999 | 1 Catfish-cms | 1 Catfish Cms | 2018-09-04 | 3.5 LOW | 4.8 MEDIUM |
| Catfish CMS v4.7.9 allows XSS via the admin/Index/write.html editorValue parameter (aka an article posted by an administrator). | |||||
| CVE-2018-10231 | 1 Topdesk | 1 Topdesk | 2018-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |||||
| CVE-2018-8046 | 1 Sencha | 1 Ext Js | 2018-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The getTip() method of Action Columns of Sencha Ext JS 4 to 6 before 6.6.0 is vulnerable to XSS attacks, even when passed HTML-escaped data. This framework brings no built-in XSS protection, so the developer has to ensure that data is correctly sanitized. However, the getTip() method of Action Columns takes HTML-escaped data and un-escapes it. If the tooltip contains user-controlled data, an attacker could exploit this to create a cross-site scripting attack, even when developers took precautions and escaped data. | |||||
| CVE-2013-0592 | 1 Ibm | 1 Inotes | 2018-09-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM iNotes before 8.5.3 Fix Pack 6 and 9.x before 9.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 83815. | |||||
| CVE-2018-13388 | 1 Atlassian | 2 Crucible, Fisheye | 2018-09-04 | 3.5 LOW | 5.4 MEDIUM |
| The review attachment resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in attached files. | |||||
| CVE-2018-11124 | 1 Opmantek | 1 Open-audit | 2018-09-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Attributes functionality in Open-AudIT Community edition before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted attribute name of an Attribute. | |||||
| CVE-2018-13106 | 1 Clippercms | 1 Clippercms | 2018-08-31 | 3.5 LOW | 4.8 MEDIUM |
| ClipperCMS 1.3.3 has stored XSS via the "Tools -> Configuration" screen of the manager/ URI. | |||||
| CVE-2018-1000559 | 1 Qutebrowser | 1 Qutebrowser | 2018-08-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| qutebrowser, from the version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449), contains a Cross Site Scripting (XSS) vulnerability in the history command (qute://history page): via injected JavaScript code, a website can steal the user's browsing history. The attack is exploitable if the victim opens a page with a specially crafted <title> attribute and then opens the qute://history site via the :history command. This vulnerability appears to have been fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week). | |||||
| CVE-2018-10076 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2018-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zoho ManageEngine EventLog Analyzer 11.12. A Cross-Site Scripting vulnerability allows a remote attacker to inject arbitrary web script or HTML via the search functionality (the search box of the Dashboard). | |||||
| CVE-2018-12903 | 1 Cyberark | 1 Endpoint Privilege Manager | 2018-08-30 | 3.5 LOW | 5.4 MEDIUM |
| In CyberArk Endpoint Privilege Manager (formerly Viewfinity) 10.2.1.603, there is persistent XSS via an account name on the create token screen, the VfManager.asmx SelectAccounts->DisplayName screen, a user's groups in ConfigurationPage, the Dialog Title field, and App Group Name in the Application Group Wizard. | |||||
| CVE-2018-10075 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2018-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Zoho ManageEngine EventLog Analyzer 11.12 allows remote attackers to inject arbitrary web script or HTML via the import logs feature. | |||||
| CVE-2018-12255 | 1 Invoiceplane | 1 Invoiceplane | 2018-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field. | |||||
| CVE-2018-1000528 | 2 Debian, Gonicus | 2 Debian Linux, Gosa | 2018-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| GONICUS GOsa, in versions before commit 56070d6289d47ba3f5918885954dcceb75606001, contains a Cross Site Scripting (XSS) vulnerability in the change password form (html/password.php, #308) that can result in injection of arbitrary web script or HTML. The attack is exploitable if the victim opens a specially crafted web page. This vulnerability appears to have been fixed after commit 56070d6289d47ba3f5918885954dcceb75606001. | |||||
| CVE-2018-1000516 | 1 Galaxyproject | 1 Galaxy | 2018-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Galaxy Project Galaxy version v14.10 contains a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability: many templates used in the Galaxy server did not properly sanitize user input, which allows cross-site scripting (XSS) attacks. In this form of attack, a malicious person can create a URL which, when opened by a Galaxy user or administrator, allows the malicious user to execute arbitrary JavaScript. The attack is exploitable if the victim interacts with a component on a page which contains injected JavaScript code. This vulnerability appears to have been fixed in v14.10.1 and v15.01. | |||||
| CVE-2018-12705 | 1 Digisol | 2 Dg-br4000ng, Dg-br4000ng Firmware | 2018-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| DIGISOL DG-BR4000NG devices have XSS via the SSID (it is validated only on the client side). | |||||
| CVE-2013-2999 | 1 Ibm | 1 Infosphere Data Replication Dashboard | 2018-08-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM InfoSphere Data Replication Dashboard 9.7 and 10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 84115. | |||||
| CVE-2018-11351 | 1 Jirafeau | 1 Jirafeau | 2018-08-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| script.php in Jirafeau before 3.4.1 is affected by two stored Cross-Site Scripting (XSS) vulnerabilities. These are stored within the shared files description file and allow the execution of a JavaScript payload each time an administrator searches or lists uploaded files. These two injections could be triggered without authentication, and target the administrator. The attack vectors are the Content-Type field and the filename parameter. | |||||
| CVE-2018-0499 | 2 Canonical, Xapian | 2 Ubuntu Linux, Xapian-core | 2018-08-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability in queryparser/termgenerator_internal.cc in Xapian xapian-core before 1.4.6 exists due to incomplete HTML escaping by Xapian::MSet::snippet(). | |||||
| CVE-2018-11588 | 1 Centreon | 2 Centreon, Centreon Web | 2018-08-28 | 3.5 LOW | 5.4 MEDIUM |
| Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or command description, resulting in stored XSS. This is related to www/include/core/menu/menu.php and www/include/configuration/configObject/command/formArguments.php. | |||||
| CVE-2018-1000529 | 1 Grails | 1 Grails Fields | 2018-08-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XSS) vulnerability when using the display tag. This vulnerability appears to have been fixed in 2.2.8. | |||||
| CVE-2018-3748 | 1 Glance Project | 1 Glance | 2018-08-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is a Stored XSS vulnerability in the glance node module, versions <= 3.0.5. A file name containing malicious HTML (e.g. an embedded iframe element or a javascript: pseudo-protocol handler in an <a> element) allows JavaScript code to be executed against any user who opens a directory listing containing such a crafted file name. | |||||
| CVE-2018-13433 | 1 Boostnote | 1 Boostnote | 2018-08-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Boostnote v0.11.7 allows XSS during highlighting of Markdown text, as demonstrated by an onerror attribute of an IMG element. | |||||
| CVE-2018-8738 | 1 Airties | 4 5444, 5444 Firmware, 5444tt and 1 more | 2018-08-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Airties 5444 1.0.0.18 and 5444TT 1.0.0.18 devices allow XSS. | |||||
| CVE-2018-7786 | 1 Schneider-electric | 1 U.motion Builder | 2018-08-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Schneider Electric U.motion Builder software versions prior to v1.3.4, a cross site scripting (XSS) vulnerability exists which could allow injection of malicious scripts. | |||||
| CVE-2018-13339 | 1 Angular Redactor Project | 1 Angular Redactor | 2018-08-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Imperavi Redactor 3 in Angular Redactor 1.1.6, when HTML content mode is used, allows stored XSS, as demonstrated by an onerror attribute of an IMG element, a related issue to CVE-2018-7035. | |||||
| CVE-2018-13422 | 1 Tecnick | 1 Tcexam | 2018-08-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| TCExam before 14.1.2 has XSS via an ff_ or xl_ field. | |||||
| CVE-2018-13423 | 1 Omeka | 1 Omeka | 2018-08-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| admin/themes/default/items/tag-form.php in Omeka before 2.6.1 allows XSS by adding or editing a tag. | |||||
| CVE-2018-1000536 | 1 Getmedis | 1 Medis | 2018-08-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Medis version 0.6.1 and earlier contains an XSS vulnerability in the Key name parameter on new key creation, which escalates to code execution because nodeIntegration is enabled for the renderer process. It can result in unauthorized code execution on the victim's machine, within the rights of the running application. The attack is exploitable when the victim synchronizes data from a redis server which contains a malicious key value. | |||||
| CVE-2018-1000521 | 1 Bigtreecms | 1 Bigtree Cms | 2018-08-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /users/create; low-privileged users can use this vulnerability to attack high-privileged (Developer) users. This vulnerability appears to have been fixed after commit b652cfdc14d0670c81ac4401ad5a04376745c279. | |||||
| CVE-2018-0605 | 1 Pixelpost | 1 Pixelpost | 2018-08-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Pixelpost v1.7.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-1299 | 1 Ibm | 2 Rational Collaborative Lifecycle Management, Rational Quality Manager | 2018-08-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle Management 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125161. | |||||
| CVE-2018-1000604 | 1 Jenkins | 1 Badge | 2018-08-23 | 3.5 LOW | 5.4 MEDIUM |
| A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
| CVE-2018-13408 | 1 Jirafeau | 1 Jirafeau | 2018-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Jirafeau before 3.4.1. The "search file by link" form is affected by reflected XSS that could allow, by targeting an administrator, stealing a session and gaining administrative privileges. | |||||
| CVE-2018-13409 | 1 Jirafeau | 1 Jirafeau | 2018-08-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Jirafeau before 3.4.1. The "search file by hash" form is affected by reflected XSS that could allow, by targeting an administrator, stealing a session and gaining administrative privileges. | |||||
| CVE-2018-0574 | 1 Basercms | 1 Basercms | 2018-08-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-0570 | 1 Basercms | 1 Basercms | 2018-08-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-12973 | 1 Opentsdb | 1 Opentsdb | 2018-08-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'json' to the /q URI. | |||||
