Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-13003 | 1 Opentsdb | 1 Opentsdb | 2018-08-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'type' to the /suggest URI. | |||||
| CVE-2018-1000534 | 1 Joplin Project | 1 Joplin | 2018-08-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Joplin versions prior to 1.0.90 contain an XSS vulnerability in the Note content field that evolves into code execution because nodeIntegration is enabled for the particular BrowserWindow instance where the XSS was identified (information on the fix can be found at https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89). This can result in executing unauthorized code within the rights in which the application is running. This attack appears to be exploitable via the victim synchronizing notes from cloud services or other note-keeping services which contain malicious code. This vulnerability appears to have been fixed in 1.0.90 and later. | |||||
| CVE-2018-1000513 | 1 Limesurvey | 1 Limesurvey | 2018-08-21 | 3.5 LOW | 4.8 MEDIUM |
| LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x. | |||||
| CVE-2018-1000508 | 1 Wpulike | 1 Ulike | 2018-08-20 | 3.5 LOW | 4.8 MEDIUM |
| WP ULike versions 2.8.1, 3.1 contain a Cross Site Scripting (XSS) vulnerability in the Settings screen that can allow unauthorised users to do almost anything an admin can. This attack appears to be exploitable when an admin visits the logs page. This vulnerability appears to have been fixed in 3.2. | |||||
| CVE-2018-1000512 | 1 Tooltipy Project | 1 Tooltipy | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Tooltipy (tooltips for WP) version 5 contains a Cross Site Scripting (XSS) vulnerability in the Glossary shortcode that could allow anybody to do almost anything an admin can. This attack appears to be exploitable when an admin follows a link. This vulnerability appears to have been fixed in 5.1. | |||||
| CVE-2018-12902 | 1 Easymagazine Project | 1 Easymagazine | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Easy Magazine through 2012-10-26, there is XSS in the search bar of the web site. | |||||
| CVE-2018-12905 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| joyplus-cms 1.6.0 has XSS in admin_player.php, related to manager/index.php "system manage" and "add" actions. | |||||
| CVE-2018-12711 | 1 Joomla | 1 Joomla! | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page URL. | |||||
| CVE-2018-1000557 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| OCS Inventory NG version ocsreports 2.4 contains a Cross Site Scripting (XSS) vulnerability in the login form and search functionality that can result in an attacker being able to execute arbitrary (JavaScript) code within a victim's browser. This attack appears to be exploitable when the victim opens a crafted link to the application. This vulnerability appears to have been fixed in ocsreports 2.4.1. | |||||
| CVE-2018-1000556 | 1 Veronalabs | 1 Wp Statistics | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core WordPress on the delete function that can result in an attacker performing client-side attacks ranging from stealing a cookie to code injection. This attack appears to be exploitable when an attacker crafts a URL with a payload and sends it to the user. The victim needs to open the link to be affected by the reflected XSS. | |||||
| CVE-2018-1000543 | 1 Rockiger | 1 Akiee | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Akiee version 0.0.3 contains an XSS vulnerability leading to code execution due to the use of node integration: the "Details" of a task is not validated, which can result in XSS leading to arbitrary code execution. This attack appears to be exploitable when the attacker tricks the victim into opening a crafted markdown. | |||||
| CVE-2018-13002 | 1 Weblication | 1 Cms Core & Grid | 2018-08-20 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in Inhaltsprojekte in Weblication CMS Core & Grid v12.6.24. The vulnerability is located in the `wFilemanager.php` and `index.php` files of the `/grid5/scripts/` modules. The injection point is located in the Project `Title` and the execution point occurs in the `Inhaltsprojekte` output listing section. Remote attackers with privileged user accounts are able to inject their own malicious script code with a persistent attack vector to compromise user session credentials or to manipulate the affected web-application module output context. The request method to inject is POST. | |||||
| CVE-2018-13001 | 1 Sandoba | 1 Cp\ | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Sandoba CP:Shop v2016.1. The vulnerability is located in the `admin.php` file of the `./cpshop/` module. Remote attackers are able to inject their own script codes to the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability is non-persistent and the request method to inject/execute is GET with the path, search, rename, or dir parameter. | |||||
| CVE-2018-13000 | 1 Anelectron | 1 Advanced Electron Forum | 2018-08-20 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in Advanced Electron Forum (AEF) v1.0.9. A persistent XSS vulnerability is located in the `FTP Link` element of the `Private Message` module. The editor of the private message module allows inserting links without sanitizing the content. This allows remote attackers to inject malicious script code payloads as a private message (aka pmbody). The injection point is the editor ftp link element and the execution point occurs in the message body context on arrival. The request method to inject is POST with restricted user privileges. | |||||
| CVE-2018-12996 | 1 Zohocorp | 1 Manageengine Applications Manager | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do. | |||||
| CVE-2018-12919 | 1 Craftedweb Project | 1 Craftedweb | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In CraftedWeb through 2013-09-24, aasp_includes/pages/notice.php allows XSS via the e parameter. | |||||
| CVE-2018-0603 | 1 Geminilabs | 1 Site Reviews | 2018-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Site Reviews versions prior to 2.15.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-12696 | 1 Mao10 | 1 Mao10cms | 2018-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| mao10cms 6 allows XSS via the article page. | |||||
| CVE-2018-12695 | 1 Mao10 | 1 Mao10cms | 2018-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| mao10cms 6 allows XSS via the m=bbs&a=index page. | |||||
| CVE-2014-0013 | 1 Emberjs | 1 Ember.js | 2018-08-13 | 3.5 LOW | 5.4 MEDIUM |
| Ember.js 1.0.x before 1.0.1, 1.1.x before 1.1.3, 1.2.x before 1.2.1, 1.3.x before 1.3.1, and 1.4.x before 1.4.0-beta.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging an application that contains templates whose context is set to a user-supplied primitive value and also contain the `{{this}}` special Handlebars variable. | |||||
| CVE-2017-10991 | 1 Wp-statistics | 1 Wp Statistics | 2018-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Statistics plugin through 12.0.9 for WordPress has XSS in the rangestart and rangeend parameters on the wps_referrers_page page. | |||||
| CVE-2015-7565 | 1 Emberjs | 1 Ember.js | 2018-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Ember.js 1.8.x through 1.10.x, 1.11.x before 1.11.4, 1.12.x before 1.12.2, 1.13.x before 1.13.12, 2.0.x before 2.0.3, 2.1.x before 2.1.2, and 2.2.x before 2.2.1 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2018-12580 | 1 Dragonbyte-tech | 1 Vbsecurity | 2018-08-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| library/DBTech/Security/Action/Sessions.php in DragonByte vBSecurity 3.x through 3.3.0 for vBulletin 3 and vBulletin 4 allows self-XSS via $session['user_agent'] in the "Login Sessions" feature. | |||||
| CVE-2018-12588 | 1 Public Knowledge Project | 1 Open Monograph Press | 2018-08-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-2 before 3.1.1-3 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch parameter (aka the Search field). | |||||
| CVE-2018-12073 | 1 Eminent-online | 1 Em4544 | 2018-08-11 | 2.9 LOW | 5.3 MEDIUM |
| An issue was discovered on Eminent EM4544 9.10 devices. The device does not require the user's current password to set a new one within the web interface. Therefore, it is possible to exploit this issue (e.g., in combination with a successful XSS, or at an unattended workstation) to change the admin password to an attacker-chosen value without knowing the current password. | |||||
| CVE-2018-12104 | 1 Airbnb | 1 Knowledge Repo | 2018-08-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Airbnb Knowledge Repo 0.7.4 allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the post/posts/new_report.kp URI. | |||||
| CVE-2018-6212 | 1 D-link | 2 Dir-620, Dir-620 Firmware | 2018-08-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, a reflected Cross-Site Scripting (XSS) attack is possible as a result of missed filtration for special characters in the "Search" field and incorrect processing of the XMLHttpRequest object. | |||||
| CVE-2017-13072 | 1 Qnap | 1 Qts | 2018-08-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in App Center in QNAP QTS 4.2.6 build 20171208, QTS 4.3.3 build 20171213, QTS 4.3.4 build 20171223, and their earlier versions could allow remote attackers to inject JavaScript code. | |||||
| CVE-2018-9027 | 1 Ca | 1 Ca Privileged Access Manager | 2018-08-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting vulnerability in CA Privileged Access Manager 2.x allows remote attackers to execute malicious script with a specially crafted link. | |||||
| CVE-2018-9036 | 1 Checksec | 1 Canopy | 2018-08-10 | 3.5 LOW | 4.8 MEDIUM |
| CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users. | |||||
| CVE-2018-12581 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-08-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature. | |||||
| CVE-2017-0110 | 1 Microsoft | 1 Exchange Server | 2018-08-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Microsoft Exchange Outlook Web Access (OWA) allows remote attackers to inject arbitrary web script or HTML via a crafted email or chat client, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." | |||||
| CVE-2017-7823 | 3 Debian, Mozilla, Redhat | 9 Debian Linux, Firefox, Firefox Esr and 6 more | 2018-08-09 | 4.3 MEDIUM | 5.4 MEDIUM |
| The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. | |||||
| CVE-2017-5466 | 2 Mozilla, Redhat | 9 Firefox, Firefox Esr, Thunderbird and 6 more | 2018-08-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the reloaded "data:text/html" page with its origin set incorrectly. This allows for a cross-site scripting (XSS) attack. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. | |||||
| CVE-2017-7799 | 1 Mozilla | 1 Firefox | 2018-08-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| JavaScript in the "about:webrtc" page is not sanitized properly before being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack. This vulnerability affects Firefox < 55. | |||||
| CVE-2018-0527 | 1 Cybozu | 1 Office | 2018-08-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-11647 | 1 Oauth2orize-fprm Project | 1 Oauth2orize-fprm | 2018-08-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| index.js in oauth2orize-fprm before 0.2.1 has XSS via a crafted URL. | |||||
| CVE-2018-0557 | 1 Cybozu | 1 Mailwise | 2018-08-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored cross-site scripting vulnerability in Cybozu Mailwise 5.0.0 to 5.4.1 allows remote attackers to inject arbitrary web script or HTML in 'E-mail Details Screen' via unspecified vectors. | |||||
| CVE-2018-12229 | 1 Sfu | 1 Open Journal System | 2018-08-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Public Knowledge Project (PKP) Open Journal System (OJS) 3.0.0 to 3.1.1-1 allows remote attackers to inject arbitrary web script or HTML via the templates/frontend/pages/search.tpl parameter (aka the By Author field). | |||||
| CVE-2018-0558 | 1 Cybozu | 1 Mailwise | 2018-08-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting vulnerability in Cybozu Mailwise 5.0.0 to 5.4.1 allows remote attackers to inject arbitrary web script or HTML in 'System settings' via unspecified vectors. | |||||
| CVE-2018-0559 | 1 Cybozu | 1 Mailwise | 2018-08-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Mailwise 5.0.0 to 5.4.1 allows remote attackers to inject arbitrary web script or HTML in 'Address' via unspecified vectors. | |||||
| CVE-2018-0565 | 1 Cybozu | 1 Office | 2018-08-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.8.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-12654 | 1 Slims Akasia Project | 1 Slims Akasia | 2018-08-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) exists in the Bibliography module in SLiMS 8 Akasia 8.3.1 via an admin/modules/bibliography/index.php?keywords= URI. | |||||
| CVE-2018-12657 | 1 Slims Akasia Project | 1 Slims Akasia | 2018-08-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) exists in the Master File module in SLiMS 8 Akasia 8.3.1 via an admin/modules/master_file/rda_cmc.php?keywords= URI. | |||||
| CVE-2018-12655 | 1 Slims Akasia Project | 1 Slims Akasia | 2018-08-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) exists in the Circulation module in SLiMS 8 Akasia 8.3.1 via an admin/modules/circulation/loan_rules.php?keywords= URI, a related issue to CVE-2017-7242. | |||||
| CVE-2018-12656 | 1 Slims Akasia Project | 1 Slims Akasia | 2018-08-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) exists in the Membership module in SLiMS 8 Akasia 8.3.1 via an admin/modules/membership/index.php?keywords= URI. | |||||
| CVE-2017-5393 | 1 Mozilla | 1 Firefox | 2018-08-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "mozAddonManager" allows for the installation of extensions from the CDN for addons.mozilla.org, a publicly accessible site. This could allow malicious extensions to install additional extensions from the CDN in combination with an XSS attack on Mozilla AMO sites. This vulnerability affects Firefox < 51. | |||||
| CVE-2017-5458 | 1 Mozilla | 1 Firefox | 2018-08-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| When a "javascript:" URL is dragged and dropped by a user into the address bar, the URL will be processed and executed. This allows for users to be socially engineered to execute an XSS attack on themselves. This vulnerability affects Firefox < 53. | |||||
| CVE-2016-9490 | 1 Manageengine | 1 Applications Manager | 2018-08-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from a Reflected Cross-Site Scripting vulnerability. Applications Manager is prone to a Cross-Site Scripting vulnerability in parameter LIMIT, in URL path /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233. The URL is also available without authentication. | |||||
| CVE-2018-8252 | 1 Microsoft | 2 Sharepoint Foundation, Sharepoint Server | 2018-08-06 | 3.5 LOW | 5.4 MEDIUM |
| An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-8254. | |||||
