Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-8254 | 1 Microsoft | 3 Project Server, Sharepoint Foundation, Sharepoint Server | 2018-08-06 | 3.5 LOW | 5.4 MEDIUM |
| An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft Project Server, Microsoft SharePoint. This CVE ID is unique from CVE-2018-8252. | |||||
| CVE-2018-12290 | 1 Yii2-statemachine | 1 Yii2-statemachine | 2018-08-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Yii2-StateMachine extension v2.x.x for Yii2 has XSS. | |||||
| CVE-2018-5754 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-08-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard. | |||||
| CVE-2018-5164 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2018-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks. This vulnerability affects Firefox < 60. | |||||
| CVE-2018-11223 | 1 Pandorafms | 1 Artica Pandora Fms | 2018-08-02 | 3.5 LOW | 5.4 MEDIUM |
| XSS in Artica Pandora FMS before 7.0 NG 723 allows an attacker to execute arbitrary code via a crafted "refr" parameter in a "/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=" call. | |||||
| CVE-2018-12431 | 1 Seacms | 1 Seacms | 2018-08-02 | 3.5 LOW | 4.8 MEDIUM |
| SeaCMS V6.61 has XSS via the site name parameter on an adm1n/admin_config.php page (aka a system management page). | |||||
| CVE-2018-12432 | 1 Javamelody Project | 1 Javamelody | 2018-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| JavaMelody through 1.60.0 has XSS via the counter parameter in a clear_counter action to the /monitoring URI. | |||||
| CVE-2018-5143 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2018-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| URLs using "javascript:" have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59. | |||||
| CVE-2018-12501 | 1 Nagios | 1 Fusion | 2018-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nagios Fusion before 4.1.4 has XSS, aka TPS#13332-13335. | |||||
| CVE-2018-12339 | 1 Articlecms Project | 1 Articlecms | 2018-08-02 | 3.5 LOW | 5.4 MEDIUM |
| ArticleCMS through 2017-02-19 has XSS via an "add an article" action. | |||||
| CVE-2018-12273 | 1 Ximdex | 1 Ximdex | 2018-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The /edit URI in the DMS component in Ximdex 4.0 has XSS via the Ciudad or Nombre parameter. | |||||
| CVE-2018-12272 | 1 Ximdex | 1 Ximdex | 2018-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| xowl/request.php in Ximdex 4.0 has XSS via the content parameter. | |||||
| CVE-2018-5521 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2018-08-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| On F5 BIG-IP 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, carefully crafted URLs can be used to reflect arbitrary content into GeoIP lookup responses, potentially exposing clients to XSS. | |||||
| CVE-2018-12094 | 1 Dimofinf | 1 Dimofinf Cms | 2018-08-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in news.php in Dimofinf CMS Version 3.0.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | |||||
| CVE-2018-12095 | 1 Oecms Project | 1 Oecms | 2018-08-01 | 3.5 LOW | 5.4 MEDIUM |
| A reflected cross-site scripting vulnerability has been discovered in the OEcms v3.1 web application. The vulnerability is located in the mod parameter of info.php. | |||||
| CVE-2016-9903 | 1 Mozilla | 1 Firefox | 2018-08-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mozilla's add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be loaded as a document it could allow injecting content and script into an add-on's context. This vulnerability affects Firefox < 50.1. | |||||
| CVE-2018-12030 | 1 Chevereto | 1 Chevereto | 2018-08-01 | 3.5 LOW | 5.4 MEDIUM |
| Chevereto Free before 1.0.13 has XSS. | |||||
| CVE-2018-11553 | 1 Sgin | 1 Xiangyun Platform | 2018-07-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| SGIN.CN xiangyun platform V9.4.10 has XSS via the login_url parameter to /login.php. | |||||
| CVE-2017-18286 | 1 Nzedb | 1 Nzedb | 2018-07-31 | 3.5 LOW | 5.4 MEDIUM |
| nZEDb v0.7.3.3 has XSS in the 404 error page. | |||||
| CVE-2018-9182 | 1 Lynxtechnology | 1 Twonky Server | 2018-07-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Twonky Server before 8.5.1 has XSS via a modified "language" parameter in the Language section. | |||||
| CVE-2018-12111 | 1 Canon | 1 Efi Printme | 2018-07-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Canon PrintMe EFI web interface allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the /wt3/mydocs.php URI. | |||||
| CVE-2018-12266 | 1 Hongcms Project | 1 Hongcms | 2018-07-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| system\errors\404.php in HongCMS 3.0.0 has XSS via crafted input that triggers a 404 HTTP status code. | |||||
| CVE-2018-12353 | 1 Knowage-suite | 1 Knowage | 2018-07-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name field to the "Business Model's Catalogue" catalogue. | |||||
| CVE-2018-11735 | 1 Ximdex | 1 Ximdex | 2018-07-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| index.php?action=createaccount in Ximdex 4.0 has XSS via the sname or fname parameter. | |||||
| CVE-2018-11715 | 1 Recent Threads Project | 1 Recent Threads | 2018-07-18 | 3.5 LOW | 5.4 MEDIUM |
| The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject. | |||||
| CVE-2018-1000202 | 1 Jenkins | 1 Groovy Postbuild | 2018-07-18 | 3.5 LOW | 5.4 MEDIUM |
| A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
| CVE-2018-7747 | 1 Calderalabs | 1 Caldera Forms | 2018-07-17 | 3.5 LOW | 4.8 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported form. | |||||
| CVE-2018-11709 | 1 Gvectors | 1 Wpforo Forum | 2018-07-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI. | |||||
| CVE-2018-11568 | 1 Cactusthemes | 1 Gameplan-event And Gym Fitness | 2018-07-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter. In some (but not all) cases, the '<' and '>' characters have `&lt;` and `&gt;` representations. | |||||
| CVE-2017-7636 | 1 Qnap | 1 Nas Proxy Server | 2018-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2018-12047 | 1 Ximdex | 1 Ximdex | 2018-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| xfind/search in Ximdex 4.0 has XSS via the filter[n][value] parameters for non-negative values of n, as demonstrated by n equal to 0 through 12. | |||||
| CVE-2018-9177 | 1 Lynxtechnology | 1 Twonky Server | 2018-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Twonky Server before 8.5.1 has XSS via a folder name on the Shared Folders screen. | |||||
| CVE-2018-12043 | 1 Getsymphony | 1 Symphony | 2018-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page. | |||||
| CVE-2016-6615 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. | |||||
| CVE-2018-11564 | 1 Pagekit | 1 Pagekit | 2018-07-05 | 3.5 LOW | 4.8 MEDIUM |
| Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in SVG format. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/poc.svg" that will point to http://localhost/pagekit/storage/poc.svg. When a user comes along to click that link, it will trigger an XSS attack. | |||||
| CVE-2018-7976 | 1 Huawei | 1 Espace Desktop | 2018-07-05 | 3.5 LOW | 5.4 MEDIUM |
| There is a stored cross-site scripting (XSS) vulnerability in Huawei eSpace Desktop versions V300R001C00 and V300R001C50. Due to insufficient validation of the input, an authenticated, remote attacker could exploit this vulnerability to send abnormal messages to the system and perform an XSS attack. A successful exploit could cause the eSpace Desktop to hang, and the function will restore to normal after restarting the eSpace Desktop. | |||||
| CVE-2018-11580 | 1 Multidots | 1 Mass Pages/Posts Creator | 2018-07-05 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress. Any logged in user can launch Mass Pages/Posts creation with custom content. There is no nonce or user capability check, so anyone can launch a DoS attack against a site and create hundreds of thousands of posts with custom content. | |||||
| CVE-2018-11628 | 1 Emssoftware | 1 Ems Master Calendar | 2018-07-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS. | |||||
| CVE-2018-11522 | 1 Yosoro Project | 1 Yosoro | 2018-07-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Yosoro 1.0.4 has stored XSS. | |||||
| CVE-2018-11552 | 1 Nch | 1 Axon Pbx | 2018-07-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON->Auto-Dialer->Agents->Name" field. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable application. | |||||
| CVE-2018-11486 | 1 Multidots | 1 Advance Search For Woocommerce | 2018-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress. This plugin is vulnerable to a stored Cross-site scripting (XSS) vulnerability. A non-authenticated user can save the plugin settings and inject malicious JavaScript code in the Custom CSS textarea field, which will be loaded on every site page. | |||||
| CVE-2018-11485 | 1 Multidots | 1 Woocommerce Quick Reports | 2018-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS. It allows an attacker to inject malicious JavaScript code on the WooCommerce -> Orders admin page. The attack is possible by modifying the "referral_site" cookie to have an XSS payload, and placing an order. | |||||
| CVE-2018-11549 | 1 Wuzhicms | 1 Wuzhi Cms | 2018-06-29 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in WUZHI CMS 4.1.0. There is a stored XSS vulnerability in "Account Settings -> Member Centre -> Chinese information -> Ordinary member" via a QQ number, as demonstrated by a form[qq_10]= substring. | |||||
| CVE-2018-11562 | 1 Misp | 1 Misp | 2018-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter. | |||||
| CVE-2018-11583 | 1 Seacms | 1 Seacms | 2018-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| SeaCMS 6.61 has stored XSS in admin_collect.php via the siteurl parameter. | |||||
| CVE-2018-10379 | 1 Gitlab | 1 Gitlab | 2018-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2. The Move Issue feature contained a persistent XSS vulnerability. | |||||
| CVE-2018-11512 | 1 Creatiwity | 1 Witycms | 2018-06-29 | 3.5 LOW | 4.8 MEDIUM |
| Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general. | |||||
| CVE-2018-11532 | 1 Changuondyu Advanced Statistics Project | 1 Changuondyu Advanced Statistics | 2018-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the ChangUonDyU Advanced Statistics plugin 1.0.2 for MyBB. changstats.php has XSS, as demonstrated by a subject field. | |||||
| CVE-2018-11133 | 1 Quest | 1 Kace System Management Appliance | 2018-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The 'fmt' parameter of the '/common/run_cross_report.php' script in the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. | |||||
| CVE-2018-11430 | 1 Moderator Log Notes Project | 1 Moderator Log Notes | 2018-06-28 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. The XSS is located in the mod notes textarea. | |||||
