Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-11557 | 1 Yiban | 1 Easy Class Education Platform | 2018-06-28 | 4.3 MEDIUM | 6.1 MEDIUM | YIBAN Easy class education platform 2.0 has XSS via the articlelist.php k parameter. |
| CVE-2018-11487 | 1 Phpmywind | 1 Phpmywind | 2018-06-27 | 4.3 MEDIUM | 6.1 MEDIUM | PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php. |
| CVE-2018-11572 | 1 Clippercms | 1 Clippercms | 2018-06-27 | 3.5 LOW | 5.4 MEDIUM | ClipperCMS 1.3.3 has XSS in the "Module name" field in a "Modules -> Manage modules -> edit" action to the manager/ URI. |
| CVE-2018-10382 | 1 Modx | 1 Modx Revolution | 2018-06-27 | 3.5 LOW | 5.4 MEDIUM | MODX Revolution 2.6.3 has XSS. |
| CVE-2018-11651 | 1 Graylog | 1 Graylog | 2018-06-27 | 4.3 MEDIUM | 6.1 MEDIUM | Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx. |
| CVE-2018-11649 | 1 Gethue | 1 Hue | 2018-06-27 | 4.3 MEDIUM | 6.1 MEDIUM | Hue 3.12 has XSS via the /pig/save/ name and script parameters. |
| CVE-2018-11650 | 1 Graylog | 1 Graylog | 2018-06-27 | 4.3 MEDIUM | 6.1 MEDIUM | Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js. |
| CVE-2018-11472 | 1 Monstra | 1 Monstra | 2018-06-26 | 4.3 MEDIUM | 6.1 MEDIUM | Monstra CMS 3.0.4 has reflected XSS during login (i.e., the login parameter to admin/index.php). |
| CVE-2018-11339 | 1 Frappe | 1 Erpnext | 2018-06-26 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment. |
| CVE-2018-11473 | 1 Monstra | 1 Monstra | 2018-06-26 | 4.3 MEDIUM | 6.1 MEDIUM | Monstra CMS 3.0.4 has XSS in the registration form (i.e., the login parameter to users/registration). |
| CVE-2018-11415 | 1 Sap | 1 Internet Transaction Server | 2018-06-26 | 4.3 MEDIUM | 6.1 MEDIUM | SAP Internet Transaction Server (ITS) 6200.X.X has reflected cross-site scripting (XSS) via certain wgate URIs. NOTE: the vendor has reportedly indicated that there will not be any further releases of this product. |
| CVE-2018-11366 | 1 Loginizer | 1 Loginizer | 2018-06-26 | 4.3 MEDIUM | 6.1 MEDIUM | init.php in the Loginizer plugin 1.3.8 through 1.3.9 for WordPress has unauthenticated stored cross-site scripting (XSS) because logging is mishandled. This is fixed in 1.4.0. |
| CVE-2018-11443 | 1 Easyservice Billing Project | 1 Easyservice Billing | 2018-06-25 | 4.3 MEDIUM | 6.1 MEDIUM | The parameter q is affected by cross-site scripting in jobcard-ongoing.php in EasyService Billing 1.0. |
| CVE-2017-7840 | 1 Mozilla | 1 Firefox | 2018-06-25 | 4.3 MEDIUM | 6.1 MEDIUM | JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser, this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks if users were convinced to add malicious tags to bookmarks, export them, and then open the resulting file. This vulnerability affects Firefox < 57. |
| CVE-2017-7834 | 1 Mozilla | 1 Firefox | 2018-06-25 | 4.3 MEDIUM | 6.1 MEDIUM | A "data:" URL loaded in a new tab did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the policy including the execution of JavaScript. In prior versions, when "data:" documents also inherited the context of the original page, this would allow for potential cross-site scripting (XSS) attacks. This vulnerability affects Firefox < 57. |
| CVE-2017-7839 | 1 Mozilla | 1 Firefox | 2018-06-25 | 4.3 MEDIUM | 6.1 MEDIUM | Control characters prepended before "javascript:" URLs pasted in the address bar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the address bar. This vulnerability affects Firefox < 57. |
| CVE-2018-10649 | 1 Citrix | 1 Xenmobile Server | 2018-06-25 | 4.3 MEDIUM | 6.1 MEDIUM | There is a cross-site scripting vulnerability in Citrix XenMobile Server 10.7 before RP3. |
| CVE-2018-11332 | 1 Clippercms | 1 Clippercms | 2018-06-25 | 3.5 LOW | 4.8 MEDIUM | Stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors/save_settings.processor.php file. |
| CVE-2018-11403 | 1 Domainmod | 1 Domainmod | 2018-06-25 | 3.5 LOW | 5.4 MEDIUM | DomainMod v4.09.03 has XSS via the assets/edit/account-owner.php oid parameter. |
| CVE-2018-11471 | 1 Getcockpit | 1 Cockpit | 2018-06-25 | 3.5 LOW | 5.4 MEDIUM | Cockpit 0.5.5 has XSS via a collection, form, or region. |
| CVE-2018-6378 | 1 Joomla | 1 Joomla! | 2018-06-22 | 4.3 MEDIUM | 6.1 MEDIUM | In Joomla! Core before 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager. |
| CVE-2018-4930 | 1 Adobe | 1 Experience Manager | 2018-06-22 | 4.3 MEDIUM | 6.1 MEDIUM | Adobe Experience Manager versions 6.3 and earlier have an exploitable cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. |
| CVE-2018-4929 | 1 Adobe | 1 Experience Manager | 2018-06-22 | 4.3 MEDIUM | 6.1 MEDIUM | Adobe Experience Manager versions 6.2 and earlier have an exploitable stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. |
| CVE-2018-4931 | 1 Adobe | 1 Experience Manager | 2018-06-22 | 4.3 MEDIUM | 6.1 MEDIUM | Adobe Experience Manager versions 6.1 and earlier have an exploitable stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. |
| CVE-2018-11328 | 1 Joomla | 1 Joomla! | 2018-06-22 | 2.6 LOW | 4.7 MEDIUM | An issue was discovered in Joomla! Core before 3.8.8. Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping of the user-info component of the URI could result in an XSS vulnerability. |
| CVE-2018-11326 | 1 Joomla | 1 Joomla! | 2018-06-22 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform an XSS attack. |
| CVE-2018-11404 | 1 Domainmod | 1 Domainmod | 2018-06-22 | 4.3 MEDIUM | 6.1 MEDIUM | DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.php sslpaid parameter. |
| CVE-2018-11330 | 1 Pluck-cms | 1 Pluck | 2018-06-22 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted. |
| CVE-2018-11101 | 1 Signal | 1 Signal-desktop | 2018-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply, a different vulnerability than CVE-2018-10994. The attacker needs to send HTML code directly as a message, and then reply to that message to trigger this vulnerability. The Signal-Desktop software fails to sanitize specific HTML elements that can be used to inject HTML code into remote chat windows when replying to an HTML message. Specifically, the IMG and IFRAME elements can be used to include remote or local resources. For example, the use of an IFRAME element enables full code execution, allowing an attacker to download/upload files, information, etc. The SCRIPT element was also found to be injectable. On the Windows operating system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script on an SMB share within an IFRAME element, for example: `<IFRAME src=\\DESKTOP-XXXXX\Temp\test.html>` and then replying to it. The included JavaScript code is then executed automatically, without any interaction needed from the user. The vulnerability can be triggered in the Signal-Desktop client by sending a specially crafted message and then replying to it with any text or content in the reply (it doesn't matter). |
| CVE-2018-5230 | 1 Atlassian | 1 Jira | 2018-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified. |
| CVE-2018-0579 | 1 Webdados | 1 Open Graph For Facebook, Google+ And Twitter Card Tags | 2018-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in the Open Graph for Facebook, Google+ and Twitter Card Tags plugin prior to version 2.2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-11245 | 1 Misp-project | 1 Misp | 2018-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | app/webroot/js/misp.js in MISP 2.4.91 has a DOM-based XSS with cortex type attributes. |
| CVE-2018-10326 | 1 Printeron | 1 Printeron | 2018-06-19 | 3.5 LOW | 5.4 MEDIUM | PrinterOn Enterprise 4.1.3 suffers from multiple authenticated stored XSS vulnerabilities via the (1) department field in the printer configuration, (2) description field in the print server configuration, and (3) username field for authentication to print as guest. |
| CVE-2018-1147 | 1 Tenable | 1 Nessus | 2018-06-19 | 3.5 LOW | 5.4 MEDIUM | In Nessus before 7.1.0, an XSS vulnerability exists due to improper input validation. A remote authenticated attacker could create and upload a .nessus file, which may be viewed by an administrator, allowing for the execution of arbitrary script code in a user's browser session. In other scenarios, XSS could also occur by altering variables from the Advanced Settings. |
| CVE-2017-16860 | 1 Atlassian | 1 Application Links | 2018-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message. |
| CVE-2018-10810 | 1 Livezilla | 1 Livezilla | 2018-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | chat/mobile/index.php in LiveZilla Live Chat 7.0.9.5 and prior is affected by cross-site scripting via the Accept-Language HTTP header. |
| CVE-2018-11105 | 1 Wp-livechat | 1 Wp Live Chat Support | 2018-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | There is stored cross-site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat whenever a malicious attacker initiates a new chat with an administrator. NOTE: this issue exists because of an incomplete fix for CVE-2018-9864. |
| CVE-2018-10306 | 1 Ilias | 1 Ilias | 2018-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | Services/Form/classes/class.ilDateDurationInputGUI.php and Services/Form/classes/class.ilDateTimeInputGUI.php in ILIAS 5.1.x through 5.3.x before 5.3.4 allow XSS via an invalid date. |
| CVE-2017-7583 | 1 Ilias | 1 Ilias | 2018-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | ILIAS before 5.2.3 has XSS via SVG documents. |
| CVE-2017-15538 | 1 Ilias | 1 Ilias | 2018-06-19 | 3.5 LOW | 5.4 MEDIUM | Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php. |
| CVE-2018-0581 | 1 Asus | 2 Rt-ac87u, Rt-ac87u Firmware | 2018-06-18 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in ASUS RT-AC87U Firmware versions prior to 3.0.0.4.378.9383 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-10994 | 1 Signal | 1 Signal-desktop | 2018-06-18 | 4.3 MEDIUM | 6.1 MEDIUM | js/views/message_view.js in Open Whisper Signal (aka Signal-Desktop) before 1.10.1 allows XSS via a URL. |
| CVE-2018-11090 | 1 Mybiz | 1 Myprocurenet | 2018-06-18 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue was discovered in MyBiz MyProcureNet 5.0.0. This vulnerability within "ProxyPage.aspx" allows an attacker to inject malicious client-side scripting, which will be executed in the browser of users if they visit the manipulated site. |
| CVE-2018-10307 | 1 Ilias | 1 Ilias | 2018-06-18 | 4.3 MEDIUM | 6.1 MEDIUM | error.php in ILIAS 5.2.x through 5.3.x before 5.3.4 allows XSS via the text of a PDO exception. |
| CVE-2018-11118 | 1 Ilias | 1 Ilias | 2018-06-15 | 4.3 MEDIUM | 6.1 MEDIUM | The RSS subsystem in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a URI to Services/Feeds/classes/class.ilExternalFeedItem.php. |
| CVE-2018-11120 | 1 Ilias | 1 Ilias | 2018-06-15 | 4.3 MEDIUM | 6.1 MEDIUM | Services/COPage/classes/class.ilPCSourceCode.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS. |
| CVE-2018-11117 | 1 Ilias | 1 Ilias | 2018-06-15 | 4.3 MEDIUM | 6.1 MEDIUM | Services/Feeds/classes/class.ilExternalFeedItem.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a link attribute. |
| CVE-2018-0582 | 1 Asus | 2 Rt-ac68u, Rt-ac68u Firmware | 2018-06-15 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in ASUS RT-AC68U Firmware versions prior to 3.0.0.4.380.1031 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-0583 | 1 Asus | 2 Rt-ac1200hp, Rt-ac1200hp Firmware | 2018-06-15 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in ASUS RT-AC1200HP Firmware versions prior to 3.0.0.4.380.4180 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-10580 | 1 Latest Posts On Profile Project | 1 Latest Posts On Profile | 2018-06-14 | 3.5 LOW | 5.4 MEDIUM | The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field. |
