Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-7707 | 1 Securenvoy | 1 Securmail | 2018-04-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in SecurEnvoy SecurMail before 9.2.501 allows remote attackers to inject arbitrary web script or HTML via an HTML-formatted e-mail message. | |||||
| CVE-2018-7703 | 1 Securenvoy | 1 Securmail | 2018-04-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in SecurEnvoy SecurMail before 9.2.501 allows remote attackers to inject arbitrary web script or HTML via the mailboxid parameter to secmail/getmessage.exe. | |||||
| CVE-2018-8722 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-04-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026. | |||||
| CVE-2018-8721 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2018-04-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen | |||||
| CVE-2018-1000084 | 1 Wolfcms | 1 Wolf Cms | 2018-04-06 | 3.5 LOW | 5.4 MEDIUM |
| WolfCMS version 0.8.3.1 contains a Stored Cross-Site Scripting vulnerability in Layout Name (from the Layout tab) that can result in a low-privilege user stealing the cookie of the admin user and compromising the admin account. This attack appears to be exploitable by entering JavaScript code into Layout Name. | |||||
| CVE-2018-1000113 | 1 Jenkins | 1 Testlink | 2018-04-04 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript | |||||
| CVE-2018-1000108 | 1 Jenkins | 1 Cppncss | 2018-04-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed. | |||||
| CVE-2018-6226 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 3.5 LOW | 5.4 MEDIUM |
| Reflected cross-site scripting (XSS) vulnerabilities in two Trend Micro Email Encryption Gateway 5.5 configuration files could allow an attacker to inject client-side scripts into vulnerable systems. | |||||
| CVE-2018-6227 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject client-side scripts into vulnerable systems. | |||||
| CVE-2018-8069 | 1 Qcms | 1 Qcms | 2018-03-30 | 3.5 LOW | 5.4 MEDIUM |
| QCMS version 3.0 has XSS via the webname parameter to the /backend/system.html URI. | |||||
| CVE-2018-8070 | 1 Qcms | 1 Qcms | 2018-03-30 | 3.5 LOW | 5.4 MEDIUM |
| QCMS version 3.0 has XSS via the title parameter to the /guest/index.html URI. | |||||
| CVE-2017-2147 | 1 Wp-statistics | 1 Wp Statistics | 2018-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WP Statistics version 12.0.4 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-1000425 | 1 Liferay | 1 Liferay Portal | 2018-03-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter. | |||||
| CVE-2018-7893 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-03-29 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.6 has stored XSS in admin/moduleinterface.php via the metadata parameter. | |||||
| CVE-2018-8058 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-03-29 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.6 has XSS in admin/moduleinterface.php via the pagedata parameter. | |||||
| CVE-2018-8078 | 1 Yzmcms | 1 Yzmcms | 2018-03-29 | 3.5 LOW | 5.4 MEDIUM |
| YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adver/edit.html. | |||||
| CVE-2018-0547 | 1 Soflyy | 1 Wp All Import | 2018-03-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.7 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-0546 | 1 Soflyy | 1 Wp All Import | 2018-03-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.6 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-6527 | 1 D-link | 6 Dir-860l, Dir-860l Firmware, Dir-865l and 3 more | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php in D-Link DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to read a cookie via a crafted deviceid parameter to soap.cgi. | |||||
| CVE-2018-6529 | 1 D-link | 6 Dir-860l, Dir-860l Firmware, Dir-865l and 3 more | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php in D-Link DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to read a cookie via a crafted Treturn parameter to soap.cgi. | |||||
| CVE-2018-6528 | 1 D-link | 6 Dir-860l, Dir-860l Firmware, Dir-865l and 3 more | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php in D-Link DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to read a cookie via a crafted receiver parameter to soap.cgi. | |||||
| CVE-2018-7663 | 1 Voten | 1 Voten | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in resources/views/layouts/app.blade.php in Voten.co before 2017-08-25. An unescaped template literal in the bio field of a user profile (resources/views/layouts/app.blade.php) allows for server-side template injection of arbitrary JavaScript. | |||||
| CVE-2018-7717 | 1 Kubik-rubik | 1 Simple Image Gallery Extended | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The htmlImageAddTitleAttribute function in sige.php in the Kubik-Rubik Simple Image Gallery Extended (SIGE) extension 3.2.3 for Joomla! has XSS via a crafted image header, as demonstrated by the Caption-Abstract header object in a JPEG file. This is fixed in 3.3.1. | |||||
| CVE-2018-7650 | 1 Hot Scripts Clone Project | 1 Hot Scripts Clone | 2018-03-27 | 3.5 LOW | 4.8 MEDIUM |
| PHP Scripts Mall Hot Scripts Clone:Script Classified Version 3.1 Application is vulnerable to stored XSS within the "Add New" function for a Management User. Within the "Add New" section, the application does not sanitize user supplied input to the name parameter, and renders injected JavaScript code to the user's browser. This is different from CVE-2018-6878. | |||||
| CVE-2017-9783 | 1 Projectsend | 1 Projectsend | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) before commit 6c3710430be26feb5371cb0377e5355d6f9a27ca allows remote attackers to inject arbitrary web script or HTML via the Description field in a Site name updated. | |||||
| CVE-2017-9786 | 1 Projectsend | 1 Projectsend | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) before commit 6c3710430be26feb5371cb0377e5355d6f9a27ca allows remote attackers to inject arbitrary web script or HTML via the Description field in My account Name updated, related to home.php and actions-log.php. | |||||
| CVE-2018-7741 | 1 Eramba | 1 Eramba | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Eramba e1.0.6.033 has Reflected XSS in the Date Filter via the created parameter to the /crons URI. | |||||
| CVE-2017-7634 | 1 Qnap | 2 Media Streaming Add-on, Qts | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier allows remote attackers to inject arbitrary web script or HTML. The injected code will only be triggered by a crafted link, not the normal page. | |||||
| CVE-2018-7894 | 1 Eramba | 1 Eramba | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Eramba e1.0.6.033 has Reflected XSS in reviews/filterIndex/ThirdPartyRiskReview via the advanced_filter parameter (aka the Search Parameter). | |||||
| CVE-2018-7996 | 1 Eramba | 1 Eramba | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Eramba e1.0.6.033 has Stored XSS on the tooltip box via the /programScopes description parameter. | |||||
| CVE-2018-7997 | 1 Eramba | 1 Eramba | 2018-03-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Eramba e1.0.6.033 has Reflected XSS on the Error page of the CSV file inclusion tab of the /importTool/preview URI, with a CSV file polluted with malicious JavaScript. | |||||
| CVE-2018-7290 | 1 Tiki | 1 Tikiwiki Cms/groupware | 2018-03-27 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1. | |||||
| CVE-2018-7564 | 1 Polycom | 2 Qdx 6000, Qdx 6000 Firmware | 2018-03-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored XSS exists on Polycom QDX 6000 devices. | |||||
| CVE-2016-0253 | 1 Ibm | 1 Financial Transaction Manager | 2018-03-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial Transaction Manager (FTM) for Corporate Payment Services (CPS) for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 110562. | |||||
| CVE-2018-7721 | 1 Metinfo | 1 Metinfo | 2018-03-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) exists in MetInfo 6.0.0 via /feedback/index.php because app/system/feedback/web/feedback.class.php mishandles input data. | |||||
| CVE-2018-6811 | 1 Citrix | 2 Netscaler Application Delivery Controller Firmware, Netscaler Gateway Firmware | 2018-03-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Citrix NetScaler ADC 10.5, 11.0, 11.1, and 12.0, and NetScaler Gateway 10.5, 11.0, 11.1, and 12.0 allow remote attackers to inject arbitrary web script or HTML via the Citrix NetScaler interface. | |||||
| CVE-2018-7722 | 1 Piwigo | 1 Piwigo | 2018-03-26 | 3.5 LOW | 5.4 MEDIUM |
| The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible. | |||||
| CVE-2018-7723 | 1 Piwigo | 1 Piwigo | 2018-03-26 | 3.5 LOW | 5.4 MEDIUM |
| The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible. | |||||
| CVE-2018-2365 | 1 Sap | 1 Netweaver Portal | 2018-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2017-6927 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2018-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. | |||||
| CVE-2017-6929 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2018-03-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module. | |||||
| CVE-2018-7277 | 1 Rletech | 4 Fds-wi, Fds-wi Firmware, Wi-mgr and 1 more | 2018-03-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on RLE Wi-MGR/FDS-Wi 6.2 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This is similar to a Cross Protocol Injection with SNMP. | |||||
| CVE-2018-7278 | 1 Rletech | 4 Fds-pc, Fds-pc-dp, Fds-pc-dp Firmware and 1 more | 2018-03-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on RLE Protocol Converter FDS-PC / FDS-PC-DP 2.1 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This is similar to a Cross Protocol Injection with SNMP. | |||||
| CVE-2018-7265 | 1 Shimmie2 Project | 1 Shimmie2 | 2018-03-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Shimmie 2 2.6.0 allows an attacker to upload a crafted SVG file that enables stored XSS. | |||||
| CVE-2018-0519 | 1 Fsi | 2 Fs010w, Fs010w Firmware | 2018-03-19 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in FS010W firmware FS010W_00_V1.3.0 and earlier allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-4875 | 1 Adobe | 1 Experience Manager | 2018-03-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.1 and 6.0 are vulnerable to a reflected cross-site scripting vulnerability related to the handling of malicious content embedded in image files uploaded to the DAM. | |||||
| CVE-2017-9425 | 1 Facetag Project | 1 Facetag | 2018-03-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Facetag extension 0.0.3 for Piwigo allows XSS via the name parameter to ws.php in a facetag.changeTag action. | |||||
| CVE-2018-1399 | 1 Ibm | 1 Daeja Viewone | 2018-03-17 | 3.5 LOW | 5.4 MEDIUM |
| IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5 and 5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138435. | |||||
| CVE-2018-7469 | 1 Entrepreneur Job Portal Script Project | 1 Entrepreneur Job Portal Script | 2018-03-16 | 3.5 LOW | 4.8 MEDIUM |
| PHP Scripts Mall Entrepreneur Job Portal Script 2.0.9 has XSS via the p_name (aka Edit Category Name) field to admin/categories_industry.php (aka Categories - Industry Type). | |||||
| CVE-2018-7476 | 1 Finecms | 1 Finecms | 2018-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a '<' or '>' character. | |||||
