Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1416 | 1 Ibm | 1 Websphere Portal | 2018-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credential disclosure within a trusted session. IBM X-Force ID: 138822. | |||||
| CVE-2012-3536 | 1 Apache | 1 Hupa | 2018-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Two XSS vulnerabilities were fixed in the message list and message view of the Hupa webmail application from the Apache James project. An attacker could send a carefully crafted email to a Hupa user that would trigger an XSS when the email was opened or when a list of messages was viewed. This issue was addressed in Hupa 0.0.3. | |||||
| CVE-2017-17454 | 1 Mahara | 1 Mahara | 2018-03-16 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value. | |||||
| CVE-2017-16789 | 2 Integrationmatters, Tibco | 2 Njams, Businessworks Process Monitor | 2018-03-16 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Integration Matters nJAMS 3 before 3.2.0 Hotfix 7, as used in TIBCO BusinessWorks Process Monitor through 3.0.1.3 and other products, allows remote authenticated administrators to inject arbitrary web script or HTML via the users management panel of the web interface. | |||||
| CVE-2017-12794 | 1 Djangoproject | 1 Django | 2018-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings. | |||||
| CVE-2018-2371 | 1 Sap | 1 Netweaver Java Web Application | 2018-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SAML 2.0 service provider of SAP Netweaver AS Java Web Application, 7.50, does not sufficiently encode user controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2017-5798 | 1 Hp | 1 Opencall Media Platform | 2018-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Remote Code Execution vulnerability in HPE OpenCall Media Platform (OCMP) was found. The vulnerability impacts OCMP versions prior to 3.4.2 RP201 (for OCMP 3.x), all versions prior to 4.4.7 RP702 (for OCMP 4.x). | |||||
| CVE-2018-6189 | 1 F-secure | 1 Radar | 2018-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| F-Secure Radar (on-premises) before 2018-02-15 has XSS via vectors involving the Tags parameter in the JSON request body in an outbound request for the /api/latest/vulnerabilityscans/tags/batch resource, aka a "suggested metadata tags for assets" issue. | |||||
| CVE-2018-4876 | 1 Adobe | 1 Experience Manager | 2018-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.3, 6.2, and 6.1 are vulnerable to cross-site scripting via a bypass of the Sling XSSAPI#getValidHref function. | |||||
| CVE-2018-0864 | 1 Microsoft | 1 Sharepoint Server | 2018-03-14 | 3.5 LOW | 5.4 MEDIUM |
| SharePoint Project Server 2013 and SharePoint Enterprise Server 2016 allow an information disclosure vulnerability due to how web requests are handled, aka "Microsoft SharePoint Information Disclosure Vulnerability". | |||||
| CVE-2016-7394 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2018-03-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Tiki Wiki CMS Groupware 15.2 and earlier has an XSS vulnerability that allows attackers to steal users' cookies. | |||||
| CVE-2018-6936 | 1 D-link | 2 Dir-600m C1, Dir-600m C1 Firmware | 2018-03-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) exists on the D-Link DIR-600M C1 3.01 via the SSID or the name of a user account. | |||||
| CVE-2018-7303 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2018-03-13 | 3.5 LOW | 5.4 MEDIUM |
| The Calendar component in Tiki 17.1 allows HTML injection. | |||||
| CVE-2018-7188 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2018-03-13 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability (via an SVG image) in Tiki before 18 allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with a malicious SVG image, related to lib/filegals/filegallib.php. | |||||
| CVE-2017-8993 | 1 Microfocus | 1 Project And Portfolio Management | 2018-03-12 | 3.5 LOW | 5.4 MEDIUM |
| A remote cross-site scripting vulnerability was found in HPE Project and Portfolio Management (PPM) versions 9.30, 9.31, 9.32, and 9.40. | |||||
| CVE-2017-5800 | 1 Hp | 1 Operations Bridge Analytics | 2018-03-12 | 3.5 LOW | 5.4 MEDIUM |
| A remote cross-site scripting (XSS) vulnerability was found in HPE Operations Bridge Analytics version 3.0. | |||||
| CVE-2018-7057 | 1 Steelcase | 2 Roomwizard, Roomwizard Firmware | 2018-03-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| RoomWizard before 4.4.x allows XSS via the HelpAction.action pageName parameter. | |||||
| CVE-2017-1682 | 1 Ibm | 1 Connections | 2018-03-12 | 3.5 LOW | 5.4 MEDIUM |
| IBM Connections 4.0, 4.5, 5.0, 5.5, and 6.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credential disclosure within a trusted session. IBM X-Force ID: 134004. | |||||
| CVE-2017-1462 | 1 Ibm | 1 Rational Rhapsody Design Manager | 2018-03-12 | 3.5 LOW | 5.4 MEDIUM |
| IBM Rhapsody DM 5.0 and 6.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credential disclosure within a trusted session. IBM X-Force ID: 128461. | |||||
| CVE-2018-7302 | 1 Tiki | 1 Tiki | 2018-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS. | |||||
| CVE-2017-18093 | 1 Atlassian | 2 Crucible, Fisheye | 2018-03-12 | 3.5 LOW | 4.8 MEDIUM |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository. | |||||
| CVE-2017-18092 | 1 Atlassian | 1 Crucible | 2018-03-12 | 3.5 LOW | 5.4 MEDIUM |
| The print snippet resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of a comment on the snippet. | |||||
| CVE-2018-0513 | 1 Mtssb.mt-systems | 1 Simple Booking | 2018-03-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in MTS Simple Booking C, MTS Simple Booking Business version 1.28.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-16755 | 1 Userscape | 1 Helpspot | 2018-03-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Userscape HelpSpot before 4.7.2. A reflected cross-site scripting vulnerability exists in the "return" parameter of the "index.php?pg=moderated" endpoint. It executes when the return link is clicked. | |||||
| CVE-2016-0344 | 1 Ibm | 1 Tririga Application Platform | 2018-03-09 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the My Reports component in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111785. | |||||
| CVE-2017-1604 | 1 Ibm | 1 Maximo Anywhere | 2018-03-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Maximo Anywhere 7.5 and 7.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credential disclosure within a trusted session. IBM X-Force ID: 132851. | |||||
| CVE-2015-6544 | 1 Combodo | 1 Itop | 2018-03-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. | |||||
| CVE-2013-4891 | 1 Codeigniter | 1 Codeigniter | 2018-03-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The xss_clean function in CodeIgniter before 2.1.4 might allow remote attackers to bypass an intended protection mechanism and conduct cross-site scripting (XSS) attacks via an unclosed HTML tag. | |||||
| CVE-2018-1415 | 1 Ibm | 1 Maximo Asset Management | 2018-03-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credential disclosure within a trusted session. IBM X-Force ID: 138821. | |||||
| CVE-2018-1000029 | 1 Elsa Project | 1 Elsa | 2018-03-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| mcholste Enterprise Log Search and Archive (ELSA) revision 1205, commit 2cc17f1 and earlier, contains a cross-site scripting (XSS) vulnerability in the index view (/). The payload is delivered via the type, name, and value parameters of /Query/set_preference and the name and value parameters of /Query/preference, and is executed when the user visits the index view (/). | |||||
| CVE-2017-8953 | 1 Hp | 2 Loadrunner, Performance Center | 2018-03-07 | 3.5 LOW | 5.4 MEDIUM |
| A remote cross-site scripting (XSS) vulnerability was found in HPE LoadRunner 12.53 and earlier and HPE Performance Center 12.53 and earlier. | |||||
| CVE-2018-0869 | 1 Microsoft | 1 Sharepoint Enterprise Server | 2018-03-07 | 3.5 LOW | 5.4 MEDIUM |
| SharePoint Server 2016 allows an elevation of privilege vulnerability due to how web requests are handled, aka "Microsoft SharePoint Elevation of Privilege Vulnerability". | |||||
| CVE-2018-2364 | 1 Sap | 2 Customer Relationship Management Webclient Ui, S4fnd | 2018-03-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2017-14536 | 1 Netfortris | 1 Trixbox | 2018-03-06 | 3.5 LOW | 5.4 MEDIUM |
| trixbox 2.8.0.4 has XSS via the PATH_INFO to /maint/index.php or /user/includes/language/langChooser.php. | |||||
| CVE-2017-18091 | 1 Atlassian | 2 Crucible, Fisheye | 2018-03-06 | 3.5 LOW | 4.8 MEDIUM |
| The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup. | |||||
| CVE-2017-18090 | 1 Atlassian | 1 Fisheye | 2018-03-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Various resources in Atlassian Fisheye before version 4.5.1 (the fixed version for 4.5.x) and before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a commit author. | |||||
| CVE-2017-18089 | 1 Atlassian | 1 Crucible | 2018-03-06 | 3.5 LOW | 5.4 MEDIUM |
| The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review. | |||||
| CVE-2018-7260 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-03-06 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2018-6506 | 1 Minibb | 1 Minibb | 2018-03-06 | 3.5 LOW | 4.8 MEDIUM |
| Cross-Site Scripting (XSS) exists in the Add Forum feature in the Administrative Panel in miniBB 3.2.2 via crafted use of an onload attribute of an SVG element in the supertitle field. | |||||
| CVE-2018-6890 | 1 Wolfcms | 1 Wolf Cms | 2018-03-06 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Wolf CMS 0.8.3.1 via the page editing feature, as demonstrated by /?/admin/page/edit/3. | |||||
| CVE-2017-18175 | 1 Progress | 1 Sitefinity | 2018-03-05 | 3.5 LOW | 5.4 MEDIUM |
| Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1. | |||||
| CVE-2017-18177 | 1 Progress | 1 Sitefinity | 2018-03-05 | 3.5 LOW | 5.4 MEDIUM |
| Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1. | |||||
| CVE-2017-18176 | 1 Progress | 1 Sitefinity | 2018-03-05 | 3.5 LOW | 5.4 MEDIUM |
| Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1. | |||||
| CVE-2016-8522 | 1 Hp | 1 Diagnostics | 2018-03-05 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability was found in HPE Diagnostics versions 9.24 IP1, 9.26, and 9.26 IP1. | |||||
| CVE-2018-1000062 | 1 Wondercms | 1 Wondercms | 2018-03-05 | 3.5 LOW | 4.4 MEDIUM |
| WonderCMS version 2.4.0 contains a stored cross-site scripting vulnerability in file upload through SVG in uploadFileAction() ('svg' => 'image/svg+xml'), which allows an attacker to execute arbitrary script in an unsuspecting user's browser. This attack appears to be exploitable via a crafted SVG file. | |||||
| CVE-2016-8517 | 1 Hp | 1 Systems Insight Manager | 2018-03-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability was found in HPE Systems Insight Manager in all versions prior to 7.6. | |||||
| CVE-2018-7197 | 1 Pluck-cms | 1 Pluck | 2018-03-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL. | |||||
| CVE-2018-7280 | 1 Ninjaforms | 1 Ninja Forms | 2018-03-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ninja Forms plugin before 3.2.14 for WordPress has XSS. | |||||
| CVE-2017-16356 | 1 Kubik-rubik | 1 Simple Image Gallery Extended | 2018-03-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) before 3.3.0 allows attackers to execute JavaScript in a victim's browser by having them visit a plugins/content/sige/plugin_sige/print.php link with a crafted img, name, or caption parameter. | |||||
| CVE-2018-6193 | 1 Routers2 Project | 1 Routers2 | 2018-03-03 | 2.6 LOW | 4.7 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability was found in Routers2 2.24, affecting the 'rtr' GET parameter in a page=graph action to cgi-bin/routers2.pl. | |||||
