Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-6194 | 1 Splashing Images Project | 1 Splashing Images | 2018-02-14 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in admin/partials/wp-splashing-admin-sidebar.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search parameter to wp-admin/upload.php. | |||||
| CVE-2016-0311 | 1 Ibm | 1 Tivoli Business Service Manager | 2018-02-14 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Tivoli Business Service Manager 6.1.0 before 6.1.0-TIV-BSM-FP0004 and 6.1.1 before 6.1.1-TIV-BSM-FP0004 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111480. | |||||
| CVE-2018-0508 | 1 Kkcald Project | 1 Kkcald | 2018-02-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in epg search result viewer (kkcald) 0.7.21 and earlier allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-6550 | 1 Monstra | 1 Monstra | 2018-02-14 | 3.5 LOW | 5.4 MEDIUM |
| Monstra CMS through 3.0.4 has XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php. | |||||
| CVE-2018-6545 | 1 Ipswitch | 1 Moveit | 2018-02-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ipswitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability, as demonstrated by human.aspx. Attackers can leverage this vulnerability to send malicious messages to other users in order to steal session cookies and launch client-side attacks. | |||||
| CVE-2017-14190 | 1 Fortinet | 1 Fortios | 2018-02-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.7, 5.2 and earlier, allows attacker to inject arbitrary web script or HTML via maliciously crafted "Host" header in user HTTP requests. | |||||
| CVE-2018-6377 | 1 Joomla | 1 Joomla\! | 2018-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox | |||||
| CVE-2017-18082 | 1 Atlassian | 1 Bamboo | 2018-02-13 | 3.5 LOW | 5.4 MEDIUM |
| The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch. | |||||
| CVE-2018-6380 | 1 Joomla | 1 Joomla\! | 2018-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system. | |||||
| CVE-2018-6379 | 1 Joomla | 1 Joomla\! | 2018-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability. | |||||
| CVE-2017-2743 | 1 Hp | 175 2a68a, 2a68a Firmware, 2a69a and 172 more | 2018-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| HP has identified a potential security vulnerability with HP Enterprise LaserJet Printers and MFPs, HP OfficeJet Enterprise Color Printers and MFP, HP PageWide Color Printers and MPS before 2308214_000901, 2308214_000900, and other firmware versions. The vulnerability could be exploited to perform a cross site scripting (XSS) attack. | |||||
| CVE-2018-5967 | 1 Netis-systems | 2 Wf2419, Wf2419 Firmware | 2018-02-12 | 3.5 LOW | 5.4 MEDIUM |
| Netis WF2419 V2.2.36123 devices allow XSS via the Description parameter on the Bandwidth Control Rule Settings page. | |||||
| CVE-2017-1000389 | 1 Jenkins | 1 Global-build-stats | 2018-02-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability. | |||||
| CVE-2018-5962 | 1 Centos-webpanel | 1 Centos Web Panel | 2018-02-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the id parameter to the phpini_editor module or the email_address parameter to the mail_add-new module. | |||||
| CVE-2017-1653 | 1 Ibm | 7 Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager and 4 more | 2018-02-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 6.0.x) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 133268. | |||||
| CVE-2018-5961 | 1 Centos-webpanel | 1 Centos Web Panel | 2018-02-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file. | |||||
| CVE-2018-6190 | 1 Netis-systems | 2 Wf2419, Wf2419 Firmware | 2018-02-09 | 3.5 LOW | 5.4 MEDIUM |
| Netis WF2419 V3.2.41381 devices allow XSS via the Description field on the MAC Filtering page. | |||||
| CVE-2018-5705 | 1 Reservo | 1 Image Hosting | 2018-02-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reservo Image Hosting 1.6 is vulnerable to XSS attacks. The affected function is its search engine (the t parameter to the /search URI). Since there is an user/admin login interface, it's possible for attackers to steal sessions of users and thus admin(s). By sending users an infected URL, code will be executed. | |||||
| CVE-2017-1000404 | 1 Jenkins | 1 Delivery Pipeline | 2018-02-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. | |||||
| CVE-2018-6313 | 1 Wbce | 1 Wbce Cms | 2018-02-08 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) in WBCE CMS 1.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the Modify Page screen, a different issue than CVE-2017-2118. | |||||
| CVE-2017-2746 | 1 Hp | 1 Jetadvantage Security Manager | 2018-02-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Potential security vulnerabilities have been identified with HP JetAdvantage Security Manager before 3.0.1. The vulnerabilities could potentially be exploited to allow stored cross-site scripting which could allow a hacker to create a denial of service. | |||||
| CVE-2017-1506 | 1 Ibm | 1 Cognos Tm1 | 2018-02-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Cognos TM1 10.2 and 10.2.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 129617. | |||||
| CVE-2017-1563 | 1 Ibm | 1 Rational Doors | 2018-02-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Doors Web Access 9.5 and 9.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 131763. | |||||
| CVE-2017-1540 | 1 Ibm | 1 Rational Doors | 2018-02-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Doors Web Access 9.5 and 9.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130808. | |||||
| CVE-2017-1532 | 1 Ibm | 1 Rational Doors | 2018-02-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS 9.5 and 9.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130411. | |||||
| CVE-2018-5963 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-02-07 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter. | |||||
| CVE-2018-5965 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-02-07 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter. | |||||
| CVE-2018-5964 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-02-07 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter. | |||||
| CVE-2018-6001 | 1 Webartisan | 1 Soundy Audio Playlist | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Soundy Audio Playlist plugin 4.6 and below for WordPress has Cross-Site Scripting via soundy-audio-playlist\templates\front-end.php (war_sdy_pl_preview parameter). | |||||
| CVE-2018-6013 | 1 Bigtreecms | 1 Bigtree Cms | 2018-02-07 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter. This issue exists in core/admin/ajax/developer/extensions/file-browser.php. | |||||
| CVE-2018-6002 | 1 Webartisan | 1 Soundy Background Music | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Soundy Background Music plugin 3.9 and below for WordPress has Cross-Site Scripting via soundy-background-music\templates\front-end.php (war_soundy_preview parameter). | |||||
| CVE-2016-6217 | 2 Linux, Sophos | 2 Linux Kernel, Puremessage | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Sophos PureMessage for UNIX before 6.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-14383 | 1 Dell | 4 Emc Vnx1, Emc Vnx1 Firmware, Emc Vnx2 and 1 more | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Dell EMC VNX2 versions prior to Operating Environment for File 8.1.9.217 and VNX1 versions prior to Operating Environment for File 7.1.80.8, a web server error page in VNX Control Station is impacted by a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary HTML code in the user's browser session in the context of the affected web application. | |||||
| CVE-2017-2745 | 1 Hp | 1 Jetadvantage Security Manager | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Potential security vulnerabilities have been identified with HP JetAdvantage Security Manager before 3.0.1. The vulnerabilities could potentially be exploited to allow stored cross-site scripting which could allow a hacker to execute scripts in a user's browser. | |||||
| CVE-2017-17947 | 1 Pulsesecure | 1 Pulse Connect Secure | 2018-02-06 | 3.5 LOW | 4.8 MEDIUM |
| A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal. | |||||
| CVE-2017-18014 | 1 Sophos | 2 Sfos, Xg Firewall | 2018-02-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An NC-25986 issue was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An unauthenticated user can trigger a persistent XSS vulnerability found in the WAF log page (Control Center -> Log Viewer -> in the filter option "Web Server Protection") in the webadmin interface, and execute any action available to the webadmin of the firewall (e.g., creating a new user, enabling SSH, or adding an SSH authorized key). The WAF log page will execute the "User-Agent" parameter in the HTTP POST request. | |||||
| CVE-2018-5370 | 1 Bizlogicdev | 1 Xnami | 2018-02-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| BizLogic xnami 1.0 has XSS via the comment parameter in an addComment action to the /media/ajax URI. | |||||
| CVE-2018-5773 | 1 Python-markdown2 Project | 1 Python-markdown2 | 2018-02-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the final '>' character from an IMG tag. | |||||
| CVE-2018-5688 | 1 Ilias | 1 Ilias | 2018-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component. | |||||
| CVE-2018-1045 | 1 Moodle | 1 Moodle | 2018-02-05 | 3.5 LOW | 5.4 MEDIUM |
| In Moodle 3.x, there is XSS via a calendar event name. | |||||
| CVE-2017-16863 | 1 Atlassian | 1 Jira | 2018-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter. | |||||
| CVE-2014-6027 | 1 Torrentflux Project | 1 Torrentflux | 2018-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in TorrentFlux 2.4 allow (1) remote attackers to inject arbitrary web script or HTML by leveraging failure to encode file contents when downloading a torrent file or (2) remote authenticated users to inject arbitrary web script or HTML via vectors involving a link to torrent details. | |||||
| CVE-2018-5479 | 1 Foxsash | 1 Imghosting | 2018-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| FoxSash ImgHosting 1.5 (according to footer information) is vulnerable to XSS attacks. The affected function is its search engine via the search parameter to the default URI. Since there is an user/admin login interface, it's possible for attackers to steal sessions of users and thus admin(s). By sending users an infected URL, code will be executed. | |||||
| CVE-2016-10516 | 1 Palletsprojects | 1 Werkzeug | 2018-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. | |||||
| CVE-2017-15717 | 1 Apache | 2 Sling Xss Protection Api, Sling Xss Protection Api Compat | 2018-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0. | |||||
| CVE-2017-12097 | 1 Delayed Job Web Project | 1 Delayed Job Web | 2018-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| An exploitable cross site scripting (XSS) vulnerability exists in the filter functionality of the delayed_job_web rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability. | |||||
| CVE-2017-12098 | 1 Rails Admin Project | 1 Rails Admin | 2018-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| An exploitable cross site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability. | |||||
| CVE-2018-5687 | 1 Newsbee Project | 1 Newsbee | 2018-02-02 | 3.5 LOW | 4.8 MEDIUM |
| NewsBee allows XSS via the Company Name field in the Settings under admin/admin.php. | |||||
| CVE-2018-5715 | 1 Sugarcrm | 1 Sugarcrm | 2018-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). | |||||
| CVE-2018-5071 | 1 Cobham | 2 Sea Tel 116, Sea Tel 116 Firmware | 2018-02-02 | 3.5 LOW | 5.4 MEDIUM |
| Persistent XSS exists in the web server on Cobham Sea Tel 116 build 222429 satellite communication system devices: remote attackers can inject malicious JavaScript code using the device's TELNET shell built-in commands, as demonstrated by the "set ship name" command. This is similar to a Cross Protocol Injection with SNMP. | |||||