Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-5207 | 1 Google | 1 Chrome | 2018-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android, corruption of the DOM tree could occur during the removal of a full screen element, which allowed a remote attacker to achieve arbitrary code execution via a crafted HTML page. | |||||
| CVE-2016-5205 | 1 Google | 1 Chrome | 2018-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Mac, incorrectly handles deferred page loads, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | |||||
| CVE-2015-8935 | 1 Php | 1 Php | 2018-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function. | |||||
| CVE-2016-5181 | 1 Google | 1 Chrome | 2018-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android permitted execution of v8 microtasks while the DOM was in an inconsistent state, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via crafted HTML pages. | |||||
| CVE-2016-5208 | 1 Google | 1 Chrome | 2018-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Blink in Google Chrome prior to 55.0.2883.75 for Linux and Windows, and 55.0.2883.84 for Android allowed possible corruption of the DOM tree during synchronous event handling, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | |||||
| CVE-2016-5226 | 1 Google | 1 Chrome | 2018-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Mac executed javascript: URLs entered in the URL bar in the context of the current tab, which allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar. | |||||
| CVE-2016-5204 | 1 Google | 1 Chrome | 2018-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Leaking of an SVG shadow tree leading to corruption of the DOM tree in Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | |||||
| CVE-2016-5191 | 1 Google | 1 Chrome | 2018-01-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Bookmark handling in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android had insufficient validation of supplied data, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via crafted HTML pages, as demonstrated by an interpretation conflict between userinfo and scheme in an http://javascript:payload@example.com URL. | |||||
| CVE-2017-15312 | 1 Huawei | 1 Smartcare | 2018-01-04 | 3.5 LOW | 5.4 MEDIUM |
| Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) vulnerability in the dashboard module. A remote authenticated attacker could exploit this vulnerability to inject malicious scripts in the affected device. | |||||
| CVE-2017-17792 | 1 Blogotext Project | 1 Blogotext | 2018-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in the markup_clean_href function in inc/conv.php in BlogoText through 3.7.6 allows remote attackers to inject arbitrary JavaScript via a comment. | |||||
| CVE-2017-17737 | 1 Brightsign | 2 4k242, 4k242 Firmware | 2018-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html. | |||||
| CVE-2017-14134 | 1 Maplesoft | 1 Maple T.a. | 2018-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected XSS Vulnerability affects the forgotten password page of Maplesoft Maple T.A. 2016.0.6 (Customer Hosted) via the emailAddress parameter to passwordreset/PasswordReset.do, aka Open Bug Bounty ID OBB-286688. | |||||
| CVE-2017-17714 | 1 Boxug | 1 Trape | 2018-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, the /register lat parameter, the /register lon parameter, the /register org parameter, the /register query parameter, the /register region parameter, the /register regionName parameter, the /register timezone parameter, the /register vId parameter, the /register zip parameter, or the /tping id parameter. | |||||
| CVE-2017-1600 | 1 Ibm | 1 Security Guardium | 2018-01-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM Security Guardium 10.0 Database Activity Monitor is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132613. | |||||
| CVE-2017-17825 | 1 Piwigo | 1 Piwigo | 2018-01-03 | 3.5 LOW | 4.8 MEDIUM |
| The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it. | |||||
| CVE-2017-17826 | 1 Piwigo | 1 Piwigo | 2018-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration§ion=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it. | |||||
| CVE-2017-17778 | 1 Paid To Read Script Project | 1 Paid To Read Script | 2018-01-03 | 3.5 LOW | 4.8 MEDIUM |
| Paid To Read Script 2.0.5 has XSS via the referrals.php tier parameter or the admin/userview.php uid parameter. | |||||
| CVE-2017-6486 | 1 Reasoncms | 1 Reasoncms | 2018-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) issue was discovered in reasoncms before 4.7.1. The vulnerability exists due to insufficient filtration of user-supplied data (nyroModalSel) passed to the "reasoncms-master/www/nyroModal/demoSent.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-16950 | 1 Urbackup | 1 Urbackup Server | 2018-01-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross - site scripting (XSS) vulnerability in UrBackup Server before 2.1.20 allows remote attackers to inject arbitrary web script or HTML via the action parameter. | |||||
| CVE-2017-16723 | 1 Phoenixcontact | 26 Fl Com Server Rs232, Fl Com Server Rs232 Firmware, Fl Com Server Rs485 and 23 more | 2018-01-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site Scripting issue was discovered in PHOENIX CONTACT FL COMSERVER BASIC 232/422/485, FL COMSERVER UNI 232/422/485, FL COMSERVER BAS 232/422/485-T, FL COMSERVER UNI 232/422/485-T, FL COM SERVER RS232, FL COM SERVER RS485, and PSI-MODEM/ETH (running firmware versions prior to 1.99, 2.20, or 2.40). The cross-site scripting vulnerability has been identified, which may allow remote code execution. | |||||
| CVE-2017-7554 | 1 Redhat | 1 Mobile Application Platform | 2017-12-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| It was found that the App Studio component of RHMAP 4.4 executes javascript provided by a user. An attacker could use this flaw to execute a stored XSS attack on an application administrator using App Studio. | |||||
| CVE-2017-14510 | 1 Sugarcrm | 1 Sugarcrm | 2017-12-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by proper validating the redirect URL values being passed along. | |||||
| CVE-2017-17698 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2017-12-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. | |||||
| CVE-2017-14386 | 1 Dell | 4 2335dn, 2335dn Firmware, 2355dn and 1 more | 2017-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The web user interface of Dell 2335dn and 2355dn Multifunction Laser Printers, firmware versions prior to V2.70.06.26 A13 and V2.70.45.34 A10 respectively, are affected by a cross-site scripting vulnerability. Attackers could potentially exploit this vulnerability to execute arbitrary HTML or JavaScript code in the user's browser session in the context of the affected website. | |||||
| CVE-2017-1536 | 1 Ibm | 1 Websphere Portal | 2017-12-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Support Tools for Lotus WCM (IBM WebSphere Portal 7.0, 8.0, 8.5 and 9.0) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130733. | |||||
| CVE-2017-14093 | 1 Trendmicro | 1 Scanmail | 2017-12-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Log Query and Quarantine Query pages in Trend Micro ScanMail for Exchange 12.0 are vulnerable to cross site scripting (XSS) attacks. | |||||
| CVE-2017-1546 | 1 Ibm | 2 Rational Doors Next Generation, Rational Requirements Composer | 2017-12-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.07, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130915. | |||||
| CVE-2017-11507 | 1 Check Mk Project | 1 Check Mk | 2017-12-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.2.8x prior to 1.2.8p25 and 1.4.0x prior to 1.4.0p9, allowing an unauthenticated attacker to inject arbitrary HTML or JavaScript via the output_format parameter, and the username parameter of failed HTTP basic authentication attempts, which is returned unencoded in an internal server error page. | |||||
| CVE-2017-1632 | 1 Ibm | 1 Sterling File Gateway | 2017-12-26 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling File Gateway 2.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 133178. | |||||
| CVE-2017-1683 | 1 Ibm | 1 Connections Engagement Center | 2017-12-26 | 3.5 LOW | 5.4 MEDIUM |
| IBM Connections Engagement Center 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134005. | |||||
| CVE-2017-1421 | 1 Ibm | 1 Inotes | 2017-12-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM iNotes is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2017-17383 | 1 Jenkins | 1 Jenkins | 2017-12-22 | 3.5 LOW | 4.7 MEDIUM |
| Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. | |||||
| CVE-2017-16884 | 1 Mistserver | 1 Mistserver | 2017-12-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in MistServer before 2.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to failed authentication requests alerts. | |||||
| CVE-2017-17451 | 1 Wpmailster | 1 Wp Mailster | 2017-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsubscribe handler via the mes parameter to view/subscription/unsubscribe2.php. | |||||
| CVE-2017-17431 | 1 Genixcms | 1 Genixcms | 2017-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| GeniXCMS 1.1.5 has XSS via the from, id, lang, menuid, mod, q, status, term, to, or token parameter. NOTE: this might overlap CVE-2017-14761, CVE-2017-14762, or CVE-2017-14765. | |||||
| CVE-2017-17569 | 1 Scubez | 1 Posty Readymade Classifieds | 2017-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Scubez Posty Readymade Classifieds has XSS via the admin/user_activate_submit.php ID parameter. | |||||
| CVE-2017-16681 | 1 Sap | 1 Business Intelligence Promotion Management Application | 2017-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, 4.30, as user controlled inputs are not sufficiently encoded. | |||||
| CVE-2017-16685 | 1 Sap | 1 Business Warehouse Universal Data Integration | 2017-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site scripting (XSS) in SAP Business Warehouse Universal Data Integration, from 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, due to insufficient encoding of user controlled inputs. | |||||
| CVE-2017-17096 | 1 Content Cards Project | 1 Content Cards | 2017-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Content Cards plugin before 0.9.7 for WordPress allows remote attackers to inject arbitrary JavaScript via crafted OpenGraph data. | |||||
| CVE-2017-17057 | 1 Zkteco | 1 Zktime Web | 2017-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. The vulnerability exists due to insufficient filtration of user-supplied data in the 'Range' field of the 'Department' module in a Personnel Advanced Query. A remote attacker can execute arbitrary HTML and script code in the browser in the context of the vulnerable application. | |||||
| CVE-2017-17694 | 1 Techno - Portfolio Management Panel Project | 1 Techno - Portfolio Management Panel | 2017-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Techno - Portfolio Management Panel through 2017-11-16 allows XSS via the panel/search.php s parameter. | |||||
| CVE-2017-14379 | 1 Emc | 1 Rsa Authentication Manager | 2017-12-20 | 3.5 LOW | 5.4 MEDIUM |
| EMC RSA Authentication Manager before 8.2 SP1 P6 has a cross-site scripting vulnerability that could potentially be exploited by malicious users to compromise the affected system. | |||||
| CVE-2017-1549 | 1 Ibm | 1 Sterling File Gateway | 2017-12-20 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling File Gateway 2.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 131289. | |||||
| CVE-2017-10896 | 1 Buffalo | 4 Bbr-4hg, Bbr-4hg Firmware, Bbr-4mg and 1 more | 2017-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Buffalo BBR-4HG and and BBR-4MG broadband routers with firmware 1.00 to 1.48 and 2.00 to 2.07 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-17059 | 1 Amtythumb Project | 1 Amtythumb | 2017-12-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in the amtyThumb amty-thumb-recent-post (aka amtyThumb posts or wp-thumb-post) plugin 8.1.3 for WordPress via the query string to amtyThumbPostsAdminPg.php. | |||||
| CVE-2017-14516 | 1 Sap | 1 Businessobjects Financial Consolidation | 2017-12-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) exists in SAP Business Objects Financial Consolidation before 2017-06-13, aka SAP Security Note 2422292. | |||||
| CVE-2017-1482 | 1 Ibm | 1 Sterling B2b Integrator | 2017-12-19 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128620. | |||||
| CVE-2017-1465 | 1 Ibm | 1 Tririga Application Platform | 2017-12-19 | 3.5 LOW | 5.4 MEDIUM |
| IBM TRIRIGA 3.2, 3.3, 3.4, and 3.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 128464. | |||||
| CVE-2017-1498 | 1 Ibm | 1 Connections | 2017-12-19 | 3.5 LOW | 5.4 MEDIUM |
| IBM Connections 5.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 129020. | |||||
| CVE-2017-1354 | 1 Ibm | 1 Atlas Ediscovery Process Management | 2017-12-19 | 3.5 LOW | 5.4 MEDIUM |
| IBM Atlas eDiscovery Process Management 6.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 126681. | |||||