Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16856 | 1 Atlassian | 1 Confluence | 2017-12-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme. | |||||
| CVE-2017-17043 | 1 Zitec | 1 Emag Marketplace Connector | 2017-12-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly. | |||||
| CVE-2017-3104 | 2 Adobe, Microsoft | 2 Robohelp, Windows | 2017-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe RoboHelp has a cross-site scripting (XSS) vulnerability. This affects versions before RH12.0.4.460 and RH2017 before RH2017.0.2. | |||||
| CVE-2017-16841 | 1 Lansweeper | 1 Lansweeper | 2017-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| LanSweeper 6.0.100.75 has XSS via the description parameter to /Calendar/CalendarActions.aspx. | |||||
| CVE-2017-14197 | 1 Squiz | 1 Matrix | 2017-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x before 5.4.1.3. There are multiple reflected Cross-Site Scripting (XSS) issues in Matrix WYSIWYG plugins. | |||||
| CVE-2017-11287 | 1 Adobe | 1 Connect | 2017-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure. | |||||
| CVE-2017-11289 | 1 Adobe | 1 Connect | 2017-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure. | |||||
| CVE-2017-11296 | 1 Adobe | 1 Experience Manager | 2017-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0. A cross-site scripting vulnerability in Apache Sling Servlets Post 2.3.20 has been resolved in Adobe Experience Manager. | |||||
| CVE-2017-11288 | 1 Adobe | 1 Connect | 2017-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure. | |||||
| CVE-2017-3109 | 1 Adobe | 1 Experience Manager | 2017-12-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0. Adobe Experience Manager has a reflected cross-site scripting vulnerability in the HtmlRendererServlet. | |||||
| CVE-2017-2135 | 1 Wp-statistics | 1 Wp Statistics | 2017-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WP Statistics version 12.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-8178 | 1 Huawei | 2 Vicky-al00, Vicky-al00 Firmware | 2017-12-12 | 3.5 LOW | 5.4 MEDIUM |
| Huawei Email APP Vicky-AL00 smartphones with software of earlier than VKY-AL00C00B171 versions has a stored cross-site scripting vulnerability. A remote attacker could exploit this vulnerability to send email that storing malicious code to a smartphone and waiting for a user to access this email that triggers execution of the code. An exploit could allow the attacker to execute arbitrary script code on the affected device. | |||||
| CVE-2017-16962 | 1 Communigate | 1 Communigate Pro | 2017-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted Outlook.com calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component. | |||||
| CVE-2017-16904 | 1 Lvyecms Project | 1 Lvyecms | 2017-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Public tologin feature in admin.php in LvyeCMS through 3.1 allows XSS via a crafted username that is mishandled during later log viewing by an administrator. | |||||
| CVE-2017-16881 | 1 Symphony Project | 1 Symphony | 2017-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON objects, as demonstrated by a crafted userAvatarURL value to /settings/avatar, related to processor/AdminProcessor.java, processor/ArticleProcessor.java, processor/UserProcessor.java, service/ArticleQueryService.java, service/AvatarQueryService.java, and service/CommentQueryService.java. | |||||
| CVE-2017-8139 | 1 Huawei | 1 Hedex Lite | 2017-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| HedEx Earlier than V200R006C00 versions have the stored cross-site scripting (XSS) vulnerability. Attackers can exploit the vulnerability to plant malicious scripts into the configuration file to interrupt the services of legitimate users. | |||||
| CVE-2017-8127 | 1 Huawei | 1 Uma | 2017-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The UMA product with software V200R001 has a cross-site scripting (XSS) vulnerability due to insufficient input validation. An attacker could craft malicious links or scripts to launch XSS attacks. | |||||
| CVE-2017-8125 | 1 Huawei | 1 Uma | 2017-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The UMA product with software V200R001 and V300R001 has a cross-site scripting (XSS) vulnerability due to insufficient input validation. An attacker could craft malicious links or scripts to launch XSS attacks. | |||||
| CVE-2017-15051 | 1 Teampass | 1 Teampass | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first authenticated to the application. For the first one, the attacker has to simply inject XSS code within the URL field of a shared item. For the second one however, the attacker must prepare a payload within its profile, and then ask an administrator to modify its profile. From there, whenever the administrator accesses the log, it can be XSS'ed. | |||||
| CVE-2017-1607 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132927. | |||||
| CVE-2017-1650 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 133260. | |||||
| CVE-2017-1688 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134063. | |||||
| CVE-2017-1689 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134064. | |||||
| CVE-2017-1678 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134000. | |||||
| CVE-2017-1593 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132494. | |||||
| CVE-2017-1560 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 131759. | |||||
| CVE-2017-1461 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128460. | |||||
| CVE-2017-7736 | 1 Fortinet | 1 Fortiweb | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-site Scripting (XSS) vulnerability in Fortinet FortiWeb webUI Certificate View page in 5.8.0, 5.7.1 and earlier, allows attackers to inject arbitrary web script or HTML via special crafted malicious certificate import. | |||||
| CVE-2017-16956 | 1 Symphony Project | 1 Symphony | 2017-12-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title. | |||||
| CVE-2017-16919 | 1 Mapos Project | 1 Mapos | 2017-12-05 | 3.5 LOW | 5.4 MEDIUM |
| MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in /clientes/visualizar, which allows remote attackers to inject arbitrary web script or HTML via a crafted description parameter. | |||||
| CVE-2017-16866 | 1 Finecms | 1 Finecms | 2017-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field. | |||||
| CVE-2017-10886 | 1 Cs-cart | 2 Cs-cart, Cs-cart Multivendor | 2017-12-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-16819 | 1 Icontime | 2 Rtc-1000, Rtc-1000 Firmware | 2017-12-04 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability in the Icon Time Systems RTC-1000 v2.5.7458 and earlier time clock allows remote attackers to inject arbitrary JavaScript in the nameFirst (aka First Name) field for the employee details page (/employee.html) that is then reflected in multiple pages where that field data is utilized, resulting in session hijacking and possible elevation of privileges. | |||||
| CVE-2017-4930 | 1 Vmware | 1 Airwatch | 2017-12-04 | 3.5 LOW | 5.4 MEDIUM |
| VMware AirWatch Console 9.x prior to 9.2.0 contains a vulnerability that could allow an authenticated AWC user to add a malicious URL to an enrolled device's 'Links' page. Successful exploitation of this issue could result in an unsuspecting AWC user being redirected to a malicious URL. | |||||
| CVE-2017-4929 | 1 Vmware | 1 Nsx Edge | 2017-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| VMware NSX Edge (6.2.x before 6.2.9 and 6.3.x before 6.3.5) contains a moderate Cross-Site Scripting (XSS) issue which may lead to information disclosure. | |||||
| CVE-2017-16842 | 1 Yoast | 1 Wordpress Seo | 2017-12-03 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2017-16758 | 1 Ultimate Instagram Feed Project | 1 Ultimate Instagram Feed | 2017-12-02 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/partials/uif-access-token-display.php in the Ultimate Instagram Feed plugin before 1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "access_token" parameter. | |||||
| CVE-2017-16843 | 1 Vonage | 2 Vdv-23, Vdv-23 Firmware | 2017-12-02 | 3.5 LOW | 5.4 MEDIUM |
| Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via the NewKeyword or NewDomain field to /goform/RgParentalBasic. | |||||
| CVE-2017-16801 | 1 Octopus | 1 Octopus Deploy | 2017-12-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter. | |||||
| CVE-2017-1000225 | 1 Relevanssi | 1 Relevanssi | 2017-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in Relevanssi Premium version 1.14.8 when using relevanssi_didyoumean() could allow unauthenticated attacker to do almost anything an admin can | |||||
| CVE-2017-1000223 | 1 Modx | 1 Modx Revolution | 2017-12-01 | 3.5 LOW | 5.4 MEDIUM |
| A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS. | |||||
| CVE-2017-16880 | 1 Whoops Project | 1 Whoops | 2017-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The dump function in Util/TemplateHelper.php in filp whoops before 2.1.13 has XSS. | |||||
| CVE-2017-16815 | 1 Snapcreek | 1 Duplicator | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| installer.php in the Snap Creek Duplicator (WordPress Site Migration & Backup) plugin before 1.2.30 for WordPress has XSS because the values "url_new" (/wp-content/plugins/duplicator/installer/build/view.step4.php) and "logging" (wp-content/plugins/duplicator/installer/build/view.step2.php) are not filtered correctly. | |||||
| CVE-2017-12738 | 1 Siemens | 2 Sm-2556, Sm-2556 Firmware | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00. The integrated web server (port 80/tcp) of the affected devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into clicking on a malicious link. | |||||
| CVE-2017-1000240 | 1 Open-emr | 1 Openemr | 2017-11-30 | 3.5 LOW | 5.4 MEDIUM |
| The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML. | |||||
| CVE-2017-16810 | 1 Octopus | 1 Octopus Deploy | 2017-11-30 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter. | |||||
| CVE-2017-9085 | 1 Kodak | 1 Insite | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Kodak InSite 6.5 to 8.0 allow remote attackers to inject arbitrary web script via the (1) "paramFile" parameter to /Site/Troubleshooting/DiagnosticReport.asp, or (2) "paramFile" parameter to /Site/Troubleshooting/SpeedTest.asp. | |||||
| CVE-2015-8793 | 1 Roundcube | 1 Webmail | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937. | |||||
| CVE-2017-1000188 | 1 Ejs | 1 Ejs | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection | |||||
| CVE-2017-1000213 | 1 Wbce | 1 Wbce Cms | 2017-11-29 | 3.5 LOW | 4.8 MEDIUM |
| WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST parameter in /admin/admintools/tool.php?tool=user_search | |||||