Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1000137 | 1 Mahara | 1 Mahara | 2017-11-15 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when adding a text block to a page via the keyboard (rather than drag and drop). | |||||
| CVE-2017-1000132 | 1 Mahara | 1 Mahara | 2017-11-15 | 3.5 LOW | 4.8 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .swf files that can have its code executed when a user tries to download the file. | |||||
| CVE-2017-5673 | 1 Kunena | 1 Kunena | 2017-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the Kunena extension 5.0.2 through 5.0.4 for Joomla!, the forum message subject (aka topic subject) accepts JavaScript, leading to XSS. Six files are affected: crypsis/layouts/message/item/default.php, crypsis/layouts/message/item/top/default.php, crypsis/layouts/message/item/bottom/default.php, crypsisb3/layouts/message/item/default.php, crypsisb3/layouts/message/item/top/default.php, and crypsisb3/layouts/message/item/bottom/default.php. This is fixed in 5.0.5. | |||||
| CVE-2017-15863 | 1 Wp No External Links Project | 1 Wp No External Links | 2017-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) exists in the wp-noexternallinks plugin before 3.5.19 for WordPress via the date1 or date2 parameter to wp-admin/options-general.php. | |||||
| CVE-2017-15885 | 1 Axis | 2 2100 Network Camera, 2100 Network Camera Firmware | 2017-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in the web administration portal on the Axis 2100 Network Camera 2.03 allows an attacker to execute arbitrary JavaScript via the conf_Layout_OwnTitle parameter to view/view.shtml. NOTE: this might overlap CVE-2007-5214. | |||||
| CVE-2017-15810 | 1 Popcash | 1 Popcash.net Code Integration Tool | 2017-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The PopCash.Net Code Integration Tool plugin before 1.1 for WordPress has XSS via the tab parameter to wp-admin/admin.php. | |||||
| CVE-2017-15867 | 1 User-login-history Project | 1 User-login-history | 2017-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php. | |||||
| CVE-2012-4569 | 1 Letodms Project | 1 Letodms | 2017-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in out/out.UsrMgr.php in LetoDMS (formerly MyDMS) before 3.3.9 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-15936 | 1 Artica | 1 Pandora Fms | 2017-11-14 | 3.5 LOW | 5.4 MEDIUM |
| In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed. | |||||
| CVE-2017-15934 | 1 Artica | 1 Pandora Fms | 2017-11-14 | 3.5 LOW | 5.4 MEDIUM |
| Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter. | |||||
| CVE-2017-15878 | 1 Keystonejs | 1 Keystone | 2017-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature. | |||||
| CVE-2017-15811 | 1 Pootlepress | 1 Pootle Button | 2017-11-14 | 3.5 LOW | 5.4 MEDIUM |
| The Pootle Button plugin before 1.2.0 for WordPress has XSS via the assets_url parameter in assets/dialog.php, exploitable via wp-admin/admin-ajax.php. | |||||
| CVE-2017-1363 | 1 Ibm | 1 Rational Collaborative Lifecycle Management | 2017-11-13 | 3.5 LOW | 5.4 MEDIUM |
| IBM Team Concert (RTC) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 126856. | |||||
| CVE-2017-1164 | 1 Ibm | 1 Rational Collaborative Lifecycle Management | 2017-11-13 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 123036. | |||||
| CVE-2017-1169 | 1 Ibm | 1 Rational Collaborative Lifecycle Management | 2017-11-13 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS next Generation (DNG/RRC) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 123188. | |||||
| CVE-2016-3049 | 1 Ibm | 1 Openpages Grc Platform | 2017-11-13 | 3.5 LOW | 5.4 MEDIUM |
| IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 114712. | |||||
| CVE-2017-15273 | 1 Mahara | 1 Mahara | 2017-11-13 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as titles in internal artefacts. | |||||
| CVE-2017-14752 | 1 Mahara | 1 Mahara | 2017-11-13 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as their first name, last name, or display name in the profile fields that can cause issues such as escalation of privileges or unknown execution of malicious code when replying to messages in Mahara. | |||||
| CVE-2017-14354 | 1 Hp | 1 Ucmdb Foundation Software | 2017-11-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| A remote cross-site scripting vulnerability in HP UCMDB Foundation Software versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, and 10.33 could be remotely exploited to allow cross-site scripting. | |||||
| CVE-2017-14724 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. | |||||
| CVE-2017-14726 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. | |||||
| CVE-2017-14720 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. | |||||
| CVE-2017-14721 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. | |||||
| CVE-2017-14718 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. | |||||
| CVE-2017-15646 | 1 Webmin | 1 Webmin | 2017-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Webmin before 1.860 has XSS with resultant remote code execution. Under the 'Others/File Manager' menu, there is a 'Download from remote URL' option to download a file from a remote server. After setting up a malicious server, one can wait for a file download request and then send an XSS payload that will lead to Remote Code Execution, as demonstrated by an OS command in the value attribute of a name='cmd' input element. | |||||
| CVE-2017-2274 | 1 Buffalo | 4 Wmr-433, Wmr-433 Firmware, Wmr-433w and 1 more | 2017-11-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WMR-433 firmware Ver.1.02 and earlier, WMR-433W firmware Ver.1.40 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-15648 | 1 Phpsugar | 1 Php Melody | 2017-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PHPSUGAR PHP Melody before 2.7.3, page_manager.php has XSS via the page_title parameter. | |||||
| CVE-2017-15612 | 1 Mistune Project | 1 Mistune | 2017-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions. | |||||
| CVE-2017-15291 | 1 Tp-link | 2 Tl-mr3220, Tl-mr3220 Firmware | 2017-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Wireless MAC Filtering page in TP-LINK TL-MR3220 wireless routers allows remote attackers to inject arbitrary web script or HTML via the Description field. | |||||
| CVE-2010-3659 | 1 Typo3 | 1 Typo3 | 2017-11-07 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified parameters to unknown backend forms. | |||||
| CVE-2014-0029 | 1 Redhat | 1 Subscription Asset Manager | 2017-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the SAM web application in Red Hat katello-headpin allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |||||
| CVE-2017-15362 | 1 Osticket | 1 Osticket | 2017-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| osTicket 1.10.1 allows arbitrary client-side JavaScript code execution on victims who click a crafted support/scp/tickets.php?status= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application. This affects a different tickets.php file than CVE-2015-1176. | |||||
| CVE-2017-8024 | 1 Emc | 1 Isilon Onefs | 2017-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| EMC Isilon OneFS (versions prior to 8.1.0.1, versions prior to 8.0.1.2, versions prior to 8.0.0.6, version 7.2.1.x) is impacted by a reflected cross-site scripting vulnerability that may potentially be exploited by malicious users to compromise the affected system. | |||||
| CVE-2017-15375 | 1 Wpjobboard | 1 Wpjobboard | 2017-11-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple client-side cross site scripting vulnerabilities have been discovered in the WpJobBoard v4.5.1 web-application for WordPress. The vulnerabilities are located in the `query` and `id` parameters of the `wpjb-email`, `wpjb-job`, `wpjb-application`, and `wpjb-membership` modules. Remote attackers are able to inject malicious script code to hijack admin session credentials via the backend, or to manipulate the backend on client-side performed requests. The attack vector is non-persistent and the request method to inject is GET. The attacker does not need a privileged user account to perform a successful exploitation. | |||||
| CVE-2017-1503 | 1 Ibm | 1 Websphere Application Server | 2017-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 129578. | |||||
| CVE-2016-7168 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. | |||||
| CVE-2017-14313 | 1 Shibboleth Project | 1 Shibboleth | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The shibboleth_login_form function in shibboleth.php in the Shibboleth plugin before 1.8 for WordPress is prone to an XSS vulnerability due to improper use of add_query_arg(). | |||||
| CVE-2015-5714 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags. | |||||
| CVE-2015-7989 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714. | |||||
| CVE-2016-1564 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. | |||||
| CVE-2017-5490 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php. | |||||
| CVE-2017-5488 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin. | |||||
| CVE-2016-6634 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-8016 | 1 Emc | 1 Archer Grc Platform | 2017-11-03 | 3.5 LOW | 5.4 MEDIUM |
| RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-site scripting via the Questionnaire ID field. An authenticated attacker may potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application. | |||||
| CVE-2017-8017 | 1 Emc | 1 Smarts Network Configuration Manager | 2017-11-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| EMC Network Configuration Manager (NCM) 9.3.x, 9.4.0.x, 9.4.1.x, and 9.4.2.x is affected by a reflected cross-site scripting Vulnerability that could potentially be exploited by malicious users to compromise the affected system. | |||||
| CVE-2017-14498 | 1 Silverstripe | 1 Silverstripe | 2017-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017. | |||||
| CVE-2017-1000088 | 1 Jenkins | 1 Sidebar Link | 2017-11-02 | 3.5 LOW | 5.4 MEDIUM |
| The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links. | |||||
| CVE-2017-1000103 | 1 Jenkins | 1 Dry | 2017-11-01 | 3.5 LOW | 5.4 MEDIUM |
| The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view. | |||||
| CVE-2017-1000102 | 1 Jenkins | 1 Static Analysis Utilities | 2017-11-01 | 3.5 LOW | 5.4 MEDIUM |
| The Details view of some Static Analysis Utilities based plugins, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings Plugin), could insert arbitrary HTML into this view. | |||||
| CVE-2014-0208 | 1 Theforeman | 1 Foreman | 2017-11-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name. | |||||