Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-9441 | 1 Bookmarkify Project | 1 Bookmarkify | 2019-09-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| The bookmarkify plugin 2.9.2 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=bookmarkify.php. | |||||
| CVE-2015-9442 | 1 Avenirsoft | 1 Directdownload | 2019-09-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| The avenirsoft-directdownload plugin 1.0 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=avenir_plugin. | |||||
| CVE-2015-9443 | 1 Wp Accurate Form Data Project | 1 Wp Accurate Form Data | 2019-09-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| The accurate-form-data-real-time-form-validation plugin 1.2 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=Accu_Data_WP. | |||||
| CVE-2015-9447 | 1 Unitegallery | 1 Unite Gallery Lite | 2019-09-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQL injection via wp-admin/admin.php galleryid or id parameters. | |||||
| CVE-2019-16904 | 1 Teampass | 1 Teampass | 2019-09-27 | 3.5 LOW | 5.4 MEDIUM |
| TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.) | |||||
| CVE-2019-12203 | 1 Silverstripe | 1 Silverstripe | 2019-09-27 | 3.7 LOW | 6.3 MEDIUM |
| SilverStripe through 4.3.3 allows session fixation in the "change password" form. | |||||
| CVE-2019-14273 | 1 Silverstripe | 1 Silverstripe | 2019-09-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| In SilverStripe assets 4.0, there is broken access control on files. | |||||
| CVE-2015-9413 | 1 Eshop Project | 1 Eshop | 2019-09-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| The eshop plugin through 6.3.13 for WordPress has CSRF with resultant XSS via the wp-admin/admin.php?page=eshop-downloads.php title parameter. | |||||
| CVE-2019-7608 | 1 Elastic | 1 Kibana | 2019-09-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2018-17790 | 1 Prospecta | 1 Master Data Online | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Prospecta Master Data Online (MDO) 2.0 has Stored XSS. | |||||
| CVE-2015-9444 | 1 Altosresearch | 1 Altos-connect | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The altos-connect plugin 1.3.0 for WordPress has XSS via the wp-content/plugins/altos-connect/jquery-validate/demo/demo/captcha/index.php/ PATH_SELF. | |||||
| CVE-2015-9416 | 1 Onthegosystems | 1 Sitepress-multilingual-cms | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header. | |||||
| CVE-2015-9417 | 1 Slidervilla | 1 Testimonial Slider | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS. | |||||
| CVE-2015-9422 | 1 Simplysymphony | 1 Plugnedit | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has CSRF with resultant XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load plugnedit_width, pnemedcount, PlugneditBGColor, PlugneditEditorMargin, or plugneditcontent parameters. | |||||
| CVE-2015-9421 | 1 Olevmedia | 1 Olevmedia Shortcodes | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=omsc_popup id parameter. | |||||
| CVE-2015-9433 | 1 Wp Social Bookmarking Light Project | 1 Wp Social Bookmarking Light | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The wp-social-bookmarking-light plugin before 1.7.10 for WordPress has CSRF with resultant XSS via configuration parameters for Tumblr, Twitter, Facebook, etc. in wp-admin/options-general.php?page=wp-social-bookmarking-light%2Fmodules%2Fadmin.php. | |||||
| CVE-2015-9431 | 1 Qtranslate X Project | 1 Qtranslate X | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=qtranslate-x json_config_files or json_custom_i18n_config parameter. | |||||
| CVE-2019-11464 | 1 Couchbase | 1 Couchbase Server | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for X-Permitted-Cross-Domain-Policies and X-XSS-Protection, which are more generally applicable to HTML endpoint, to be included too. These headers were not included in Couchbase Server 5.5.0 and 5.1.2 . They are now included in version 6.0.2 in responses from the Couchbase Server Views REST API (port 8092). | |||||
| CVE-2015-9432 | 1 Thealpinepress | 1 Alpine-photo-tile-for-instagram | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The alpine-photo-tile-for-instagram plugin before 1.2.7.6 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings tab parameter. | |||||
| CVE-2015-9428 | 1 Wplegalpages | 1 Wp Legal Pages | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The wplegalpages plugin before 1.1 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=legal-pages lp-domain-name, lp-business-name, lp-phone, lp-street, lp-city-state, lp-country, lp-email, lp-address, or lp-niche parameters. | |||||
| CVE-2018-17218 | 1 Ptc | 1 Thingworx Platform | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is reflected XSS in the SQUEAL search function. | |||||
| CVE-2015-9425 | 1 Byonepress | 1 Social Locker | 2019-09-26 | 4.3 MEDIUM | 5.4 MEDIUM |
| The social-locker plugin before 4.2.5 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=opanda-item&page=license-manager-sociallocker-next licensekey parameter. | |||||
| CVE-2019-14272 | 1 Silverstripe | 1 Silverstripe | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM |
| In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS. | |||||
| CVE-2015-9424 | 1 Doc4design | 1 Multicons | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The multicons plugin before 3.0 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=multicons%2Fmulticons.php global_url or admin_url parameter. | |||||
| CVE-2015-9429 | 1 Yithemes | 1 Yith Maintenance Mode | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter. | |||||
| CVE-2015-9423 | 1 Simplysymphony | 1 Plugnedit | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM |
| The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters. | |||||
| CVE-2017-16792 | 1 Geminabox Project | 1 Geminabox | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb. | |||||
| CVE-2015-9426 | 1 Manual Image Crop Project | 1 Manual Image Crop | 2019-09-26 | 3.5 LOW | 4.6 MEDIUM |
| The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter. | |||||
| CVE-2015-9439 | 1 Addthis | 1 Addthis | 2019-09-26 | 3.5 LOW | 4.8 MEDIUM |
| The addthis plugin before 5.0.13 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=addthis_social_widget pubid parameter. | |||||
| CVE-2015-9427 | 1 Googmonify Project | 1 Googmonify | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The googmonify plugin through 0.5.1 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=googmonify.php PID or AID parameter. | |||||
| CVE-2019-16903 | 1 Plutinosoft | 1 Platinum | 2019-09-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServer.cpp because it checks for /.. where it should be checking for ../ instead. | |||||
| CVE-2019-6654 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2019-09-26 | 3.3 LOW | 4.3 MEDIUM |
| On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on an adjacent system to force BIG-IP into processing packets with spoofed source addresses. | |||||
| CVE-2015-9436 | 1 Qurl | 1 Dynamic Widgets | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM |
| The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=term_tree prefix or widget_id parameter. | |||||
| CVE-2015-9438 | 1 Display-widgets Project | 1 Display-widgets | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM |
| The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dw_show_widget id_base, widget_number, or instance parameter. | |||||
| CVE-2015-9430 | 1 Crazy Bone Project | 1 Crazy Bone | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header. | |||||
| CVE-2019-12205 | 1 Silverstripe | 1 Silverstripe | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS. | |||||
| CVE-2015-9414 | 1 Wpsymposiumpro | 1 Wp-symposium | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter. | |||||
| CVE-2015-9409 | 1 Alo-easymail Project | 1 Alo-easymail | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resultant XSS in pages/alo-easymail-admin-options.php. | |||||
| CVE-2015-9437 | 1 Qurl | 1 Dynamic Widgets | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=dynwid-config page_limit parameter. | |||||
| CVE-2015-9419 | 1 Captain-slider Project | 1 Captain-slider | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The captain-slider plugin 1.0.6 for WordPress has XSS via a Title or Caption section. | |||||
| CVE-2015-9434 | 1 Kiwi-logo-carousel Project | 1 Kiwi-logo-carousel | 2019-09-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| The kiwi-logo-carousel plugin before 1.7.2 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings tab or tab_flags_order parameter. | |||||
| CVE-2015-9412 | 1 Royal-slider Project | 1 Royal-slider | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Royal-Slider plugin before 3.2.7 for WordPress has XSS via the rstype parameter. | |||||
| CVE-2019-15120 | 1 Kunena | 1 Kunena | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode. | |||||
| CVE-2019-16890 | 1 Halo | 1 Halo | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM |
| Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments. | |||||
| CVE-2019-10406 | 1 Jenkins | 1 Jenkins | 2019-09-25 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission. | |||||
| CVE-2019-15782 | 1 Webtorrent | 1 Webtorrent | 2019-09-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| WebTorrent before 0.107.6 allows XSS in the HTTP server via a title or file name. | |||||
| CVE-2019-14807 | 1 Mediawiki | 1 Mobilefrontend | 2019-09-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS exists within the edit summary field in includes/specials/MobileSpecialPageFeed.php. | |||||
| CVE-2019-16751 | 1 Devise Token Auth Project | 1 Devise Token Auth | 2019-09-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller. | |||||
| CVE-2019-14239 | 1 Nxp | 6 Kinetis K8x, Kinetis K8x Firmware, Kinetis Kv1x and 3 more | 2019-09-25 | 4.6 MEDIUM | 6.6 MEDIUM |
| On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by leveraging a load instruction inside the execute-only region to expose the protected code into a CPU register. | |||||
| CVE-2019-14238 | 1 St | 12 Stm32f4, Stm32f4 Firmware, Stm32f7 and 9 more | 2019-09-25 | 4.6 MEDIUM | 6.6 MEDIUM |
| On STMicroelectronics STM32F7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated with a debug probe via the Instruction Tightly Coupled Memory (ITCM) bus. | |||||