Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2016-10981 | 1 Kentothemes | 1 Kento-post-view-counter | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM | The kento-post-view-counter plugin through 2.8 for WordPress has stored XSS via kento_pvc_numbers_lang, kento_pvc_today_text, or kento_pvc_total_text. |
| CVE-2016-10987 | 1 Woocommerce | 1 Persian Woocommerce Sms | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM | The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS. |
| CVE-2016-10979 | 1 Fossura | 1 Tag Miner | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM | The fossura-tag-miner plugin before 1.1.5 for WordPress has XSS. |
| CVE-2016-10980 | 1 Kentothemes | 1 Kento-post-view-counter | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM | The kento-post-view-counter plugin through 2.8 for WordPress has XSS via kento_pvc_geo. |
| CVE-2018-7547 | 1 Lingyun | 1 Lyadmin | 2019-09-17 | 3.5 LOW | 4.8 MEDIUM | lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the /admin.php?s=/admin/config/groupsave.html URI. |
| CVE-2019-15950 | 1 Redmineup | 1 Crm | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM | The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. |
| CVE-2019-15738 | 1 Gitlab | 1 Gitlab | 2019-09-17 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Under certain conditions, merge request IDs were being disclosed via email. |
| CVE-2019-15740 | 1 Gitlab | 1 Gitlab | 2019-09-17 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 7.9 through 12.2.1. EXIF Geolocation data was not being removed from certain image uploads. |
| CVE-2019-15739 | 1 Gitlab | 1 Gitlab | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 8.1 through 12.2.1. Certain areas displaying Markdown were not properly sanitizing some XSS payloads. |
| CVE-2016-10957 | 1 Akal Project | 1 Akal | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM | The Akal theme through 2016-08-22 for WordPress has XSS via the framework/brad-shortcodes/tinymce/preview.php sc parameter. |
| CVE-2016-10964 | 1 Findshorty | 1 Dwnldr | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM | The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent HTTP header. |
| CVE-2016-10967 | 1 Creativeinteractivemedia | 1 Real3d Flipbook | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM | The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter. |
| CVE-2016-10959 | 1 Estatik | 1 Estatik | 2019-09-16 | 4.0 MEDIUM | 6.5 MEDIUM | The estatik plugin before 2.3.1 for WordPress has authenticated arbitrary file upload (exploitable with CSRF) via es_media_images[] to wp-admin/admin-ajax.php. |
| CVE-2016-10969 | 1 Supportflow Project | 1 Supportflow | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | The supportflow plugin before 0.7 for WordPress has XSS via a discussion ticket title. |
| CVE-2016-10973 | 1 Brafton | 1 Brafton | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php. |
| CVE-2016-10970 | 1 Supportflow Project | 1 Supportflow | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | The supportflow plugin before 0.7 for WordPress has XSS via a ticket excerpt. |
| CVE-2019-6004 | 1 Fujixerox | 2 Apeosware Management Suite, Apeosware Management Suite 2 | 2019-09-16 | 5.8 MEDIUM | 6.1 MEDIUM | Open redirect vulnerability in ApeosWare Management Suite Ver.1.4.0.18 and earlier, and ApeosWare Management Suite 2 Ver.2.1.2.4 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| CVE-2019-8368 | 1 Open-emr | 1 Openemr | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | OpenEMR v5.0.1-6 allows XSS. |
| CVE-2019-8444 | 1 Atlassian | 1 Jira | 2019-09-16 | 3.5 LOW | 5.4 MEDIUM | The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2, allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification. |
| CVE-2019-14998 | 1 Atlassian | 1 Jira | 2019-09-16 | 4.3 MEDIUM | 6.5 MEDIUM | The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance. |
| CVE-2019-14995 | 1 Atlassian | 1 Jira | 2019-09-16 | 5.0 MEDIUM | 5.3 MEDIUM | The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check. |
| CVE-2019-16334 | 1 Bludit | 1 Bludit | 2019-09-16 | 3.5 LOW | 4.8 MEDIUM | In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636. |
| CVE-2019-5985 | 2 Ntt-east, Ntt-west | 92 Pr-400ki, Pr-400ki Firmware, Pr-400mi and 89 more | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in Hikari Denwa router/Home GateWay (Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI firmware version Ver.19.01.0005 and earlier, PR-S300SE/RT-S300SE/RV-S340SE firmware version Ver.19.40 and earlier, PR-400NE/RT-400NE/RV-440NE firmware version Ver.7.42 and earlier, PR-400KI/RT-400KI/RV-440KI firmware version Ver.07.00.1010 and earlier, PR-400MI/RT-400MI/RV-440MI firmware version Ver. 07.00.1012 and earlier, PR-500KI/RT-500KI firmware version Ver.01.00.0090 and earlier, RS-500KI firmware version Ver.01.00.0070 and earlier, PR-500MI/RT-500MI firmware version Ver.01.01.0014 and earlier, and RS-500MI firmware version Ver.03.01.0019 and earlier, and Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI firmware version Ver.19.01.0005 and earlier, PR-S300SE/RT-S300SE/RV-S340SE firmware version Ver.19.40 and earlier, PR-400NE/RT-400NE/RV-440NE firmware version Ver.7.42 and earlier, PR-400KI/RT-400KI/RV-440KI firmware version Ver.07.00.1010 and earlier, PR-400MI/RT-400MI/RV-440MI firmware version Ver. 07.00.1012 and earlier, PR-500KI/RT-500KI firmware version Ver.01.00.0090 and earlier, and PR-500MI/RT-500MI firmware version Ver.01.01.0011 and earlier) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-6003 | 1 Ec-cube | 1 Amazon Pay | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in EC-CUBE plugin 'Amazon Pay Plugin 2.12,2.13' version 2.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-16312 | 1 S-cms | 1 S-cms | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | s-cms V3.0 has XSS in index.php?type=text via the S_id parameter. |
| CVE-2019-16310 | 1 Niushop | 1 Niushop | 2019-09-16 | 3.5 LOW | 5.4 MEDIUM | NIUSHOP V1.11 has XSS via the index.php?s=/admin URI. |
| CVE-2017-7452 | 1 Entropymine | 1 Imageworsener | 2019-09-16 | 4.3 MEDIUM | 5.5 MEDIUM | The iwbmp_read_info_header function in imagew-bmp.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. |
| CVE-2017-7453 | 1 Entropymine | 1 Imageworsener | 2019-09-16 | 4.3 MEDIUM | 5.5 MEDIUM | The iwgif_record_pixel function in imagew-gif.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. |
| CVE-2017-7962 | 1 Entropymine | 1 Imageworsener | 2019-09-16 | 4.3 MEDIUM | 5.5 MEDIUM | The iwgif_read_image function in imagew-gif.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. |
| CVE-2017-9202 | 1 Entropymine | 1 Imageworsener | 2019-09-16 | 4.3 MEDIUM | 6.5 MEDIUM | imagew-cmd.c:854:45 in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted image, related to imagew-api.c. |
| CVE-2017-9201 | 1 Entropymine | 1 Imageworsener | 2019-09-16 | 4.3 MEDIUM | 6.5 MEDIUM | imagew-cmd.c:850:46 in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted image, related to imagew-api.c. |
| CVE-2017-9204 | 1 Entropymine | 1 Imageworsener | 2019-09-16 | 4.3 MEDIUM | 6.5 MEDIUM | The iw_get_ui16le function in imagew-util.c:405:23 in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted image, related to imagew-jpeg.c. |
| CVE-2017-7940 | 1 Entropymine | 1 Imageworsener | 2019-09-16 | 4.3 MEDIUM | 5.5 MEDIUM | The iw_read_gif_file function in imagew-gif.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to consume an amount of available memory via a crafted file. |
| CVE-2017-9205 | 1 Entropymine | 1 Imageworsener | 2019-09-16 | 4.3 MEDIUM | 6.5 MEDIUM | The iw_get_ui16be function in imagew-util.c:422:24 in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted image, related to imagew-jpeg.c. |
| CVE-2019-16289 | 1 Webcraftic | 1 Woody Ad Snippets | 2019-09-16 | 3.5 LOW | 5.4 MEDIUM | The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter. |
| CVE-2016-10952 | 1 Quotes Collection Project | 1 Quotes Collection | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter. |
| CVE-2018-17300 | 1 Cuppacms | 1 Cuppacms | 2019-09-16 | 3.5 LOW | 4.8 MEDIUM | Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name. |
| CVE-2019-12517 | 1 Slickquiz Project | 1 Slickquiz | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue was discovered in the slickquiz plugin through 1.3.7.1 for WordPress. The save_quiz_score functionality available via the /wp-admin/admin-ajax.php endpoint allows unauthenticated users to submit quiz solutions/answers, which are stored in the database and later shown in the WordPress backend for all users with at least Subscriber rights. Because the plugin does not properly validate and sanitize this data, a malicious payload in either the name or email field is executed directly within the backend at /wp-admin/admin.php?page=slickquiz across all users with the privileges of at least Subscriber. |
| CVE-2017-18615 | 1 Wp-kama | 1 Kama Click Counter | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | The kama-clic-counter plugin before 3.5.0 for WordPress has XSS. |
| CVE-2017-18613 | 1 Trust Form Project | 1 Trust Form | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | The trust-form plugin 2.0 for WordPress has XSS via the wp-admin/admin.php?page=trust-form-edit page parameter. |
| CVE-2017-18612 | 1 Netattingo | 1 Wp-whois-domain | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM | The wp-whois-domain plugin 1.0.0 for WordPress has XSS via the pages/func-whois.php domain parameter. |
| CVE-2019-16218 | 1 Wordpress | 1 Wordpress | 2019-09-15 | 4.3 MEDIUM | 6.1 MEDIUM | WordPress before 5.2.3 allows XSS in stored comments. |
| CVE-2019-15924 | 1 Linux | 1 Linux Kernel | 2019-09-14 | 4.9 MEDIUM | 5.5 MEDIUM | An issue was discovered in the Linux kernel before 5.0.11. fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c has a NULL pointer dereference because there is no -ENOMEM upon an alloc_workqueue failure. |
| CVE-2019-9488 | 1 Trendmicro | 2 Deep Security Manager, Vulnerability Protection | 2019-09-13 | 4.0 MEDIUM | 4.9 MEDIUM | Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Protection (2.0) are vulnerable to an XML External Entity Attack. However, for the attack to be possible, the attacker must have root/admin access to a protected host which is authorized to communicate with the Deep Security Manager (DSM). |
| CVE-2016-10941 | 1 Podlove | 1 Podlove Podcast Publisher | 2019-09-13 | 4.3 MEDIUM | 6.1 MEDIUM | The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF. |
| CVE-2016-10938 | 1 Copy-me Project | 1 Copy-me | 2019-09-13 | 4.3 MEDIUM | 6.5 MEDIUM | The copy-me plugin 1.0.0 for WordPress has CSRF for copying non-public posts to a public location. |
| CVE-2019-16238 | 1 Afterlogic | 1 Aurora | 2019-09-13 | 4.3 MEDIUM | 6.1 MEDIUM | Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged for session hijacking by retrieving the session cookie from the administrator login. |
| CVE-2019-5956 | 1 Wondercms | 1 Wondercms | 2019-09-13 | 7.5 HIGH | 6.5 MEDIUM | Directory traversal vulnerability in WonderCMS 2.6.0 and earlier allows remote attackers to delete arbitrary files via unspecified vectors. |
| CVE-2017-0912 | 1 Ui | 1 Ucrm | 2019-09-13 | 3.5 LOW | 5.4 MEDIUM | Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-site Scripting. Due to the lack of sanitization, it is possible to inject arbitrary HTML code by manipulating the uploaded filename. Successful exploitation requires valid credentials to an account with "Edit" access to "Scheduling". |
| CVE-2019-5978 | 1 Cybozu | 1 Garoon | 2019-09-13 | 5.8 MEDIUM | 6.1 MEDIUM | Open redirect vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the application 'Scheduler'. |
