Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-9919 | 1 Bilboplanet | 1 Bilboplanet | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the fullname parameter to signup.php. | |||||
| CVE-2014-9918 | 1 Bilboplanet | 1 Bilboplanet | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the user_id parameter to signup.php. | |||||
| CVE-2019-11429 | 1 Centos-webpanel | 1 Centos Web Panel | 2019-05-15 | 3.5 LOW | 4.8 MEDIUM |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen. | |||||
| CVE-2019-8390 | 1 Qdpm | 1 Qdpm | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. | |||||
| CVE-2019-8391 | 1 Qdpm | 1 Qdpm | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter. | |||||
| CVE-2018-16139 | 1 Bibliosoft | 1 Bibliopac | 2019-05-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in BIBLIOsoft BIBLIOpac 2008 allows remote attackers to inject arbitrary web script or HTML via the db or action parameter to to bin/wxis.exe/bibliopac/. | |||||
| CVE-2019-4204 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2019-05-15 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 159125. | |||||
| CVE-2018-1990 | 1 Ibm | 1 Cloud App Management | 2019-05-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Cloud App Management V2018.2.0, V2018.4.0, and V2018.4.1 could allow an attacker to obtain sensitive configuration information using a specially crafted HTTP request. IBM X-Force ID: 154283. | |||||
| CVE-2016-8633 | 1 Linux | 1 Linux Kernel | 2019-05-14 | 6.2 MEDIUM | 6.8 MEDIUM |
| drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets. | |||||
| CVE-2017-17558 | 2 Linux, Suse | 2 Linux Kernel, Linux Enterprise Server | 2019-05-14 | 7.2 HIGH | 6.6 MEDIUM |
| The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device. | |||||
| CVE-2018-1068 | 4 Canonical, Debian, Linux and 1 more | 10 Ubuntu Linux, Debian Linux, Linux Kernel and 7 more | 2019-05-14 | 7.2 HIGH | 6.7 MEDIUM |
| A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. | |||||
| CVE-2018-20838 | 1 Magazine3 | 1 Amp For Wp | 2019-05-14 | 3.5 LOW | 5.4 MEDIUM |
| ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS. | |||||
| CVE-2018-14712 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2019-05-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter. | |||||
| CVE-2018-14711 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2019-05-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs. | |||||
| CVE-2018-18558 | 1 Espressif | 1 Esp-idf | 2019-05-14 | 6.9 MEDIUM | 6.4 MEDIUM |
| An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory. | |||||
| CVE-2019-6514 | 1 Wso2 | 1 Dashboard Server | 2019-05-14 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to inject a JavaScript payload that will be stored in the database and then displayed and executed on the same page, aka XSS. | |||||
| CVE-2019-6512 | 1 Wso2 | 1 Api Manager | 2019-05-14 | 4.0 MEDIUM | 4.1 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network scanning), or to enumerate files because of the existence of the file:// wrapper. | |||||
| CVE-2019-6516 | 1 Wso2 | 1 Dashboard Server | 2019-05-14 | 5.0 MEDIUM | 5.8 MEDIUM |
| An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to force the application to perform requests to the internal workstation (port-scanning) and to perform requests to adjacent workstations (network-scanning), aka SSRF. | |||||
| CVE-2018-16887 | 2 Redhat, Theforeman | 2 Satellite, Katello | 2019-05-14 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable. | |||||
| CVE-2018-14664 | 1 Theforeman | 1 Foreman | 2019-05-14 | 3.5 LOW | 5.4 MEDIUM |
| A flaw was found in foreman from versions 1.18. A stored cross-site scripting vulnerability exists due to an improperly escaped HTML code in the breadcrumbs bar. This allows a user with permissions to edit which attribute is used in the breadcrumbs bar to store code that will be executed on the client side. | |||||
| CVE-2018-16861 | 1 Theforeman | 1 Foreman | 2019-05-14 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable. | |||||
| CVE-2018-14710 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2019-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. | |||||
| CVE-2017-6975 | 1 Apple | 1 Iphone Os | 2019-05-14 | 7.2 HIGH | 6.8 MEDIUM |
| Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack buffer overflow exploitation via a crafted access point. NOTE: because an operating system could potentially isolate itself from CVE-2017-6956 exploitation without patching Broadcom firmware functions, there is a separate CVE ID for the operating-system behavior. | |||||
| CVE-2018-15530 | 1 Xerox | 2 Colorqube 8580, Colorqube 8580 Firmware | 2019-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code. | |||||
| CVE-2017-13142 | 1 Imagemagick | 1 Imagemagick | 2019-05-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files. | |||||
| CVE-2019-7411 | 1 Mythemeshop | 1 Launcher | 2019-05-14 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL). | |||||
| CVE-2017-12872 | 2 Debian, Simplesamlphp | 2 Debian Linux, Simplesamlphp | 2019-05-13 | 4.3 MEDIUM | 5.9 MEDIUM |
| The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input. | |||||
| CVE-2019-11869 | 1 Yuzopro | 1 Yuzo | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting. | |||||
| CVE-2019-11070 | 2 Webkitgtk, Wpewebkit | 2 Webkitgtk, Wpe Webkit | 2019-05-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded. | |||||
| CVE-2017-8685 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2019-05-13 | 2.1 LOW | 5.5 MEDIUM |
| Windows GDI+ on Microsoft Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows information disclosure by the way it discloses kernel memory addresses, aka "Windows GDI+ Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-8684 and CVE-2017-8688. | |||||
| CVE-2017-14956 | 1 Alienvault | 1 Unified Security Management | 2019-05-13 | 3.5 LOW | 5.7 MEDIUM |
| AlienVault USM v5.4.2 and earlier offers authenticated users the functionality of exporting generated reports via the "/ossim/report/wizard_email.php" script. Besides offering an export via a local download, the script also offers the possibility to send out any report via email to a given address (either in PDF or XLS format). Since there is no anti-CSRF token protecting this functionality, it is vulnerable to Cross-Site Request Forgery attacks. | |||||
| CVE-2018-16624 | 1 Getkirby | 1 Kirby | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page. | |||||
| CVE-2018-19048 | 1 Mycolorway | 1 Simditor | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Simditor through 2.3.21 allows DOM XSS via an onload attribute within a malformed SVG element. | |||||
| CVE-2018-16623 | 1 Getkirby | 1 Kirby | 2019-05-13 | 3.5 LOW | 4.8 MEDIUM |
| Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown. | |||||
| CVE-2018-12302 | 1 Seagate | 1 Nas Os | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Missing HTTPOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting. | |||||
| CVE-2018-18524 | 1 Evernote | 1 Evernote | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability. An attacker can use this XSS issue to inject Node.js code under Present mode. After a victim opens an affected note under Present mode, the attacker can read the victim's files and achieve remote execution command on the victim's computer. | |||||
| CVE-2018-12303 | 1 Seagate | 1 Nas Os | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via directory names. | |||||
| CVE-2018-12300 | 1 Seagate | 1 Nas Os | 2019-05-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter. | |||||
| CVE-2018-18872 | 1 Kieranoshea | 1 Calendar | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stored XSS via the event_title parameter in a wp-admin/admin.php?page=calendar add action, or the category name during category creation at the wp-admin/admin.php?page=calendar-categories URI. | |||||
| CVE-2019-12043 | 1 Remarkable Project | 1 Remarkable | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL. | |||||
| CVE-2019-7409 | 1 Vegadesign | 1 Profiledesign Cms | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign CMS v6.0.2.5 allows remote attackers to inject arbitrary web script or HTML via the (1) page, (2) gbs, (3) side, (4) id, (5) imgid, (6) cat, or (7) orderby parameter. | |||||
| CVE-2019-12047 | 1 Gridea | 1 Gridea | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Gridea v0.8.0 has an XSS vulnerability through which the Nodejs module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "<img src=# onerror='eval(new Buffer(" substring. | |||||
| CVE-2018-12299 | 1 Seagate | 1 Nas Os | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via uploaded file names. | |||||
| CVE-2018-12297 | 1 Seagate | 1 Nas Os | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in API error pages in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via URL path names. | |||||
| CVE-2018-18409 | 3 Canonical, Digitalcorpora, Fedoraproject | 3 Ubuntu Linux, Tcpflow, Fedora | 2019-05-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW 1.5.0, due to received incorrect values causing incorrect computation, leading to denial of service during an address_histogram call or a get_histogram call. | |||||
| CVE-2017-18121 | 2 Debian, Simplesamlphp | 2 Debian Linux, Simplesamlphp | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser. | |||||
| CVE-2018-12304 | 1 Seagate | 1 Nas Os | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL. | |||||
| CVE-2018-16626 | 1 Typesettercms | 1 Typesetter | 2019-05-13 | 3.5 LOW | 4.8 MEDIUM |
| index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name. | |||||
| CVE-2018-16625 | 1 Typesettercms | 1 Typesetter | 2019-05-13 | 3.5 LOW | 4.8 MEDIUM |
| index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. | |||||
| CVE-2018-16639 | 1 Typesettercms | 1 Typesetter | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation. | |||||