Total: 46623 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15102 | 3 Canonical, Linux, Redhat | 3 Ubuntu Linux, Linux Kernel, Enterprise Linux | 2019-05-08 | 6.9 MEDIUM | 6.3 MEDIUM |
| The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference. | |||||
| CVE-2019-11818 | 1 Alkacon | 1 Opencms | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert arbitrary JavaScript as user input (First Name or Last Name), which will be executed whenever the affected snippet is loaded. | |||||
| CVE-2018-1999006 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade. | |||||
| CVE-2019-4258 | 1 Ibm | 1 Sterling B2b Integrator | 2019-05-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Sterling B2B Integrator 6.0.0.0 and 6.0.0.1 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 159946. | |||||
| CVE-2019-7687 | 1 Jio | 2 Jmr1140, Jmr1140 Firmware | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| cgi-bin/qcmap_web_cgi on JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices has POST based reflected XSS via the Page parameter. No sanitization is performed for user input data. | |||||
| CVE-2019-11814 | 1 Misp | 1 Misp | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot. | |||||
| CVE-2018-1933 | 1 Ibm | 1 Planning Analytics | 2019-05-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Planning Analytics 2.0 through 2.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153177. | |||||
| CVE-2019-11813 | 1 Misp | 1 Misp | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links. | |||||
| CVE-2019-11812 | 1 Misp | 1 Misp | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link. | |||||
| CVE-2019-7426 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter. | |||||
| CVE-2019-7427 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the autorefTime or graphTypes parameter. | |||||
| CVE-2019-7541 | 1 Rukovoditel | 1 Rukovoditel | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring. | |||||
| CVE-2018-20503 | 1 Alliedtelesis | 2 8100l/8, 8100l/8 Firmware | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Allied Telesis 8100L/8 devices allow XSS via the edit-ipv4_interface.php vlanid or subnet_mask parameter. | |||||
| CVE-2018-4067 | 1 Sierrawireless | 2 Airlink Es450, Airlink Es450 Firmware | 2019-05-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| An exploitable information disclosure vulnerability exists in the ACEManager template_load.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an information leak, resulting in the disclosure of internal paths and files. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2018-4065 | 1 Sierrawireless | 2 Airlink Es450, Airlink Es450 Firmware | 2019-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An exploitable cross-site scripting vulnerability exists in the ACEManager ping_result.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP ping request can cause reflected JavaScript code execution, resulting in the execution of JavaScript code running on the victim's browser. An attacker can get a victim to click a link, or embedded URL, that redirects to the reflected cross-site scripting vulnerability to trigger this vulnerability. | |||||
| CVE-2018-14478 | 1 Coppermine-gallery | 1 Coppermine Photo Gallery | 2019-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| ecard.php in Coppermine Photo Gallery (CPG) 1.5.46 has XSS via the sender_name, recipient_email, greetings, or recipient_name parameter. | |||||
| CVE-2019-11629 | 1 Sonatype | 1 Nexus Repository Manager | 2019-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sonatype Nexus Repository Manager 2.x before 2.14.13 allows XSS. | |||||
| CVE-2019-11537 | 1 Osticket | 1 Osticket | 2019-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message. The XSS can lead to local file inclusion. | |||||
| CVE-2018-4068 | 1 Sierrawireless | 2 Airlink Es450, Airlink Es450 Firmware | 2019-05-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| An exploitable information disclosure vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. An HTTP request can result in disclosure of the default configuration for the device. An attacker can send an unauthenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2019-9709 | 1 Mahara | 1 Mahara | 2019-05-07 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection's SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user. | |||||
| CVE-2019-1838 | 1 Cisco | 1 Application Policy Infrastructure Controller | 2019-05-07 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. This vulnerability has been fixed in software version 14.1(1i). | |||||
| CVE-2018-13983 | 1 Impresscms | 1 Impresscms | 2019-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| ImpressCMS 1.3.10 has XSS via the PATH_INFO to htdocs/install/index.php, htdocs/install/page_langselect.php, or htdocs/install/page_modcheck.php. | |||||
| CVE-2019-3400 | 1 Atlassian | 1 Jira | 2019-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter. | |||||
| CVE-2017-1457 | 1 Ibm | 1 Qradar Network Security | 2019-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM QRadar Network Security 5.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128376. | |||||
| CVE-2019-10261 | 1 Centos-webpanel | 1 Centos Web Panel | 2019-05-06 | 3.5 LOW | 4.8 MEDIUM |
| CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action. | |||||
| CVE-2019-11504 | 1 Zotonic | 1 Zotonic | 2019-05-06 | 3.5 LOW | 4.8 MEDIUM |
| Zotonic before version 0.47 has mod_admin XSS. | |||||
| CVE-2019-11767 | 1 Phpbb | 1 Phpbb | 2019-05-06 | 5.0 MEDIUM | 5.8 MEDIUM |
| Server side request forgery (SSRF) in phpBB before 3.2.6 allows checking for the existence of files and services on the local network of the host through the remote avatar upload function. | |||||
| CVE-2019-11690 | 1 Denx | 1 U-boot | 2019-05-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| gen_rand_uuid in lib/uuid.c in Das U-Boot v2014.04 through v2019.04 lacks an srand call, which allows attackers to determine UUID values in scenarios where CONFIG_RANDOM_UUID is enabled, and Das U-Boot is relied upon for UUID values of a GUID Partition Table of a boot device. | |||||
| CVE-2019-3490 | 1 Microfocus | 1 Open Enterprise Server | 2019-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A DOM-based XSS vulnerability has been identified in the Netstorage component of Open Enterprise Server (OES) allowing a remote attacker to execute JavaScript in the victim's browser by tricking the victim into clicking on a specially crafted link. This affects OES versions OES2015SP1, OES2018, and OES2018SP1. Older versions may be affected but were not tested as they are out of support. | |||||
| CVE-2019-10864 | 1 Veronalabs | 1 Wp Statistics | 2019-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request. | |||||
| CVE-2019-10317 | 1 Jenkins | 1 Sitemonitor | 2019-05-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM. | |||||
| CVE-2019-10314 | 1 Jenkins | 1 Koji | 2019-05-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM. | |||||
| CVE-2019-10307 | 1 Jenkins | 1 Static Analysis Utilities | 2019-05-06 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users. | |||||
| CVE-2019-0191 | 1 Apache | 1 Karaf | 2019-05-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in the zip file. This means that a malicious user could craft a .kar file with ".." directory names and break out of the directories to write arbitrary content to the filesystem. This is the "Zip-slip" vulnerability - https://snyk.io/research/zip-slip-vulnerability. This vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf release prior to 4.2.3 is impacted. | |||||
| CVE-2018-2015 | 1 Ibm | 1 Api Connect | 2019-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM API Connect 2018.1 and 2018.4.1.4 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 155195. | |||||
| CVE-2019-1856 | 1 Cisco | 1 Prime Collaboration Assurance | 2019-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance (PCA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to the insufficient validation of data supplied by external devices to the web-based management interface of an affected PCA device. An attacker in control of devices integrated with an affected PCA device could exploit this vulnerability by using crafted data in certain fields of the controlled devices. A successful exploit could allow the attacker to execute arbitrary script code in the context of the PCA web-based management interface or allow the attacker to access sensitive browser-based information. | |||||
| CVE-2018-1099 | 2 Fedoraproject, Redhat | 2 Fedora, Etcd | 2019-05-06 | 2.1 LOW | 5.5 MEDIUM |
| DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address). | |||||
| CVE-2018-20824 | 1 Atlassian | 1 Jira | 2019-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. | |||||
| CVE-2019-3840 | 2 Opensuse, Redhat | 2 Leap, Libvirt | 2019-05-05 | 3.5 LOW | 6.3 MEDIUM |
| A NULL pointer dereference flaw was discovered in libvirt before version 5.0.0 in the way it gets interface information through the QEMU agent. An attacker in a guest VM can use this flaw to crash libvirtd and cause a denial of service. | |||||
| CVE-2017-11163 | 1 Cacti | 1 Cacti | 2019-05-03 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. | |||||
| CVE-2018-16960 | 1 Buffalo | 1 Open Xdmod | 2019-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Open XDMoD through 7.5.0. html/gui/general/login.php has Reflected XSS via the xd_user_formal_name parameter. | |||||
| CVE-2017-1380 | 1 Ibm | 1 Websphere Application Server | 2019-05-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127151. | |||||
| CVE-2018-16718 | 1 Nih | 1 Ncbi Toolbox | 2019-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability exists in wwwblast.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox via a crafted -z1 argument. | |||||
| CVE-2017-12971 | 1 Apache2triad | 1 Apache2triad | 2019-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Apache2Triad 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the account parameter to phpsftpd/users.php. | |||||
| CVE-2017-11503 | 1 Phpmailer Project | 1 Phpmailer | 2019-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php. | |||||
| CVE-2019-11676 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2019-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| The user defined DNS name in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to stored XSS attacks. | |||||
| CVE-2018-10383 | 1 Lantronix | 2 Securelinx Spider, Securelinx Spider Firmware | 2019-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Lantronix SecureLinx Spider (SLS) 2.2+ devices have XSS in the auth.asp login page. | |||||
| CVE-2018-14875 | 1 Polarisft | 1 Intellect Core Banking | 2019-05-03 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the Core and Portal modules in Polaris FT Intellect Core Banking 9.7.1. Reflected XSS exists with an authenticated session via the Customerid, formName, FrameId, or MODE parameter. | |||||
| CVE-2018-14931 | 1 Polarisft | 1 Intellect Core Banking | 2019-05-03 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the Core and Portal modules in Polaris FT Intellect Core Banking 9.7.1. An open redirect exists via a /IntellectMain.jsp?IntellectSystem= URI. | |||||
| CVE-2019-10272 | 1 Weaver | 1 E-cology | 2019-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Weaver e-cology 9.0. There is a CRLF Injection vulnerability via the /workflow/request/ViewRequestForwardSPA.jsp isintervenor parameter, as demonstrated by the %0aSet-cookie: substring. | |||||
