Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16179 | 1 Mizuhobank | 1 Mizuho Direct Application | 2019-01-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Mizuho Direct App for Android version 3.13.0 and earlier does not verify server certificates, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2018-16192 | 1 Nec | 4 Aterm Wf1200cr, Aterm Wf1200cr Firmware, Aterm Wg1200cr and 1 more | 2019-01-17 | 3.3 LOW | 6.5 MEDIUM |
| Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allow an attacker on the same network segment to obtain information registered on the device via unspecified vectors. | |||||
| CVE-2016-4643 | 1 Apple | 3 Apple Tv, Iphone Os, Mac Os | 2019-01-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a validation issue existed in the parsing of 407 responses. This issue was addressed through improved response validation. | |||||
| CVE-2018-16193 | 1 Nec | 4 Aterm Wf1200cr, Aterm Wf1200cr Firmware, Aterm Wg1200cr and 1 more | 2019-01-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-0501 | 2 Canonical, Debian | 2 Ubuntu Linux, Advanced Package Tool | 2019-01-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail. | |||||
| CVE-2019-6455 | 1 Gnu | 1 Recutils | 2019-01-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GNU Recutils 1.8. There is a double-free problem in the function rec_mset_elem_destroy() in the file rec-mset.c. | |||||
| CVE-2019-6456 | 1 Gnu | 1 Recutils | 2019-01-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GNU Recutils 1.8. There is a NULL pointer dereference in the function rec_fex_size() in the file rec-fex.c of librec.a. | |||||
| CVE-2019-6460 | 1 Gnu | 1 Recutils | 2019-01-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GNU Recutils 1.8. There is a NULL pointer dereference in the function rec_field_set_name() in the file rec-field.c in librec.a. | |||||
| CVE-2019-0238 | 1 Sap | 1 Hybris | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2016-4644 | 1 Apple | 3 Apple Tv, Iphone Os, Mac Os | 2019-01-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authentication types with the credentials. | |||||
| CVE-2018-16180 | 1 Daj | 1 I-filter | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in i-FILTER Ver.9.50R05 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-20524 | 1 Urlchatbox | 1 Chat Anywhere | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of <<a> in a message, because a danmuWrapper DIV element in chatbox-only\danmu.js is outside the scope of a Content Security Policy (CSP). | |||||
| CVE-2016-4642 | 1 Apple | 3 Apple Tv, Iphone Os, Mac Os | 2019-01-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, proxy authentication incorrectly reported HTTP proxies received credentials securely. This issue was addressed through improved warnings. | |||||
| CVE-2019-0245 | 1 Sap | 3 Customer Relationship Management Webclient Ui, S4fnd, Sapscore | 2019-01-17 | 3.5 LOW | 5.4 MEDIUM |
| SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0244 | 1 Sap | 3 Customer Relationship Management Webclient Ui, S4fnd, Sapscore | 2019-01-17 | 3.5 LOW | 5.4 MEDIUM |
| SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2017-13891 | 1 Apple | 1 Iphone Os | 2019-01-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| In iOS before 11.2, an inconsistent user interface issue was addressed through improved state management. | |||||
| CVE-2019-6267 | 1 Premiumwpsuite | 1 Easy Redirect Manager | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Premium WP Suite Easy Redirect Manager plugin 28.07-17 for WordPress has XSS via a crafted GET request that is mishandled during log viewing at the templates/admin/redirect-log.php URI. | |||||
| CVE-2018-1772 | 1 Ibm | 1 Spss Analytic Server | 2019-01-17 | 3.5 LOW | 5.4 MEDIUM |
| IBM SPSS Analytic Server 3.1.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148689. | |||||
| CVE-2017-2411 | 1 Apple | 1 Iphone Os | 2019-01-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| In iOS before 11.2, exchange rates were retrieved from HTTP rather than HTTPS. This was addressed by enabling HTTPS for exchange rates. | |||||
| CVE-2015-9279 | 1 Mailenable | 1 Mailenable | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| MailEnable before 8.60 allows Stored XSS via malformed use of "<img/src" with no ">" character in the body of an e-mail message. | |||||
| CVE-2018-16164 | 1 Web-dorado | 1 Event Calendar Wd | 2019-01-16 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2016-9392 | 1 Jasper Project | 1 Jasper | 2019-01-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The calcstepsizes function in jpc_dec.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. | |||||
| CVE-2017-9526 | 1 Gnupg | 1 Libgcrypt | 2019-01-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library. | |||||
| CVE-2018-6114 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect enforcement of CSP for <object> tags in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2018-6179 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient enforcement of file access permission in the activeTab case in Extensions in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension. | |||||
| CVE-2018-16205 | 1 Weseek | 1 Growi | 2019-01-16 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal. | |||||
| CVE-2018-4256 | 1 Apple | 1 Mac Os X | 2019-01-16 | 2.1 LOW | 5.5 MEDIUM |
| In macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation. | |||||
| CVE-2018-20070 | 1 Google | 1 Chrome | 2019-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |||||
| CVE-2018-4255 | 1 Apple | 1 Mac Os X | 2019-01-16 | 2.1 LOW | 5.5 MEDIUM |
| In macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation. | |||||
| CVE-2018-20068 | 1 Google | 1 Chrome | 2019-01-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect handling of 304 status codes in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page. | |||||
| CVE-2018-20703 | 1 Cubecart | 1 Cubecart | 2019-01-16 | 3.5 LOW | 5.4 MEDIUM |
| CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string. | |||||
| CVE-2019-6243 | 1 Frog Cms Project | 1 Frog Cms | 2019-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Frog CMS 0.9.5 allows XSS via the forgot password page (aka the /admin/?/login/forgot URI). | |||||
| CVE-2018-1000413 | 1 Config File Provider Project | 1 Config File Provider | 2019-01-15 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins. | |||||
| CVE-2018-6117 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Confusing settings in Autofill in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||||
| CVE-2018-8827 | 1 Technicolor | 2 Tg789vac, Tg789vac Firmware | 2019-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The admin web interface on Technicolor MediaAccess TG789vac v2 HP devices with firmware v16.3.7190-2761005-20161004084353 displays unsanitised user input, which allows an unauthenticated malicious user to embed JavaScript into the Log viewer interface via a crafted HTTP Referer header, aka XSS. | |||||
| CVE-2018-16079 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2019-01-15 | 2.6 LOW | 5.3 MEDIUM |
| A race condition between permission prompts and navigations in Prompts in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2018-16082 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2019-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| An out of bounds read in Swiftshader in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |||||
| CVE-2018-6169 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Lack of timeout on extension install prompt in Extensions in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to trigger installation of an unwanted extension via a crafted HTML page. | |||||
| CVE-2018-20326 | 1 Chinamobile | 2 Gpn2.4p21-c-cn, Gpn2.4p21-c-cn Firmware | 2019-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W2001EN-00 have XSS via the cgi-bin/webproc?getpage=html/index.html var:subpage parameter. | |||||
| CVE-2019-3501 | 1 Ougc Awards Project | 1 Ougc Awards | 2019-01-15 | 3.5 LOW | 4.8 MEDIUM |
| The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile. | |||||
| CVE-2018-20663 | 1 Haulmont | 2 Cuba Platform, Reporting | 2019-01-15 | 3.5 LOW | 5.4 MEDIUM |
| The Reporting Addon (aka Reports Addon) through 2019-01-02 for CUBA Platform through 6.10.x has Persistent XSS via the "Reports > Reports" name field. | |||||
| CVE-2018-20583 | 1 Thephpleague | 1 Commonmark | 2019-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript as javascri%0apt). | |||||
| CVE-2018-20594 | 1 Hsweb | 1 Hsweb | 2019-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in hsweb 3.0.4. It is a reflected XSS vulnerability due to the absence of type parameter checking in FlowableModelManagerController.java. | |||||
| CVE-2018-20368 | 1 Averta | 1 Master Slider | 2019-01-15 | 3.5 LOW | 5.4 MEDIUM |
| The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the wp-admin/admin-ajax.php Name input field of the MSPanel.Settings value on Callback. | |||||
| CVE-2018-20369 | 1 Barracuda | 1 Message Archiver | 2019-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Barracuda Message Archiver 2018 has XSS in the error_msg exception-handling value for the ldap_user parameter to the cgi-mod/ldap_load_entry.cgi module. The injection point of the issue is the Add_Update module. | |||||
| CVE-2016-10736 | 1 Devpups | 1 Social Pug | 2019-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "Social Pug - Easy Social Share Buttons" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter. | |||||
| CVE-2018-1000826 | 1 Microweber | 1 Microweber | 2019-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in Admin login form template that can result in Execution of JavaScript code. | |||||
| CVE-2019-5006 | 2 Foxitsoftware, Microsoft | 3 Foxit Reader, Phantompdf, Windows | 2019-01-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on Windows. It is a NULL pointer dereference during PDF parsing. | |||||
| CVE-2019-0556 | 1 Microsoft | 1 Sharepoint Server | 2019-01-15 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0557, CVE-2019-0558. | |||||
| CVE-2019-0558 | 1 Microsoft | 2 Business Productivity Servers, Sharepoint Server | 2019-01-15 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint, Microsoft Business Productivity Servers. This CVE ID is unique from CVE-2019-0556, CVE-2019-0557. | |||||
