Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-20370 | 1 The-sz | 1 Netchat | 2019-01-09 | 3.5 LOW | 5.4 MEDIUM |
| SZ NetChat before 7.9 has XSS in the MyName input field of the Options module. Attackers are able to inject commands to compromise the enabled HTTP server web frontend. | |||||
| CVE-2018-20351 | 1 Evernote | 1 Evernote | 2019-01-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Markdown component in Evernote (Chinese) before 8.3.2 on macOS allows stored XSS, aka MAC-832. | |||||
| CVE-2018-20462 | 1 Jsmol2wp Project | 1 Jsmol2wp | 2019-01-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter. | |||||
| CVE-2018-12651 | 1 Myadrenalin | 1 Human Resource Management Software | 2019-01-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin 5.4 HRMS Software. The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the ShiftEmployeeSearch.aspx prntFrmName or prntDDLCntrlName parameter. | |||||
| CVE-2018-1000860 | 1 Phpipam | 1 Phpipam | 2019-01-08 | 2.6 LOW | 4.7 MEDIUM |
| phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh'><script>alert(1)</script>quqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain.. | |||||
| CVE-2018-1000870 | 1 Phpipam | 1 Phpipam | 2019-01-08 | 3.5 LOW | 5.4 MEDIUM |
| PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in Execute code in the victims browser. This attack appear to be exploitable via Attacker change theme parameter in user settings. Admin(Victim) views user in admin-panel and gets exploited.. This vulnerability appears to have been fixed in 1.4. | |||||
| CVE-2018-20520 | 1 1234n | 1 Minicms | 2019-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a related issue to CVE-2018-10296 and CVE-2018-16233. | |||||
| CVE-2018-0723 | 1 Qnap | 1 Q\'center Virtual Appliance | 2019-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance 1.8.1014 and earlier versions could allow remote attackers to inject Javascript code in the compromised application, a different vulnerability than CVE-2018-0724. | |||||
| CVE-2018-0724 | 1 Qnap | 1 Q\'center Virtual Appliance | 2019-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance 1.8.1014 and earlier versions could allow remote attackers to inject Javascript code in the compromised application, a different vulnerability than CVE-2018-0723. | |||||
| CVE-2018-1000803 | 1 Gitea | 1 Gitea | 2019-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability that can result in Exposure of users private email addresses. This attack appear to be exploitable via Watch a repository to receive email notifications. Emails received contain the other recipients even if they have the email set as private. This vulnerability appears to have been fixed in 1.5.1. | |||||
| CVE-2018-9519 | 1 Google | 1 Android | 2019-01-08 | 6.9 MEDIUM | 6.4 MEDIUM |
| In easelcomm_hw_build_scatterlist, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System privileges required. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-69808833. | |||||
| CVE-2018-14852 | 1 Samsung | 2 Galaxy S6, Galaxy S6 Firmware | 2019-01-08 | 5.8 MEDIUM | 6.3 MEDIUM |
| Out-of-bounds array access in dhd_rx_frame in drivers/net/wireless/bcmdhd4358/dhd_linux.c in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 SM-G920F G920FXXU5EQH7 allows an attacker (who has obtained code execution on the Wi-Fi chip) to cause invalid accesses to operating system memory due to improper validation of the network interface index provided by the Wi-Fi chip's firmware. | |||||
| CVE-2018-14853 | 1 Samsung | 2 Galaxy S6, Galaxy S6 Firmware | 2019-01-08 | 3.3 LOW | 4.3 MEDIUM |
| A NULL pointer dereference in dhd_prot_txdata_write_flush in drivers/net/wireless/bcmdhd4358/dhd_msgbuf.c in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 SM-G920F G920FXXU5EQH7 allows an attacker (who has obtained code execution on the Wi-Fi chip) to cause the device to reboot. The Samsung ID is SVE-2018-11783. | |||||
| CVE-2018-14854 | 1 Samsung | 2 Galaxy S6, Galaxy S6 Firmware | 2019-01-08 | 5.8 MEDIUM | 6.3 MEDIUM |
| Buffer overflow in dhd_bus_flow_ring_delete_response in drivers/net/wireless/bcmdhd4358/dhd_pcie.c in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 SM-G920F G920FXXU5EQH7 allow an attacker (who has obtained code execution on the Wi-Fi chip) to cause the device driver to perform invalid memory accesses. The Samsung ID is SVE-2018-11785. | |||||
| CVE-2018-14855 | 1 Samsung | 2 Galaxy S6, Galaxy S6 Firmware | 2019-01-08 | 5.8 MEDIUM | 6.3 MEDIUM |
| Buffer overflow in dhd_bus_flow_ring_flush_response in drivers/net/wireless/bcmdhd4358/dhd_pcie.c in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 allow an attacker (who has obtained code execution on the Wi-Fi chip) to cause the device driver to perform invalid memory accesses. The Samsung ID is SVE-2018-11785. | |||||
| CVE-2018-14856 | 1 Samsung | 2 Galaxy S6, Galaxy S6 Firmware | 2019-01-08 | 5.8 MEDIUM | 6.3 MEDIUM |
| Buffer overflow in dhd_bus_flow_ring_create_response in drivers/net/wireless/bcmdhd4358/dhd_pcie.c in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 SM-G920F G920FXXU5EQH7 allow an attacker (who has obtained code execution on the Wi-Fi) chip to cause the device driver to perform invalid memory accesses. The Samsung ID is SVE-2018-11785. | |||||
| CVE-2018-20306 | 1 Pulsesecure | 1 Virtual Traffic Manager | 2019-01-08 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the web administration user interface of Pulse Secure Virtual Traffic Manager may allow a remote authenticated attacker to inject web script or HTML via a crafted website and steal sensitive data and credentials. Affected releases are Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1. | |||||
| CVE-2014-0219 | 1 Apache | 1 Karaf | 2019-01-08 | 2.1 LOW | 5.5 MEDIUM |
| Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports. | |||||
| CVE-2017-5658 | 1 Apache | 1 Pony Mail | 2019-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The statistics generator in Apache Pony Mail 0.7 to 0.9 was found to be returning timestamp data without proper authorization checks. This could lead to derived information disclosure on private lists about the timing of specific email subjects or text bodies, though without disclosing the content itself. As this was primarily used as a caching feature for faster loading times, the caching was disabled by default to prevent this. Users using 0.9 should upgrade to 0.10 to address this issue. | |||||
| CVE-2018-1000847 | 1 Freshdns Project | 1 Freshdns | 2019-01-08 | 3.5 LOW | 5.4 MEDIUM |
| FreshDNS version 1.0.3 and prior contains a Cross Site Scripting (XSS) vulnerability in Account data form; Zone editor that can result in Execution of attacker's JavaScript code in victim's session. This attack appear to be exploitable via The attacker stores a specially crafted string as their Full Name in their account details. The victim (e.g. the administrator of the FreshDNS instance) opens the User List in the admin interface.. This vulnerability appears to have been fixed in 1.0.5 and later. | |||||
| CVE-2018-17870 | 1 Btiteam | 1 Xbtit | 2019-01-08 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in BTITeam XBTIT 2.5.4. The "returnto" parameter of account_change.php is vulnerable to an open redirect, a different vulnerability than CVE-2018-15683. | |||||
| CVE-2018-20301 | 1 Coherence Project | 1 Coherence | 2019-01-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Steve Pallen Coherence before 0.5.2 that is similar to a Mass Assignment vulnerability. In particular, "registration" endpoints (e.g., creating, editing, updating) allow users to update any coherence_fields data. For example, users can automatically confirm their accounts by sending the confirmed_at parameter with their registration request. | |||||
| CVE-2018-9080 | 1 Lenovo | 40 Ez Media \& Backup Center, Ez Media \& Backup Center Firmware, Ix2 and 37 more | 2019-01-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, by setting the Iomega cookie to a known value before logging into the NAS's web application, the NAS will not provide the user a new cookie value. This allows an attacker who knows the cookie's value to compromise the user's session. | |||||
| CVE-2018-14394 | 1 Ffmpeg | 1 Ffmpeg | 2019-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted Waveform audio file. | |||||
| CVE-2018-1000816 | 1 Grafana | 1 Grafana | 2019-01-07 | 3.5 LOW | 5.4 MEDIUM |
| Grafana version confirmed for 5.2.4 and 5.3.0 contains a Cross Site Scripting (XSS) vulnerability in Influxdb and Graphite query editor that can result in Running arbitrary js code in victims browser.. This attack appear to be exploitable via Authenticated user must click on the input field where the payload was previously inserted.. | |||||
| CVE-2018-1000868 | 1 Webidsupport | 1 Webid | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| WeBid version up to current version 1.2.2 contains a Cross Site Scripting (XSS) vulnerability in user_login.php, register.php that can result in Javascript execution in the user's browser, injection of malicious markup into the page. This attack appear to be exploitable via The victim user must click a malicous link. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. | |||||
| CVE-2018-16778 | 1 Jenzabar | 1 Jenzabar | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Jenzabar v8.2.1 through 9.2.0 allows remote attackers to inject arbitrary web script or HTML via the query parameter (aka the Search Field). | |||||
| CVE-2018-2486 | 1 Sap | 2 Marketing Sapscore, Marketing Uicuan | 2019-01-07 | 3.5 LOW | 5.4 MEDIUM |
| SAP Marketing (UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2018-2502 | 1 Sap | 1 Business One On Hana | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| TRACE method is enabled in SAP Business One Service Layer . Attacker can use XST (Cross Site Tracing) attack if frontend applications that are using Service Layer has a XSS vulnerability. This has been fixed in SAP Business One Service Layer (B1_ON_HANA, versions 9.2, 9.3). | |||||
| CVE-2018-7108 | 1 Hpe | 1 Storageworks Xp7 Automation Director | 2019-01-07 | 4.3 MEDIUM | 5.9 MEDIUM |
| HPE StorageWorks XP7 Automation Director (AutoDir) version 8.5.2-02 to earlier than 8.6.1-00 has a local and remote authentication bypass vulnerability that exposed the user authentication information of the storage system. This problem sometimes occurred under specific conditions when running a service template. | |||||
| CVE-2018-1000848 | 1 Wampserver | 1 Wampserver | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wampserver version prior to version 3.1.5 contains a Cross Site Scripting (XSS) vulnerability in index.php localhost page that can result in very low. This attack appear to be exploitable via payload onmouseover. This vulnerability appears to have been fixed in 3.1.5 and later. | |||||
| CVE-2018-20172 | 1 Nagios | 1 Nagios Xi | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability. | |||||
| CVE-2018-20171 | 1 Nagios | 1 Nagios Xi | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability. | |||||
| CVE-2018-2505 | 1 Sap | 1 Hybris | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Commerce does not sufficiently validate user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability in storefronts that are based on the product. Fixed in versions (SAP Hybris Commerce, versions 6.2, 6.3, 6.4, 6.5, 6.6, 6.7). | |||||
| CVE-2018-19993 | 1 Dolibarr | 1 Dolibarr | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php. | |||||
| CVE-2018-19992 | 1 Dolibarr | 1 Dolibarr | 2019-01-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php. | |||||
| CVE-2018-19995 | 1 Dolibarr | 1 Dolibarr | 2019-01-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php. | |||||
| CVE-2018-18921 | 1 Phpservermonitor | 1 Php Server Monitor | 2019-01-07 | 5.8 MEDIUM | 6.5 MEDIUM |
| PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action. | |||||
| CVE-2018-19439 | 1 Oracle | 1 Secure Global Desktop | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602 (but was fixed in later versions including 5.4). helpwindow.jsp has reflected XSS via all parameters, as demonstrated by the sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp windowTitle parameter. | |||||
| CVE-2018-20168 | 1 Google | 1 Gvisor | 2019-01-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| Google gVisor before 2018-08-22 reuses a pagetable in a different level with the paging-structure cache intact, which allows attackers to cause a denial of service ("physical address not valid" panic) via a crafted application. | |||||
| CVE-2018-1000856 | 1 Domainmod | 1 Domainmod | 2019-01-07 | 3.5 LOW | 4.8 MEDIUM |
| DomainMOD version 4.09.03 and above. Also verified in the latest version 4.11.01 contains a Cross Site Scripting (XSS) vulnerability in Segment Name field in the segments page that can result in Arbitrary script can be executed on all users browsers who visit the affected page. This attack appear to be exploitable via Victim must visit the vulnerable page. This vulnerability appears to have been fixed in No fix yet. | |||||
| CVE-2018-19933 | 1 Bolt | 1 Bolt Cms | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Bolt CMS <3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry. | |||||
| CVE-2018-20610 | 1 Txjia | 1 Imcat | 2019-01-07 | 4.0 MEDIUM | 4.9 MEDIUM |
| imcat 4.4 allows directory traversal via the root/run/adm.php efile parameter. | |||||
| CVE-2017-18352 | 1 Google | 1 Rendertron | 2019-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Error reporting within Rendertron 1.0.0 allows reflected Cross Site Scripting (XSS) from invalid URLs. | |||||
| CVE-2018-20154 | 1 Designmodo | 1 Wp Maintenance Mode | 2019-01-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses. | |||||
| CVE-2018-20327 | 1 Chamilo | 1 Chamilo Lms | 2019-01-07 | 3.5 LOW | 5.4 MEDIUM |
| Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin/gradebook_list.tpl in the gradebook dependencies tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits. | |||||
| CVE-2018-20328 | 1 Chamilo | 1 Chamilo Lms | 2019-01-07 | 3.5 LOW | 5.4 MEDIUM |
| Chamilo LMS version 1.11.8 contains XSS in main/social/group_view.php in the social groups tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits. | |||||
| CVE-2018-20374 | 1 Tinycc | 1 Tinycc | 2019-01-06 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the use_section1 function in tccasm.c. | |||||
| CVE-2018-20375 | 1 Tinycc | 1 Tinycc | 2019-01-06 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the sym_pop function in tccgen.c. | |||||
| CVE-2018-20376 | 1 Tinycc | 1 Tinycc | 2019-01-06 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the asm_parse_directive function in tccasm.c. | |||||