Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1623 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2018-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM QRadar 7.2 and 7.3 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 133121. | |||||
| CVE-2015-9248 | 1 Skyboxsecurity | 1 Skybox Platform | 2018-01-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Skybox Platform before 7.5.201. Stored cross-site scripting vulnerabilities exist in the title, Comments, or Description field to /skyboxview/webskybox/tickets in Change Manager. | |||||
| CVE-2015-9247 | 1 Skyboxsecurity | 1 Skybox Platform | 2018-01-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Skybox Platform before 7.5.401. Reflected cross-site scripting vulnerabilities exist in /skyboxview/webservice/services/VersionRepositoryWebService via a soapenv:Body element, or in the status parameter to login.html. | |||||
| CVE-2016-10706 | 1 Automattic | 1 Jetpack | 2018-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vimeo link. | |||||
| CVE-2016-10705 | 1 Automattic | 1 Jetpack | 2018-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes module. | |||||
| CVE-2018-5655 | 1 Weblizar | 1 Pinterest-feeds | 2018-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php security parameter. | |||||
| CVE-2018-5654 | 1 Weblizar | 1 Pinterest-feeds | 2018-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php PFFREE_Access_Token parameter. | |||||
| CVE-2018-5653 | 1 Weblizar | 1 Pinterest-feeds | 2018-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php weblizar_pffree_settings_save_get-users parameter. | |||||
| CVE-2018-5652 | 1 Dark Mode Project | 1 Dark Mode | 2018-01-24 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_end parameter. | |||||
| CVE-2018-5651 | 1 Dark Mode Project | 1 Dark Mode | 2018-01-24 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_start parameter. | |||||
| CVE-2017-15374 | 1 Shopware | 1 Shopware | 2018-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Shopware v5.2.5 - v5.3 is vulnerable to stored cross-site scripting in the customer and order sections of the content management system backend modules. Remote attackers can inject malicious script code into the firstname, lastname, or order input fields; the code then executes persistently in the administrator backend listing when a preview of the customers (kunden) or orders (bestellungen) is processed. The injection can be performed interactively via user registration or by manipulating the order information inputs, so the issue can be exploited by low-privileged user accounts against higher-privileged (admin or moderator) accounts. | |||||
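The Shopware entry above, and the many plugin entries on this page of the form "XSS via the X parameter", share one root cause: an untrusted value is written into HTML without encoding for the context it lands in. The following is an added example, not code from Shopware or any of the listed plugins. It renders a constructed customer record the way a backend listing might, first in the vulnerable concatenated form and then with output encoding chosen per context: `html.escape` for element text and quoted attributes, and a JSON string with `<` escaped for a value placed inside an inline `<script>`, where HTML entities are not decoded and a stored `</script>` would otherwise end the block. The field values and markup layout are constructed for the demonstration.

```python
import html
import json

# Constructed sample values, standing in for what an attacker could submit
# through a public registration form (not data from the Shopware advisory).
ATTACKER_FIRST_NAME = '"><script>alert(document.cookie)</script>'
ATTACKER_LAST_NAME = "</script><script>alert(1)</script>"


def render_customer_row_vulnerable(first: str, last: str) -> str:
    """The pattern that yields stored XSS: untrusted fields concatenated into
    HTML with no output encoding. The payload is stored verbatim at
    registration time and fires later in the administrator's browser."""
    return f'<tr data-name="{first}"><td>{first}</td><td>{last}</td></tr>'


def render_customer_row(first: str, last: str) -> str:
    """Hardened form: encode at output time for the HTML context.
    html.escape(quote=True) turns < > & " ' into entities, so the value can
    neither close the (always quoted) attribute nor open a new tag."""
    return (
        f'<tr data-name="{html.escape(first, quote=True)}">'
        f"<td>{html.escape(first)}</td><td>{html.escape(last)}</td></tr>"
    )


def js_string_literal(value: str) -> str:
    """Encoder for a value placed inside <script>. Entity encoding is the
    wrong tool there because the browser does not decode entities in script
    text. Emit a JSON string literal and additionally escape '<' so a value
    such as '</script>' cannot terminate the script element. json.dumps with
    its default ensure_ascii=True also escapes U+2028/U+2029 line terminators."""
    return json.dumps(value).replace("<", "\\u003c")


def render_preview_script(first: str, last: str) -> str:
    """Inline-script rendering of the same record using the JS-context encoder."""
    return (
        "<script>var customer = {first: "
        + js_string_literal(first)
        + ", last: "
        + js_string_literal(last)
        + "};</script>"
    )


if __name__ == "__main__":
    print(render_customer_row_vulnerable(ATTACKER_FIRST_NAME, ATTACKER_LAST_NAME))
    print(render_customer_row(ATTACKER_FIRST_NAME, ATTACKER_LAST_NAME))
    print(render_preview_script(ATTACKER_FIRST_NAME, ATTACKER_LAST_NAME))
```

The point to carry over to the plugin entries: sanitising at input time is not a substitute, because the same stored name is rendered in several contexts (table cell, attribute, script) and each needs its own encoding at the point of output.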
| CVE-2018-5366 | 1 Wpglobus | 1 Wpglobus | 2018-01-23 | 3.5 LOW | 4.8 MEDIUM |
| The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[more_languages] parameter to wp-admin/options.php. | |||||
| CVE-2018-5365 | 1 Wpglobus | 1 Wpglobus | 2018-01-23 | 3.5 LOW | 4.8 MEDIUM |
| The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[selector_wp_list_pages][show_selector] parameter to wp-admin/options.php. | |||||
| CVE-2018-5364 | 1 Wpglobus | 1 Wpglobus | 2018-01-23 | 3.5 LOW | 4.8 MEDIUM |
| The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[browser_redirect][redirect_by_language] parameter to wp-admin/options.php. | |||||
| CVE-2018-5362 | 1 Wpglobus | 1 Wpglobus | 2018-01-23 | 3.5 LOW | 4.8 MEDIUM |
| The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][page] parameter to wp-admin/options.php. | |||||
| CVE-2018-5363 | 1 Wpglobus | 1 Wpglobus | 2018-01-23 | 3.5 LOW | 4.8 MEDIUM |
| The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[enabled_languages][en] or wpglobus_option[enabled_languages][fr] (or any other language) parameter to wp-admin/options.php. | |||||
| CVE-2018-5367 | 1 Wpglobus | 1 Wpglobus | 2018-01-23 | 3.5 LOW | 4.8 MEDIUM |
| The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][post] parameter to wp-admin/options.php. | |||||
| CVE-2018-5668 | 1 Read And Understood Project | 1 Read And Understood | 2018-01-23 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_title parameter. | |||||
| CVE-2018-5667 | 1 Read And Understood Project | 1 Read And Understood | 2018-01-23 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_pattern parameter. | |||||
| CVE-2018-5288 | 1 Gd Rating System Project | 1 Gd Rating System | 2018-01-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-transfer page. | |||||
| CVE-2018-5286 | 1 Gd Rating System Project | 1 Gd Rating System | 2018-01-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-about page. | |||||
| CVE-2018-5293 | 1 Gd Rating System Project | 1 Gd Rating System | 2018-01-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-tools page. | |||||
| CVE-2018-5292 | 1 Gd Rating System Project | 1 Gd Rating System | 2018-01-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-information page. | |||||
| CVE-2017-18018 | 1 Gnu | 1 Coreutils | 2018-01-19 | 1.9 LOW | 4.7 MEDIUM |
| In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. | |||||
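The Coreutils entry describes a time-of-check/time-of-use race: the traversal classifies an entry as a plain file, and by the time the ownership change runs the entry has been replaced with a symlink that the follow-links mode then dereferences. The example below is added here and is not Coreutils code; it reproduces the two halves of the pattern in Python on the same POSIX calls (`fstatat`, `fchownat`) and assumes a Linux or other POSIX system where `os.chown` accepts `dir_fd` and `follow_symlinks`. The ownership change uses the caller's own uid/gid so it runs unprivileged, and the swap is performed by the demo itself rather than by a concurrent attacker.

```python
import os
import stat
import tempfile


def chown_entry_following(dir_fd: int, name: str, uid: int, gid: int) -> int:
    """The racy pattern: decide from stat() that `name` is a plain file, then
    chown() it by path with symlink following enabled (what -L asks for).
    If the entry is swapped for a symlink between the two calls, chown()
    follows the link and changes ownership of whatever it points at.
    Returns the inode the chown actually landed on, for the demonstration."""
    st = os.stat(name, dir_fd=dir_fd)           # follows symlinks
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{name}: not a regular file")
    # race window: an attacker replaces `name` with a symlink here
    os.chown(name, uid, gid, dir_fd=dir_fd)     # follow_symlinks=True by default
    return os.stat(name, dir_fd=dir_fd).st_ino


def chown_entry_nofollow(dir_fd: int, name: str, uid: int, gid: int) -> bool:
    """Hardened pattern: once the traversal has classified `name` as a plain
    file, never let the chown dereference a link it did not see. lstat()
    reports the entry itself, and chown with follow_symlinks=False
    (fchownat + AT_SYMLINK_NOFOLLOW) acts on that entry only, so a symlink
    substituted in the window is at worst chowned itself, never its target.
    dir_fd pins the parent directory so path components above `name` cannot
    be swapped either. Returns False when the entry is no longer a plain file."""
    st = os.lstat(name, dir_fd=dir_fd)
    if not stat.S_ISREG(st.st_mode):
        return False
    os.chown(name, uid, gid, dir_fd=dir_fd, follow_symlinks=False)
    after = os.lstat(name, dir_fd=dir_fd)
    # Same inode and still regular: the change landed on the file we checked.
    return stat.S_ISREG(after.st_mode) and after.st_ino == st.st_ino


def demo(tmp: str) -> dict:
    """Constructed scenario: 'entry' is swapped for a symlink to 'victim'
    before the ownership change runs, standing in for the race in a
    recursive, link-following traversal."""
    uid, gid = os.getuid(), os.getgid()         # no-op change, needs no privilege
    victim = os.path.join(tmp, "victim")
    entry = os.path.join(tmp, "entry")
    with open(victim, "w") as f:
        f.write("in the real attack this belongs to another user\n")
    with open(entry, "w") as f:
        f.write("plain file the traversal classified\n")
    dir_fd = os.open(tmp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        results = {"regular_nofollow": chown_entry_nofollow(dir_fd, "entry", uid, gid)}
        os.unlink(entry)
        os.symlink(victim, entry)                 # the swap
        results["swapped_following_hits_victim"] = (
            chown_entry_following(dir_fd, "entry", uid, gid) == os.stat(victim).st_ino
        )
        results["swapped_nofollow"] = chown_entry_nofollow(dir_fd, "entry", uid, gid)
        return results
    finally:
        os.close(dir_fd)


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    print(run_demo())
```

The general rule the example illustrates: act on the object you checked, not on a path that is re-resolved at use time. Where the operation must follow a link by design, resolve it once, then operate on the resolved object through a descriptor or with no-follow semantics.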
| CVE-2014-8540 | 1 Gitlab | 1 Gitlab | 2018-01-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authenticated guest users to modify ownership of arbitrary groups by leveraging improper permission checks. | |||||
| CVE-2017-1000481 | 1 Plone | 1 Plone | 2018-01-18 | 5.8 MEDIUM | 6.1 MEDIUM |
| When you visit a page where you need to log in, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous URL. After you log in, you are redirected to the page you tried to view before. An attacker might abuse this by getting you to click a specially crafted link: you would log in and be redirected to the attacker's site while believing you are still on the original Plone site, or JavaScript supplied by the attacker could be executed. Most attacks of this type are already blocked by Plone, using the `isURLInPortal` check to make sure it only redirects to a page on the same Plone site, but a few more ways of tricking Plone into accepting a malicious link were discovered and fixed with this hotfix. | |||||
| CVE-2017-1000484 | 1 Plone | 1 Plone | 2018-01-18 | 5.8 MEDIUM | 6.1 MEDIUM |
| By linking to a specific URL in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to a website of their choosing. On its own this is not so bad, since the attacker could more easily link directly to that website. But in combination with another attack, you could be sent to the Plone login form, log in, get redirected to the specific URL, and then get a second redirect to the attacker's website. (The specific URL can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.) | |||||
| CVE-2014-8336 | 1 Wp-dbmanager Project | 1 Wp-dbmanager | 2018-01-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| The "Sql Run Query" panel in WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress allows remote attackers to read arbitrary files by leveraging failure to sufficiently limit queries, as demonstrated by use of LOAD_FILE in an INSERT statement. | |||||
| CVE-2016-0704 | 1 Openssl | 1 Openssl | 2018-01-18 | 4.3 MEDIUM | 5.9 MEDIUM |
| An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800. | |||||
| CVE-2016-2550 | 1 Linux | 1 Linux Kernel | 2018-01-18 | 4.9 MEDIUM | 5.5 MEDIUM |
| The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312. | |||||
| CVE-2017-7511 | 1 Freedesktop | 1 Poppler | 2018-01-18 | 4.3 MEDIUM | 5.5 MEDIUM |
| poppler since version 0.17.3 has been vulnerable to NULL pointer dereference in pdfunite triggered by specially crafted documents. | |||||
| CVE-2016-7977 | 1 Artifex | 1 Ghostscript | 2018-01-18 | 4.3 MEDIUM | 5.5 MEDIUM |
| Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document. | |||||
| CVE-2017-0783 | 1 Google | 1 Android | 2018-01-18 | 6.1 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability in the Android system (Bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63145701. | |||||
| CVE-2017-9072 | 1 Calendarxp | 2 Flatcalendarxp, Popcalendarxp | 2018-01-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Two CalendarXP products have XSS in common parts of HTML files. CalendarXP FlatCalendarXP through 9.9.290 has XSS in iflateng.htm and nflateng.htm. CalendarXP PopCalendarXP through 9.8.308 has XSS in ipopeng.htm and npopeng.htm. | |||||
| CVE-2018-5214 | 1 Add Link To Facebook Project | 1 Add Link To Facebook | 2018-01-18 | 3.5 LOW | 5.4 MEDIUM |
| The "Add Link to Facebook" plugin through 2.3 for WordPress has XSS via the al2fb_facebook_id parameter to wp-admin/profile.php. | |||||
| CVE-2017-1000434 | 1 Furikake Project | 1 Furikake | 2018-01-17 | 5.8 MEDIUM | 6.1 MEDIUM |
| The WordPress plugin Furikake version 0.1.0 is vulnerable to an open redirect: the furikake-redirect parameter allows a redirect to an attacker-controlled page. In classes/Furigana.php: `header('location:'.urldecode($_GET['furikake-redirect']));` | |||||
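Both the Plone `came_from` entries (CVE-2017-1000481, CVE-2017-1000484) and the Furikake entry above come down to the same decision: is a redirect target supplied by the request still a page on our own site? The following is an added example, not Plone's `isURLInPortal` or the Furikake plugin's code. It implements a same-site check of that kind in Python, resolving the candidate against a hypothetical portal base URL (`https://plone.example/site/`, an assumption for the example) and refusing the forms a browser would turn into a different origin: scheme-relative `//host`, backslashes that browsers treat as slashes, three or more leading slashes, userinfo tricks, non-http schemes, default-port and case variations, and dot segments that escape the portal path. The case table is constructed for the demonstration and does not claim to reproduce the specific bypasses the Plone hotfix addressed.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hypothetical portal base URL for the example; a real deployment takes this
# from its own configuration, never from the request.
PORTAL_URL = "https://plone.example/site/"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def is_url_in_portal(url: str, portal_url: str = PORTAL_URL) -> bool:
    """Same-site check in the spirit of Plone's isURLInPortal (an added
    re-implementation, not Plone's code). Accepts relative paths and absolute
    URLs on the portal's scheme, host, port and path prefix; rejects anything
    a browser could resolve to a different origin or a non-http scheme."""
    if not url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False                    # control chars: browsers strip them, we refuse them
    url = url.strip()
    url = url.replace("\\", "/")        # browsers treat '\' as '/' in http(s) URLs
    url = re.sub(r"^/{2,}", "//", url)  # '///evil' also means host 'evil' to a browser
    try:
        parts = urlsplit(url)
        portal = urlsplit(portal_url)
        if parts.scheme and parts.scheme not in _DEFAULT_PORTS:
            return False                # javascript:, data:, mailto:, ...
        if parts.scheme and not parts.netloc:
            return False                # 'http:evil.example' is http://evil.example to a browser
        resolved = urlsplit(urljoin(portal_url, url))
        if resolved.scheme != portal.scheme:
            return False                # no scheme downgrade
        if resolved.username is not None or resolved.password is not None:
            return False                # 'https://plone.example@evil.example/'
        if (resolved.hostname or "") != (portal.hostname or ""):
            return False                # hostname is already lowercased by urlsplit
        if (resolved.port or _DEFAULT_PORTS[resolved.scheme]) != (
            portal.port or _DEFAULT_PORTS[portal.scheme]
        ):
            return False
    except ValueError:
        return False                    # malformed port or bracketed host
    site_path = portal.path.rstrip("/")
    return resolved.path == site_path or resolved.path.startswith(site_path + "/")


def safe_redirect_location(came_from: str, portal_url: str = PORTAL_URL) -> str:
    """Value a login view should emit in the Location header: the validated
    came_from, or the portal root when validation fails. Validate the exact
    string that will be sent. Decoding it again after the check (the Furikake
    pattern: urldecode() on a parameter the server already decoded) would let
    a value that passed as '%2F%2Fevil.example' be emitted as '//evil.example'."""
    return came_from if is_url_in_portal(came_from, portal_url) else portal_url


# Constructed inputs (not taken from the advisories): candidate -> expected verdict.
CASES = {
    "/site/front-page": True,
    "front-page": True,
    "https://plone.example/site/news": True,
    "HTTPS://PLONE.EXAMPLE:443/site/news": True,
    "//plone.example/site/news": True,
    "": False,
    "//evil.example/": False,
    "/\\evil.example/": False,
    "///evil.example/": False,
    "https://evil.example/site/": False,
    "https://plone.example.evil.example/site/": False,
    "https://plone.example@evil.example/site/": False,
    "https://plone.example:8443/site/": False,
    "http://plone.example/site/": False,
    "http:evil.example": False,
    "javascript:alert(1)": False,
    "/site/../admin": False,
    "/site/news\r\nSet-Cookie: x=y": False,
}


def mismatches() -> list:
    """Candidates whose verdict differs from the expectation in CASES."""
    return [u for u, expected in CASES.items() if is_url_in_portal(u) != expected]


if __name__ == "__main__":
    for candidate, expected in CASES.items():
        print(f"{candidate!r:50} -> {is_url_in_portal(candidate)} (expected {expected})")
    print("mismatches:", mismatches())
```

An allow-list of known-good targets is the stronger design where the set of post-login destinations is small; the check above is for the common case where the destination is any page of the site.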
| CVE-2017-1000431 | 1 Ez | 1 Ez Publish | 2018-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| eZ Systems eZ Publish version 5.4.0 to 5.4.9, and 5.3.12 and older, is vulnerable to an XSS issue in the search module, resulting in a risk of attackers injecting scripts which may e.g. steal authentication credentials. | |||||
| CVE-2015-7889 | 2 Google, Samsung | 2 Android, Galaxy S6 Edge | 2018-01-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| The SecEmailComposer/EmailComposer application in the Samsung S6 Edge before the October 2015 MR uses weak permissions for the com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND service action, which might allow remote attackers with knowledge of the local email address to obtain sensitive information via a crafted application that sends a crafted intent. | |||||
| CVE-2013-4578 | 1 Oracle | 2 Jdk, Jre | 2018-01-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation. | |||||
| CVE-2017-1000463 | 1 Leafpub | 1 Leafpub | 2018-01-17 | 3.5 LOW | 5.4 MEDIUM |
| Leafpub version 1.2.0-beta6 is vulnerable to a stored cross-site scripting vulnerability within the edit blog post page, which can result in disruption of service and execution of JavaScript code. | |||||
| CVE-2017-1000492 | 1 Leanote | 1 Desktop | 2018-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Leanote-desktop version v2.5 is vulnerable to an XSS which leads to code execution due to enabled node integration. | |||||
| CVE-2018-5073 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2018-01-17 | 6.0 MEDIUM | 6.8 MEDIUM |
| Online Ticket Booking has CSRF via admin/movieedit.php. | |||||
| CVE-2017-1000459 | 1 Leanote | 1 Leanote | 2018-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Leanote version <= 2.5 is vulnerable to XSS due to unsanitized input in markdown notes. | |||||
| CVE-2018-0766 | 1 Microsoft | 3 Edge, Windows 10, Windows Server 2016 | 2018-01-17 | 4.3 MEDIUM | 4.3 MEDIUM |
| Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how the Microsoft Edge PDF Reader handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability". | |||||
| CVE-2017-1000457 | 1 Mojoportal | 1 Mojoportal | 2018-01-17 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Help.aspx in mojoPortal version 2.5.0.0 allows remote attackers to inject arbitrary web script or HTML via the helpkey parameter. Exploitation is via reflected cross-site scripting and requires an authenticated user account assigned either the "Administrators" or "Content Administrators" role. | |||||
| CVE-2017-18015 | 1 Share This Image Project | 1 Share This Image | 2018-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ILLID Share This Image plugin before 1.04 for WordPress has XSS via the sharer.php url parameter. | |||||
| CVE-2017-1000443 | 1 Openhacker Project | 1 Openhacker | 2018-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Eleix Openhacker version 0.1.47 is vulnerable to an XSS vulnerability in the bank transactions component, resulting in arbitrary code execution in the browser. | |||||
| CVE-2017-18011 | 1 Clickbank | 1 Affiliate Ads For Clickbank Products | 2018-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The MyCBGenie Affiliate Ads for Clickbank Products plugin through 1.6 for WordPress has XSS via the text_ads_ajax.php border_color parameter. | |||||
| CVE-2017-18010 | 1 E-goi | 1 Smart Marketing Sms And Newsletters Forms | 2018-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The E-goi Smart Marketing SMS and Newsletters Forms plugin before 2.0.0 for WordPress has XSS via the admin/partials/custom/egoi-for-wp-form_egoi.php url parameter. | |||||
| CVE-2017-9608 | 1 Ffmpeg | 1 Ffmpeg | 2018-01-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file. | |||||
