Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6848 | 1 Axper | 2 Vision Ii, Vision Ii Firmware | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Axper Vision II 4 devices allow XSS via the DEVICE_NAME (aka Device Name) parameter to the configWebParams.cgi URI. | |||||
| CVE-2020-6758 | 1 Rasilient | 2 Pixelstor 5000, Pixelstor 5000 Firmware | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Option/optionsAll.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows remote attackers to inject arbitrary web script or HTML via the ContentFrame parameter. | |||||
| CVE-2019-1332 | 1 Microsoft | 3 Power Bi Report Server, Sql Server 2017 Reporting Services, Sql Server 2019 Reporting Services | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka 'Microsoft SQL Server Reporting Services XSS Vulnerability'. | |||||
| CVE-2020-6632 | 1 Prestashop | 1 Prestashop | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js. | |||||
| CVE-2020-6163 | 1 Mediawiki | 1 Mediawiki | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file). | |||||
| CVE-2019-18842 | 1 Usriot | 8 Usr-wifi232-g2, Usr-wifi232-g2 Firmware, Usr-wifi232-h and 5 more | 2020-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the configuration web interface of the Jinan USR IOT USR-WIFI232-S/T/G2/H Low Power WiFi Module with web version 1.2.2 allows attackers to leak credentials of the Wi-Fi access point the module is logged into, and the web interface login credentials, by opening a Wi-Fi access point nearby with a malicious SSID. | |||||
| CVE-2019-20182 | 1 Fooplugins | 1 Foogallery | 2020-01-14 | 3.5 LOW | 4.8 MEDIUM |
| The FooGallery plugin 1.8.12 for WordPress allows XSS via the post_title parameter. | |||||
| CVE-2019-20181 | 1 Getawesomesupport | 1 Awesome Support | 2020-01-14 | 3.5 LOW | 4.8 MEDIUM |
| The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter. | |||||
| CVE-2014-10398 | 1 Bssys | 1 Rbs Bs-client. Retail Client | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client. Private Client (aka RBS BS-Client. Retail Client) 2.5, 2.4, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) DICTIONARY, (2) FILTERIDENT, (3) FROMSCHEME, (4) FromPoint, or (5) FName_0 parameter and a valid sid parameter value. | |||||
| CVE-2014-4196 | 1 Bssys | 1 Rbs Bs-client | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client 3.17.9 allows remote attackers to inject arbitrary web script or HTML via the colorstyle parameter. | |||||
| CVE-2019-5988 | 1 Anglers-net | 1 Cgi An-anlyzer | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored cross-site scripting vulnerability in Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allows remote attackers to inject arbitrary web script or HTML via the Management Page. | |||||
| CVE-2019-16154 | 1 Fortinet | 1 Fortiauthenticator | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An improper neutralization of input during web page generation in FortiAuthenticator WEB UI 6.0.0 may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page. | |||||
| CVE-2012-4451 | 3 Fedoraproject, Redhat, Zend | 3 Fedora, Enterprise Linux, Zend Framework | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper. | |||||
| CVE-2019-19916 | 2 Microsoft, Midori-browser | 2 Windows 10, Midori | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Midori Browser 0.5.11 (on Windows 10), Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. This could result in script running where CSP should have blocked it, allowing for cross-site scripting (XSS) and other attacks when the product renders the content as HTML. Remediating this would also need to consider the polyglot case, e.g., a file that is a valid GIF image and also valid JavaScript. | |||||
| CVE-2012-5558 | 2 Smiley Project, Smileys Project | 2 Smiley, Smileys | 2020-01-14 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Smiley module 6.x-1.x versions prior to 6.x-1.1 and Smileys module 6.x-1.x versions prior to 6.x-1.1 for Drupal allows remote authenticated users with the "administer smiley" permission to inject arbitrary web script or HTML via a smiley acronym. | |||||
| CVE-2012-1261 | 1 Plixer | 1 Scrutinizer Netflow & Sflow Analyzer | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in cgi-bin/scrut_fa_exclusions.cgi in Plixer International Scrutinizer NetFlow and sFlow Analyzer 8.6.2.16204 and other versions before 9.0.1.19899 allows remote attackers to inject arbitrary web script or HTML via the standalone parameter. | |||||
| CVE-2019-20376 | 1 Psi | 1 Electronic Logbook | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) 3.1.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG document to elogd.c. | |||||
| CVE-2019-20375 | 1 Psi | 1 Electronic Logbook | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) 3.1.4 allows remote attackers to inject arbitrary web script or HTML via the value parameter in a localization (loc) command to elogd.c. | |||||
| CVE-2019-20210 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query. | |||||
| CVE-2019-20211 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website. | |||||
| CVE-2019-20209 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2020-01-14 | 6.4 MEDIUM | 7.5 HIGH |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Insecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing. | |||||
| CVE-2019-20212 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form. | |||||
| CVE-2011-2670 | 1 Mozilla | 1 Firefox | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mozilla Firefox before 3.6 is vulnerable to XSS via the rendering of Cascading Style Sheets. | |||||
| CVE-2019-20377 | 1 Tophub | 1 Toplist | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| TopList before 2019-09-03 allows XSS via a title. | |||||
| CVE-2011-5018 | 1 Koala-framework | 1 Koala Framework | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Koala Framework before 2011-11-21 has XSS via the request_uri parameter. | |||||
| CVE-2014-4561 | 1 Ultimate-weather Project | 1 Ultimate-weather | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ultimate-weather plugin 1.0 for WordPress has XSS. | |||||
| CVE-2019-18859 | 1 Digi | 2 Anywhereusb/14, Anywhereusb/14 Firmware | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Digi AnywhereUSB 14 allows XSS via a link for the Digi Page. | |||||
| CVE-2019-17016 | 4 Canonical, Debian, Mozilla and 1 more | 9 Ubuntu Linux, Debian Linux, Firefox and 6 more | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. | |||||
| CVE-2019-17022 | 4 Canonical, Debian, Mozilla and 1 more | 9 Ubuntu Linux, Debian Linux, Firefox and 6 more | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. | |||||
| CVE-2019-20379 | 1 Ganglia | 1 Ganglia-web | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter. | |||||
| CVE-2019-20378 | 1 Ganglia | 1 Ganglia-web | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php ce parameter. | |||||
| CVE-2014-9405 | 1 Free | 1 Freebox Os | 2020-01-13 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the description field of a Download RSS item or Contacts in the Freebox OS Web interface 3.0.2, which allows malicious users to execute arbitrary code. | |||||
| CVE-2015-4039 | 1 E-plugins | 1 Wp Membership | 2020-01-13 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the WP Membership plugin 1.2.3 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via unspecified (1) profile fields or (2) new post content. NOTE: CVE-2015-4038 can be used to bypass the administrator confirmation step for vector 2. | |||||
| CVE-2014-3743 | 1 Marked Project | 1 Marked | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript URLs. | |||||
| CVE-2012-1915 | 1 Codeigniter | 1 Codeigniter | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS attacks. | |||||
| CVE-2013-1420 | 1 Get-simple | 1 Getsimple Cms | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to filebrowser.php in admin/. NOTE: the path parameter in admin/upload.php vector is already covered by CVE-2012-6621. | |||||
| CVE-2011-4595 | 1 Caseproof | 1 Pretty Link | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pretty-Link WordPress plugin 1.5.2 has XSS. | |||||
| CVE-2014-4530 | 1 Flog Project | 1 Flog | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| flog plugin 0.1 for WordPress has XSS. | |||||
| CVE-2019-17001 | 1 Mozilla | 1 Firefox | 2020-01-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000. Note: this flaw only affected Firefox 69 and was not present in earlier versions. This vulnerability affects Firefox < 70. | |||||
| CVE-2019-17000 | 1 Mozilla | 1 Firefox | 2020-01-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| An object tag with a data URI did not correctly inherit the document's Content Security Policy. This allowed a CSP bypass in a cross-origin frame if the document's policy explicitly allowed data: URIs. This vulnerability affects Firefox < 70. | |||||
| CVE-2019-18652 | 1 Watchguard | 2 Xmt515, Xmt515 Firmware | 2020-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A DOM based XSS vulnerability has been identified on the WatchGuard XMT515 through 12.1.3, allowing a remote attacker to execute JavaScript in the victim's browser by tricking the victim into clicking on a crafted link. The payload was tested in Microsoft Internet Explorer 11.418.18362.0 and Microsoft Edge 44.18362.387.0 (Microsoft EdgeHTML 18.18362). | |||||
| CVE-2019-20042 | 1 Wordpress | 1 Wordpress | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. | |||||
| CVE-2019-20154 | 1 Determine | 1 Contract Lifecycle Management | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) v5.4. A cross-site scripting (XSS) vulnerability in multiple getchart.jsp parameters allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2019-15602 | 1 Itwork | 1 Fileview | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The fileview package v0.1.6 has inadequate output encoding and escaping, which leads to a stored Cross-Site Scripting (XSS) vulnerability in files it serves. | |||||
| CVE-2013-4752 | 2 Fedoraproject, Sensiolabs | 2 Fedora, Symfony | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks. | |||||
| CVE-2017-7320 | 1 Modx | 1 Modx Revolution | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value. | |||||
| CVE-2014-1454 | 1 Pearson | 1 Esis Enterprise Student Information System | 2020-01-10 | 3.5 LOW | 4.8 MEDIUM |
| Pearson eSIS (Enterprise Student Information System) message board has stored XSS due to improper validation of user input. | |||||
| CVE-2014-8674 | 1 Soplanning | 1 Soplanning | 2020-01-10 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) before 1.33 via the document.cookie in nb_mois and mb_ligness and the debug GET parameter to export.php, which allows malicious users to execute arbitrary code. | |||||
| CVE-2019-5989 | 1 Anglers-net | 1 Cgi An-anlyzer | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| DOM-based cross-site scripting vulnerability in Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allows remote attackers to inject arbitrary web script or HTML via the Analysis Object Page. | |||||
| CVE-2014-0183 | 1 Redhat | 1 Subscription Asset Manager | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to an XSS via HTML in the system name when registering. | |||||
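The CVE-2013-4752 entry above describes absolute URLs built from the client-supplied Host header. The following is an added illustration, not Symfony's HttpFoundation code: a minimal URL builder that trusts Host next to one that validates it against a trusted-hosts allow-list (the `Request` model, the `trusted_hosts` patterns and the sample requests are all constructed for this example).

```python
"""Host-header-driven absolute URLs: vulnerable builder beside a hardened one.

Illustrative re-implementation for the CVE-2013-4752 entry; it is not the
framework's own code.  The Request type and the trusted-host patterns are
assumptions made for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed request model: only the fields the URL builder needs."""
    scheme: str
    headers: dict
    path: str


def absolute_url_vulnerable(req: Request) -> str:
    """Builds the link from whatever the client sent as Host.

    A password-reset mail or a cached page generated this way points at a
    host the attacker chose.
    """
    return f"{req.scheme}://{req.headers['Host']}{req.path}"


# host[:port] only: letters, digits, dot, hyphen, optional numeric port.
# Rejects CR/LF, spaces, slashes and anything else that is not a hostname.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def absolute_url_hardened(req: Request, trusted_hosts: list) -> str:
    """Only emits a link if Host matches one of the trusted-host patterns.

    `trusted_hosts` holds full-match regular expressions (the allow-list style
    assumed here), checked against the lower-cased host without its port.
    """
    host = req.headers.get("Host", "")
    if not _HOST_RE.match(host):
        raise ValueError(f"malformed Host header: {host!r}")
    bare = host.split(":", 1)[0].lower()
    if not any(re.fullmatch(pattern, bare) for pattern in trusted_hosts):
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"{req.scheme}://{host}{req.path}"


TRUSTED = [r"example\.com", r"[a-z0-9\-]+\.example\.com"]  # assumed deployment hosts


if __name__ == "__main__":
    # Constructed requests: one legitimate, one with an attacker-chosen Host.
    good = Request("https", {"Host": "www.example.com"}, "/reset?token=abc")
    evil = Request("https", {"Host": "attacker.example"}, "/reset?token=abc")
    print("vulnerable:", absolute_url_vulnerable(evil))
    print("hardened:  ", absolute_url_hardened(good, TRUSTED))
    try:
        absolute_url_hardened(evil, TRUSTED)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The allow-list is matched with `re.fullmatch`, so `example.com.attacker.example` does not pass the `example\.com` pattern; a prefix match would. Where a reverse proxy sits in front, the proxy should also be configured to refuse unknown Host values, so the application never sees them.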
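The CVE-2017-7320 entry above lists two consequences of an unconstrained parameter copied into a cookie: HTTP response splitting (with XSS in the injected body) and cookie bombing. The block below is an added example, not MODX's code; the cookie name `lang`, the length limit and the sample payload are assumptions. It shows a naive `Set-Cookie` builder and how a client splits the resulting response, beside a builder that enforces the RFC 6265 cookie-octet grammar, a length cap and an allow-list.

```python
"""Set-Cookie construction from a user-controlled value.

Added illustration for the CVE-2017-7320 entry; not the project's own code.
The cookie name, the length cap and the payload below are assumed for the
example.
"""
import re

# RFC 6265 cookie-octet: printable US-ASCII except CTLs, space, DQUOTE,
# comma, semicolon and backslash.  CR and LF are CTLs, so they fail this.
_COOKIE_VALUE_RE = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")
# RFC 7230 token, used for the cookie name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
MAX_COOKIE_VALUE_LEN = 256  # assumed cap; a few KiB per cookie exhausts browser quotas


def set_cookie_vulnerable(name: str, value: str) -> str:
    """Interpolates the raw value: CR/LF inside it terminates the header."""
    return f"Set-Cookie: {name}={value}; Path=/\r\n"


def set_cookie_hardened(name: str, value: str, allowed=None) -> str:
    """Rejects names and values that cannot legally appear in a cookie header.

    `allowed` is an optional allow-list; for a language code it is the right
    tool, since only a handful of values are ever valid.
    """
    if not _TOKEN_RE.match(name):
        raise ValueError(f"invalid cookie name {name!r}")
    if allowed is not None and value not in allowed:
        raise ValueError(f"cookie value {value!r} not in allow-list")
    if len(value) > MAX_COOKIE_VALUE_LEN:
        raise ValueError("cookie value too long (cookie-bombing guard)")
    if not _COOKIE_VALUE_RE.match(value):
        raise ValueError("cookie value contains characters outside cookie-octet")
    return f"Set-Cookie: {name}={value}; Path=/\r\n"


def build_response(status_line: str, header_lines: list, body: str) -> str:
    """Assembles a response head and body the way a simple server would."""
    return status_line + "\r\n" + "".join(header_lines) + "\r\n" + body


def client_view(response: str):
    """Splits a response as a client does: head ends at the first blank line.

    Returns (header_lines, body) so the effect of an injected CRLF is visible.
    """
    head, _, body = response.partition("\r\n\r\n")
    return head.split("\r\n")[1:], body


# Constructed payload: ends the Set-Cookie line, closes the head, and supplies
# a body of the attacker's choosing.
PAYLOAD = "en\r\nContent-Length: 25\r\n\r\n<script>alert(1)</script>"
ALLOWED_LANGS = {"en", "de", "fr"}  # assumed allow-list


if __name__ == "__main__":
    resp = build_response("HTTP/1.1 200 OK",
                          [set_cookie_vulnerable("lang", PAYLOAD)],
                          "real page body")
    headers, body = client_view(resp)
    print("headers seen by client:", headers)
    print("body seen by client:", body[:40])
    try:
        set_cookie_hardened("lang", PAYLOAD, ALLOWED_LANGS)
    except ValueError as exc:
        print("hardened rejected:", exc)
    print(set_cookie_hardened("lang", "de", ALLOWED_LANGS).strip())
```

Real servers and frameworks mostly refuse CR/LF in header values today, but the grammar check is still worth keeping in application code: it also catches a raw semicolon or comma that would silently truncate the cookie, and the length cap is the only part that addresses the cookie-bombing half of the entry.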
