Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-5592 | 1 Zenphoto | 1 Zenphoto | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allows remote attackers to conduct cross-site scripting (XSS) attacks. | |||||
| CVE-2019-18267 | 1 Ge | 4 S2020, S2020 Firmware, S2020g and 1 more | 2020-01-07 | 3.5 LOW | 5.4 MEDIUM |
| An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary Javascript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site scripting vulnerability that may allow session hijacking, disclosure of sensitive data, cross-site request forgery (CSRF) attacks, and remote code execution. | |||||
| CVE-2015-6253 | 1 Edx | 1 Edx-platform | 2020-01-07 | 3.5 LOW | 5.4 MEDIUM |
| edx-platform before 2015-08-17 allows XSS in the Studio listing of courses. | |||||
| CVE-2014-4535 | 1 Import Legacy Media Project | 1 Import Legacy Media | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php. | |||||
| CVE-2014-4536 | 1 Katz | 1 Infusionsoft Gravity Forms | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter. | |||||
| CVE-2019-18249 | 1 Reliablecontrols | 4 Mach-prowebcom, Mach-prowebcom Firmware, Mach-prowebsys and 1 more | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reliable Controls MACH-ProWebCom/Sys, all versions prior to 2.15 (Firmware versions prior to 8.26.4), may allow an attacker to execute commands on behalf of the user when an authenticated user clicks on a malicious link. | |||||
| CVE-2019-19733 | 1 Mfscripts | 1 Yetishare | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| _get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.ajax.php) in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS. | |||||
| CVE-2019-6011 | 1 Tms-outsource | 1 Wpdatatables Lite | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in wpDataTables Lite Version 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-19738 | 1 Mfscripts | 1 Yetishare | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the lFile parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS. | |||||
| CVE-2019-6033 | 1 Appleple | 1 A-blog Cms | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in a-blog cms versions prior to Ver.2.10.23 (Ver.2.10.x), Ver.2.9.26 (Ver.2.9.x), and Ver.2.8.64 (Ver.2.8.x) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-4559 | 1 Cybercompay | 1 Swipehq-payment-gateway-wp-e-commerce | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) api_key, (2) payment_page_url, (3) merchant_id, (4) api_url, or (5) currency parameter. | |||||
| CVE-2018-7859 | 1 Dlink | 16 Dgs-1510-20, Dgs-1510-20 Firmware, Dgs-1510-28 and 13 more | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A security vulnerability in D-Link DGS-1510-series switches with firmware 1.20.011, 1.30.007, 1.31.B003 and older may allow a remote attacker to inject malicious scripts in the device and execute commands via the browser that is configuring the unit. | |||||
| CVE-2019-6016 | 1 Remise | 1 Payment Module | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in REMISE Payment Module (2.11, 2.12 and 2.13) version 3.0.12 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-9737 | 1 Ipandao | 1 Editor.md | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Editor.md 1.5.0 has DOM-based XSS via vectors involving the '<EMBED SRC="data:image/svg+xml' substring. | |||||
| CVE-2019-9537 | 1 Telos | 1 Automated Message Handling System | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uploaditem.asp of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. This issue affects: Telos Automated Message Handling System versions prior to 4.1.5.5. | |||||
| CVE-2019-9538 | 1 Telos | 1 Automated Message Handling System | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the LDAP cbURL parameter of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. This issue affects: Telos Automated Message Handling System versions prior to 4.1.5.5. | |||||
| CVE-2019-9539 | 1 Telos | 1 Automated Message Handling System | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ModalWindowPopup.asp of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. This issue affects: Telos Automated Message Handling System versions prior to 4.1.5.5. | |||||
| CVE-2019-9540 | 1 Telos | 1 Automated Message Handling System | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in prefs.asp of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. This issue affects: Telos Automated Message Handling System versions prior to 4.1.5.5. | |||||
| CVE-2019-9542 | 1 Telos | 1 Automated Message Handling System | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itemlookup.asp of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. This issue affects: Telos Automated Message Handling System versions prior to 4.1.5.5. | |||||
| CVE-2019-6031 | 1 Dayz | 1 Kinza | 2020-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in KINZA for Windows version 5.9.2 and earlier and for Mac version 5.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via RSS reader. | |||||
| CVE-2013-4693 | 1 Xorbin | 1 Digital Flash Clock | 2020-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress Xorbin Digital Flash Clock 1.0 has XSS | |||||
| CVE-2013-4691 | 1 Sencha | 1 Connect | 2020-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sencha Labs Connect has XSS with connect.methodOverride() | |||||
| CVE-2013-4664 | 1 Spbas | 1 Business Automation Software | 2020-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| SPBAS Business Automation Software 2012 has XSS. | |||||
| CVE-2013-4692 | 1 Xorbin | 1 Analog Flash Clock | 2020-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Xorbin Analog Flash Clock 1.0 extension for Joomla has XSS | |||||
| CVE-2019-20221 | 1 Sitracker | 1 Support Incident Tracker | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Support Incident Tracker (SiT!) 3.67, Load Plugins input in the config.php page is affected by XSS. The XSS payload is, for example, executed on the about.php page. | |||||
| CVE-2019-20223 | 1 Sitracker | 1 Support Incident Tracker | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Support Incident Tracker (SiT!) 3.67, the id parameter is affected by XSS on all endpoints that use this parameter, a related issue to CVE-2012-2235. | |||||
| CVE-2019-20220 | 1 Sitracker | 1 Support Incident Tracker | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Support Incident Tracker (SiT!) 3.67, the search_id parameter in the search_incidents_advanced.php page is affected by XSS. | |||||
| CVE-2019-20222 | 1 Sitracker | 1 Support Incident Tracker | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Support Incident Tracker (SiT!) 3.67, the Short Application Name and Application Name inputs in the config.php page are affected by XSS. | |||||
| CVE-2014-6420 | 1 Livefyre | 1 Livecomments | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Livefyre LiveComments 3.0 allows remote attackers to inject arbitrary web script or HTML via the name of an uploaded picture. | |||||
| CVE-2019-6018 | 1 Netcommons | 1 Netcommons | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in NetCommons 3.2.2 and earlier (NetCommons3.x) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-6029 | 1 Custom Body Class Project | 1 Custom Body Class | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Custom Body Class 0.6.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-20139 | 1 Nagios | 1 Nagios Xi | 2020-01-03 | 3.5 LOW | 5.4 MEDIUM |
| In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user. | |||||
| CVE-2019-4623 | 1 Ibm | 1 Cognos Analytics | 2020-01-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168924. | |||||
| CVE-2019-9206 | 1 Paessler | 1 Prtg Network Monitor | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| PRTG Network Monitor v7.1.3.3378 allows XSS via the /public/login.htm errormsg or loginurl parameter. NOTE: This product is discontinued. | |||||
| CVE-2019-9207 | 1 Paessler | 1 Prtg Network Monitor | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| PRTG Network Monitor v7.1.3.3378 allows XSS via the /search.htm searchtext parameter. NOTE: This product is discontinued. | |||||
| CVE-2019-9553 | 1 Boltcms | 1 Bolt | 2020-01-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to editcontent/pages, a related issue to CVE-2017-11128 and CVE-2018-19933. | |||||
| CVE-2019-20075 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2020-01-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, pingrtt_v6.html has XSS (Ping6 Diagnostic). | |||||
| CVE-2019-20076 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2020-01-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, XSS exists via the form2Ddns.cgi username parameter (DynDns settings of the Dynamic DNS Configuration). | |||||
| CVE-2019-20070 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2020-01-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration). | |||||
| CVE-2019-20072 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2020-01-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname parameter (Dynamic DNS Configuration). | |||||
| CVE-2019-20073 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2020-01-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, XSS exists via the form2userconfig.cgi username parameter (User Account Configuration). | |||||
| CVE-2019-19541 | 1 Cridio | 1 Listingpro | 2020-01-02 | 3.5 LOW | 5.4 MEDIUM |
| The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Best Day/Night field on the new listing submit page. | |||||
| CVE-2019-19692 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2020-01-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Trend Micro Apex One (2019) is affected by a cross-site scripting (XSS) vulnerability on the product console. Note that the Japanese version of the product is NOT affected. | |||||
| CVE-2019-20008 | 1 Archerysec | 1 Archery | 2020-01-02 | 3.5 LOW | 5.4 MEDIUM |
| In Archery before 1.3, inserting an XSS payload into a project name (either by creating a new project or editing an existing one) will result in stored XSS on the vulnerability-scan scheduling page. | |||||
| CVE-2019-19908 | 1 Ciprianmp | 1 Phpmychat-plus | 2019-12-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable. | |||||
| CVE-2016-1000229 | 2 Redhat, Smartbear | 3 Jboss Fuse, Openshift, Swagger-ui | 2019-12-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| swagger-ui has XSS in key names | |||||
| CVE-2019-19910 | 1 Mediawiki | 1 Mediawiki | 2019-12-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 and/or 1.34) mishandles certain HTML attributes, as demonstrated by IMG onmouseover= (impact is XSS) and IMG src=http (impact is disclosing the client's IP address). This can occur within a talk page topical header that is viewed within a mobile (MobileFrontend) context. | |||||
| CVE-2019-6204 | 1 Apple | 2 Iphone Os, Safari | 2019-12-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| A logic issue was addressed with improved validation. This issue is fixed in iOS 12.2, Safari 12.1. Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting. | |||||
| CVE-2014-4523 | 1 Easy Career Openings Project | 1 Easy Career Openings | 2019-12-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Easy Career Openings plugin 0.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |||||
| CVE-2014-4525 | 1 Winwar | 1 Wp Ebay Product Feeds | 2019-12-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in the Ebay Feeds for WordPress plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the rss_url parameter. | |||||
