Total: 20468 CVEs
| CVE | Vendors (count) | Products (count) | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-11132 | 1 Intel | 1 Active Management Technology Firmware | 2019-12-31 | 6.8 MEDIUM | 8.4 HIGH | Cross site scripting in subsystem in Intel(R) AMT before versions 11.8.70, 11.11.70, 11.22.70 and 12.0.45 may allow a privileged user to potentially enable escalation of privilege via network access. |
| CVE-2019-8505 | 1 Apple | 2 Iphone Os, Safari | 2019-12-31 | 4.3 MEDIUM | 6.1 MEDIUM | A logic issue was addressed with improved validation. This issue is fixed in iOS 12.2, Safari 12.1. Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting. |
| CVE-2016-1000029 | 1 Tenable | 1 Nessus | 2019-12-31 | 3.5 LOW | 4.8 MEDIUM | Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would potentially impact other admins (Tenable IDs 5218 and 5269). |
| CVE-2016-1000028 | 1 Tenable | 1 Nessus | 2019-12-31 | 3.5 LOW | 4.8 MEDIUM | Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would only potentially impact other admins (Tenable ID 5198). |
| CVE-2019-19540 | 1 Cridio | 1 Listingpro | 2019-12-30 | 4.3 MEDIUM | 6.1 MEDIUM | The ListingPro theme before v2.0.14.2 for WordPress has Reflected XSS via the What field on the homepage. |
| CVE-2014-4519 | 1 Conversador Project | 1 Conversador | 2019-12-30 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the Conversador plugin 2.61 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the 'page' parameter. |
| CVE-2019-19542 | 1 Cridio | 1 Listingpro | 2019-12-30 | 3.5 LOW | 5.4 MEDIUM | The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Good For field on the new listing submit page. |
| CVE-2019-8551 | 1 Apple | 5 Icloud, Iphone Os, Itunes and 2 more | 2019-12-30 | 4.3 MEDIUM | 6.1 MEDIUM | A logic issue was addressed with improved validation. This issue is fixed in iOS 12.2, tvOS 12.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.11. Processing maliciously crafted web content may lead to universal cross site scripting. |
| CVE-2014-4550 | 1 Visualshortcodes | 1 Ninja | 2019-12-30 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter. |
| CVE-2014-4592 | 1 Czepol | 1 Wp-planet | 2019-12-30 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter. |
| CVE-2010-3690 | 1 Apereo | 1 Phpcas | 2019-12-30 | 4.3 MEDIUM | N/A | Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls. |
| CVE-2019-12397 | 1 Apache | 1 Ranger | 2019-12-30 | 4.3 MEDIUM | 6.1 MEDIUM | Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or a later version of Apache Ranger with the fix. |
| CVE-2019-18955 | 1 Lansweeper | 1 Lansweeper | 2019-12-27 | 4.3 MEDIUM | 6.1 MEDIUM | The web console in Lansweeper 7.2.105.2 has XSS via the URL path. The product vulnerability has been fixed and disclosed within the changelog as of 02 Dec 2019. |
| CVE-2019-19900 | 1 Backdropcms | 1 Backdrop Cms | 2019-12-27 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer content types" permission. |
| CVE-2019-19901 | 1 Backdropcms | 1 Backdrop Cms | 2019-12-27 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when configuring a layout, aka XSS. This issue is mitigated by the fact that the attacker would be required to have the permission to create custom blocks, which is typically an administrative task. |
| CVE-2019-19903 | 1 Backdropcms | 1 Backdrop Cms | 2019-12-27 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer file types" permission. |
| CVE-2016-5265 | 2 Mozilla, Oracle | 3 Firefox, Firefox Esr, Linux | 2019-12-27 | 4.0 MEDIUM | 5.5 MEDIUM | Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and conduct Universal XSS (UXSS) attacks or read arbitrary files, by arranging for the presence of a crafted HTML document and a crafted shortcut file in the same local directory. |
| CVE-2016-5262 | 2 Mozilla, Oracle | 3 Firefox, Firefox Esr, Linux | 2019-12-27 | 4.3 MEDIUM | 6.1 MEDIUM | Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript event-handler attributes of a MARQUEE element within a sandboxed IFRAME element that lacks the sandbox="allow-scripts" attribute value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. |
| CVE-2019-11992 | 1 Hp | 1 Oneview For Vmware Vcenter | 2019-12-23 | 4.3 MEDIUM | 6.1 MEDIUM | A security vulnerability in HPE OneView for VMware vCenter 9.5 could be exploited remotely to allow Cross-Site Scripting. |
| CVE-2019-19368 | 1 Maxum | 1 Rumpus | 2019-12-23 | 4.3 MEDIUM | 6.1 MEDIUM | A Reflected Cross Site Scripting was discovered in the Login page of Rumpus FTP Web File Manager 8.2.9.1. An attacker can exploit it by sending a crafted link to end users and can execute arbitrary JavaScript. |
| CVE-2019-4388 | 1 Hcltech | 1 Appscan Source | 2019-12-23 | 3.5 LOW | 4.8 MEDIUM | HCL AppScan Source 9.0.3.13 and earlier is susceptible to cross-site scripting (XSS) attacks by allowing users to embed arbitrary JavaScript code in the Web UI. |
| CVE-2019-19829 | 1 Solarwinds | 1 Serv-u Ftp Server | 2019-12-23 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability exists in SolarWinds Serv-U FTP Server 15.1.7 in the email parameter, a different vulnerability than CVE-2018-19934 and CVE-2019-13182. |
| CVE-2019-4744 | 1 Ibm | 1 Financial Transaction Manager For Multiplatform | 2019-12-22 | 4.3 MEDIUM | 6.1 MEDIUM | IBM Financial Transaction Manager 3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172882. |
| CVE-2012-2237 | 2 Debian, Mahara | 2 Debian Linux, Mahara | 2019-12-21 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.3 and 1.5.x before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript innerHTML as used when generating login forms, (2) links or (3) resources URLs, and (4) the Display name in a user profile. |
| CVE-2019-8649 | 1 Apple | 6 Icloud, Iphone Os, Itunes and 3 more | 2019-12-20 | 4.3 MEDIUM | 6.1 MEDIUM | A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to universal cross site scripting. |
| CVE-2019-8690 | 1 Apple | 6 Icloud, Iphone Os, Itunes and 3 more | 2019-12-20 | 4.3 MEDIUM | 6.1 MEDIUM | A logic issue existed in the handling of document loads. This issue was addressed with improved state management. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to universal cross site scripting. |
| CVE-2019-17337 | 1 Tibco | 2 Spotfire Analytics Platform For Aws, Spotfire Server | 2019-12-20 | 4.3 MEDIUM | 5.4 MEDIUM | The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker to perform a reflected cross-site scripting (XSS) attack. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0. |
| CVE-2019-19497 | 1 Altn | 1 Mdaemon Email Server | 2019-12-20 | 3.5 LOW | 5.4 MEDIUM | MDaemon Email Server 17.5.1 allows XSS via the filename of an attachment to an email message. |
| CVE-2019-13943 | 1 Siemens | 6 En100 Ethernet Module, En100 Ethernet Module With Firmware Variant Dnp3 Tcp, En100 Ethernet Module With Firmware Variant Iec104 and 3 more | 2019-12-19 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability has been identified in EN100 Ethernet module DNP3 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.37), EN100 Ethernet module IEC104 variant (All versions), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users. Successful exploitation does not require the attacker to be authenticated to the web interface. This could allow the attacker to read or modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known. |
| CVE-2013-4303 | 1 Mediawiki | 1 Mediawiki | 2019-12-19 | 4.3 MEDIUM | 6.1 MEDIUM | includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php. |
| CVE-2019-13931 | 1 Siemens | 1 Xhq | 2019-12-19 | 3.5 LOW | 5.4 MEDIUM | A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow an attacker to craft the input in a form that is not expected, causing the application to behave in unexpected ways for legitimate users. Successful exploitation requires the attacker to be authenticated to the web interface. A successful attack could cause the application to have unexpected behavior. This could allow the attacker to modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known. |
| CVE-2014-4913 | 2 Debian, Zend | 2 Debian Linux, Zend Framework | 2019-12-19 | 4.3 MEDIUM | 6.1 MEDIUM | ZF2014-03 has a potential cross site scripting vector in multiple view helpers. |
| CVE-2016-1000114 | 1 Huge-it | 1 Gallery | 2019-12-19 | 4.3 MEDIUM | 6.1 MEDIUM | XSS in huge IT gallery v1.1.5 for Joomla. |
| CVE-2019-13182 | 1 Solarwinds | 1 Serv-u Ftp Server | 2019-12-18 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in the web UI of SolarWinds Serv-U FTP Server 15.1.7. |
| CVE-2019-16564 | 1 Jenkins | 1 Pipeline Aggregator View | 2019-12-18 | 3.5 LOW | 5.4 MEDIUM | Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affect view content such as job display name or pipeline stage names. |
| CVE-2013-0202 | 1 Owncloud | 1 Owncloud | 2019-12-18 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php. |
| CVE-2019-16563 | 1 Jenkins | 1 Mission Control | 2019-12-18 | 3.5 LOW | 5.4 MEDIUM | Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties. |
| CVE-2019-4426 | 1 Ibm | 2 Business Automation Workflow, Case Manager | 2019-12-18 | 3.5 LOW | 5.4 MEDIUM | The Case Builder component shipped with 18.0.0.1 through 19.0.0.2 and IBM Case Manager 5.1.1 through 5.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162772. |
| CVE-2019-19327 | 1 Wikimedia | 1 Wikidata Query Gui | 2019-12-18 | 4.3 MEDIUM | 6.1 MEDIUM | ui/ResultView.js in Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07 allows HTML injection when reporting the number of results and number of milliseconds. NOTE: this GUI code is no longer bundled with the Wikibase Wikidata Query Service snapshots, such as 0.3.6-SNAPSHOT. |
| CVE-2019-19329 | 1 Wikimedia | 1 Wikidata Query Gui | 2019-12-18 | 4.3 MEDIUM | 6.1 MEDIUM | In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07, when mathematical expressions in results are displayed directly, arbitrary JavaScript execution can occur, aka XSS. This was addressed by introducing MathJax as a new mathematics rendering engine. NOTE: this GUI code is no longer bundled with the Wikibase Wikidata Query Service snapshots, such as 0.3.6-SNAPSHOT. |
| CVE-2019-17599 | 1 Expresstech | 1 Quiz And Survey Master | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM | The quiz-master-next (aka Quiz And Survey Master) plugin before 6.3.5 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the from or till parameter (and/or the quiz_id parameter). The component is: admin/quiz-options-page.php. The attack vector is: When the Administrator is logged in, a reflected XSS may execute upon a click on a malicious URL. |
| CVE-2019-14344 | 1 Vocabularyserver | 1 Tematres | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM | TemaTres 3.0 has reflected XSS via the replace_string or search_string parameter to the vocab/admin.php?doAdmin=bulkReplace URI. |
| CVE-2019-10772 | 1 Svg-sanitizer Project | 1 Svg-sanitizer | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM | It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer. |
| CVE-2008-4456 | 2 Mysql, Oracle | 2 Mysql, Mysql | 2019-12-17 | 2.6 LOW | N/A | Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67. |
| CVE-2019-14849 | 1 Redhat | 1 3scale | 2019-12-17 | 3.5 LOW | 5.4 MEDIUM | A vulnerability was found in 3scale before version 2.6: it did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information. |
| CVE-2015-5326 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2019-12-17 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message. |
| CVE-2013-4158 | 3 Debian, Fedoraproject, Smokeping | 3 Debian Linux, Fedora, Smokeping | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM | smokeping before 2.6.9 has XSS (incomplete fix for CVE-2012-0790). |
| CVE-2013-7370 | 4 Debian, Opensuse, Redhat and 1 more | 4 Debian Linux, Opensuse, Openshift and 1 more | 2019-12-17 | 4.3 MEDIUM | 6.1 MEDIUM | node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware. |
| CVE-2019-0395 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-12-17 | 3.5 LOW | 5.4 MEDIUM | SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to a Stored Cross Site Scripting vulnerability. |
| CVE-2013-7371 | 2 Debian, Sencha | 2 Debian Linux, Connect | 2019-12-16 | 4.3 MEDIUM | 6.1 MEDIUM | node-connect before 2.8.2 has cross site scripting in the Sencha Labs Connect middleware (vulnerability due to an incomplete fix for CVE-2013-7370). |
