Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17409 | 1 Open-emr | 1 Openemr | 2019-10-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter. | |||||
| CVE-2019-16862 | 1 Open-emr | 1 Openemr | 2019-10-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter. | |||||
| CVE-2019-12638 | 1 Cisco | 1 Identity Services Engine | 2019-10-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2019-17207 | 1 Managewp | 1 Broken Link Checker | 2019-10-21 | 3.5 LOW | 5.4 MEDIUM |
| A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the wp-admin/tools.php?page=view-broken-links s_filter parameter in a search action. | |||||
| CVE-2019-16330 | 1 Nchsoftware | 1 Express Accounts Accounting | 2019-10-21 | 3.5 LOW | 5.4 MEDIUM |
| In NCH Express Accounts Accounting v7.02, persistent cross site scripting (XSS) exists in Invoices/Sales Orders/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Sales Orders/Items/Customers/Quotes fields parameter to inject arbitrary JavaScript. | |||||
| CVE-2019-12703 | 1 Cisco | 2 Spa122, Spa122 Firmware | 2019-10-21 | 2.9 LOW | 5.2 MEDIUM |
| A vulnerability in the web-based management interface of Cisco SPA122 ATA with Router Devices could allow an unauthenticated, adjacent attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by sending malicious input to the affected software through crafted DHCP requests, and then persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-12702 | 1 Cisco | 4 Spa112, Spa112 Firmware, Spa122 and 1 more | 2019-10-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-17070 | 2 Lqd, Microsoft | 2 Liquid Speech Balloon, Internet Explorer | 2019-10-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin before 1.0.7 for WordPress allows XSS with Internet Explorer. | |||||
| CVE-2019-17179 | 1 Open-emr | 1 Openemr | 2019-10-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| 4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, fixed in version 5.0.2.1 | |||||
| CVE-2019-16522 | 1 Eu Cookie Law Project | 1 Eu Cookie Law | 2019-10-20 | 3.5 LOW | 4.8 MEDIUM |
| The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message. This affects Font Color, Background Color, and the Disable Cookie text. An attacker with high privileges can attack other users. | |||||
| CVE-2019-16523 | 1 Wp-events-plugin | 1 Events Manager | 2019-10-18 | 3.5 LOW | 5.4 MEDIUM |
| The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map) provided by the plugin. | |||||
| CVE-2019-16521 | 1 Managewp | 1 Broken Link Checker | 2019-10-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The broken-link-checker plugin through 1.11.8 for WordPress (aka Broken Link Checker) is susceptible to Reflected XSS due to improper encoding and insertion of an HTTP GET parameter into HTML. The filter function on the page listing all detected broken links can be exploited by providing an XSS payload in the s_filter GET parameter in a filter_id=search request. NOTE: this is an end-of-life product. | |||||
| CVE-2019-16520 | 1 Semperplugins | 1 All In One Seo Pack | 2019-10-18 | 3.5 LOW | 5.4 MEDIUM |
| The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper encoding of the SEO-specific description for posts provided by the plugin via unsafe placeholder replacement. | |||||
| CVE-2019-17607 | 1 Hongcms Project | 1 Hongcms | 2019-10-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| HongCMS 3.0.0 has XSS via the install/index.php servername parameter. | |||||
| CVE-2019-17608 | 1 Hongcms Project | 1 Hongcms | 2019-10-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| HongCMS 3.0.0 has XSS via the install/index.php dbname parameter. | |||||
| CVE-2019-17609 | 1 Hongcms Project | 1 Hongcms | 2019-10-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter. | |||||
| CVE-2019-17610 | 1 Hongcms Project | 1 Hongcms | 2019-10-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| HongCMS 3.0.0 has XSS via the install/index.php dbpassword parameter. | |||||
| CVE-2019-17611 | 1 Hongcms Project | 1 Hongcms | 2019-10-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| HongCMS 3.0.0 has XSS via the install/index.php tableprefix parameter. | |||||
| CVE-2019-13392 | 1 Mindpalette | 1 Natemail | 2019-10-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-Site Scripting (XSS) vulnerability in MindPalette NateMail 3.0.15 allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid. | |||||
| CVE-2019-17578 | 1 Dolibarr | 1 Dolibarr | 2019-10-18 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field. | |||||
| CVE-2019-17577 | 1 Dolibarr | 1 Dolibarr | 2019-10-18 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field. | |||||
| CVE-2019-17576 | 1 Dolibarr | 1 Dolibarr | 2019-10-18 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field. | |||||
| CVE-2019-16217 | 1 Wordpress | 1 Wordpress | 2019-10-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. | |||||
| CVE-2019-17660 | 1 Limesurvey | 1 Limesurvey | 2019-10-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO. | |||||
| CVE-2019-0368 | 1 Sap | 2 Customer Relationship Management Bbpcrm, Customer Relationship Management S4crm | 2019-10-17 | 3.5 LOW | 5.4 MEDIUM |
| SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability. | |||||
| CVE-2011-4333 | 1 Scilico | 1 Labwiki | 2019-10-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in LabWiki 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) from parameter to index.php or the (2) page_no parameter to recentchanges.php. | |||||
| CVE-2019-10756 | 1 Nodered | 1 Node-red-dashboard | 2019-10-17 | 3.5 LOW | 5.4 MEDIUM |
| It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default. | |||||
| CVE-2015-4707 | 1 Ipython | 1 Ipython | 2019-10-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IPython before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/notebooks path. | |||||
| CVE-2019-17522 | 1 Hotarucms | 1 Hotarucms | 2019-10-17 | 3.5 LOW | 4.8 MEDIUM |
| A stored XSS vulnerability was discovered in Hotaru CMS v1.7.2 via the admin_index.php?page=settings SITE NAME field (aka SITE_NAME), a related issue to CVE-2011-4709.1. | |||||
| CVE-2019-17579 | 1 Sonarsource | 1 Sonarqube | 2019-10-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| SonarSource SonarQube before 7.8 has XSS in project links on account/projects. | |||||
| CVE-2019-16344 | 1 Scadabr | 1 Scadabr | 2019-10-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password parameter. | |||||
| CVE-2017-14506 | 1 Geminabox Project | 1 Geminabox | 2019-10-17 | 3.5 LOW | 5.4 MEDIUM |
| geminabox (aka Gem in a Box) before 0.13.6 has XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file. | |||||
| CVE-2019-17625 | 1 Rambox | 1 Rambox | 2019-10-16 | 8.5 HIGH | 9.0 CRITICAL |
| There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such as an exec of OS commands within the onerror attribute of an IMG element. | |||||
| CVE-2015-9469 | 1 Cybercraftit | 1 Content-grabber | 2019-10-16 | 3.5 LOW | 4.8 MEDIUM |
| The content-grabber plugin 1.0 for WordPress has XSS via obj_field_name or obj_field_id. | |||||
| CVE-2016-6800 | 1 Apache | 1 Ofbiz | 2019-10-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apache OFBiz 16.11.01. | |||||
| CVE-2019-16282 | 1 Nchsoftware | 1 Express Invoice | 2019-10-16 | 3.5 LOW | 5.4 MEDIUM |
| In NCH Express Invoice v7.12, persistent cross site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Items/Customers fields parameter to inject arbitrary JavaScript. | |||||
| CVE-2019-17629 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-16 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen. | |||||
| CVE-2019-17630 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-16 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen. | |||||
| CVE-2019-17176 | 1 Genesys | 1 Eservices Chat | 2019-10-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Genesys PureEngage Digital (eServices) 8.1.x allows XSS via HtmlChatPanel.jsp or HtmlChatFrameSet.jsp (ActionColor, ClientNickNameColor, Email, email, or email_address parameter). | |||||
| CVE-2019-14227 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-10-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite 7.10.1 and 7.10.2 allows XSS. | |||||
| CVE-2019-17535 | 1 Gilacms | 1 Gila Cms | 2019-10-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647. | |||||
| CVE-2015-1981 | 1 Ibm | 1 Domino | 2019-10-16 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the web server in IBM Domino 8.5.x before 8.5.3 FP6 IF8 and 9.x before 9.0.1 FP4, when Webmail is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, aka SPR KLYH9WYPR5. | |||||
| CVE-2019-17504 | 1 Kirona | 1 Dynamic Resource Scheduling | 2019-10-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. A reflected Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script via the /osm/report/ password parameter. | |||||
| CVE-2010-5339 | 1 Icewarp | 1 Webclient | 2019-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][uid] is non-persistent in 10.1.3 and 10.2.0. | |||||
| CVE-2010-5338 | 1 Icewarp | 1 Webclient | 2019-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][action] is non-persistent in 10.1.3 and 10.2.0. | |||||
| CVE-2010-5337 | 1 Icewarp | 1 Webclient | 2019-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][controller] is non-persistent in 10.1.3 and 10.2.0. | |||||
| CVE-2010-5340 | 1 Icewarp | 1 Webclient | 2019-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/ with the parameter password is non-persistent in 10.2.0. | |||||
| CVE-2010-5336 | 1 Icewarp | 1 Webclient | 2019-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: admin/login.html with the parameter username is persistent in 10.2.0. | |||||
| CVE-2015-9472 | 1 Monitorbacklinks | 1 Incoming Links | 2019-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The incoming-links plugin before 0.9.10b for WordPress has referrers.php XSS via the Referer HTTP header. | |||||
| CVE-2019-17496 | 1 Craftcms | 1 Craft Cms | 2019-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion. | |||||