Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-11464 | 1 Couchbase | 1 Couchbase Server | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM | Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable; however, some information security professionals additionally look for X-Permitted-Cross-Domain-Policies and X-XSS-Protection, which are more generally applicable to HTML endpoints, to be included too. These headers were not included in Couchbase Server 5.5.0 and 5.1.2. They are now included in version 6.0.2 in responses from the Couchbase Server Views REST API (port 8092). |
| CVE-2018-17218 | 1 Ptc | 1 Thingworx Platform | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is reflected XSS in the SQUEAL search function. |
| CVE-2019-14272 | 1 Silverstripe | 1 Silverstripe | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM | In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS. |
| CVE-2015-9423 | 1 Simplysymphony | 1 Plugnedit | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM | The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters. |
| CVE-2017-16792 | 1 Geminabox Project | 1 Geminabox | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM | Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb. |
| CVE-2015-9426 | 1 Manual Image Crop Project | 1 Manual Image Crop | 2019-09-26 | 3.5 LOW | 4.6 MEDIUM | The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter. |
| CVE-2015-9439 | 1 Addthis | 1 Addthis | 2019-09-26 | 3.5 LOW | 4.8 MEDIUM | The addthis plugin before 5.0.13 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=addthis_social_widget pubid parameter. |
| CVE-2015-9436 | 1 Qurl | 1 Dynamic Widgets | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM | The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=term_tree prefix or widget_id parameter. |
| CVE-2015-9438 | 1 Display-widgets Project | 1 Display-widgets | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM | The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dw_show_widget id_base, widget_number, or instance parameter. |
| CVE-2015-9430 | 1 Crazy Bone Project | 1 Crazy Bone | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM | The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header. |
| CVE-2019-12205 | 1 Silverstripe | 1 Silverstripe | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM | SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS. |
| CVE-2015-9414 | 1 Wpsymposiumpro | 1 Wp-symposium | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM | The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter. |
| CVE-2015-9419 | 1 Captain-slider Project | 1 Captain-slider | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM | The captain-slider plugin 1.0.6 for WordPress has XSS via a Title or Caption section. |
| CVE-2015-9412 | 1 Royal-slider Project | 1 Royal-slider | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM | The Royal-Slider plugin before 3.2.7 for WordPress has XSS via the rstype parameter. |
| CVE-2019-15120 | 1 Kunena | 1 Kunena | 2019-09-26 | 4.3 MEDIUM | 6.1 MEDIUM | The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode. |
| CVE-2019-16890 | 1 Halo | 1 Halo | 2019-09-26 | 3.5 LOW | 5.4 MEDIUM | Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments. |
| CVE-2019-10406 | 1 Jenkins | 1 Jenkins | 2019-09-25 | 3.5 LOW | 4.8 MEDIUM | Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission. |
| CVE-2019-15782 | 1 Webtorrent | 1 Webtorrent | 2019-09-25 | 4.3 MEDIUM | 6.1 MEDIUM | WebTorrent before 0.107.6 allows XSS in the HTTP server via a title or file name. |
| CVE-2019-14807 | 1 Mediawiki | 1 Mobilefrontend | 2019-09-25 | 4.3 MEDIUM | 6.1 MEDIUM | In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS exists within the edit summary field in includes/specials/MobileSpecialPageFeed.php. |
| CVE-2019-16751 | 1 Devise Token Auth Project | 1 Devise Token Auth | 2019-09-25 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller. |
| CVE-2019-16725 | 1 Joomla | 1 Joomla! | 2019-09-25 | 4.3 MEDIUM | 6.1 MEDIUM | In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates. |
| CVE-2019-13923 | 1 Siemens | 2 Ie/wsn-pa Link Wirelesshart Gateway, Ie/wsn-pa Link Wirelesshart Gateway Firmware | 2019-09-24 | 4.3 MEDIUM | 9.6 CRITICAL | A vulnerability has been identified in IE/WSN-PA Link WirelessHART Gateway (All versions). The integrated configuration web server of the affected device could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. |
| CVE-2019-1262 | 1 Microsoft | 1 Sharepoint Foundation | 2019-09-24 | 3.5 LOW | 5.4 MEDIUM | A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. |
| CVE-2019-16681 | 1 Traveloka | 1 Traveloka | 2019-09-24 | 2.6 LOW | 4.7 MEDIUM | The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to the opening of arbitrary URLs, which can inject deceptive content into the UI. (When in physical possession of the device, opening local files is also possible.) NOTE: As of 2019-09-23, the vendor has not agreed that this issue has serious impact. The vendor states that the issue is not critical because it does not allow Elevation of Privilege, Sensitive Data Leakage, or any critical unauthorized activity from a malicious user. The vendor also states that a victim must first install a malicious APK to their application. |
| CVE-2018-9090 | 1 Redhat | 1 Tectonic | 2019-09-24 | 4.3 MEDIUM | 6.1 MEDIUM | CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at the grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. An attacker can insert an XSS payload into the dashboards. |
| CVE-2019-10090 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-12407 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-12404 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-10089 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-10087 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2018-18381 | 1 Zblogcn | 1 Z-blogphp | 2019-09-23 | 3.5 LOW | 5.4 MEDIUM | Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments. |
| CVE-2019-16703 | 1 Phpmywind | 1 Phpmywind | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. |
| CVE-2019-16704 | 1 Phpmywind | 1 Phpmywind | 2019-09-23 | 3.5 LOW | 4.8 MEDIUM | admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. |
| CVE-2015-9403 | 1 Neuvoo | 1 Neuvoo-jobroll | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_location XSS. |
| CVE-2019-16657 | 1 Tuzicms | 1 Tuzicms | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/. |
| CVE-2019-16661 | 1 Digimute | 1 Ogma Cms | 2019-09-23 | 3.5 LOW | 5.4 MEDIUM | Ogma CMS 0.5 has XSS via creation of a new blog. |
| CVE-2019-14915 | 1 Prise | 1 Adas | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in PRiSE adAS 1.7.0. Certificate data are not properly escaped. This leads to XSS when submitting a rogue certificate. |
| CVE-2019-14913 | 1 Prise | 1 Adas | 2019-09-23 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in PRiSE adAS 1.7.0. Log data are not properly escaped, leading to persistent XSS in the administration panel. |
| CVE-2018-16379 | 1 Digimute | 1 Ogma Cms | 2019-09-23 | 3.5 LOW | 4.8 MEDIUM | Ogma CMS 0.4 Beta has XSS via the "Footer Text footer" field on the "Theme/Theme Options" screen. |
| CVE-2019-14911 | 1 Prise | 1 Adas | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does not properly escape output on error, leading to reflected XSS. |
| CVE-2019-16664 | 1 Thinksaas | 1 Thinksaas | 2019-09-23 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in ThinkSAAS 2.91. There is XSS via the index.php?app=group&ac=create&ts=do groupname parameter. |
| CVE-2019-16665 | 1 Thinksaas | 1 Thinksaas | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in ThinkSAAS 2.91. There is XSS via the content to the index.php?app=group&ac=comment&ts=do&js=1 URI, as demonstrated by a crafted SVG document in the SRC attribute of an EMBED element. |
| CVE-2018-11200 | 1 Acquia | 1 Mautic | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Mautic 2.13.1. It has Stored XSS via the company name field. |
| CVE-2015-9405 | 1 Wp-piwik Project | 1 Wp-piwik | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | The wp-piwik plugin before 1.0.5 for WordPress has XSS. |
| CVE-2015-9404 | 1 Neuvoo | 1 Neuvoo-jobroll | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_keywords XSS. |
| CVE-2019-11559 | 1 Hrworks | 1 Hrworks | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected Cross-site scripting (XSS) vulnerability in HRworks V 1.16.1 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to the Login component. |
| CVE-2015-9385 | 1 Bestwebsoft | 1 Quotes And Tips | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | The quotes-and-tips plugin before 1.20 for WordPress has XSS. |
| CVE-2019-16643 | 1 Zrlog | 1 Zrlog | 2019-09-20 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in ZrLog 2.1.1. There is a Stored XSS vulnerability in the article_edit area. |
| CVE-2015-9397 | 1 Webmaster-source | 1 Gocodes | 2019-09-20 | 3.5 LOW | 5.4 MEDIUM | The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS. |
| CVE-2015-9401 | 1 Websimon-tables Project | 1 Websimon-tables | 2019-09-20 | 3.5 LOW | 4.8 MEDIUM | The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/tools.php edit_style id XSS. |
