Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16310 | 1 Niushop | 1 Niushop | 2019-09-16 | 3.5 LOW | 5.4 MEDIUM |
| NIUSHOP V1.11 has XSS via the index.php?s=/admin URI. | |||||
| CVE-2019-16289 | 1 Webcraftic | 1 Woody Ad Snippets | 2019-09-16 | 3.5 LOW | 5.4 MEDIUM |
| The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter. | |||||
| CVE-2016-10952 | 1 Quotes Collection Project | 1 Quotes Collection | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter. | |||||
| CVE-2018-17300 | 1 Cuppacms | 1 Cuppacms | 2019-09-16 | 3.5 LOW | 4.8 MEDIUM |
| Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name. | |||||
| CVE-2019-12517 | 1 Slickquiz Project | 1 Slickquiz | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in the slickquiz plugin through 1.3.7.1 for WordPress. The save_quiz_score functionality available via the /wp-admin/admin-ajax.php endpoint allows unauthenticated users to submit quiz solutions/answers, which are stored in the database and later shown in the WordPress backend for all users with at least Subscriber rights. Because the plugin does not properly validate and sanitize this data, a malicious payload in either the name or email field is executed directly within the backend at /wp-admin/admin.php?page=slickquiz across all users with the privileges of at least Subscriber. | |||||
| CVE-2017-18615 | 1 Wp-kama | 1 Kama Click Counter | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The kama-clic-counter plugin before 3.5.0 for WordPress has XSS. | |||||
| CVE-2017-18613 | 1 Trust Form Project | 1 Trust Form | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The trust-form plugin 2.0 for WordPress has XSS via the wp-admin/admin.php?page=trust-form-edit page parameter. | |||||
| CVE-2017-18612 | 1 Netattingo | 1 Wp-whois-domain | 2019-09-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-whois-domain plugin 1.0.0 for WordPress has XSS via the pages/func-whois.php domain parameter. | |||||
| CVE-2019-16218 | 1 Wordpress | 1 Wordpress | 2019-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.2.3 allows XSS in stored comments. | |||||
| CVE-2016-10941 | 1 Podlove | 1 Podlove Podcast Publisher | 2019-09-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF. | |||||
| CVE-2019-16238 | 1 Afterlogic | 1 Aurora | 2019-09-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged for session hijacking by retrieving the session cookie from the administrator login. | |||||
| CVE-2017-0912 | 1 Ui | 1 Ucrm | 2019-09-13 | 3.5 LOW | 5.4 MEDIUM |
| Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-site Scripting. Due to the lack sanitization, it is possible to inject arbitrary HTML code by manipulating the uploaded filename. Successful exploitation requires valid credentials to an account with "Edit" access to "Scheduling". | |||||
| CVE-2019-1305 | 1 Microsoft | 2 Azure Devops Server, Team Foundation Server | 2019-09-13 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka 'Team Foundation Server Cross-site Scripting Vulnerability'. | |||||
| CVE-2019-16173 | 1 Limesurvey | 1 Limesurvey | 2019-09-12 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php, | |||||
| CVE-2019-16172 | 1 Limesurvey | 1 Limesurvey | 2019-09-12 | 3.5 LOW | 5.4 MEDIUM |
| LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion. | |||||
| CVE-2019-16193 | 1 Esri | 1 Arcgis Enterprise | 2019-09-12 | 3.5 LOW | 5.4 MEDIUM |
| In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to trigger a Cross Frame Scripting (XFS) attack through the EDIT MY PROFILE feature. | |||||
| CVE-2017-18603 | 1 Postman-smtp Project | 1 Postman-smtp | 2019-09-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postman_email_log page parameter. | |||||
| CVE-2019-1273 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2019-09-12 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize certain error messages, aka 'Active Directory Federation Services XSS Vulnerability'. | |||||
| CVE-2019-16219 | 1 Wordpress | 1 Wordpress | 2019-09-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.2.3 allows XSS in shortcode previews. | |||||
| CVE-2019-16222 | 1 Wordpress | 1 Wordpress | 2019-09-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. | |||||
| CVE-2019-16221 | 1 Wordpress | 1 Wordpress | 2019-09-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.2.3 allows reflected XSS in the dashboard. | |||||
| CVE-2019-8450 | 1 Atlassian | 1 Jira | 2019-09-11 | 3.5 LOW | 4.8 MEDIUM |
| Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field. | |||||
| CVE-2019-14996 | 1 Atlassian | 1 Jira | 2019-09-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | |||||
| CVE-2019-16145 | 1 Padrinorb | 1 Padrino-contrib | 2019-09-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The breadcrumbs contributed module through 0.2.0 for Padrino Framework allows XSS via a caption. | |||||
| CVE-2019-0361 | 1 Sap | 1 Supplier Relationship Management | 2019-09-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-11548 | 1 Gitlab | 1 Gitlab | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint. | |||||
| CVE-2017-18610 | 1 Magicfields | 1 Magic Fields | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-group-id parameter. | |||||
| CVE-2017-18611 | 1 Magicfields | 1 Magic Fields | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-field-css parameter. | |||||
| CVE-2017-18601 | 1 Ibps Online Exam Project | 1 Ibps Online Exam | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM |
| The examapp plugin 1.0 for WordPress has XSS via exam input text fields. | |||||
| CVE-2017-18606 | 1 Theme-fusion | 1 Avada | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The avada theme before 5.1.5 for WordPress has stored XSS. | |||||
| CVE-2017-18600 | 1 Ncrafts | 1 Formcraft | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM |
| The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field. | |||||
| CVE-2019-6784 | 1 Gitlab | 1 Gitlab | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 1 of 2). Markdown fields contain a lack of input validation and output encoding when processing KaTeX that results in a persistent XSS. | |||||
| CVE-2019-16147 | 1 Liferay | 1 Liferay Portal | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib. | |||||
| CVE-2017-18598 | 1 Designmodo | 1 Qards | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php. | |||||
| CVE-2017-18599 | 1 Pinfinity Project | 1 Pinfinity | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Pinfinity theme before 2.0 for WordPress has XSS via the s parameter. | |||||
| CVE-2017-18609 | 1 Magicfields | 1 Magic Fields | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The magic-fields plugin before 1.7.2 for WordPress has XSS via the custom-write-panel-id parameter. | |||||
| CVE-2017-18608 | 1 Spot | 1 Spot.im Comments | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS issues. | |||||
| CVE-2019-16182 | 1 Limesurvey | 1 Limesurvey | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files. | |||||
| CVE-2019-16178 | 1 Limesurvey | 1 Limesurvey | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with correct permissions to inject arbitrary web script or HTML via titles of admin box buttons on the home page. | |||||
| CVE-2019-10670 | 1 Librenms | 1 Librenms | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input in an HTML or a JavaScript context, resulting in unsafe data being injected into these contexts, leading to attacker controlled JavaScript executing in the browser. One example of this is the string parameter in html/pages/inventory.inc.php. | |||||
| CVE-2019-16148 | 1 Sakailms | 1 Sakai | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sakai through 12.6 allows XSS via a chat user name. | |||||
| CVE-2017-1000426 | 1 Omniscale | 1 Mapproxy | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| MapProxy version 1.10.3 and older is vulnerable to a Cross Site Scripting attack in the demo service resulting in possible information disclosure. | |||||
| CVE-2019-16146 | 1 Getgophish | 1 Gophish | 2019-09-10 | 3.5 LOW | 4.8 MEDIUM |
| Gophish through 0.8.0 allows XSS via a username. | |||||
| CVE-2018-21014 | 1 Buddyboss | 1 Buddymoss Media | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM |
| The buddyboss-media plugin through 3.2.3 for WordPress has stored XSS. | |||||
| CVE-2019-16118 | 1 10web | 1 Photo Gallery | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php. | |||||
| CVE-2018-18373 | 1 Schiocco | 1 Support Board - Chat And Help Desk | 2019-09-10 | 3.5 LOW | 5.4 MEDIUM |
| In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, a Stored XSS vulnerability has been discovered in file upload areas in the Chat and Help Desk sections via the msg parameter in a /wp-admin/admin-ajax.php sb_ajax_add_message action. | |||||
| CVE-2019-15833 | 1 Simple Mail Address Encoder Project | 1 Simple Mail Address Encoder | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The simple-mail-address-encoder plugin before 1.7 for WordPress has reflected XSS. | |||||
| CVE-2019-16117 | 1 10web | 1 Photo Gallery | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php. | |||||
| CVE-2017-18539 | 1 Deepsoft | 1 Weblibrarian | 2019-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front-end short codes. | |||||
| CVE-2018-21012 | 1 Vsourz | 1 Cf7 Invisible Recaptcha | 2019-09-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The cf7-invisible-recaptcha plugin before 1.3.2 for WordPress has XSS. | |||||