Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-14953 | 1 Squirrelmail | 1 Squirrelmail | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack. | |||||
| CVE-2018-14954 | 1 Squirrelmail | 1 Squirrelmail | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute. | |||||
| CVE-2018-14950 | 1 Squirrelmail | 1 Squirrelmail | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<svg><a xlink:href=" attack. | |||||
| CVE-2019-14976 | 1 Icmsdev | 1 Icms | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter. | |||||
| CVE-2015-9305 | 1 Flippercode | 1 Google Map | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS related to the add_query_arg() and remove_query_arg() functions. | |||||
| CVE-2019-14950 | 1 Wp-livechat | 1 Wp Live Chat Support | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page. | |||||
| CVE-2016-10879 | 1 Wp-livechat | 1 Wp Live Chat Support | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-live-chat-support plugin before 6.2.02 for WordPress has XSS. | |||||
| CVE-2016-10877 | 1 Wp Editor Project | 1 Wp Editor | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-editor plugin before 1.2.6.3 for WordPress has multiple XSS issues. | |||||
| CVE-2019-14967 | 1 Frappe | 1 Frappe | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability. | |||||
| CVE-2017-18495 | 1 Mediaburst | 1 Gravity Forms | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress has XSS. | |||||
| CVE-2019-11720 | 1 Mozilla | 1 Firefox | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering. This vulnerability affects Firefox < 68. | |||||
| CVE-2017-18497 | 1 W3eden | 1 Live Forms | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The liveforms plugin before 3.4.0 for WordPress has XSS. | |||||
| CVE-2017-18496 | 1 Bestwebsoft | 1 Htaccess | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. | |||||
| CVE-2017-18494 | 1 Bestwebsoft | 1 Custom Search | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The custom-search-plugin plugin before 1.36 for WordPress has multiple XSS issues. | |||||
| CVE-2017-18487 | 1 Google Adsense Project | 1 Google Adsense | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPress has multiple XSS issues. | |||||
| CVE-2016-10866 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues. | |||||
| CVE-2017-18507 | 1 Wp-livechat | 1 Wp Live Chat Support | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS. | |||||
| CVE-2018-20858 | 1 Edx | 1 Recommender | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Recommender before 2018-07-18 allows XSS. | |||||
| CVE-2018-20963 | 1 Codepeople | 1 Contact Form Email | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The contact-form-to-email plugin before 1.2.66 for WordPress has XSS. | |||||
| CVE-2017-18498 | 1 Presstigers | 1 Simple Job Board | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The simple-job-board plugin before 2.4.4 for WordPress has reflected XSS via keyword search. | |||||
| CVE-2017-18488 | 1 Backup-guard | 1 Backup Guard | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Backup Guard plugin before 1.1.47 for WordPress has multiple XSS issues. | |||||
| CVE-2017-18484 | 1 Elementalpath | 2 Cognitoys Dino, Cognitoys Dino Firmware | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cognitoys Dino devices allow XSS via the SSID. | |||||
| CVE-2019-14769 | 1 Backdropcms | 1 Backdrop | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.) | |||||
| CVE-2019-14731 | 1 Cnezsoft | 1 Zentao | 2019-08-15 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vulnerability that leads to the capture of other people's cookies via the Rich Text Box. | |||||
| CVE-2019-14785 | 1 Codepeople | 1 Cp Contact Form With Paypal | 2019-08-15 | 3.5 LOW | 5.4 MEDIUM |
| The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter. | |||||
| CVE-2019-14792 | 1 Codecabin | 1 Wp Google Maps | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM |
| The WP Google Maps plugin before 7.11.35 for WordPress allows XSS via the wp-admin/ rectangle_name or rectangle_opacity parameter. | |||||
| CVE-2019-14946 | 1 Ultimatemember | 1 Ultimate Member | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM |
| The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations. | |||||
| CVE-2019-14945 | 1 Ultimatemember | 1 Ultimate Member | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM |
| The ultimate-member plugin before 2.0.54 for WordPress has XSS. | |||||
| CVE-2019-14947 | 1 Ultimatemember | 1 Ultimate Member | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM |
| The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade. | |||||
| CVE-2019-14791 | 1 Codepeople | 1 Appointment Booking Calendar | 2019-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter. | |||||
| CVE-2017-18483 | 1 Annke | 2 Sp1, Sp1 Firmware | 2019-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| ANNKE SP1 HD wireless camera 3.4.1.1604071109 devices allow XSS via a crafted SSID. | |||||
| CVE-2019-14748 | 1 Osticket | 1 Osticket | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment. | |||||
| CVE-2019-14750 | 1 Osticket | 1 Osticket | 2019-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions. | |||||
| CVE-2019-14805 | 1 Una | 1 Una | 2019-08-14 | 3.5 LOW | 4.8 MEDIUM |
| studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the System Name field under Sets during set editing. | |||||
| CVE-2019-14804 | 1 Una | 1 Una | 2019-08-14 | 3.5 LOW | 4.8 MEDIUM |
| studio/polyglot.php?page=etemplates in UNA 10.0.0-RC1 allows XSS via the System Name field under Emails during template editing. | |||||
| CVE-2019-12950 | 1 Teampass | 1 Teampass | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in TeamPass 2.1.27.35. From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload. | |||||
| CVE-2019-14797 | 1 10web | 1 Photo Gallery | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM |
| The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS. | |||||
| CVE-2019-14546 | 1 Espocrm | 1 Espocrm | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature, which fires when the victim replies or forwards the mail, thus helping him steal victims' cookies (hence compromising their accounts). | |||||
| CVE-2019-9834 | 1 Netdata | 1 Netdata | 2019-08-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot. | |||||
| CVE-2018-20827 | 1 Atlassian | 1 Jira | 2019-08-13 | 3.5 LOW | 5.4 MEDIUM |
| The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter. | |||||
| CVE-2019-10933 | 1 Siemens | 4 Spectrum Power 3, Spectrum Power 4, Spectrum Power 5 and 1 more | 2019-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions < v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user does not need to be logged into the web interface in order for the exploitation to succeed.At the stage of publishing this security advisory no public exploitation is known. | |||||
| CVE-2019-14696 | 1 Open-school | 1 Open-school | 2019-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter. | |||||
| CVE-2017-18402 | 1 Cpanel | 1 Cpanel | 2019-08-13 | 3.5 LOW | 5.4 MEDIUM |
| cPanel before 68.0.15 allows stored XSS during a cpaddons moderated upgrade (SEC-336). | |||||
| CVE-2019-11198 | 1 Sitecore | 1 Cms | 2019-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. | |||||
| CVE-2019-14772 | 1 Verdaccio | 1 Verdaccio | 2019-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| verdaccio before 3.12.0 allows XSS. | |||||
| CVE-2019-14364 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2019-08-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability in the "Email Subscribers & Newsletters" plugin 4.1.6 for WordPress allows an attacker to inject malicious JavaScript code through a publicly available subscription form using the esfpx_name wp-admin/admin-ajax.php POST parameter. | |||||
| CVE-2014-4035 | 1 Bestsoftinc | 1 Advance Hotel Booking System | 2019-08-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in booking_details.php in Best Soft Inc. (BSI) Advance Hotel Booking System 2.0 allows remote attackers to inject arbitrary web script or HTML via the title parameter. | |||||
| CVE-2016-10795 | 1 Cpanel | 1 Cpanel | 2019-08-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156). | |||||
| CVE-2017-18408 | 1 Cpanel | 1 Cpanel | 2019-08-12 | 3.5 LOW | 5.4 MEDIUM |
| cPanel before 67.9999.103 allows stored XSS in WHM MySQL Password Change interfaces (SEC-282). | |||||
| CVE-2019-14747 | 1 Diaowen | 1 Dwsurvey | 2019-08-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| DWSurvey through 2019-07-22 has stored XSS via the design/my-survey-design!copySurvey.action surveyName parameter. | |||||