Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18364 | 1 Frank-karau | 1 Phpfk | 2019-07-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpFK lite has XSS via the faq.php, members.php, or search.php query string or the user.php user parameter. | |||||
| CVE-2019-5967 | 1 Joruri | 1 Joruri Cms 2017 | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Joruri CMS 2017 Release2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-13472 | 1 Phpwind | 1 Phpwind | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file. | |||||
| CVE-2019-13186 | 1 1234n | 1 Minicms | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, and CVE-2018-20520. | |||||
| CVE-2018-12623 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Eventum 3.5.0. htdocs/switch.php has XSS via the current_page parameter. | |||||
| CVE-2018-12626 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Eventum 3.5.0. /htdocs/popup.php has XSS via the cat parameter. | |||||
| CVE-2018-12625 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Eventum 3.5.0. /htdocs/validate.php has XSS via the values parameter. | |||||
| CVE-2018-12627 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Eventum 3.5.0. /htdocs/list.php has XSS via the show_notification_list_issues or show_authorized_issues parameter. | |||||
| CVE-2018-12622 | 1 Eventum Project | 1 Eventum | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Eventum 3.5.0. htdocs/ajax/update.php has XSS via the field_name parameter. | |||||
| CVE-2019-13397 | 1 Enhancesoft | 1 Osticket | 2019-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via arbitrary file extension while creating a support ticket. | |||||
| CVE-2019-13070 | 1 Cyberpowersystems | 1 Powerpanel | 2019-07-10 | 3.5 LOW | 5.4 MEDIUM |
| A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim. | |||||
| CVE-2019-13374 | 2 Dlink, Microsoft | 2 Central Wifimanager, Windows | 2019-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter. | |||||
| CVE-2019-11647 | 1 Microfocus | 1 Netiq Self Service Password Reset | 2019-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A potential XSS exists in Self Service Password Reset, in Micro Focus NetIQ Software all versions prior to version 4.4. The vulnerability could be exploited to enable an XSS attack. | |||||
| CVE-2019-13072 | 1 Zoneminder | 1 Zoneminder | 2019-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page. | |||||
| CVE-2019-6639 | 1 F5 | 2 Big-ip Advanced Firewall Manager, Big-ip Policy Enforcement Manager | 2019-07-09 | 3.5 LOW | 4.8 MEDIUM |
| On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. This is a control plane issue only and is not accessible from the data plane. The attack requires a malicious resource administrator to store the XSS. | |||||
| CVE-2019-12930 | 1 Wikindx Project | 1 Wikindx | 2019-07-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in noMenu() and noSubMenu() in core/navigation/MENU.php in WIKINDX prior to version 5.8.1 allows remote attackers to inject arbitrary web script or HTML via the method parameter. | |||||
| CVE-2018-14027 | 1 Digisol | 2 Dg-hr-3300, Dg-hr-3300 Firmware | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or password parameter to the admin login page. | |||||
| CVE-2018-11227 | 1 Monstra | 1 Monstra Cms | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Monstra CMS 3.0.4 and earlier has XSS via index.php. | |||||
| CVE-2018-1000874 | 1 Cebe | 1 Markdown | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a malicious crafted script to be executed that can result in the loss of user data and sensitive user information. This attack can be exploited by crafting a three backtick wrapped payload with a character in front: L: "```<script>alert();</script>```". NOTE: This has been argued as a non-issue (see references) since it is not the parser's job to sanitize malicious code from a parsed document. | |||||
| CVE-2015-2324 | 1 10web | 1 Photo Gallery | 2019-07-08 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the filemanager in the Photo Gallery plugin before 1.2.13 for WordPress allows remote authenticated users with edit permission to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-6626 | 1 F5 | 3 Big-ip Advanced Firewall Manager, Big-ip Analytics, Big-ip Application Security Manager | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| On BIG-IP (AFM, Analytics, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.3.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration utility. | |||||
| CVE-2019-6625 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility. | |||||
| CVE-2018-20850 | 1 Stormshield | 1 Stormshield Network Security | 2019-07-08 | 7.2 HIGH | 8.2 HIGH |
| Stormshield Network Security 2.0.0 through 2.13.0 and 3.0.0 through 3.7.1 has self-XSS in the command line interface of the SNS web server. | |||||
| CVE-2019-13239 | 1 Glpi-project | 1 Glpi | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture. | |||||
| CVE-2018-20807 | 1 Pulsesecure | 1 Pulse Connect Secure | 2019-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly. | |||||
| CVE-2019-13339 | 1 1234n | 1 Minicms | 2019-07-07 | 3.5 LOW | 4.8 MEDIUM |
| In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie. | |||||
| CVE-2019-13340 | 1 1234n | 1 Minicms | 2019-07-07 | 3.5 LOW | 4.8 MEDIUM |
| In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186. | |||||
| CVE-2019-13341 | 1 1234n | 1 Minicms | 2019-07-07 | 3.5 LOW | 4.8 MEDIUM |
| In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie. | |||||
| CVE-2017-17972 | 1 Archon Project | 1 Archon | 2019-07-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| packages/subjects/pub/subjects.php in Archon 3.21 rev-1 has XSS in the referer parameter in an index.php?subjecttypeid=xxx request, aka Open Bug Bounty ID OBB-466362. | |||||
| CVE-2019-3873 | 1 Redhat | 3 Enterprise Linux, Jboss Enterprise Application Platform, Single Sign-on | 2019-07-06 | 6.0 MEDIUM | 9.0 CRITICAL |
| It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks. | |||||
| CVE-2019-12842 | 1 Jetbrains | 1 Teamcity | 2019-07-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected XSS on a user page was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.2. | |||||
| CVE-2017-6216 | 1 Novaksolutions | 1 Infusionsoft-php-sdk | 2019-07-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable to a reflected XSS in leadscoring.php, resulting in code execution. | |||||
| CVE-2018-17560 | 1 Teamwire | 1 Teamwire | 2019-07-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| The admin interface of the Grouptime Teamwire Client 1.5.1 prior to 1.9.0 on-premises messenger server allows stored XSS. All backend versions prior to prod-2018-11-13-15-00-42 are affected. | |||||
| CVE-2018-11317 | 1 Intelliants | 1 Subrion | 2019-07-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Subrion CMS before 4.1.4 has XSS. | |||||
| CVE-2018-20814 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Policy Secure | 2019-07-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.3R2 before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX or PPS 5.2RX. | |||||
| CVE-2019-9701 | 1 Symantec | 1 Data Loss Prevention | 2019-07-03 | 3.5 LOW | 4.8 MEDIUM |
| DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site scripting (XSS) vulnerability, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. | |||||
| CVE-2003-1582 | 1 Microsoft | 1 Internet Information Server | 2019-07-03 | 2.6 LOW | N/A |
| Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. | |||||
| CVE-2019-12932 | 1 Seeddms | 1 Seeddms | 2019-07-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored XSS vulnerability was found in SeedDMS 5.1.11 due to poorly escaping the search result in the autocomplete search form placed in the header of out/out.Viewfolder.php. | |||||
| CVE-2018-20808 | 1 Pulsesecure | 1 Pulse Connect Secure | 2019-07-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. This is not applicable to 8.1RX. | |||||
| CVE-2018-14919 | 1 Loytec | 2 Lgate-902, Lgate-902 Firmware | 2019-07-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| LOYTEC LGATE-902 6.3.2 devices allow XSS. | |||||
| CVE-2019-4410 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2019-07-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19.0.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162657. | |||||
| CVE-2016-5235 | 1 F5 | 1 Websafe Alert Server | 2019-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in versions of F5 WebSafe Dashboard 3.9.x and earlier, aka F5 WebSafe Alert Server, allows an unauthenticated user to inject HTML via a crafted alert. | |||||
| CVE-2016-5236 | 1 F5 | 1 Websafe Alert Server | 2019-07-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard 3.9.5 and earlier, aka F5 WebSafe Alert Server, allow privileged authenticated users to inject arbitrary web script or HTML when creating a new user, account or signature. | |||||
| CVE-2018-6145 | 1 Google | 1 Chrome | 2019-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient data validation in HTML parser in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||||
| CVE-2018-20849 | 1 Arastta | 1 Ecommerce | 2019-07-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Arastta eCommerce 1.6.2 is vulnerable to XSS via the PATH_INFO to the login/ URI. | |||||
| CVE-2008-5039 | 2 Php-nuke, Phpnuke | 2 League Module, Php-nuke | 2019-07-01 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the League module for PHP-Nuke, possibly 2.4, allows remote attackers to inject arbitrary web script or HTML via the tid parameter in a team action to modules.php. | |||||
| CVE-2018-6128 | 2 Apple, Google | 2 Iphone Os, Chrome | 2019-07-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Incorrect URL parsing in WebKit in Google Chrome on iOS prior to 67.0.3396.62 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||||
| CVE-2019-12581 | 1 Zyxel | 18 Uag2100, Uag2100 Firmware, Uag4100 and 15 more | 2019-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter. | |||||
| CVE-2019-9957 | 1 Quadbase | 1 Espressreport Es | 2019-06-27 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS within Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The XSS payload is stored by creating a new user account, and setting the username to an XSS payload. The stored payload can then be triggered by accessing the "Set Security Levels" or "View User/Group Relationships" page. If the attacker does not currently have permission to create a new user, another vulnerability such as CSRF must be exploited first. | |||||
| CVE-2019-4303 | 1 Ibm | 10 Control Desk, Maximo Asset Management, Maximo For Aviation and 7 more | 2019-06-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 160949. | |||||
