Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-0186 | 1 Apache | 1 Pluto | 2019-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks. Mitigation: * Uninstall the ChatRoomDemo war file - or - * migrate to version 3.1.0 of the chat-room-demo war file | |||||
| CVE-2018-5124 | 1 Mozilla | 1 Firefox | 2019-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unsanitized output in the browser UI leaves HTML tags in place and can result in arbitrary code execution in Firefox before version 58.0.1. | |||||
| CVE-2018-18276 | 1 Profiles Project | 1 Profiles | 2019-04-27 | 3.5 LOW | 4.8 MEDIUM |
| XSS exists in the ProFiles 1.5 component for Joomla! via the name or path parameter when creating a new folder in the administrative panel. | |||||
| CVE-2018-15584 | 1 Gnuboard | 1 Gnuboard5 | 2019-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in adm/boardgroup_form_update.php and adm/boardgroup_list_update.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2018-15582 | 1 Gnuboard | 1 Gnuboard5 | 2019-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in adm/sms_admin/num_book_write.php and adm/sms_admin/num_book_update.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2018-15581 | 1 Gnuboard | 1 Gnuboard5 | 2019-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in adm/faqmasterformupdate.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2018-15580 | 1 Gnuboard | 1 Gnuboard5 | 2019-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in adm/contentformupdate.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2018-1413 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2019-04-27 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138819. | |||||
| CVE-2019-11513 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-04-27 | 3.5 LOW | 4.8 MEDIUM |
| The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action. | |||||
| CVE-2018-16220 | 1 Audiocodes | 2 405hd, 405hd Firmware | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting in different input fields (domain field and personal settings) in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an attacker (local or remote) to inject JavaScript into the web interface of the device by manipulating the phone book entries or manipulating the domain name sent to the device from the domain controller. | |||||
| CVE-2018-18643 | 1 Gitlab | 1 Gitlab | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS. | |||||
| CVE-2017-18086 | 1 Atlassian | 1 Confluence | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter. | |||||
| CVE-2017-18081 | 1 Atlassian | 1 Bamboo | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie. | |||||
| CVE-2017-18084 | 1 Atlassian | 1 Confluence | 2019-04-26 | 3.5 LOW | 4.8 MEDIUM |
| The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro. | |||||
| CVE-2017-18085 | 1 Atlassian | 1 Confluence | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. | |||||
| CVE-2017-1567 | 1 Ibm | 1 Rational Doors | 2019-04-26 | 3.5 LOW | 5.4 MEDIUM |
| IBM Doors Web Access 9.5 and 9.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 131769. | |||||
| CVE-2019-0218 | 1 Apache | 1 Pony Mail | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface. | |||||
| CVE-2019-7219 | 1 Zarafa | 1 Webaccess | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa Webapp 2.0.1.47791 and earlier. NOTE: this is a discontinued product. The issue was fixed in later Zarafa Webapp versions; however, some former Zarafa Webapp customers use the related Kopano product instead. | |||||
| CVE-2017-17092 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-04-26 | 3.5 LOW | 5.4 MEDIUM |
| wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. | |||||
| CVE-2017-17093 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-04-26 | 3.5 LOW | 5.4 MEDIUM |
| wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. | |||||
| CVE-2017-17094 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-04-26 | 3.5 LOW | 5.4 MEDIUM |
| wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. | |||||
| CVE-2017-1494 | 1 Ibm | 1 Business Process Manager | 2019-04-26 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager 8.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128692. | |||||
| CVE-2016-6810 | 1 Apache | 1 Activemq | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation. | |||||
| CVE-2019-7438 | 1 Jio | 2 Jiofi 4g M2s, Jiofi 4g M2s Firmware | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices has XSS and HTML injection via the mask POST parameter. | |||||
| CVE-2017-18217 | 1 Invoiceplane | 1 Invoiceplane | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in InvoicePlane before 1.5.5. It was observed that the Email address and Web address parameters are vulnerable to Cross Site Scripting, related to application/modules/clients/views/view.php, application/modules/invoices/views/view.php, and application/modules/quotes/views/view.php. | |||||
| CVE-2014-8780 | 1 Jease | 1 Jease | 2019-04-25 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Jease 2.11 allows remote authenticated users to inject arbitrary web script or HTML via a content section note. | |||||
| CVE-2018-16235 | 1 Telligent | 1 Community | 2019-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Telligent Community 6.x, 7.x, 8.x, 9.x before 9.2.10.11796, 10.1.x before 10.1.10.11792, and 10.2.x before 10.2.3.4725 has XSS via the Feed RSS widget. | |||||
| CVE-2018-19917 | 1 Microweber | 1 Microweber | 2019-04-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities. | |||||
| CVE-2018-1328 | 1 Apache | 1 Zeppelin | 2019-04-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph". | |||||
| CVE-2019-11449 | 1 I-librarian | 1 I, Librarian | 2019-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| I, Librarian 4.10 has XSS via the notes.php notes parameter. | |||||
| CVE-2017-6533 | 1 Webpagetest Project | 1 Webpagetest | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data (benchmark) passed to the webpagetest-master/www/benchmarks/view.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-3872 | 1 Cisco | 1 Unified Communications Manager | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct XSS attacks against a user of an affected device. More Information: CSCvc21620. Known Affected Releases: 10.5(2.14076.1). Known Fixed Releases: 12.0(0.98000.641) 12.0(0.98000.500) 12.0(0.98000.219). | |||||
| CVE-2019-11427 | 1 Idreamsoft | 1 Icms | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in app/search/search.app.php in idreamsoft iCMS 7.0.14 via the public/api.php?app=search q parameter. | |||||
| CVE-2019-11426 | 1 Idreamsoft | 1 Icms | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in app/admincp/template/admincp.header.php in idreamsoft iCMS 7.0.14 via the admincp.php?app=config tab parameter. | |||||
| CVE-2018-9186 | 1 Fortinet | 1 Fortiauthenticator | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the "CSRF validation failure" page of Fortinet FortiAuthenticator versions 4.0.0 to before 5.3.0 allows an attacker to execute unauthorized script code by injecting malicious scripts into the HTTP Referer header. | |||||
| CVE-2019-11428 | 1 I-librarian | 1 I, Librarian | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| I, Librarian 4.10 has XSS via the export.php export_files parameter. | |||||
| CVE-2011-4726 | 3 Microsoft, Parallels, Redhat | 3 Windows, Parallels Plesk Panel, Enterprise Linux | 2019-04-22 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by admin/health/ and certain other files. | |||||
| CVE-2011-4735 | 3 Microsoft, Parallels, Redhat | 3 Windows, Parallels Plesk Panel, Enterprise Linux | 2019-04-22 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by smb/user/create and certain other files. | |||||
| CVE-2011-4745 | 2 Parallels, Redhat | 2 Parallels Plesk Panel, Enterprise Linux | 2019-04-22 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by admin/index.php/default and certain other files. | |||||
| CVE-2017-9781 | 1 Check Mk Project | 1 Check Mk | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username parameter when attempting authentication to webapi.py, which is returned unencoded with content type text/html. | |||||
| CVE-2019-11359 | 1 I-librarian | 1 I, Librarian | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary web script or HTML via the project parameter. | |||||
| CVE-2018-19970 | 2 Debian, Phpmyadmin | 2 Debian Linux, Phpmyadmin | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name. | |||||
| CVE-2019-9841 | 1 Vestacp | 1 Control Panel | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Vesta Control Panel 0.9.8-23 allows XSS via a crafted URL. | |||||
| CVE-2018-17288 | 1 Kofax | 1 Front Office Server | 2019-04-19 | 3.5 LOW | 5.4 MEDIUM |
| Kofax Front Office Server version 4.1.1.11.0.5212 (both Thin Client and Administration Console) suffers from multiple authenticated stored XSS vulnerabilities via the (1) "Filename" field in /Kofax/KFS/ThinClient/document/upload/ - (Thin Client) or (2) "DeviceName" field in /Kofax/KFS/Admin/DeviceService/device/ - (Administration Console). | |||||
| CVE-2019-11084 | 1 Gbraad | 1 Gauth | 2019-04-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| GAuth 0.9.9 beta has stored XSS that shows a popup repeatedly and discloses cookies. | |||||
| CVE-2019-5778 | 4 Debian, Fedoraproject, Google and 1 more | 6 Debian Linux, Fedora, Chrome and 3 more | 2019-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| A missing case for handling special schemes in permission request checks in Extensions in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to bypass extension permission checks for privileged pages via a crafted Chrome Extension. | |||||
| CVE-2018-19498 | 1 Simplenia | 1 Pages | 2019-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simplenia Pages plugin 2.6.0 for Atlassian Bitbucket Server has XSS. | |||||
| CVE-2017-15294 | 1 Sap | 1 Customer Relationship Management | 2019-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964. | |||||
| CVE-2018-10680 | 1 Zblogcn | 1 Z-blogphp | 2019-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is "just a functional bug." | |||||
| CVE-2018-7736 | 1 Zblogcn | 1 Z-blogphp | 2019-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability. | |||||
