Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-0642 | 1 Foliovision | 1 Fv Flowplayer Video Player | 2018-11-13 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-17361 | 1 Weaselcms Project | 1 Weaselcms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple XSS vulnerabilities in WeaselCMS v0.3.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php because $_SERVER['PHP_SELF'] is mishandled. |
| CVE-2018-4133 | 3 Apple, Canonical, Webkitgtk | 3 Safari, Ubuntu Linux, Webkitgtk+ | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in certain Apple products. Safari before 11.1 is affected. The issue involves the "WebKit" component. A Safari cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
| CVE-2018-17002 | 1 Ricoh | 2 Mp 2001sp, Mp 2001sp Firmware | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | On the RICOH MP 2001 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi. |
| CVE-2018-17001 | 1 Ricoh | 2 Sp 4510sf, Sp 4510sf Firmware | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | On the RICOH SP 4510SF printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi. |
| CVE-2018-17322 | 1 Yunucms | 1 Yunucms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in index.php/index/category/index in YUNUCMS 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the area parameter. |
| CVE-2018-17003 | 1 Limesurvey | 1 Limesurvey | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert. |
| CVE-2018-16965 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter. |
| CVE-2018-16833 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI. |
| CVE-2018-16346 | 1 Chemcms Project | 1 Chemcms | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM | ChemCMS 1.0.6 has XSS via the "setting -> website information" field. |
| CVE-2018-9282 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue was discovered in Subsonic Media Server 6.1.1. The podcast subscription form is affected by a stored XSS vulnerability in the add parameter to podcastReceiverAdmin.view; no administrator access is required. By injecting a JavaScript payload, this flaw could be used to manipulate a user's session, or elevate privileges by targeting an administrative user. |
| CVE-2018-11352 | 1 Wallabag | 1 Wallabag | 2018-11-09 | 2.1 LOW | 4.0 MEDIUM | The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be exploited with authentication and used to target administrators and steal their sessions. |
| CVE-2018-2464 | 1 Sap | 1 Netweaver | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability. |
| CVE-2018-16955 | 1 Oracle | 1 Webcenter Interaction | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | The login function of Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). The content of the in_hi_redirect parameter, when prefixed with the https:// scheme, is unsafely reflected in an HTML META tag in the HTTP response. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support. |
| CVE-2018-16953 | 1 Oracle | 1 Webcenter Interaction | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | The AjaxView::DisplayResponse() function of the portalpages.dll assembly in Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). User input from the name parameter is unsafely reflected in the server response. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support. |
| CVE-2018-16327 | 1 Intelliants | 1 Subrion | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM | There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration. |
| CVE-2018-17140 | 1 Vms-studio | 1 Quizlord | 2018-11-09 | 3.5 LOW | 5.4 MEDIUM | The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS via the title parameter in a ql_insert action to wp-admin/admin.php. |
| CVE-2018-17113 | 1 Easycms | 1 Easycms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploadify.swf in EasyCMS 1.5 has XSS via the uploadifyID or movieName parameter, a related issue to CVE-2018-9173. |
| CVE-2018-16316 | 1 Portainer | 1 Portainer | 2018-11-09 | 3.5 LOW | 5.4 MEDIUM | A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field. |
| CVE-2018-17077 | 1 Yiqicms Project | 1 Yiqicms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in yiqicms through 2016-11-20. There is stored XSS in comment.php because a length limit can be bypassed. |
| CVE-2018-10763 | 1 Synametrics | 1 Synaman | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities exist in Synametrics SynaMan 4.0 build 1488 via the (1) Main heading or (2) Sub heading fields in the Partial Branding configuration page. |
| CVE-2018-17051 | 1 Knet | 1 Cisco Configuration Manager | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | K-Net Cisco Configuration Manager through 2014-11-19 has XSS via devices.php. |
| CVE-2018-17044 | 1 Yzmcms | 1 Yzmcms | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM | In YzmCMS 5.1, stored XSS exists via the admin/system_manage/user_config_add.html title parameter. |
| CVE-2018-17049 | 1 Cqu Lankers Project | 1 Cqu Lankers | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | CQU-LANKERS through 2017-11-02 has XSS via the public/api.php callback parameter in an uploadpic action. |
| CVE-2018-8470 | 1 Microsoft | 5 Internet Explorer, Windows 10, Windows 7 and 2 more | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | A security feature bypass vulnerability exists in Internet Explorer due to how scripts are handled that allows a universal cross-site scripting (UXSS) condition, aka "Internet Explorer Security Feature Bypass Vulnerability." This affects Internet Explorer 11. |
| CVE-2018-16729 | 1 Pluck-cms | 1 Pluck | 2018-11-09 | 3.5 LOW | 5.4 MEDIUM | Pluck 4.7.7 allows XSS via an SVG file that contains JavaScript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files. |
| CVE-2018-16805 | 1 B3log | 1 Solo | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM | In b3log Solo 2.9.3, XSS in the Input page under the Publish Articles menu, with an ID of linkAddress stored in the link JSON field, allows remote attackers to inject arbitrary Web scripts or HTML via a crafted site name provided by an administrator. |
| CVE-2018-16775 | 1 Victor Cms Project | 1 Victor Cms | 2018-11-09 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the site name in the "Categories" menu. |
| CVE-2018-16655 | 1 Gxlcms | 1 Gxlcms | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | Gxlcms 1.0 has XSS via the PATH_INFO to gx/lib/ThinkPHP/Tpl/ThinkException.tpl.php. |
| CVE-2018-14689 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Subsonic 6.1.1. The transcoding settings are affected by five stored cross-site scripting vulnerabilities in the name[x], sourceformats[x], targetFormat[x], step1[x], and step2[x] parameters (where x is an integer) to transcodingSettings.view that could be used to steal session information of a victim. |
| CVE-2018-14688 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Subsonic 6.1.1. The radio settings are affected by three stored cross-site scripting vulnerabilities in the name[x], streamUrl[x], and homepageUrl[x] parameters (where x is an integer) to internetRadioSettings.view that could be used to steal session information of a victim. |
| CVE-2018-14690 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Subsonic 6.1.1. The general settings are affected by two stored cross-site scripting vulnerabilities in the title and subtitle parameters to generalSettings.view that could be used to steal session information of a victim. |
| CVE-2018-14691 | 1 Subsonic | 1 Subsonic | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Subsonic 6.1.1. The music tags feature is affected by three stored cross-site scripting vulnerabilities in the c0-param2, c0-param3, and c0-param4 parameters to dwr/call/plaincall/tagService.setTags.dwr that could be used to steal session information of a victim. |
| CVE-2018-14899 | 1 Epson | 2 Wf-2750, Wf-2750 Firmware | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM | On the EPSON WF-2750 printer with firmware JP02I2, the Web interface AirPrint Setup page is vulnerable to HTML Injection that can redirect users to malicious sites. |
| CVE-2018-14840 | 1 Intelliants | 1 Subrion | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM | uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads). |
| CVE-2018-15563 | 1 Intelliants | 1 Subrion | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM | _core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] parameter. |
| CVE-2014-9120 | 1 Intelliants | 1 Subrion | 2018-11-08 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in Subrion CMS before 3.2.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to subrion/search/. |
| CVE-2017-6913 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag. |
| CVE-2018-16786 | 1 Dedecms | 1 Dedecms | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM | DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php. |
| CVE-2008-5513 | 3 Canonical, Debian, Mozilla | 5 Ubuntu Linux, Debian Linux, Firefox and 2 more | 2018-11-08 | 4.3 MEDIUM | N/A | Unspecified vulnerability in the session-restore feature in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19 allows remote attackers to bypass the same origin policy, inject content into documents associated with other domains, and conduct cross-site scripting (XSS) attacks via unknown vectors related to restoration of SessionStore data. |
| CVE-2008-5511 | 3 Canonical, Debian, Mozilla | 5 Ubuntu Linux, Debian Linux, Firefox and 2 more | 2018-11-08 | 4.3 MEDIUM | N/A | Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to bypass the same origin policy and conduct cross-site scripting (XSS) attacks via an XBL binding to an "unloaded document." |
| CVE-2008-5325 | 1 Ibm | 1 Rational Clearquest | 2018-11-08 | 4.3 MEDIUM | N/A | Multiple cross-site scripting (XSS) vulnerabilities in CQ Web in IBM Rational ClearQuest 7.0.0 before 7.0.0.4 and 7.0.1 before 7.0.1.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-17039 | 2 1234n, Microsoft | 2 Minicms, Internet Explorer | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM | MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted URI because $_SERVER['REQUEST_URI'] is mishandled. |
| CVE-2018-17138 | 1 Nickelpro | 1 Jibu Pro | 2018-11-08 | 3.5 LOW | 5.4 MEDIUM | The Jibu Pro plugin through 1.7 for WordPress is prone to Stored XSS via the wp-content/plugins/jibu-pro/quiz_action.php name (aka Quiz Name) field. |
| CVE-2018-13395 | 1 Atlassian | 1 Jira | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM | Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved. |
| CVE-2017-10795 | 1 Intelliants | 1 Subrion | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows remote attackers to inject arbitrary web script or HTML via the body to blog/add/, a different vulnerability than CVE-2017-6069. |
| CVE-2018-15596 | 1 Mybb | 1 Mybb | 2018-11-08 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading to XSS. |
| CVE-2018-14890 | 1 Vectra | 1 Cognito | 2018-11-07 | 3.5 LOW | 5.4 MEDIUM | Vectra Networks Cognito Brain and Sensor before 4.2 contains a cross-site scripting (XSS) vulnerability in the Web Management Console. |
| CVE-2018-1000665 | 1 Dojotoolkit | 1 Dojo | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM | Dojo Objective Harness (DOH) before version 1.14 contains a cross-site scripting (XSS) vulnerability in unit.html, testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js that can result in the victim being attacked through their browser (malware delivery, theft of HTTP cookies, bypass of CORS trust). Victims are typically lured to a web site under the attacker's control, and the XSS vulnerability on the target domain is then silently exploited without the victim's knowledge. This vulnerability appears to have been fixed in 1.14. |
| CVE-2018-17321 | 1 Seacms | 1 Seacms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action. |
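Four entries above (WeaselCMS CVE-2018-17361, Gxlcms CVE-2018-16655, Subrion CVE-2014-9120, MiniCMS CVE-2018-17039) describe the same mechanism: a script echoes `$_SERVER['PHP_SELF']`, `PATH_INFO` or `REQUEST_URI` into a page, and the client controls the trailing path segment. The following is an added illustration of that generic pattern, written for this page; it is not code from any of those projects, and the form markup, function names and the constructed `$server` array are assumptions. It runs from the CLI without a web server.

```php
<?php
// Added example, not code from WeaselCMS, Gxlcms, Subrion or MiniCMS: the
// generic PHP pattern behind "XSS via the PATH_INFO ... because
// $_SERVER['PHP_SELF'] is mishandled". Run from the CLI: php php_self_xss.php
declare(strict_types=1);

// Vulnerable: $_SERVER['PHP_SELF'] is SCRIPT_NAME plus whatever PATH_INFO the
// client appended, so GET /index.php/"><script>alert(1)</script> lands,
// unencoded, inside the action attribute.
function render_form_vulnerable(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '"><input name="q"></form>';
}

// Hardened: build the action from SCRIPT_NAME (which carries no PATH_INFO)
// and still encode it for the attribute context; nothing taken from
// $_SERVER is safe to emit as markup.
function render_form_safe(string $script_name): string
{
    $action = htmlspecialchars($script_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '"><input name="q"></form>';
}

// True when a raw <script start tag survives in the rendered HTML.
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed $_SERVER values (the web server URL-decodes PATH_INFO before
// PHP sees it) for the request
//   GET /index.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

$vulnerable  = render_form_vulnerable($server['PHP_SELF']);
$hardened    = render_form_safe($server['SCRIPT_NAME']);
// Even if PHP_SELF itself is passed in, attribute encoding alone neutralises
// the payload; dropping PATH_INFO is defence in depth, not the whole fix.
$encodedOnly = render_form_safe($server['PHP_SELF']);

if (!contains_script_tag($vulnerable)
    || contains_script_tag($hardened)
    || contains_script_tag($encodedOnly)) {
    throw new RuntimeException('self-check failed');
}

echo "vulnerable: $vulnerable\n";
echo "hardened:   $hardened\n";
echo "encoded:    $encodedOnly\n";
```

The same rule covers the Gxlcms case, where an exception template prints `PATH_INFO` into the body rather than an attribute: every server-derived URL fragment is untrusted input and gets context-appropriate encoding before it reaches the response.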
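Two other entries above are stored XSS through file upload rather than through a form field: Pluck (CVE-2018-16729) accepts an SVG whose SCRIPT element runs when the image is opened, and Subrion (CVE-2018-14840) ships an `uploads/.htaccess` deny-list that forgot `.html`. The block below is an added example of the server-side gate a practitioner would put in front of such an upload directory; it is not code from Pluck or Subrion, the function names, allow-lists and sample files are constructed for this illustration, and it assumes PHP 7.1 or later with the `fileinfo` extension loaded.

```php
<?php
// Added example, not code from Pluck or Subrion: a server-side upload gate
// for the two upload-to-stored-XSS patterns listed above, an .html file the
// web server serves as a page and an SVG carrying a <script> element.
// Assumes the fileinfo extension is loaded. Run: php upload_gate.php
declare(strict_types=1);

// Allow-list, not deny-list: .html, .htm, .svg and .xhtml are simply absent,
// so a filter that forgot one of them cannot recur.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];

// Content types the allow-listed extensions may legitimately sniff as.
const ALLOWED_MIME_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];

// Returns the reason for rejection, or null when the upload may be stored.
function reject_reason(string $filename, string $bytes): ?string
{
    // Judge by the LAST extension so "photo.png.html" is treated as .html.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return "extension .$ext not allowed";
    }
    // Sniff the bytes independently of the name: an SVG renamed to .png is
    // still XML to libmagic, not image/png.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes) ?: 'application/octet-stream';
    if (!in_array($mime, ALLOWED_MIME_TYPES, true)) {
        return "content sniffed as $mime";
    }
    return null;
}

// Headers to send when serving anything from the upload directory: force a
// download and forbid MIME sniffing, so even a file that slipped past the
// gate is never rendered as a document inside the site's origin.
function upload_response_headers(string $storedName): array
{
    return [
        'Content-Type'            => 'application/octet-stream',
        'Content-Disposition'     => 'attachment; filename="' . rawurlencode(basename($storedName)) . '"',
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

// Constructed sample uploads: a 1x1 PNG header with its IHDR chunk, an SVG
// with a script element, and a plain HTML page.
$png  = "\x89PNG\r\n\x1a\n"
      . "\x00\x00\x00\x0dIHDR"
      . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"
      . "\x90\x77\x53\xde";
$svg  = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';
$html = '<html><body><script>alert(1)</script></body></html>';

$cases = [
    ['photo.png',      $png,  true],
    ['logo.svg',       $svg,  false], // Pluck-style SVG with a SCRIPT element
    ['page.html',      $html, false], // Subrion-style .html upload
    ['photo.png.html', $html, false], // double extension
    ['disguised.png',  $svg,  false], // name lies, content does not
];

foreach ($cases as [$name, $bytes, $shouldPass]) {
    $reason = reject_reason($name, $bytes);
    if (($reason === null) !== $shouldPass) {
        throw new RuntimeException("unexpected verdict for $name");
    }
    printf("%-16s %s\n", $name, $reason === null ? 'accepted' : "rejected ($reason)");
}
foreach (upload_response_headers('photo.png') as $h => $v) {
    echo "$h: $v\n";
}
```

The extension check and the content sniff are independent layers; the response headers are a third, and they are the one that still holds when the web server's own `.htaccess` (the layer that failed in the Subrion entry) is misconfigured or ignored.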
