Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1650 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 133260. | |||||
| CVE-2017-1689 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134064. | |||||
| CVE-2017-1688 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134063. | |||||
| CVE-2017-1607 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132927. | |||||
| CVE-2017-1678 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134000. | |||||
| CVE-2017-1593 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132494. | |||||
| CVE-2017-1560 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 131759. | |||||
| CVE-2017-1461 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128460. | |||||
| CVE-2017-7736 | 1 Fortinet | 1 Fortiweb | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-site Scripting (XSS) vulnerability in Fortinet FortiWeb webUI Certificate View page in 5.8.0, 5.7.1 and earlier, allows attackers to inject arbitrary web script or HTML via special crafted malicious certificate import. | |||||
| CVE-2017-16956 | 1 Symphony Project | 1 Symphony | 2017-12-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title. | |||||
| CVE-2012-1113 | 2 Maian, Menalto | 2 Gallery, Gallery | 2017-12-07 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the administration subsystem in Gallery 2 before 2.3.2 and 3 before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2012-0399 | 1 Rsa | 1 Envision | 2017-12-06 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA enVision 4.x before 4.1 Patch 4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2012-0047 | 1 Apache | 1 Wicket | 2017-12-06 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pageMapName parameter. | |||||
| CVE-2012-1511 | 1 Vmware | 1 View | 2017-12-06 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in View Manager Portal in VMware View before 4.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2017-16919 | 1 Mapos Project | 1 Mapos | 2017-12-05 | 3.5 LOW | 5.4 MEDIUM |
| MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in /clientes/visualizar, which allows remote attackers to inject arbitrary web script or HTML via a crafted description parameter. | |||||
| CVE-2012-1247 | 1 Webcreate | 1 Web Mart | 2017-12-05 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in KENT-WEB WEB MART 1.7 and earlier, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML by leveraging support for Cascading Style Sheets (CSS) expressions. | |||||
| CVE-2012-1246 | 1 Webcreate | 1 Web Mart | 2017-12-05 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in KENT-WEB WEB MART 1.7 and earlier might allow remote attackers to inject arbitrary web script or HTML via a crafted cookie. | |||||
| CVE-2017-16866 | 1 Finecms | 1 Finecms | 2017-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field. | |||||
| CVE-2017-10886 | 1 Cs-cart | 2 Cs-cart, Cs-cart Multivendor | 2017-12-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-16819 | 1 Icontime | 2 Rtc-1000, Rtc-1000 Firmware | 2017-12-04 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability in the Icon Time Systems RTC-1000 v2.5.7458 and earlier time clock allows remote attackers to inject arbitrary JavaScript in the nameFirst (aka First Name) field for the employee details page (/employee.html) that is then reflected in multiple pages where that field data is utilized, resulting in session hijacking and possible elevation of privileges. | |||||
| CVE-2017-4930 | 1 Vmware | 1 Airwatch | 2017-12-04 | 3.5 LOW | 5.4 MEDIUM |
| VMware AirWatch Console 9.x prior to 9.2.0 contains a vulnerability that could allow an authenticated AWC user to add a malicious URL to an enrolled device's 'Links' page. Successful exploitation of this issue could result in an unsuspecting AWC user being redirected to a malicious URL. | |||||
| CVE-2017-4929 | 1 Vmware | 1 Nsx Edge | 2017-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| VMware NSX Edge (6.2.x before 6.2.9 and 6.3.x before 6.3.5) contains a moderate Cross-Site Scripting (XSS) issue which may lead to information disclosure. | |||||
| CVE-2017-16842 | 1 Yoast | 1 Wordpress Seo | 2017-12-03 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2017-16758 | 1 Ultimate Instagram Feed Project | 1 Ultimate Instagram Feed | 2017-12-02 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/partials/uif-access-token-display.php in the Ultimate Instagram Feed plugin before 1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "access_token" parameter. | |||||
| CVE-2017-16843 | 1 Vonage | 2 Vdv-23, Vdv-23 Firmware | 2017-12-02 | 3.5 LOW | 5.4 MEDIUM |
| Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via the NewKeyword or NewDomain field to /goform/RgParentalBasic. | |||||
| CVE-2017-16801 | 1 Octopus | 1 Octopus Deploy | 2017-12-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter. | |||||
| CVE-2017-1000225 | 1 Relevanssi | 1 Relevanssi | 2017-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in Relevanssi Premium version 1.14.8 when using relevanssi_didyoumean() could allow unauthenticated attacker to do almost anything an admin can | |||||
| CVE-2017-1000223 | 1 Modx | 1 Modx Revolution | 2017-12-01 | 3.5 LOW | 5.4 MEDIUM |
| A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS. | |||||
| CVE-2017-16880 | 1 Whoops Project | 1 Whoops | 2017-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The dump function in Util/TemplateHelper.php in filp whoops before 2.1.13 has XSS. | |||||
| CVE-2012-3999 | 1 Sayakbanerjee | 1 Sticky Notes | 2017-12-01 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in admin/login.php in Sticky Notes 0.3.09062012.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter. | |||||
| CVE-2017-16815 | 1 Snapcreek | 1 Duplicator | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| installer.php in the Snap Creek Duplicator (WordPress Site Migration & Backup) plugin before 1.2.30 for WordPress has XSS because the values "url_new" (/wp-content/plugins/duplicator/installer/build/view.step4.php) and "logging" (wp-content/plugins/duplicator/installer/build/view.step2.php) are not filtered correctly. | |||||
| CVE-2017-12738 | 1 Siemens | 2 Sm-2556, Sm-2556 Firmware | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00. The integrated web server (port 80/tcp) of the affected devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into clicking on a malicious link. | |||||
| CVE-2017-1000240 | 1 Open-emr | 1 Openemr | 2017-11-30 | 3.5 LOW | 5.4 MEDIUM |
| The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML. | |||||
| CVE-2017-16810 | 1 Octopus | 1 Octopus Deploy | 2017-11-30 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter. | |||||
| CVE-2017-9085 | 1 Kodak | 1 Insite | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Kodak InSite 6.5 to 8.0 allow remote attackers to inject arbitrary web script via the (1) "paramFile" parameter to /Site/Troubleshooting/DiagnosticReport.asp, or (2) "paramFile" parameter to /Site/Troubleshooting/SpeedTest.asp. | |||||
| CVE-2015-8793 | 1 Roundcube | 1 Webmail | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937. | |||||
| CVE-2005-2981 | 1 Orionserver | 1 Orion Application Server | 2017-11-30 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Orion 1.3.8 and 1.4.5 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly quoted in the resulting 404 error page. | |||||
| CVE-2017-1000188 | 1 Ejs | 1 Ejs | 2017-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection | |||||
| CVE-2012-4496 | 2 Drupal, Inclind | 2 Drupal, Custom Pub | 2017-11-30 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Custom Publishing Options module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer nodes" permission to inject arbitrary web script or HTML via the status labels parameter. | |||||
| CVE-2017-1000213 | 1 Wbce | 1 Wbce Cms | 2017-11-29 | 3.5 LOW | 4.8 MEDIUM |
| WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST parameter in /admin/admintools/tool.php?tool=user_search | |||||
| CVE-2017-1000236 | 1 I-librarian | 1 I Librarian | 2017-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| I, Librarian version <=4.6 & 4.7 is vulnerable to Reflected Cross-Site Scripting in the temp.php resulting in an attacker being able to inject malicious client side scripting which will be executed in the browser of users if they visit the manipulated site. | |||||
| CVE-2017-1000164 | 1 Tine20 | 1 Tine 2.0 | 2017-11-29 | 3.5 LOW | 5.4 MEDIUM |
| Tine 2.0 version 2017.02.4 is vulnerable to XSS in the Addressbook resulting code execution and privilege escalation | |||||
| CVE-2017-1000239 | 1 Invoiceplane | 1 Invoiceplane | 2017-11-29 | 3.5 LOW | 5.4 MEDIUM |
| InvoicePlane version 1.4.10 is vulnerable to a Stored Cross Site Scripting resulting in allowing an authenticated user to inject malicious client side script which will be executed in the browser of users if they visit the manipulated site. | |||||
| CVE-2017-16782 | 1 Home-assistant | 1 Home-assistant | 2017-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS. | |||||
| CVE-2017-7739 | 1 Fortinet | 1 Fortios | 2017-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site Scripting (XSS) vulnerability in web proxy disclaimer response web pages in Fortinet FortiOS 5.6.0, 5.4.0 to 5.4.5, 5.2.0 to 5.2.11 allows an unauthenticated attacker to inject arbitrary web script or HTML in the context of the victim's browser via sending a maliciously crafted URL to the victim. | |||||
| CVE-2017-16636 | 1 Bludit | 1 Bludit | 2017-11-29 | 3.5 LOW | 5.4 MEDIUM |
| In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the new page, new category, and edit post function body message context. Remote attackers are able to bypass the basic editor validation to trigger cross site scripting. The XSS is persistent and the request method to inject via editor is GET. To save the editor context, the followup POST method request must be processed to perform the attack via the application side. The basic validation of the editor does not allow injecting script codes and blocks the context. Attackers can inject the code by using an editor tag that is not recognized by the basic validation. Thus allows a restricted user account to inject malicious script code to perform a persistent attack against higher privilege web-application user accounts. | |||||
| CVE-2017-16635 | 1 Tinywebgallery | 1 Tinywebgallery | 2017-11-29 | 3.5 LOW | 5.4 MEDIUM |
| In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create. | |||||
| CVE-2017-16802 | 1 Misp-project | 1 Misp | 2017-11-29 | 3.5 LOW | 5.4 MEDIUM |
| In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added. | |||||
| CVE-2017-13700 | 1 Moxa | 2 Eds-g512e, Eds-g512e Firmware | 2017-11-29 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. There is XSS in the administration interface. | |||||
| CVE-2013-6960 | 1 Cisco | 1 Webex Meeting Center | 2017-11-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Cisco WebEx Meeting Center allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul36248. | |||||