Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2017-9387 | 1 Getvera | 4 Veraedge, Veraedge Firmware, Veralite and 1 more | 2019-06-20 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called relay.sh which is used for creating new SSH relays for the device so that the device connects to Vera servers. All the parameters passed in this specific script are logged to a log file called log.relay in the /tmp folder. The user can also read all the log files from the device using a script called log.sh. However, when the script loads the log files it displays them with content-type text/html and passes all the logs through the ansi2html binary which converts all the character text including HTML meta-characters correctly to be displayed in the browser. This allows an attacker to use the log files as a storing mechanism for the XSS payload and thus whenever a user navigates to that log.sh script, it enables the XSS payload and allows an attacker to execute his malicious payload on the user's browser.
CVE-2018-17079 | 1 Zrlog | 1 Zrlog | 2019-06-20 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in ZRLOG 2.0.1. There is a Stored XSS vulnerability in the nickname field of the comment area.
CVE-2018-17423 | 1 E107 | 1 E107 | 2019-06-20 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in e107 v2.1.9. There is an XSS attack on e107_admin/comment.php.
CVE-2019-12830 | 1 Mybb | 1 Mybb | 2019-06-20 | 3.5 LOW | 8.7 HIGH | In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.
CVE-2018-11688 | 1 Igniterealtime | 1 Openfire | 2019-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2019-10085 | 1 Apache | 1 Allura | 2019-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
CVE-2019-12592 | 1 Evernote | 1 Web Clipper | 2019-06-19 | 4.3 MEDIUM | 6.1 MEDIUM | A universal Cross-site scripting (UXSS) vulnerability in the Evernote Web Clipper extension before 7.11.1 for Chrome allows remote attackers to run arbitrary web script or HTML in the context of any loaded 3rd-party IFrame.
CVE-2007-5598 | 1 Web Links Project | 1 Web Links | 2019-06-19 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in Weblinks for Drupal 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-5494 | 1 Webform Matrix Component Project | 1 Webform Matrix Component | 2019-06-19 | 3.5 LOW | N/A | Cross-site scripting (XSS) vulnerability in the Webform Matrix Component module 7.x-4.x before 7.x-4.13 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-4384 | 1 Ubercart Webform Checkout Pane Project | 1 Ubercart Webform Checkout Pane | 2019-06-18 | 3.5 LOW | N/A | Cross-site scripting (XSS) vulnerability in the Ubercart Webform Checkout Pane module 6.x-3.x before 6.x-3.10 and 7.x-3.x before 7.x-3.11 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2019-12250 | 1 Identityserver | 1 Identityserver4 | 2019-06-18 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log. NOTE: the software maintainer disputes that this is a vulnerability because the request logger is not part of IdentityServer but only our development test host.
CVE-2018-18880 | 1 Columbiaweather | 2 Weather Microserver, Weather Microserver Firmware | 2019-06-18 | 3.5 LOW | 5.4 MEDIUM | In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script.
CVE-2019-0303 | 1 Sap | 1 Businessobjects | 2019-06-18 | 4.3 MEDIUM | 6.1 MEDIUM | SAP BusinessObjects Business Intelligence Platform (Administration Console), versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that executes custom JavaScript code when the url is accessed.
CVE-2018-18875 | 1 Columbiaweather | 2 Weather Microserver, Weather Microserver Firmware | 2019-06-18 | 3.5 LOW | 5.4 MEDIUM | In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.
CVE-2019-6965 | 1 I-doit | 1 I-doit | 2019-06-18 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue was discovered in i-doit Open 1.12 via the src/tools/php/qr/qr.php url parameter.
CVE-2019-6324 | 1 Hp | 20 T6b80a, T6b80a Firmware, T6b81a and 17 more | 2019-06-18 | 3.5 LOW | 4.8 MEDIUM | HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an embedded web server potentially vulnerable to stored XSS in the wireless configuration page.
CVE-2019-6323 | 1 Hp | 20 T6b80a, T6b80a Firmware, T6b81a and 17 more | 2019-06-18 | 4.3 MEDIUM | 6.1 MEDIUM | HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an embedded web server potentially vulnerable to reflected XSS in the wireless configuration page.
CVE-2009-3701 | 1 Horde | 2 Application Framework, Groupware | 2019-06-18 | 4.3 MEDIUM | N/A | Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.
CVE-2009-4363 | 1 Horde | 2 Application Framework, Groupware | 2019-06-18 | 4.3 MEDIUM | N/A | Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by "an XSS vulnerability in Firefox browsers."
CVE-2010-3693 | 1 Horde | 2 Dynamic Imp, Groupware | 2019-06-18 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names.