Total: 21765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2011-0509 | 1 Vaadin | 1 Vaadin | 2019-06-13 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the index page. |
CVE-2019-6588 | 1 Liferay | 1 Liferay Portal | 2019-06-12 | 2.6 LOW | 4.7 MEDIUM | In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call `<liferay-ui:captcha url="<%= url %>" />` or `<liferay-captcha:captcha url="<%= url %>" />`. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable. |
CVE-2019-12308 | 1 Djangoproject | 1 Django | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link. |
CVE-2018-1325 | 1 Wicket-jquery-ui Project | 1 Wicket-jquery-ui | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM | In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in the WYSIWYG editor will be executed on display. |
CVE-2017-15719 | 1 Wicket-jquery-ui Project | 1 Wicket-jquery-ui | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM | In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to the WYSIWYG editor. |
CVE-2018-10934 | 1 Redhat | 3 Enterprise Linux Server, Jboss Enterprise Application Platform, Single Sign-on | 2019-06-11 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users. |
CVE-2017-1000386 | 1 Jenkins | 1 Active Choices | 2019-06-11 | 3.5 LOW | 5.4 MEDIUM | Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. This could include, for example, arbitrary JavaScript. Active Choices now sanitizes the HTML inserted on the 'Build With Parameters' page if and only if the script is executed in a sandbox. As unsandboxed scripts are subject to administrator approval, it is up to the administrator to allow or disallow problematic script output. |
CVE-2015-9282 | 1 Grafana | 1 Piechart-panel | 2019-06-11 | 4.3 MEDIUM | 6.1 MEDIUM | The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerable to XSS via legend data or tooltip data. When a chart is included in a Grafana dashboard, this vulnerability could allow an attacker to gain remote unauthenticated access to the dashboard. |
CVE-2019-11877 | 1 Pix-link | 2 Lv-wr09, Lv-wr09 Firmware | 2019-06-11 | 4.3 MEDIUM | 6.1 MEDIUM | XSS on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRouter.20180616 allows attackers to steal credentials without being connected to the network. The attack vector is a crafted ESSID. |
CVE-2011-4335 | 1 Contao | 1 Contao Cms | 2019-06-11 | 4.3 MEDIUM | N/A | Multiple cross-site scripting (XSS) vulnerabilities in Contao before 2.10.2 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php in a (1) teachers.html or (2) teachers/ action. |
CVE-2018-10700 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection. |
CVE-2018-10692 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily. |
CVE-2019-11398 | 1 Ulicms | 1 Ulicms | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to admin/index.php?action=favicon. |
CVE-2018-7653 | 1 Yzmcms | 1 Yzmcms | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter. |
CVE-2019-12774 | 1 Enttec | 8 Datagate Mk2, Datagate Mk2 Firmware, E-streamer Mk2 and 5 more | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | A number of stored XSS vulnerabilities have been identified in the web configuration feature in ENTTEC Datagate Mk2 70044_update_05032019-482 that could allow an unauthenticated threat actor to inject malicious code directly into the application. This affects, for example, the Profile Description field in JSON data to the Profile Editor. |
CVE-2013-3572 | 1 Ui | 1 Unifi | 2019-06-10 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the administration interface in the UniFi Controller in Ubiquiti Networks UniFi 2.3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted client hostname. |
CVE-2018-19465 | 1 Maccms | 1 Maccms | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html. |
CVE-2018-5798 | 1 Cloudera | 1 Cloudera Manager | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | This CVE relates to an unspecified cross-site scripting vulnerability in Cloudera Manager. |
CVE-2019-7554 | 1 Api Based Travel Booking Project | 1 Api Based Travel Booking | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter. |
CVE-2018-19461 | 1 Phome | 1 Empirecms | 2019-06-09 | 3.5 LOW | 4.8 MEDIUM | admin\db\DoSql.php in EmpireCMS through 7.5 allows XSS via crafted SQL syntax to admin/admin.php. |