Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16861 | 1 Theforeman | 1 Foreman | 2019-05-14 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable. | |||||
| CVE-2018-14710 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2019-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. | |||||
| CVE-2018-15530 | 1 Xerox | 2 Colorqube 8580, Colorqube 8580 Firmware | 2019-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code. | |||||
| CVE-2019-7411 | 1 Mythemeshop | 1 Launcher | 2019-05-14 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL). | |||||
| CVE-2019-11869 | 1 Yuzopro | 1 Yuzo | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting. | |||||
| CVE-2018-16624 | 1 Getkirby | 1 Kirby | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page. | |||||
| CVE-2018-19048 | 1 Mycolorway | 1 Simditor | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Simditor through 2.3.21 allows DOM XSS via an onload attribute within a malformed SVG element. | |||||
| CVE-2018-16623 | 1 Getkirby | 1 Kirby | 2019-05-13 | 3.5 LOW | 4.8 MEDIUM |
| Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown. | |||||
| CVE-2018-12302 | 1 Seagate | 1 Nas Os | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Missing HTTPOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting. | |||||
| CVE-2018-18524 | 1 Evernote | 1 Evernote | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability. An attacker can use this XSS issue to inject Node.js code under Present mode. After a victim opens an affected note under Present mode, the attacker can read the victim's files and achieve remote execution command on the victim's computer. | |||||
| CVE-2018-12303 | 1 Seagate | 1 Nas Os | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via directory names. | |||||
| CVE-2018-18872 | 1 Kieranoshea | 1 Calendar | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stored XSS via the event_title parameter in a wp-admin/admin.php?page=calendar add action, or the category name during category creation at the wp-admin/admin.php?page=calendar-categories URI. | |||||
| CVE-2019-12043 | 1 Remarkable Project | 1 Remarkable | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL. | |||||
| CVE-2019-7409 | 1 Vegadesign | 1 Profiledesign Cms | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign CMS v6.0.2.5 allows remote attackers to inject arbitrary web script or HTML via the (1) page, (2) gbs, (3) side, (4) id, (5) imgid, (6) cat, or (7) orderby parameter. | |||||
| CVE-2019-12047 | 1 Gridea | 1 Gridea | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Gridea v0.8.0 has an XSS vulnerability through which the Nodejs module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "<img src=# onerror='eval(new Buffer(" substring. | |||||
| CVE-2018-12299 | 1 Seagate | 1 Nas Os | 2019-05-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via uploaded file names. | |||||
| CVE-2018-12297 | 1 Seagate | 1 Nas Os | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in API error pages in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via URL path names. | |||||
| CVE-2017-18121 | 2 Debian, Simplesamlphp | 2 Debian Linux, Simplesamlphp | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser. | |||||
| CVE-2018-12304 | 1 Seagate | 1 Nas Os | 2019-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL. | |||||
| CVE-2018-16626 | 1 Typesettercms | 1 Typesetter | 2019-05-13 | 3.5 LOW | 4.8 MEDIUM |
| index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name. | |||||