Total
21765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-5964 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-02-07 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter. | |||||
| CVE-2018-6001 | 1 Webartisan | 1 Soundy Audio Playlist | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Soundy Audio Playlist plugin 4.6 and below for WordPress has Cross-Site Scripting via soundy-audio-playlist\templates\front-end.php (war_sdy_pl_preview parameter). | |||||
| CVE-2018-6002 | 1 Webartisan | 1 Soundy Background Music | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Soundy Background Music plugin 3.9 and below for WordPress has Cross-Site Scripting via soundy-background-music\templates\front-end.php (war_soundy_preview parameter). | |||||
| CVE-2018-6013 | 1 Bigtreecms | 1 Bigtree Cms | 2018-02-07 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter. This issue exists in core/admin/ajax/developer/extensions/file-browser.php. | |||||
| CVE-2016-6217 | 2 Linux, Sophos | 2 Linux Kernel, Puremessage | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Sophos PureMessage for UNIX before 6.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-14383 | 1 Dell | 4 Emc Vnx1, Emc Vnx1 Firmware, Emc Vnx2 and 1 more | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Dell EMC VNX2 versions prior to Operating Environment for File 8.1.9.217 and VNX1 versions prior to Operating Environment for File 7.1.80.8, a web server error page in VNX Control Station is impacted by a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary HTML code in the user's browser session in the context of the affected web application. | |||||
| CVE-2017-2745 | 1 Hp | 1 Jetadvantage Security Manager | 2018-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Potential security vulnerabilities have been identified with HP JetAdvantage Security Manager before 3.0.1. The vulnerabilities could potentially be exploited to allow stored cross-site scripting which could allow a hacker to execute scripts in a user's browser. | |||||
| CVE-2017-17947 | 1 Pulsesecure | 1 Pulse Connect Secure | 2018-02-06 | 3.5 LOW | 4.8 MEDIUM |
| A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal. | |||||
| CVE-2017-18014 | 1 Sophos | 2 Sfos, Xg Firewall | 2018-02-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An NC-25986 issue was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An unauthenticated user can trigger a persistent XSS vulnerability found in the WAF log page (Control Center -> Log Viewer -> in the filter option "Web Server Protection") in the webadmin interface, and execute any action available to the webadmin of the firewall (e.g., creating a new user, enabling SSH, or adding an SSH authorized key). The WAF log page will execute the "User-Agent" parameter in the HTTP POST request. | |||||
| CVE-2018-5370 | 1 Bizlogicdev | 1 Xnami | 2018-02-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| BizLogic xnami 1.0 has XSS via the comment parameter in an addComment action to the /media/ajax URI. | |||||
| CVE-2018-5773 | 1 Python-markdown2 Project | 1 Python-markdown2 | 2018-02-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the final '>' character from an IMG tag. | |||||
| CVE-2018-5688 | 1 Ilias | 1 Ilias | 2018-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component. | |||||
| CVE-2018-1045 | 1 Moodle | 1 Moodle | 2018-02-05 | 3.5 LOW | 5.4 MEDIUM |
| In Moodle 3.x, there is XSS via a calendar event name. | |||||
| CVE-2017-16863 | 1 Atlassian | 1 Jira | 2018-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter. | |||||
| CVE-2014-6027 | 1 Torrentflux Project | 1 Torrentflux | 2018-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in TorrentFlux 2.4 allow (1) remote attackers to inject arbitrary web script or HTML by leveraging failure to encode file contents when downloading a torrent file or (2) remote authenticated users to inject arbitrary web script or HTML via vectors involving a link to torrent details. | |||||
| CVE-2018-5479 | 1 Foxsash | 1 Imghosting | 2018-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| FoxSash ImgHosting 1.5 (according to footer information) is vulnerable to XSS attacks. The affected function is its search engine via the search parameter to the default URI. Since there is an user/admin login interface, it's possible for attackers to steal sessions of users and thus admin(s). By sending users an infected URL, code will be executed. | |||||
| CVE-2016-10516 | 1 Palletsprojects | 1 Werkzeug | 2018-02-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. | |||||
| CVE-2017-15717 | 1 Apache | 2 Sling Xss Protection Api, Sling Xss Protection Api Compat | 2018-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0. | |||||
| CVE-2018-5687 | 1 Newsbee Project | 1 Newsbee | 2018-02-02 | 3.5 LOW | 4.8 MEDIUM |
| NewsBee allows XSS via the Company Name field in the Settings under admin/admin.php. | |||||
| CVE-2018-5715 | 1 Sugarcrm | 1 Sugarcrm | 2018-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). | |||||