Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-17989 | 1 Iwcnetwork | 1 Biometric Shift Employee Management System | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Biometric Shift Employee Management System has XSS via the index.php holiday_name parameter in an edit_holiday action. |
| CVE-2015-6035 | 1 Opsview | 1 Opsview | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Opsview before 2015-11-06 has XSS via SNMP. |
| CVE-2017-2135 | 1 Wp-statistics | 1 Wp Statistics | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WP Statistics version 12.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2016-3038 | 1 Ibm | 1 Cognos Business Intelligence | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| IBM Cognos TM1 10.1 and 10.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 114614. |
| CVE-2017-16768 | 1 Synology | 1 Mailplus Server | 2025-04-20 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter. |
| CVE-2017-12062 | 1 Mantisbt | 1 Mantisbt | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled. |
| CVE-2017-8178 | 1 Huawei | 2 Vicky-al00, Vicky-al00 Firmware | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Huawei Email APP Vicky-AL00 smartphones with software of earlier than VKY-AL00C00B171 versions has a stored cross-site scripting vulnerability. A remote attacker could exploit this vulnerability to send email that storing malicious code to a smartphone and waiting for a user to access this email that triggers execution of the code. An exploit could allow the attacker to execute arbitrary script code on the affected device. |
| CVE-2017-11182 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| In Rise Ultimate Project Manager v1.8, XSS vulnerabilities were found in the My Profile section. All input fields are vulnerable. |
| CVE-2017-9292 | 1 Lansweeper | 1 Lansweeper | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Lansweeper before 6.0.0.65 has XSS in an image retrieval URI, aka Bug 542782. |
| CVE-2017-6481 | 1 Phpipam | 1 Phpipam | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in phpipam 1.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (instructions in app/admin/instructions/preview.php; subnetId in app/admin/powerDNS/refresh-ptr-records.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
| CVE-2015-4721 | 1 Concretecms | 1 Concrete Cms | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1. |
| CVE-2013-7452 | 1 Nodejs | 1 Node.js | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. |
| CVE-2017-14984 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the bp_name parameter to /module/admin_bp/add_services.php. |
| CVE-2017-1208 | 1 Ibm | 1 Maximo Asset Management | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 123778. |
| CVE-2015-8975 | 1 Mybb | 2 Merge System, Mybb | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2015-8477 | 1 Redmine | 1 Redmine | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving flash message rendering. |
| CVE-2015-5532 | 1 Strangerstudios | 1 Paid Memberships Pro | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to membershiplevels.php, (2) memberslist.php, or (3) orders.php in adminpages/ or the (4) edit parameter to adminpages/membershiplevels.php. |
| CVE-2017-14134 | 1 Maplesoft | 1 Maple T.a. | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected XSS Vulnerability affects the forgotten password page of Maplesoft Maple T.A. 2016.0.6 (Customer Hosted) via the emailAddress parameter to passwordreset/PasswordReset.do, aka Open Bug Bounty ID OBB-286688. |
| CVE-2017-16821 | 1 B3log | 1 Symphony | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid. |
| CVE-2017-1189 | 1 Ibm | 1 Websphere Portal | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM WebSphere Portal and Web Content Manager 6.1, 7.0, and 8.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 123558. |
| CVE-2017-17971 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS. |
| CVE-2017-7215 | 1 Misp Project | 1 Misp | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting in some view elements in the index filter tool in app/webroot/js/misp2.4.68.js and the organisation landing page in app/View/Organisations/ajax/landingpage.ctp of MISP before 2.4.69 allows remote attackers to inject arbitrary web script or HTML. |
| CVE-2014-6189 | 1 Ibm | 8 Security Network Protection 3100, Security Network Protection 3100 Firmware, Security Network Protection 4100 and 5 more | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Security Network Protection 3100, 4100, 5100, and 7100 devices with firmware 5.2 before 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008 and 5.3 before 5.3.0.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-12630 | 1 Apache | 1 Drill | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards. |
| CVE-2017-1000042 | 1 Mapbox Project | 1 Mapbox | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON Name. |
| CVE-2017-7384 | 1 Flipbuilder | 1 Flip Pdf | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in FlipBuilder Flip PDF allows remote attackers to inject arbitrary web script or HTML via the currentHTMLURL parameter. |
| CVE-2017-3868 | 1 Cisco | 1 Unified Computing System Director | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvc44344. Known Affected Releases: 6.0(0.0). |
| CVE-2015-8350 | 1 Inboundnow | 1 Call To Action | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Calls to Action plugin before 2.5.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) open-tab parameter in a wp_cta_global_settings action to wp-admin/edit.php or (2) wp-cta-variation-id parameter to ab-testing-call-to-action-example/. |
| CVE-2016-5756 | 1 Netiq | 1 Access Manager | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple components of the web tools in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 were vulnerable to Reflected Cross Site Scripting attacks which could be used to hijack user sessions: nps/servlet/frameservice, nps/servlet/webacc, roma/admin/cntl, roma/jsp/admin/appliance/devicedetail_edit.jsp, roma/jsp/admin/managementip/mgmt_ip_details_frameset.jsp, roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp, roma/jsp/volsc/monitoring/appliance.jsp, and roma/jsp/vols ... |
| CVE-2017-6724 | 1 Cisco | 1 Prime Infrastructure | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCuw65843. Known Affected Releases: 3.1(0.0). |
| CVE-2016-6347 | 1 Redhat | 1 Resteasy | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-12066 | 1 Cacti | 1 Cacti | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163. |
| CVE-2016-0305 | 1 Ibm | 1 Connections | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| IBM Connections is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
| CVE-2017-16758 | 1 Ultimate Instagram Feed Project | 1 Ultimate Instagram Feed | 2025-04-20 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/partials/uif-access-token-display.php in the Ultimate Instagram Feed plugin before 1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "access_token" parameter. |
| CVE-2017-14186 | 1 Fortinet | 1 Fortios | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4 and below versions under SSL VPN web portal allows a remote user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. An URL Redirection attack may also be feasible by injecting an external URL via the affected parameter. |
| CVE-2017-12777 | 1 Nexusphp Project | 1 Nexusphp | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via some parameter to usersearch.php. |
| CVE-2017-2528 | 1 Apple | 2 Iphone Os, Safari | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that improperly interacts with cached frames. |
| CVE-2017-7666 | 1 Apache | 1 Openmeetings | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks. |
| CVE-2017-6561 | 1 Agora-project | 1 Agora-project | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=object&action=[XSS] attack. |
| CVE-2017-14506 | 1 Geminabox Project | 1 Geminabox | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| geminabox (aka Gem in a Box) before 0.13.6 has XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file. |