Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2017-9243 | 1 Aries Networks | 2 Qwr-1104 Wireless-n Router, Qwr-1104 Wireless-n Router Firmware | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Aries QWR-1104 Wireless-N Router with Firmware Version WRC.253.2.0913 has XSS on the Wireless Site Survey page, exploitable with the name of an access point. |
| CVE-2016-5642 | 1 Opmantek | 1 Network Management Information System | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | Opmantek NMIS before 8.5.12G has XSS via SNMP. |
| CVE-2016-9979 | 1 Ibm | 1 Curam Social Program Management | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120255. |
| CVE-2016-7981 | 1 Spip | 1 Spip | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action. |
| CVE-2017-12980 | 1 Dokuwiki | 1 Dokuwiki | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as demonstrated by the dc:creator element. |
| CVE-2017-1000063 | 1 Kitto Project | 1 Kitto | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 page resulting in information disclosure |
| CVE-2017-14717 | 1 Telaxius | 1 Epesi | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter. |
| CVE-2017-2222 | 1 Butlerblog | 1 Wp-members | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in WP-Members prior to version 3.1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-2508 | 1 Apple | 2 Iphone Os, Safari | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that improperly interacts with container nodes. |
| CVE-2017-8832 | 1 Allen Disk Project | 1 Allen Disk | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Allen Disk 1.6 has XSS in the id parameter to downfile.php. |
| CVE-2017-15612 | 1 Mistune Project | 1 Mistune | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions. |
| CVE-2017-6560 | 1 Agora-project | 1 Agora-project | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=misc&action=[XSS]&editObjId=[XSS] attack. |
| CVE-2017-7222 | 1 Mantisbt | 1 Mantisbt | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration. This requires privileged access to MantisBT configuration management pages (i.e., administrator access rights) or altering the system configuration file (config_inc.php). |
| CVE-2017-1002017 | 1 Bobcares | 1 Gift-certificate-creator | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Vulnerability in wordpress plugin gift-certificate-creator v1.0, The code in gc-list.php doesn't sanitize user input to prevent a stored XSS vulnerability. |
| CVE-2016-9316 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least privileges to inject arbitrary HTML/JavaScript code into web pages. This was resolved in Version 6.5 CP 1737. |
| CVE-2017-15809 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | In phpMyFaq before 2.9.9, there is XSS in admin/tags.main.php via a crafted tag. |
| CVE-2017-12583 | 1 Dokuwiki | 1 Dokuwiki | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php. |
| CVE-2017-1000103 | 1 Jenkins | 1 Dry | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view. |
| CVE-2017-8569 | 1 Microsoft | 1 Sharepoint Server | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | Microsoft SharePoint Server allows an elevation of privilege vulnerability due to the way that it sanitizes a specially crafted web request to an affected SharePoint server, aka "SharePoint Server XSS Vulnerability". |
| CVE-2017-8384 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. |
| CVE-2017-11201 | 1 Finecms Project | 1 Finecms | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images action. |
| CVE-2017-15892 | 1 Synology | 1 Chat | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter. |
| CVE-2017-17868 | 1 Liferay | 1 Liferay Portal | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag. |
| CVE-2017-14761 | 1 Genixcms | 1 Genixcms | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | In GeniXCMS 1.1.4, /inc/lib/backend/menus.control.php has XSS via the id parameter. |
| CVE-2017-7723 | 1 Wp-ecommerce | 1 Easy Wp Smtp | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | XSS exists in Easy WP SMTP (before 1.2.5), a WordPress Plugin, via the e-mail subject or body. |
| CVE-2017-5515 | 1 Metalgenix | 1 Genixcms | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in the user prompt function in GeniXCMS through 0.0.8 allows remote authenticated users to inject arbitrary web script or HTML via tag names. |
| CVE-2011-4333 | 1 Scilico | 1 Labwiki | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in LabWiki 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) from parameter to index.php or the (2) page_no parameter to recentchanges.php. |
| CVE-2017-14093 | 1 Trendmicro | 1 Scanmail | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | The Log Query and Quarantine Query pages in Trend Micro ScanMail for Exchange 12.0 are vulnerable to cross site scripting (XSS) attacks. |
| CVE-2016-0265 | 1 Ibm | 1 Campaign | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | IBM Campaign is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
| CVE-2017-17744 | 1 Webdesi9 | 1 Custom Map | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the custom-map plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map_id parameter to view/advancedsettings.php. |
| CVE-2017-2151 | 1 Booking Calendar Project | 1 Booking Calendar | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting vulnerability in Booking Calendar version 7.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-5612 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. |
| CVE-2017-1000138 | 1 Mahara | 1 Mahara | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when dragging/dropping files into a collection if the file has Javascript code in its title. |
| CVE-2013-7451 | 1 Nodejs | 1 Node.js | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. |
| CVE-2017-11507 | 1 Check Mk Project | 1 Check Mk | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.2.8x prior to 1.2.8p25 and 1.4.0x prior to 1.4.0p9, allowing an unauthenticated attacker to inject arbitrary HTML or JavaScript via the output_format parameter, and the username parameter of failed HTTP basic authentication attempts, which is returned unencoded in an internal server error page. |
| CVE-2017-14615 | 1 Watchguard | 1 Fireware | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. When a failed login attempt is made to the login endpoint of the XML-RPC interface, if JavaScript code, properly encoded to be consumed by XML parsers, is embedded as value of the user element, the code will be rendered in the context of any logged in user in the Web UI visiting "Traffic Monitor" sections "Events" and "All." As a side effect, no further events will be visible in the Traffic Monitor until the device is restarted ... |
| CVE-2016-6519 | 2 Openstack, Redhat | 2 Manila, Openstack | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in the "Shares" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the "Create Share" form. |
| CVE-2015-7357 | 1 Udesign Project | 1 Udesign | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the uDesign (aka U-Design) theme 2.3.0 before 2.7.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via a fragment identifier, as demonstrated by `#<svg onload=alert(1)>`. |
| CVE-2017-17994 | 1 Iwcnetwork | 1 Biometric Shift Employee Management System | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request. |
| CVE-2017-17988 | 1 Muslim Matrimonial Script Project | 1 Muslim Matrimonial Script | 2025-04-20 | 3.5 LOW | 4.8 MEDIUM | PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_add.php event_title parameter. |