Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19306 | 1 Zoho | 1 Lead Magnet | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName.

| CVE-2019-19294 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-11-21 | 3.5 LOW | 6.3 MEDIUM |

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains multiple stored Cross-site Scripting (XSS) vulnerabilities in several input fields. This could allow an authenticated remote attacker to inject malicious JavaScript code into the CCS web application that is later executed in the browser context of any other user who views the relevant CCS web content.

| CVE-2019-19293 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains a reflected Cross-site Scripting (XSS) vulnerability that could allow an unauthenticated remote attacker to steal sensitive data or execute administrative actions on behalf of a legitimate administrator of the CCS web interface.

| CVE-2019-19288 | 1 Siemens | 1 Xhq | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link.

| CVE-2019-19285 | 1 Siemens | 1 Xhq | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow injections that could lead to XSS attacks if unsuspecting users are tricked into accessing a malicious link.

| CVE-2019-19284 | 1 Siemens | 1 Xhq | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.

| CVE-2019-19266 | 1 Icewarp | 1 Mail Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects.

| CVE-2019-19265 | 1 Icewarp | 1 Mail Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 1 of 2) in notes for contacts.

| CVE-2019-19223 | 1 Dlink | 2 Dsl-2680, Dsl-2680 Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |

A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to reboot the router by submitting a reboot.html GET request without being authenticated on the admin interface.

| CVE-2019-19222 | 1 Dlink | 2 Dsl-2680, Dsl-2680 Firmware | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

A Stored XSS issue in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an authenticated attacker to inject arbitrary JavaScript code into the info.html administration page by sending a crafted Forms/wireless_autonetwork_1 POST request.

| CVE-2019-19212 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |

Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).

| CVE-2019-19211 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS.

| CVE-2019-19210 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.

| CVE-2019-19206 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture.

| CVE-2019-19198 | 1 Scoutnet | 1 Kalender | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.

| CVE-2019-19134 | 1 Heroplugins | 1 Hero Maps Premium | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to inject HTML or arbitrary JavaScript within the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based tokens or to launch other attacks.

| CVE-2019-19133 | 1 Csshero | 1 Csshero | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a csshero_action=edit_page request because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary JavaScript in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookies or launch other attacks.

| CVE-2019-19129 | 1 Afterlogic | 2 Aurora, Webmail Pro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name.

| CVE-2019-19112 | 1 Gvectors | 1 Wpforo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

The wpForo plugin 1.6.5 for WordPress allows XSS involving the wpf-dw-td-value class of dashboard.php.

| CVE-2019-19111 | 1 Gvectors | 1 Wpforo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases langid parameter.

| CVE-2019-19110 | 1 Gvectors | 1 Wpforo | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |

The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases s parameter.

| CVE-2019-19095 | 1 Hitachienergy | 1 Esoms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

Lack of adequate input/output validation in ABB eSOMS versions 4.0 to 6.0.2 might allow an attacker to carry out attacks such as stored cross-site scripting by storing malicious content in the database.

| CVE-2019-19085 | 1 Octopus | 1 Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML.

| CVE-2019-19040 | 1 Kairosdb Project | 1 Kairosdb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.

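The KairosDB entry above gives the clearest picture of the pattern shared by the reflected and stored XSS entries in this list (Dolibarr, wpForo, CSS Hero, Hero Maps, IceWarp, OpenWrt and others): user input is written into HTML without encoding for the context it lands in. The following is an added example, not code from any of the listed projects, showing the vulnerable concatenation beside context-specific encoders for HTML text, attribute, inline-script and URL contexts. The payload constant is constructed in the shape the CVE-2019-19040 description gives; the function and element names are illustrative.

```python
import html
import json
from urllib.parse import quote

# Constructed payload in the shape the CVE-2019-19040 description gives:
# a query string whose JSON carries a <script> tag inside a string value.
KAIROS_STYLE_PAYLOAD = '{"sampling":{"value":"<script>alert(1)</script>"}}'


def vulnerable_error_message(query: str) -> str:
    """The bug pattern behind the entries above: raw input concatenated into HTML."""
    return "<div class='error'>Could not parse query: " + query + "</div>"


def html_text(value: str) -> str:
    """HTML text context: & < > " ' become entities, so no tag can open."""
    return html.escape(value, quote=True)


def html_attr(value: str) -> str:
    """HTML attribute context: same entities, and the value is always quoted
    so a stray space cannot start a new attribute such as onmouseover."""
    return '"' + html.escape(value, quote=True) + '"'


def js_string(value: str) -> str:
    """Inline <script> string context: JSON-encode (handles quotes, backslashes,
    control characters and, with the default ensure_ascii, U+2028/U+2029), then
    break the sequence '</' so '</script>' cannot close the enclosing element."""
    return json.dumps(value).replace("</", "<\\/")


def url_param(value: str) -> str:
    """URL query context: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


def safe_error_message(query: str) -> str:
    """Hardened version of vulnerable_error_message: encode for the text context."""
    return "<div class='error'>Could not parse query: " + html_text(query) + "</div>"


def safe_search_link(term: str) -> str:
    """Two contexts in one element: the href value is a URL, the link text is HTML text."""
    return '<a href="/search?s=' + url_param(term) + '">' + html_text(term) + "</a>"


if __name__ == "__main__":
    print(vulnerable_error_message(KAIROS_STYLE_PAYLOAD))
    print(safe_error_message(KAIROS_STYLE_PAYLOAD))
    print(safe_search_link('"><img src=x onerror=alert(1)>'))
```

Encoding belongs at output time, chosen by the context the value is written into; a single "filter on input" pass (the Insufficient Filtering approach in the Dolibarr user/card.php entry) breaks as soon as the same stored value is later emitted into an attribute or a script block.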
| CVE-2019-19003 | 1 Hitachienergy | 1 Esoms | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |

For ABB eSOMS versions 4.0 to 6.0.2, the HttpOnly flag is not set on cookies. This allows JavaScript, including script injected through a Cross Site Scripting flaw, to read the cookie contents.

| CVE-2019-19002 | 1 Hitachienergy | 1 Esoms | 2024-11-21 | 3.5 LOW | 6.3 MEDIUM |

For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browsers that do not support Content Security Policy, this might increase the risk of Cross Site Scripting.

| CVE-2019-18993 | 1 Openwrt | 1 Openwrt | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

OpenWrt 18.06.4 allows XSS via the "New port forward" Name field to the cgi-bin/luci/admin/network/firewall/forwards URI (this can occur, for example, on a TP-Link Archer C7 device).

| CVE-2019-18992 | 1 Openwrt | 1 Openwrt | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |

OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device).

| CVE-2019-18982 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header.

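The eSOMS entries (CVE-2019-19003, CVE-2019-19002) and the Pimcore entry above are about missing defence-in-depth headers rather than an injection point. The following is an added example, not code from ABB, Hitachi Energy or Pimcore, that audits a raw HTTP response head for the settings those entries concern: HttpOnly, Secure and SameSite on cookies, presence and strength of Content-Security-Policy, X-Content-Type-Options, and reliance on X-XSS-Protection, which current browsers no longer implement. The two sample responses are constructed; the cookie name and policy values are illustrative.

```python
from typing import List, Tuple

# Constructed sample responses. WEAK_RESPONSE mirrors the findings in the
# eSOMS and Pimcore entries: a session cookie without HttpOnly, no CSP,
# no nosniff, and only the legacy X-XSS-Protection header.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "object-src 'none'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response head into (lower-cased name, value) pairs.
    Duplicates are kept because Set-Cookie legitimately repeats."""
    headers = []
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                           # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_findings(set_cookie: str) -> List[str]:
    """Check one Set-Cookie value for the attributes that limit script access and leakage."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: no HttpOnly, readable by any script running in the page")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: no Secure flag")
    if "samesite" not in attrs:
        findings.append(f"cookie {name}: no SameSite attribute")
    return findings


def audit_response(raw: str) -> List[str]:
    """Return a list of weaknesses; an empty list means every check passed."""
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings: List[str] = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
    csp = next((v for n, v in headers if n == "content-security-policy"), None)
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        # A policy that permits inline script does not stop an injected <script>.
        directives = {}
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0]] = parts[1:]
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows 'unsafe-inline' for scripts")
    if "x-content-type-options" not in names:
        findings.append("no X-Content-Type-Options: nosniff")
    if "x-xss-protection" in names and csp is None:
        findings.append("only X-XSS-Protection is set; current browsers ignore it, add a CSP")
    return findings


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened:", audit_response(HARDENED_RESPONSE) or "no findings")
```

None of these headers removes an injection point; HttpOnly only keeps the session cookie out of reach of injected script, and a CSP without 'unsafe-inline' only blocks the payloads that need inline script. They are worth checking on every response precisely because the listed products shipped both the injection and the missing mitigation at once.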
| CVE-2019-18957 | 1 Microstrategy | 1 Microstrategy Library | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has reflected XSS.

| CVE-2019-18955 | 1 Lansweeper | 1 Lansweeper | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

The web console in Lansweeper 7.2.105.2 has XSS via the URL path. The vulnerability was fixed and disclosed in the product changelog on 02 Dec 2019.

| CVE-2019-18944 | 1 Microfocus | 1 Solutions Business Manager | 2024-11-21 | 2.3 LOW | 4.9 MEDIUM |

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to reflected XSS.

| CVE-2019-18942 | 1 Microfocus | 1 Solutions Business Manager | 2024-11-21 | 2.3 LOW | 5.5 MEDIUM |

Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to stored XSS. The application reflects previously stored user input without encoding.

| CVE-2019-18926 | 1 Systematicinc | 1 Iris Standards Management | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

Systematic IRIS Standards Management (ISM) v2.1 SP1 89 is vulnerable to unauthenticated reflected Cross Site Scripting (XSS). A user input (related to dialog information) is reflected directly in the web page, allowing a malicious user to conduct a Cross Site Scripting attack against users of the application.

| CVE-2019-18923 | 1 Go-camo Project | 1 Go-camo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

Insufficient content type validation of proxied resources in go-camo before 2.1.1 allows a remote attacker to serve arbitrary content from go-camo's origin.

| CVE-2019-18914 | 1 Hp | 755 Digital Sender Flow 8500 Fn2 Document Capture Workstation L2762a, Futuresmart 3, Futuresmart 4 and 752 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

A potential security vulnerability has been identified for certain HP printers and MFPs that would allow Cross-Site Scripting on a redirection page in a client's browser when the user clicks a third-party malicious link.

| CVE-2019-18893 | 3 Avast, Avg, Video Downloader Project | 3 Secure Browser, Secure Browser, Video Downloader | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

XSS in the Video Downloader component before 1.5 of Avast Secure Browser 77.1.1831.91 and AVG Secure Browser 77.0.1790.77 allows websites to execute their code in the context of this component. While Video Downloader is technically a browser extension, it is granted a very wide set of privileges and can for example access cookies and browsing history, spy on the user while they are surfing the web, and alter their surfing experience in almost arbitrary ways.

| CVE-2019-18883 | 1 Lavalite | 1 Lavalite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field.

| CVE-2019-18882 | 1 Wso2 | 1 Identity Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.

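Four entries in this list share one root cause: bytes the application did not author were sent with a Content-Type the browser will render. Dolibarr served uploaded HTML as text/html despite the .noexe rename (CVE-2019-19210) and executed script from an SVG profile picture (CVE-2019-19206), go-camo relayed proxied resources without validating their content type (CVE-2019-18923), and WSO2 mishandled Content-Type in download-userinfo.jag (CVE-2019-18882). The following is an added example, not code from any of those projects, of how a user-content or proxy endpoint can choose its response headers: identify the type from magic bytes, honour the uploader's or upstream's claim only when it agrees, render inline only an allowlist of passive types, and otherwise force an opaque download with nosniff. The magic-byte table, the sample files and the function names are constructed for the example.

```python
import mimetypes
import os
import re
from typing import Dict, List, Optional, Tuple

# The only types the browser may render inline from a user-content endpoint.
# HTML, XHTML, SVG and XML are deliberately absent: they can carry script.
INLINE_ALLOWLIST = {"image/png", "image/jpeg", "image/gif", "image/webp",
                    "application/pdf"}

# Magic-byte prefixes for the allowlisted types (constructed, not exhaustive).
MAGIC: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"RIFF", "image/webp"),        # RIFF....WEBP, second tag checked in sniff()
    (b"%PDF-", "application/pdf"),
]


def sniff(content: bytes) -> Optional[str]:
    """Identify the type from the bytes themselves, never from a client claim."""
    for magic, ctype in MAGIC:
        if content.startswith(magic):
            if ctype == "image/webp" and content[8:12] != b"WEBP":
                continue
            return ctype
    return None


def safe_filename(filename: str) -> str:
    """Strip directory components and anything that could break the header value."""
    base = os.path.basename(filename.replace("\\", "/"))
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)[:100] or "download"


def headers_for(filename: str, content: bytes,
                declared_type: Optional[str] = None) -> Dict[str, str]:
    """Choose Content-Type and Content-Disposition for stored or proxied bytes.

    declared_type is what the uploader or upstream server claimed. It is only
    honoured when it agrees with the sniffed type; anything not provably a
    passive allowlisted type is sent as an opaque download."""
    sniffed = sniff(content)
    ext_type, _ = mimetypes.guess_type(filename)
    # nosniff stops the browser second-guessing the type we send.
    headers = {"X-Content-Type-Options": "nosniff"}
    trustworthy = (
        sniffed in INLINE_ALLOWLIST
        and ext_type in (None, sniffed)
        and declared_type in (None, sniffed)
    )
    name = safe_filename(filename)
    if trustworthy:
        headers["Content-Type"] = sniffed
        headers["Content-Disposition"] = 'inline; filename="%s"' % name
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % name
    return headers


if __name__ == "__main__":
    # Constructed sample files in the shape of the listed findings.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + bytes(16), "image/png"),
        ("page.html.noexe", b"<html><script>alert(1)</script></html>", "text/html"),
        ("avatar.svg", b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>', "image/svg+xml"),
        ("proxied", b"<html><script>alert(1)</script></html>", "image/png"),
    ]
    for fname, data, claimed in samples:
        print(fname, "->", headers_for(fname, data, claimed))
```

The SVG case is the one most often argued about: SVG is an image format, but it is also an XML document that can carry script and event handlers, so a profile-picture endpoint should either convert it to a raster format on upload or serve it only as a download. The proxied case covers go-camo: the upstream's claim of image/png is rejected because the bytes do not match.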
| CVE-2019-18881 | 1 Wso2 | 1 Identity Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |

WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
