Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-18873 | 1 Fudforum | 1 Fudforum | 2024-11-21 | 8.5 HIGH | 9.0 CRITICAL |
|
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.
|
|||||
| CVE-2019-18859 | 1 Digi | 2 Anywhereusb\/14, Anywhereusb\/14 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Digi AnywhereUSB 14 allows XSS via a link for the Digi Page.
|
|||||
| CVE-2019-18857 | 1 Svg-sanitizer Project | 1 Svg-sanitizer | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript	:alert substring.
|
|||||
| CVE-2019-18842 | 1 Usriot | 8 Usr-wifi232-g2, Usr-wifi232-g2 Firmware, Usr-wifi232-h and 5 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the configuration web interface of the Jinan USR IOT USR-WIFI232-S/T/G2/H Low Power WiFi Module with web version 1.2.2 allows attackers to leak credentials of the Wi-Fi access point the module is logged into, and the web interface login credentials, by opening a Wi-Fi access point nearby with a malicious SSID.
|
|||||
| CVE-2019-18839 | 1 Fudforum | 1 Fudforum | 2024-11-21 | 8.5 HIGH | 9.0 CRITICAL |
|
FUDForum 3.0.9 is vulnerable to Stored XSS via the nlogin parameter. This may result in remote code execution. An attacker can use a user account to fully compromise the system using a POST request. When the admin visits the user information, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
|
|||||
| CVE-2019-18834 | 1 Woocommerce | 1 Subscriptions | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php.
|
|||||
| CVE-2019-18816 | 1 Popojicms | 1 Popojicms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
po-admin/route.php?mod=post&act=edit in PopojiCMS 2.0.1 allows post[1][content]= stored XSS.
|
|||||
| CVE-2019-18793 | 1 Parallels | 1 Parallels Plesk Panel | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter.
|
|||||
| CVE-2019-18791 | 1 Lexmark | 160 6500e, 6500e Firmware, C734 and 157 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Lexmark printer MS812 and multiple older generation Lexmark devices have a stored XSS vulnerability in the embedded web server. The vulnerability can be exploited to expose session credentials and other information via the users web browser.
|
|||||
| CVE-2019-18667 | 1 Pfsense | 1 Pfsense-pkg-freeradius3 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
/usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD allows a user with an XSS payload as password or username to execute arbitrary javascript code on a victim browser.
|
|||||
| CVE-2019-18664 | 1 Secudos | 1 Domos | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Log module in SECUDOS DOMOS before 5.6 allows XSS.
|
|||||
| CVE-2019-18656 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Pimcore 6.2.3 has XSS in the translations grid because bundles/AdminBundle/Resources/public/js/pimcore/settings/translations.js mishandles certain HTML elements.
|
|||||
| CVE-2019-18654 | 2 Avg, Microsoft | 2 Anti-virus, Windows | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A Cross Site Scripting (XSS) issue exists in AVG AntiVirus (Internet Security Edition) 19.3.3084 build 19.3.4241.440 in the Network Notification Popup, allowing an attacker to execute JavaScript code via an SSID Name.
|
|||||
| CVE-2019-18653 | 2 Avast, Microsoft | 2 Antivirus, Windows | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A Cross Site Scripting (XSS) issue exists in Avast AntiVirus (Free, Internet Security, and Premiere Edition) 19.3.2369 build 19.3.4241.440 in the Network Notification Popup, allowing an attacker to execute JavaScript code via an SSID Name.
|
|||||
| CVE-2019-18652 | 1 Watchguard | 2 Xmt515, Xmt515 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A DOM based XSS vulnerability has been identified on the WatchGuard XMT515 through 12.1.3, allowing a remote attacker to execute JavaScript in the victim's browser by tricking the victim into clicking on a crafted link. The payload was tested in Microsoft Internet Explorer 11.418.18362.0 and Microsoft Edge 44.18362.387.0 (Microsoft EdgeHTML 18.18362).
|
|||||
| CVE-2019-18649 | 1 Untangle | 1 Ng Firewall | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
When logged in as an admin user, the Title input field (under Reports) within Untangle NG firewall 14.2.0 is vulnerable to stored XSS.
|
|||||
| CVE-2019-18648 | 1 Untangle | 1 Ng Firewall | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
When logged in as an admin user, the Untangle NG firewall 14.2.0 is vulnerable to reflected XSS at multiple places and specific user input fields.
|
|||||
| CVE-2019-18636 | 1 Jitbit | 1 .net Forum | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in Jitbit .NET Forum (aka ASP.NET forum) 8.3.8 allows remote attackers to inject arbitrary web script or HTML via the gravatar URL parameter.
|
|||||
| CVE-2019-18588 | 1 Dell | 2 Emc Powermax, Emc Unisphere For Powermax | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject javascript code and affect other authenticated users' sessions.
|
|||||
| CVE-2019-18578 | 1 Dell | 1 Xtremio Management Server | 2024-11-21 | 6.0 MEDIUM | 9.0 CRITICAL |
|
Dell EMC XtremIO XMS versions prior to 6.3.0 contain a stored cross-site scripting vulnerability. A low-privileged malicious remote user of XtremIO may exploit this vulnerability to store malicious HTML or JavaScript code in application fields. When victim users access the injected page through their browsers, the malicious code may be executed by the web browser in the context of the vulnerable web application.
|
|||||
| CVE-2019-18574 | 2 Emc, Rsa | 2 Rsa Authentication Manager, Authentication Manager | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
RSA Authentication Manager software versions prior to 8.4 P8 contain a stored cross-site scripting vulnerability in the Security Console. A malicious Security Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface which could then be included in a report. When other Security Console administrators open the affected report, the injected scripts could potentially be executed in their browser.
|
|||||
| CVE-2019-18571 | 1 Dell | 1 Rsa Identity Governance And Lifecycle | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a reflected cross-site scripting vulnerability in the My Access Live module [MAL]. An authenticated malicious local user could potentially exploit this vulnerability by sending crafted URL with scripts. When victim users access the module through their browsers, the malicious code gets injected and executed by the web browser in the context of the vulnerable web application.
|
|||||
| CVE-2019-18454 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in GitLab Community and Enterprise Edition 10.5 through 12.4 in link validation for RDoc wiki pages feature. It has XSS.
|
|||||
| CVE-2019-18419 | 1 Clonos | 1 Clonos | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB control panel 19.09 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
|
|||||
| CVE-2019-18416 | 1 Restaurant Management System Project | 1 Restaurant Management System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Sourcecodester Restaurant Management System 1.0 allows XSS via the Last Name field of a member.
|
|||||
| CVE-2019-18415 | 1 Restaurant Management System Project | 1 Restaurant Management System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Sourcecodester Restaurant Management System 1.0 allows XSS via the "send a message" screen.
|
|||||
| CVE-2019-18413 | 1 Typestack Class-validator Project | 1 Typestack Class-validator | 2024-11-21 | 7.5 HIGH | 3.7 LOW |
|
In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious i ...
Show More |
|||||
| CVE-2019-18378 | 1 Symantec | 1 Messaging Gateway | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy.
|
|||||
| CVE-2019-18357 | 1 Thycotic | 1 Secret Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 2 of 2).
|
|||||
| CVE-2019-18356 | 1 Thycotic | 1 Secret Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 1 of 2).
|
|||||
| CVE-2019-18350 | 1 Ant.design | 1 Ant Design Pro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET parameter affects the authorization component, leading to execution of JavaScript code in the login after-action script.
|
|||||
| CVE-2019-18347 | 1 Davical | 1 Davical | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.
|
|||||
| CVE-2019-18345 | 2 Davical, Debian | 2 Davical, Debian Linux | 2024-11-21 | 4.3 MEDIUM | 9.3 CRITICAL |
|
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.
|
|||||
| CVE-2019-18273 | 1 Osisoft | 1 Pi Vision | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced.
|
|||||
| CVE-2019-18267 | 1 Ge | 4 S2020, S2020 Firmware, S2020g and 1 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary Javascript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site scripting vulnerability that may allow session hijacking, disclosure of sensitive data, cross-site request forgery (CSRF) attacks, and remote code execution.
|
|||||
| CVE-2019-18265 | 1 Digitalalertsystems | 10 Dasdec I, Dasdec I Firmware, Dasdec Ii and 7 more | 2024-11-21 | N/A | 4.7 MEDIUM |
|
Digital Alert Systems’ DASDEC software prior to version 4.1 contains a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via the SSH username, username field of the login page, or via the HTTP host header. The injected content is stored in logs and rendered when viewed in the web application.
|
|||||
| CVE-2019-18249 | 1 Reliablecontrols | 4 Mach-prowebcom, Mach-prowebcom Firmware, Mach-prowebsys and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Reliable Controls MACH-ProWebCom/Sys, all versions prior to 2.15 (Firmware versions prior to 8.26.4), may allow attacker to execute commands on behalf of the user when an authenticated user clicks on a malicious link.
|
|||||
| CVE-2019-18233 | 1 Advantech | 2 Spectre Rt Ert351, Spectre Rt Ert351 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Advantech Spectre RT Industrial Routers ERT351 5.1.3 and prior, the affected product does not neutralize special characters in the error response, allowing attackers to use a reflected XSS attack.
|
|||||
| CVE-2019-18223 | 1 Eleveo | 1 Call Recording | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
ZOOM International Call Recording 6.3.1 suffers from multiple authenticated stored XSS vulnerabilities via the phoneNumber field in the (1) User Edit or (2) User Add form, (3) name field in the Role Add form, (4) name or number field in the Edit Group form, (5) tagKey or tagValue field in the Recording Rules Configuration, or (6) txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config.
|
|||||
| CVE-2019-18221 | 1 Corehr | 1 Core Portal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
CoreHR Core Portal before 27.0.7 allows stored XSS.
|
|||||