Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16687 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
|
|||||
| CVE-2019-16686 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.
|
|||||
| CVE-2019-16685 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
|
|||||
| CVE-2019-16684 | 1 Xoops | 1 Xoops | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes.
|
|||||
| CVE-2019-16683 | 1 Xoops | 1 Xoops | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes.
|
|||||
| CVE-2019-16681 | 1 Traveloka | 1 Traveloka | 2024-11-21 | 2.6 LOW | 4.7 MEDIUM |
|
The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to the opening of arbitrary URLs, which can inject deceptive content into the UI. (When in physical possession of the device, opening local files is also possible.) NOTE: As of 2019-09-23, the vendor has not agreed that this issue has serious impact. The vendor states that the issue is not critical because it does not allow Elevation of Privilege, Sensitive Data Leakage, or any cri ...
Show More |
|||||
| CVE-2019-16665 | 1 Thinksaas | 1 Thinksaas | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in ThinkSAAS 2.91. There is XSS via the content to the index.php?app=group&ac=comment&ts=do&js=1 URI, as demonstrated by a crafted SVG document in the SRC attribute of an EMBED element.
|
|||||
| CVE-2019-16664 | 1 Thinksaas | 1 Thinksaas | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
An issue was discovered in ThinkSAAS 2.91. There is XSS via the index.php?app=group&ac=create&ts=do groupname parameter.
|
|||||
| CVE-2019-16661 | 1 Digimute | 1 Ogma Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Ogma CMS 0.5 has XSS via creation of a new blog.
|
|||||
| CVE-2019-16657 | 1 Tuzicms | 1 Tuzicms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/.
|
|||||
| CVE-2019-16643 | 1 Zrlog | 1 Zrlog | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An issue was discovered in ZrLog 2.1.1. There is a Stored XSS vulnerability in the article_edit area.
|
|||||
| CVE-2019-16564 | 1 Jenkins | 1 Pipeline Aggregator View | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affects view content such as job display name or pipeline stage names.
|
|||||
| CVE-2019-16563 | 1 Jenkins | 1 Mission Control | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.
|
|||||
| CVE-2019-16562 | 1 Jenkins | 1 Buildgraph-view | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.
|
|||||
| CVE-2019-16534 | 1 Draytek | 8 Vigor2925 Firmware, Vigor2925ac, Vigor2925fn and 5 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists via a crafted WAN name on the General Setup screen. NOTE: this is an end-of-life product.
|
|||||
| CVE-2019-16533 | 1 Draytek | 8 Vigor2925 Firmware, Vigor2925ac, Vigor2925fn and 5 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access Control exists in loginset.htm, and can be used to trigger XSS. NOTE: this is an end-of-life product.
|
|||||
| CVE-2019-16525 | 1 Checklist | 1 Checklist | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code.
|
|||||
| CVE-2019-16524 | 1 Status301 | 1 Easy Fancybox | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The easy-fancybox plugin before 1.8.18 for WordPress (aka Easy FancyBox) is susceptible to Stored XSS in the Settings Menu inc/class-easyfancybox.php due to improper encoding of arbitrarily submitted settings parameters. This occurs because there is no inline styles output filter.
|
|||||
| CVE-2019-16523 | 1 Pixelite | 1 Events Manager | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map) provided by the plugin.
|
|||||
| CVE-2019-16522 | 1 Eu Cookie Law Project | 1 Eu Cookie Law | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message. This affects Font Color, Background Color, and the Disable Cookie text. An attacker with high privileges can attack other users.
|
|||||
| CVE-2019-16521 | 1 Managewp | 1 Broken Link Checker | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The broken-link-checker plugin through 1.11.8 for WordPress (aka Broken Link Checker) is susceptible to Reflected XSS due to improper encoding and insertion of an HTTP GET parameter into HTML. The filter function on the page listing all detected broken links can be exploited by providing an XSS payload in the s_filter GET parameter in a filter_id=search request. NOTE: this is an end-of-life product.
|
|||||
| CVE-2019-16520 | 1 Semperplugins | 1 All In One Seo Pack | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper encoding of the SEO-specific description for posts provided by the plugin via unsafe placeholder replacement.
|
|||||
| CVE-2019-16512 | 1 Connectwise | 1 Control | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier.
|
|||||
| CVE-2019-16467 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
|
|||||
| CVE-2019-16466 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
|
|||||
| CVE-2019-16417 | 1 Hrworks | 1 Hrworks | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
HRworks FLOW 3.36.9 allows XSS via the purpose of a travel-expense report.
|
|||||
| CVE-2019-16416 | 1 Hrworks | 1 Hrworks | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
HRworks 3.36.9 allows XSS via the purpose of a travel-expense report.
|
|||||
| CVE-2019-16414 | 1 Gfi | 1 Kerio Control | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI.
|
|||||
| CVE-2019-16392 | 3 Canonical, Debian, Spip | 3 Ubuntu Linux, Debian Linux, Spip | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.
|
|||||
| CVE-2019-16385 | 1 Cybelesoft | 1 Thinfinity Virtualui | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application request to view a PDF, containing the malicious payload. This results in a reflected XSS payload being executed.
|
|||||
| CVE-2019-16375 | 1 Otrs | 1 Otrs | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.
|
|||||
| CVE-2019-16344 | 1 Scadabr | 1 Scadabr | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password parameter.
|
|||||
| CVE-2019-16334 | 1 Bludit | 1 Bludit | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636.
|
|||||
| CVE-2019-16333 | 1 Get-simple | 1 Getsimple Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.
|
|||||
| CVE-2019-16332 | 1 Api Bearer Auth Project | 1 Api Bearer Auth | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
|
|||||
| CVE-2019-16330 | 1 Nchsoftware | 1 Express Accounts Accounting | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In NCH Express Accounts Accounting v7.02, persistent cross site scripting (XSS) exists in Invoices/Sales Orders/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Sales Orders/Items/Customers/Quotes fields parameter to inject arbitrary JavaScript.
|
|||||
| CVE-2019-16321 | 1 Scadabr | 1 Scadabr | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO.
|
|||||
| CVE-2019-16312 | 1 S-cms | 1 S-cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
s-cms V3.0 has XSS in index.php?type=text via the S_id parameter.
|
|||||
| CVE-2019-16310 | 1 Niushop | 1 Niushop | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
NIUSHOP V1.11 has XSS via the index.php?s=/admin URI.
|
|||||
| CVE-2019-16307 | 1 Fujixerox | 1 Docushare | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKey parameter (deleteWebExMeetingCheck.jsp).
|
|||||