Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14546 | 1 Espocrm | 1 Espocrm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature, which fires when the victim replies or forwards the mail, thus helping him steal victims' cookies (hence compromising their accounts).
|
|||||
| CVE-2019-14518 | 1 Modx | 1 Evolution Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Evolution CMS 2.0.x allows XSS via a description and new category location in a template. NOTE: the vendor states that the behavior is consistent with the "access policy in the administration panel.
|
|||||
| CVE-2019-14517 | 1 Editor.md Project | 1 Editor.md | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
pandao Editor.md 1.5.0 allows XSS via the Javascript: string.
|
|||||
| CVE-2019-14512 | 1 Limesurvey | 1 Limesurvey | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php.
|
|||||
| CVE-2019-14478 | 1 Adremsoft | 1 Netcrunch | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting (XSS) vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript code in the context of the user's browser if the victim opens or searches for a node whose "Display Name" contains an XSS payload.
|
|||||
| CVE-2019-14472 | 1 Zurmo | 1 Zurmo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default PATH_INFO.
|
|||||
| CVE-2019-14471 | 1 Testlink | 1 Testlink | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
TestLink 1.9.19 has XSS via the error.php message parameter.
|
|||||
| CVE-2019-14470 | 2 Instagram-php-api Project, Userproplugin | 2 Instagram-php-api, User Pro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter.
|
|||||
| CVE-2019-14469 | 1 Sonatype | 1 Nexus Repository Manager | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In Nexus Repository Manager before 3.18.0, users with elevated privileges can create stored XSS.
|
|||||
| CVE-2019-14456 | 1 Opengear | 1 Opengear | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Opengear console server firmware releases prior to 4.5.0 have a stored XSS vulnerability related to serial port logging. If a malicious user of an external system (connected to a serial port on an Opengear console server) sends crafted text to a serial port (that has logging enabled), the text will be replayed when the logs are viewed. Exploiting this vulnerability requires access to the serial port and/or console server.
|
|||||
| CVE-2019-14449 | 1 Cloudera | 1 Cloudera Manager | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An issue was discovered in Cloudera Manager 5.x before 5.16.2, 6.0.x before 6.0.2, and 6.1.x before 6.1.1. Malicious impala queries can result in Cross Site Scripting (XSS) when viewed within this product.
|
|||||
| CVE-2019-14427 | 1 Webstudio | 1 Ultimate Loan Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.
|
|||||
| CVE-2019-14415 | 1 Veritas | 1 Resiliency Platform | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality. A victim must open a resiliency plan that an attacker has access to.
|
|||||
| CVE-2019-14406 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing (SEC-493).
|
|||||
| CVE-2019-14390 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).
|
|||||
| CVE-2019-14387 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506).
|
|||||
| CVE-2019-14386 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504).
|
|||||
| CVE-2019-14364 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An XSS vulnerability in the "Email Subscribers & Newsletters" plugin 4.1.6 for WordPress allows an attacker to inject malicious JavaScript code through a publicly available subscription form using the esfpx_name wp-admin/admin-ajax.php POST parameter.
|
|||||
| CVE-2019-14350 | 1 Espocrm | 1 Espocrm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation.
|
|||||
| CVE-2019-14349 | 1 Espocrm | 1 Espocrm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. An attacker can upload a crafted file that contains JavaScript code in its name. This code will be executed when a user opens a page of any profile with this.
|
|||||
| CVE-2019-14344 | 1 Vocabularyserver | 1 Tematres | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
TemaTres 3.0 has reflected XSS via the replace_string or search_string parameter to the vocab/admin.php?doAdmin=bulkReplace URI.
|
|||||
| CVE-2019-14343 | 1 Vocabularyserver | 1 Tematres | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
TemaTres 3.0 has stored XSS via the value parameter to the vocab/admin.php?vocabulario_id=list URI.
|
|||||
| CVE-2019-14338 | 1 Dlink | 4 6600-ap, 6600-ap Firmware, Dwl-3600ap and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authentication admin.cgi?action= XSS vulnerability on the management interface.
|
|||||
| CVE-2019-14331 | 1 Espocrm | 1 Espocrm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code.
|
|||||
| CVE-2019-14330 | 1 Espocrm | 1 Espocrm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create Case. A malicious attacker can modify the firstName and lastName to contain JavaScript code.
|
|||||
| CVE-2019-14329 | 1 Espocrm | 1 Espocrm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in EspoCRM before 5.6.6. There is stored XSS due to lack of filtration of user-supplied data in Create Task. A malicious attacker can modify the parameter name to contain JavaScript code.
|
|||||
| CVE-2019-14315 | 1 Sunhater | 1 Kcfinder | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in upload.php in SunHater KCFinder 3.20-test1, 3.20-test2, 3.12, and earlier allows remote attackers to inject arbitrary web script or HTML via the CKEditorFuncNum parameter.
|
|||||
| CVE-2019-14298 | 1 Veeam | 1 One Reporter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Veeam ONE Reporter 9.5.0.3201 allows XSS via a crafted Description(config) field to addDashboard or editDashboard in CommonDataHandlerReadOnly.ashx.
|
|||||
| CVE-2019-14297 | 1 Veeam | 1 One Reporter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Veeam ONE Reporter 9.5.0.3201 allows XSS via the Add/Edit Widget with a crafted Caption field to setDashboardWidget in CommonDataHandlerReadOnly.ashx.
|
|||||
| CVE-2019-14286 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.
|
|||||
| CVE-2019-14272 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.
|
|||||
| CVE-2019-14228 | 1 Angry-frog | 1 Xavier | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Xavier PHP Management Panel 3.0 is vulnerable to Reflected POST-based XSS via the username parameter when registering a new user at admin/includes/adminprocess.php. If there is an error when registering the user, the unsanitized username will reflect via the error page. Due to the lack of CSRF protection on the admin/includes/adminprocess.php endpoint, an attacker is able to chain the XSS with CSRF in order to cause remote exploitation.
|
|||||
| CVE-2019-14227 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
OX App Suite 7.10.1 and 7.10.2 allows XSS.
|
|||||
| CVE-2019-14221 | 1 1crm | 1 1crm On-premise | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishandled during a Run Report operation.
|
|||||
| CVE-2019-13977 | 1 Ovidentia | 1 Ovidentia | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
index.php in Ovidentia 8.4.3 has XSS via tg=groups, tg=maildoms&idx=create&userid=0&bgrp=y, tg=delegat, tg=site&idx=create, tg=site&item=4, tg=admdir&idx=mdb&id=1, tg=notes&idx=Create, tg=admfaqs&idx=Add, or tg=admoc&idx=addoc&item=.
|
|||||
| CVE-2019-13975 | 1 Egain | 1 Chat | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
eGain Chat 15.0.3 allows HTML Injection.
|
|||||
| CVE-2019-13972 | 1 Layerbb | 1 Layerbb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
LayerBB 1.1.3 allows XSS via the application/commands/new.php pm_title variable, a related issue to CVE-2019-17997.
|
|||||
| CVE-2019-13971 | 1 Otcms | 1 Otcms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
OTCMS 3.81 allows XSS via the mode parameter in an apiRun.php?mudi=autoRun request.
|
|||||
| CVE-2019-13970 | 1 Antsword Project | 1 Antsword | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In antSword before 2.1.0, self-XSS in the database configuration leads to code execution via modules/database/asp/index.js, modules/database/custom/index.js, modules/database/index.js, or modules/database/php/index.js.
|
|||||
| CVE-2019-13966 | 1 Combodo | 1 Itop | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
|
|||||