Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-13374 | 2 Dlink, Microsoft | 2 Central Wifimanager, Windows | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter.
|
|||||
| CVE-2019-13364 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
|
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.
|
|||||
| CVE-2019-13363 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
|
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.
|
|||||
| CVE-2019-13346 | 1 Myt Project | 1 Myt | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In MyT 1.5.1, the User[username] parameter has XSS.
|
|||||
| CVE-2019-13345 | 2 Debian, Squid-cache | 2 Debian Linux, Squid | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
|
|||||
| CVE-2019-13341 | 1 1234n | 1 Minicms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie.
|
|||||
| CVE-2019-13340 | 1 1234n | 1 Minicms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186.
|
|||||
| CVE-2019-13339 | 1 1234n | 1 Minicms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie.
|
|||||
| CVE-2019-13274 | 2 Debian, Xymon | 2 Debian Linux, Xymon | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CGI script due to insufficient filtering of the db parameter.
|
|||||
| CVE-2019-13239 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.
|
|||||
| CVE-2019-13236 | 1 Alkacon | 1 Opencms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.
|
|||||
| CVE-2019-13235 | 1 Alkacon | 1 Opencms Apollo Template | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.
|
|||||
| CVE-2019-13234 | 1 Alkacon | 1 Opencms Apollo Template | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine.
|
|||||
| CVE-2019-13209 | 1 Suse | 1 Rancher | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.
|
|||||
| CVE-2019-13200 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The web application of several Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) was affected by Reflected XSS. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.
|
|||||
| CVE-2019-13198 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The web application of several Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) was affected by Stored XSS. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.
|
|||||
| CVE-2019-13189 | 1 Eng | 1 Knowage | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Knowage through 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page.
|
|||||
| CVE-2019-13186 | 1 1234n | 1 Minicms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, and CVE-2018-20520.
|
|||||
| CVE-2019-13182 | 1 Solarwinds | 1 Serv-u Ftp Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists in the web UI of SolarWinds Serv-U FTP Server 15.1.7.
|
|||||
| CVE-2019-13167 | 1 Xerox | 2 Phaser 3320, Phaser 3320 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Multiple Stored XSS vulnerabilities were found in the Xerox Web Application, used by the Phaser 3320 V53.006.16.000 and other printers. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.
|
|||||
| CVE-2019-13127 | 2 Draw, Jgraph | 2 Draw.io Diagrams, Mxgraph | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An issue was discovered in mxGraph through 4.0.0, related to the "draw.io Diagrams" plugin before 8.3.14 for Confluence and other products. Improper input validation/sanitization of a color field leads to XSS. This is associated with javascript/examples/grapheditor/www/js/Dialogs.js.
|
|||||
| CVE-2019-13122 | 1 Ozlabs | 1 Patchwork | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.
|
|||||
| CVE-2019-13081 | 1 Quest | 1 Kace Systems Management Appliance | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user's browser.
|
|||||
| CVE-2019-13080 | 1 Quest | 1 Kace Systems Management Appliance | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator's browser.
|
|||||
| CVE-2019-13077 | 1 Quest | 1 Kace Systems Management Appliance | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter) that allows an attacker to create a malicious link in order to attack authenticated users.
|
|||||
| CVE-2019-13072 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page.
|
|||||
| CVE-2019-13070 | 1 Cyberpowersystems | 1 Powerpanel | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim.
|
|||||
| CVE-2019-13068 | 1 Grafana | 1 Grafana | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
|
public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).
|
|||||
| CVE-2019-13066 | 1 Sahipro | 1 Sahi Pro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Sahi Pro 8.0.0 has a script manager arena located at _s_/dyn/pro/DBReports with many different areas that are vulnerable to reflected XSS, by updating a script's Script Name, Suite Name, Base URL, Android, iOS, Scripts Run, Origin Machine, or Comment field. The sql parameter can be used to trigger reflected XSS.
|
|||||
| CVE-2019-12970 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element.
|
|||||
| CVE-2019-12964 | 1 Livezilla | 1 Livezilla | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the ticket.php Subject.
|
|||||
| CVE-2019-12963 | 1 Livezilla | 1 Livezilla | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the chat.php Create Ticket Action.
|
|||||
| CVE-2019-12962 | 1 Livezilla | 1 Livezilla | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.
|
|||||
| CVE-2019-12954 | 1 Solarwinds | 2 Network Performance Monitor Orion Platform 2018 Netpath, Network Performance Monitor Orion Platform 2018 Npm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users via a crafted onerror attribute of a VIDEO element in an action for an ALERT.
|
|||||
| CVE-2019-12950 | 1 Teampass | 1 Teampass | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An issue was discovered in TeamPass 2.1.27.35. From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload.
|
|||||
| CVE-2019-12949 | 1 Netgate | 1 Pfsense | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. Then, the remote attacker can run any command with root privileges on that server.
|
|||||
| CVE-2019-12935 | 1 Shopware | 1 Shopware | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
|
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.
|
|||||
| CVE-2019-12934 | 1 Wp-code-highlightjs Project | 1 Wp-code-highlightjs | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
|
|||||
| CVE-2019-12932 | 1 Seeddms | 1 Seeddms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A stored XSS vulnerability was found in SeedDMS 5.1.11 due to poorly escaping the search result in the autocomplete search form placed in the header of out/out.Viewfolder.php.
|
|||||
| CVE-2019-12930 | 1 Wikindx Project | 1 Wikindx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in noMenu() and noSubMenu() in core/navigation/MENU.php in WIKINDX prior to version 5.8.1 allows remote attackers to inject arbitrary web script or HTML via the method parameter.
|
|||||