Vulnerabilities (CVE)

Filtered by CWE-79
Total 42233 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-10634 1 Zyxel 2 Nas326, Nas326 Firmware 2024-11-21 3.5 LOW 5.4 MEDIUM
An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields.
CVE-2019-10475 1 Jenkins 1 Build-metrics 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.
CVE-2019-10432 1 Jenkins 1 Html Publisher 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.
CVE-2019-10410 1 Jenkins 1 Log Parser 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.
CVE-2019-10406 1 Jenkins 1 Jenkins 2024-11-21 3.5 LOW 4.8 MEDIUM
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
CVE-2019-10405 1 Jenkins 1 Jenkins 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
CVE-2019-10404 1 Jenkins 1 Jenkins 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.
CVE-2019-10403 1 Jenkins 1 Jenkins 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.
CVE-2019-10402 1 Jenkins 1 Jenkins 2024-11-21 3.5 LOW 5.4 MEDIUM
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.
CVE-2019-10401 1 Jenkins 1 Jenkins 2024-11-21 3.5 LOW 5.4 MEDIUM
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).
CVE-2019-10396 1 Jenkins 1 Dashboard View 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions.
CVE-2019-10395 1 Jenkins 1 Build Environment 2024-11-21 3.5 LOW 5.4 MEDIUM
Jenkins Build Environment Plugin 1.6 and earlier did not escape variables shown on its views, resulting in a cross-site scripting vulnerability in Jenkins 2.145, 2.138.1, or older, exploitable by users able to change various job/build properties.
CVE-2019-10383 3 Jenkins, Oracle, Redhat 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform 2024-11-21 3.5 LOW 4.8 MEDIUM
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
CVE-2019-10376 1 Jenkins 1 Wall Display 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.
CVE-2019-10374 1 Jenkins 1 Pegdown Formatter 2024-11-21 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.
CVE-2019-10373 1 Jenkins 1 Build Pipeline 2024-11-21 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
CVE-2019-10360 1 Jenkins 1 M2 Release 2024-11-21 3.5 LOW 5.4 MEDIUM
A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
CVE-2019-10349 1 Jenkins 1 Dependency Graph Viewer 2024-11-21 3.5 LOW 5.4 MEDIUM
A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
CVE-2019-10346 1 Jenkins 1 Embeddable Build Status 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers to inject arbitrary HTML and JavaScript into the response of this plugin.
CVE-2019-10336 1 Jenkins 1 Electricflow 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this plugin.
CVE-2019-10335 1 Jenkins 1 Electricflow 2024-11-21 3.5 LOW 5.4 MEDIUM
A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages.
CVE-2019-10325 1 Jenkins 1 Warnings Next Generation 2024-11-21 3.5 LOW 5.4 MEDIUM
A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers with Job/Configure permission to inject arbitrary JavaScript in build overview pages.
CVE-2019-10263 1 Ahsay 1 Cloud Backup Suite 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When creating a trial account, it is possible to inject XSS in the Alias field, allowing the attacker to retrieve the admin's cookie and take over the account.
CVE-2019-10261 1 Centos-webpanel 1 Centos Web Panel 2024-11-21 3.5 LOW 4.8 MEDIUM
CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action.
CVE-2019-10260 1 Totaljs 1 Total.js Cms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format).
CVE-2019-10254 1 Misp 1 Misp 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.
CVE-2019-10241 4 Apache, Debian, Eclipse and 1 more 7 Activemq, Drill, Debian Linux and 4 more 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2019-10238 1 Sitemagic 1 Sitemagic 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Sitemagic CMS v4.4 has XSS in SMFiles/FrmUpload.class.php via the filename parameter.
CVE-2019-10227 1 It-novum 1 Openitcockpit 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component.
CVE-2019-10226 1 Fatfreecrm 1 Fat Free Crm 2024-11-21 4.3 MEDIUM 5.4 MEDIUM
HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is a XSS protection mechanism.
CVE-2019-10221 2 Dogtagpki, Redhat 2 Dogtagpki, Enterprise Linux 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server. This flaw is caused by missing sanitization of the GET URL parameters. An attacker could abuse this flaw to trick an authenticated user into clicking a specially crafted link which can execute arbitrary code when viewed in a browser.
CVE-2019-10215 1 Bootstrap-3-typeahead Project 1 Bootstrap-3-typeahead 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.
CVE-2019-10180 2 Dogtagpki, Redhat 2 Dogtagpki, Certificate System 2024-11-21 3.5 LOW 2.4 LOW
A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
CVE-2019-10179 2 Dogtagpki, Redhat 2 Dogtagpki, Enterprise Linux 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.
CVE-2019-10178 1 Dogtagpki 1 Dogtagpki 2024-11-21 4.3 MEDIUM 4.6 MEDIUM
It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser. All versions of pki-core are believed to be vulnerable.
CVE-2019-10177 1 Redhat 1 Cloudforms Management Engine 2024-11-21 6.0 MEDIUM 6.5 MEDIUM
A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, because user input is not properly sanitized. An attacker with the least privilege to edit compute is able to execute an XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users.
CVE-2019-10146 2 Dogtagpki, Redhat 2 Dogtagpki, Enterprise Linux 2024-11-21 2.6 LOW 4.7 MEDIUM
A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser.
CVE-2019-10118 1 Snipeitapp 1 Snipe-it 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.
CVE-2019-10111 1 Gitlab 1 Gitlab 2024-11-21 3.5 LOW 5.4 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page.
CVE-2019-10107 1 Cmsmadesimple 1 Cms Made Simple 2024-11-21 3.5 LOW 5.4 MEDIUM
CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section.