Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-10106 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section. |
| CVE-2019-10105 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager. |
| CVE-2019-10092 | 8 Apache, Canonical, Debian and 5 more | 10 Http Server, Ubuntu Linux, Debian Linux and 7 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. |
| CVE-2019-10090 | 1 Apache | 1 Jspwiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-10089 | 1 Apache | 1 Jspwiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-10087 | 1 Apache | 1 Jspwiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-10085 | 1 Apache | 1 Allura | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page. |
| CVE-2019-10078 | 1 Apache | 1 Jspwiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable. |
| CVE-2019-10077 | 1 Apache | 1 Jspwiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. |
| CVE-2019-10076 | 1 Apache | 1 Jspwiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. |
| CVE-2019-10073 | 1 Apache | 1 Ofbiz | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616. |
| CVE-2019-10070 | 1 Apache | 1 Atlas | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored Cross-Site Scripting in the search functionality. |
| CVE-2019-10067 | 1 Otrs | 1 Otrs | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS. |
| CVE-2019-10066 | 1 Otrs | 1 Otrs | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS. |
| CVE-2019-10062 | 1 Bluespire | 1 Aurelia Framework | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. An attacker might also exploit a bug in how the SCRIPT string is processed by splitting and nesting them, for example. |
| CVE-2019-10049 | 1 Pydio | 1 Pydio | 2024-11-21 | 4.9 MEDIUM | 7.3 HIGH | It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn opens a shared file that contains JavaScript code (that is executed in the context of the victim user to obtain sensitive information such as session identifiers and perform actions on behalf of him/her). |
| CVE-2019-10047 | 1 Pydio | 1 Pydio | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by leveraging the file upload and file preview features of the application. An authenticated attacker can upload an HTML file containing JavaScript code and afterwards a file preview URL can be used to access the uploaded file. If a malicious user shares an uploaded HTML file containing JavaScript code with another user of the application, and tricks an authenticated victim into accessing a URL th ... |
| CVE-2019-10027 | 1 Phpcms | 1 Phpcms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | PHPCMS 9.6.x through 9.6.3 has XSS via the mailbox (aka E-mail) field on the personal information screen. |
| CVE-2019-10017 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker. |
| CVE-2019-10016 | 1 Gforge | 1 Advanced Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | GForge Advanced Server 6.4.4 allows XSS via the commonsearch.php words parameter, as demonstrated by a snippet/search/?words= substring. |
| CVE-2019-10010 | 1 Thephpleague | 1 Commonmark | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583. |
| CVE-2019-1020019 | 1 Inveniosoftware | 1 Invenio-previewer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | invenio-previewer before 1.0.0a12 allows XSS. |
| CVE-2019-1020010 | 1 Misskey | 1 Misskey | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Misskey before 10.102.4 allows hijacking a user's token. |
| CVE-2019-1020008 | 1 Stacktable.js Project | 1 Stacktable.js | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | stacktable.js before 1.0.4 allows XSS. |
| CVE-2019-1020007 | 1 Owasp | 1 Dependency-track | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Dependency-Track before 3.5.1 allows XSS. |
| CVE-2019-1020005 | 1 Inveniosoftware | 1 Invenio-communities | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | invenio-communities before 1.0.0a20 allows XSS. |
| CVE-2019-1020003 | 1 Inveniosoftware | 1 Invenio-records | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | invenio-records before 1.2.2 allows XSS. |
| CVE-2019-1010314 | 1 Gitea | 1 Gitea | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to public and affected repo page. |
| CVE-2019-1010307 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS leading to privilege escalation and executing js on admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: 1- User creates a ticket, 2- Admin opens another ticket and clicks on the "Link Tickets" feature, 3- a request to the endpoint fetches js and executes it. |
| CVE-2019-1010287 | 1 Timesheet Next Gen Project | 1 Timesheet Next Gen | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a "redirect" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS, victim may click the malicious url. |
| CVE-2019-1010261 | 1 Gitea | 1 Gitea | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically crafted URL. The fixed version is: 1.7.1 and later. |
| CVE-2019-1010247 | 1 Openidc | 1 Mod Auth Openidc | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2. |
| CVE-2019-1010237 | 1 Ilias | 1 Ilias | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector is: Cloze Test Text gap (attacker) / Corrections view (victim). The fixed version is: 5.3.12. |
| CVE-2019-1010235 | 1 Frog Cms Project | 1 Frog Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Frog CMS 1.1 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing, Alert pop-up on page, Redirecting to another phishing site, Executing browser exploits. The component is: Snippets. |
| CVE-2019-1010207 | 1 Genetechsolutions | 1 Pie Register | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Genetechsolutions Pie Register 3.0.15 is affected by: Cross Site Scripting (XSS). The impact is: Stealing of session cookies. The component is: File: Login. Parameters: interim-login, wp-lang, and supplied URL. The attack vector is: If a victim clicks a malicious link, the attacker can steal his/her account. The fixed version is: 3.0.16. |
| CVE-2019-1010199 | 1 Servicestack | 1 Servicestack | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScript is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side validation and if browser encoding is bypassed, the victim is affected when opening a crafted URL. The fixed version is: 5.2.0. |
| CVE-2019-1010193 | 1 Hisiphp | 1 Hisiphp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | hisiphp 1.0.8 is affected by: Cross Site Scripting (XSS). |
| CVE-2019-1010147 | 2 Bmc, Yellowfinbi | 2 Remedy Smart Reporting, Yellowfin Bi | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later. |
| CVE-2019-1010124 | 1 Webappick | 1 Woocommerce Product Feed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: Cross Site Scripting (XSS). The impact is: XSS to RCE via editing theme files in WordPress. The component is: admin/partials/woo-feed-manage-list.php:63. The attack vector is: Administrator must be logged in. |
| CVE-2019-1010113 | 1 Premiumsoftware | 1 Cleditor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Premium Software CLEditor 1.4.5 and earlier is affected by: Cross Site Scripting (XSS). The impact is: An attacker might be able to inject arbitrary html and script code into the web site. The component is: jQuery plug-in. The attack vector is: the victim must open a crafted href attribute of a link (A) element. |