Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-19465 | 1 Maccms | 1 Maccms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html. |
| CVE-2018-19464 | 1 Dismall | 1 Discuz! | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Discuz! X3.4 allows XSS via admin.php because admincp/admincp_setting.php and template\default\common\footer.htm mishandle the statcode field from third-party stats code. |
| CVE-2018-19461 | 1 Phome | 1 Empirecms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | admin\db\DoSql.php in EmpireCMS through 7.5 allows XSS via crafted SQL syntax to admin/admin.php. |
| CVE-2018-19439 | 1 Oracle | 1 Secure Global Desktop | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | XSS exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602 (but was fixed in later versions including 5.4). helpwindow.jsp has reflected XSS via all parameters, as demonstrated by the sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp windowTitle parameter. |
| CVE-2018-19433 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | ShowDoc 2.4.1 has XSS via the lang parameter because install/database.php mishandles the $cur_lang value. |
| CVE-2018-19414 | 1 Plikli | 1 Plikli Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Plikli CMS 4.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) keyword parameter to groups.php; (2) username parameter to login.php; or (3) date parameter to search.php. |
| CVE-2018-19394 | 1 Cobham | 4 Satcom Sailor 800, Satcom Sailor 800 Firmware, Satcom Sailor 900 and 1 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Cobham Satcom Sailor 800 and 900 devices contained persistent XSS, which required administrative access to exploit. The vulnerability was exploitable by acquiring a copy of the device's configuration file, inserting an XSS payload into a relevant field (e.g., Satellite name), and then restoring the malicious configuration file. |
| CVE-2018-19391 | 1 Cobham | 4 Satcom Sailor 250, Satcom Sailor 250 Firmware, Satcom Sailor 500 and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cobham Satcom Sailor 250 and 500 devices before 1.25 contained persistent XSS, which could be exploited by an unauthenticated threat actor via the /index.lua?pageID=Phone%20book name field. |
| CVE-2018-19386 | 1 Solarwinds | 1 Database Performance Analyzer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI. |
| CVE-2018-19352 | 1 Jupyter | 1 Notebook | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely. |
| CVE-2018-19351 | 1 Jupyter | 1 Notebook | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this. |
| CVE-2018-19350 | 1 Seacms | 1 Seacms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwdsubmit email parameter during a password change, as demonstrated by a data: URL in an OBJECT element. |
| CVE-2018-19340 | 1 Guriddo | 1 Form Php | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Guriddo Form PHP 5.3 has XSS via the demos/jqform/defaultnodb/default.php OrderID, ShipName, ShipAddress, ShipCity, ShipPostalCode, ShipCountry, Freight, or details parameter. |
| CVE-2018-19324 | 1 Kimsq | 1 Rb | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | kimsQ Rb 2.3.0 allows XSS via the second input field to the /?r=home&mod=mypage&page=info URI. |
| CVE-2018-19311 | 1 Centreon | 1 Centreon | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Centreon 3.4.x (fixed in Centreon 18.10.0) allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen. |
| CVE-2018-19301 | 1 Tp4a | 1 Teleport | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | tp4a TELEPORT 3.1.0 allows XSS via the login page because a crafted username is mishandled when an administrator later views the system log. |
| CVE-2018-19289 | 1 Valine.js | 1 Valine | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Valine v1.3.3. It allows HTML injection, which can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file. |
| CVE-2018-19288 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API. |
| CVE-2018-19287 | 1 Ninjaforma | 1 Ninja Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows remote attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. |
| CVE-2018-19286 | 1 Mubu | 1 Curtain | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The server in mubu note 2018-11-11 has XSS by configuring an account with a crafted name value (along with an arbitrary username value), and then creating and sharing a note. |
| CVE-2018-19280 | 1 Centreon | 1 Centreon | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource name or macro expression of a poller macro. |
| CVE-2018-19229 | 1 Laobancms | 1 Laobancms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in LAOBANCMS 2.0. It allows XSS via the admin/art.php?typeid=1 biaoti parameter. |
| CVE-2018-19227 | 1 Laobancms | 1 Laobancms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in LAOBANCMS 2.0. It allows XSS via the admin/liuyan.php neirong[] parameter. |
| CVE-2018-19223 | 1 Laobancms | 1 Laobancms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in LAOBANCMS 2.0. It allows XSS via the first input field to the admin/type.php?id=1 URI. |
| CVE-2018-19222 | 1 Laobancms | 1 Laobancms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in LAOBANCMS 2.0. It allows a /install/mysql_hy.php?riqi=0&i=0 attack to reset the admin password, even if install.txt exists. |
| CVE-2018-19206 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of `<svg><style>`, as demonstrated by an onload attribute in a BODY element, within an HTML attachment. |
| CVE-2018-19202 | 1 Mybb | 1 Mybb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]' parameter. |
| CVE-2018-19201 | 1 Mybb | 1 Mybb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter. |
| CVE-2018-19195 | 1 Xiaocms | 1 Xiaocms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in XiaoCms 20141229. There is XSS related to the template\default\show_product.html file. |
| CVE-2018-19193 | 1 Xiaocms | 1 Xiaocms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in XiaoCms 20141229. There is XSS via the largest input box on the "New news" screen. |
| CVE-2018-19191 | 1 Webmin | 1 Webmin | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Webmin 1.890 has XSS via /config.cgi?webmin, the /shell/index.cgi history parameter, /shell/index.cgi?stripped=1, or the /webminlog/search.cgi uall or mall parameter. |
| CVE-2018-19190 | 1 Amazon | 1 Payfort-php-sdk | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the error.php error_msg parameter. |
| CVE-2018-19189 | 1 Amazon | 1 Payfort-php-sdk | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in an error.php echo statement. |
| CVE-2018-19188 | 1 Amazon | 1 Payfort-php-sdk | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the success.php fort_id parameter. |
| CVE-2018-19187 | 1 Amazon | 1 Payfort-php-sdk | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in a success.php echo statement. |
| CVE-2018-19186 | 1 Amazon | 1 Payfort-php-sdk | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the route.php paymentMethod parameter. |
| CVE-2018-19178 | 1 Jeesns | 1 Jeesns | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | In JEESNS 1.3, com/lxinet/jeesns/core/utils/XssHttpServletRequestWrapper.java allows stored XSS via an HTML EMBED element, a different vulnerability than CVE-2018-17886. |
| CVE-2018-19170 | 1 Jpress | 1 Jpress | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | In JPress v1.0-rc.5, there is stored XSS via each of the first three input fields to the starter-tomcat-1.0/admin/setting URI, as demonstrated by the web_name parameter. |
| CVE-2018-19146 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by administrators) of SVG files that may contain HTML data with a SCRIPT element. |
| CVE-2018-19145 | 1 S-cms | 1 S-cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in S-CMS v1.5. There is an XSS vulnerability in search.php via the keyword parameter. |