Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16285 | 1 Userproplugin | 1 Userpro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php.
| CVE-2018-16277 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
The Image Import function in XWiki through 10.7 has XSS.
| CVE-2018-16259 | 1 Soflyy | 1 Wp All Import | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-settings large_feed_limit. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
| CVE-2018-16258 | 1 Soflyy | 1 Wp All Import | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-import custom_type. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
| CVE-2018-16257 | 1 Soflyy | 1 Wp All Import | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
There are multiple XSS vulnerabilities in WP All Import plugin 3.4.9 for WordPress via action=template. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
| CVE-2018-16256 | 1 Soflyy | 1 Wp All Import | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via Add Filtering Options(Add Rule). NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
| CVE-2018-16255 | 1 Soflyy | 1 Wp All Import | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
| CVE-2018-16254 | 1 Soflyy | 1 Wp All Import | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=options. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
| CVE-2018-16250 | 1 Creatiwity | 1 Witycms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
The "utilisateur" menu in Creatiwity wityCMS 0.6.2 allows XSS at two input points for user information: the "first name" and "last name" parameters.
| CVE-2018-16249 | 1 B3log | 1 Symphony | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name.
| CVE-2018-16248 | 1 B3log | 1 Solo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles" menu with an ID of "articleTags" stored in the "tag" JSON field, which allows remote attackers to inject arbitrary Web scripts or HTML via a carefully crafted site name in an admin-authenticated HTTP request.
| CVE-2018-16247 | 1 Yzmcms | 1 Yzmcms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html title parameter.
| CVE-2018-16243 | 1 Solarwinds | 1 Database Performance Analyzer | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen.
| CVE-2018-16236 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering.
| CVE-2018-16235 | 1 Telligent | 1 Community | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Telligent Community 6.x, 7.x, 8.x, 9.x before 9.2.10.11796, 10.1.x before 10.1.10.11792, and 10.2.x before 10.2.3.4725 has XSS via the Feed RSS widget.
| CVE-2018-16234 | 1 Morningstarsecurity | 1 Whatweb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
MorningStar WhatWeb 0.4.9 has XSS via JSON report files.
| CVE-2018-16233 | 1 1234n | 1 Minicms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php tags parameter.
| CVE-2018-16226 | 1 Mitel | 1 Mivoice Office 400 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
A vulnerability in the web admin component of Mitel MiVoice Office 400, versions R5.0 HF3 (v8839a1) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack, due to insufficient validation for the start.asp page. A successful exploit could allow the attacker to execute arbitrary scripts to access sensitive browser-based information.
| CVE-2018-16220 | 1 Audiocodes | 2 405hd, 405hd Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross Site Scripting in different input fields (domain field and personal settings) in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an attacker (local or remote) to inject JavaScript into the web interface of the device by manipulating the phone book entries or manipulating the domain name sent to the device from the domain controller.
| CVE-2018-16206 | 1 Ohtanz | 1 Spam-byebye | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in WordPress plugin spam-byebye 2.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
| CVE-2018-16205 | 1 Weseek | 1 Growi | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal.
| CVE-2018-16204 | 1 Google Xml Sitemaps Project | 1 Google Xml Sitemaps | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
Cross-site scripting vulnerability in Google XML Sitemaps Version 4.0.9 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
| CVE-2018-16199 | 1 Toshiba | 4 Hem-gw16a, Hem-gw16a Firmware, Hem-gw26a and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in Toshiba Home gateway HEM-GW16A 1.2.9 and earlier and Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows a remote attacker to inject arbitrary web script or HTML via unspecified vectors.
| CVE-2018-16193 | 1 Nec | 4 Aterm Wf1200cr, Aterm Wf1200cr Firmware, Aterm Wg1200cr and 1 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting vulnerability in Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
| CVE-2018-16180 | 1 Daj | 1 I-filter | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in i-FILTER Ver.9.50R05 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
| CVE-2018-16173 | 1 Thimpress | 1 Learnpress | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
| CVE-2018-16165 | 1 Jpcert | 1 Logontracer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in LogonTracer 1.2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
| CVE-2018-16164 | 1 Web-dorado | 1 Event Calendar Wd | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
| CVE-2018-16148 | 1 Opsview | 1 Opsview | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting.
| CVE-2018-16147 | 1 Opsview | 1 Opsview | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting.
| CVE-2018-16142 | 1 Phpok | 1 Phpok | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
PHPOK 4.8.278 has a Reflected XSS vulnerability in framework/www/login_control.php via the _back parameter to the ok_f function.
| CVE-2018-16139 | 1 Bibliosoft | 1 Bibliopac | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in BIBLIOsoft BIBLIOpac 2008 allows remote attackers to inject arbitrary web script or HTML via the db or action parameter to bin/wxis.exe/bibliopac/.
| CVE-2018-16138 | 1 Ipbrick | 1 Ipbrick Os | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
An issue was discovered in the administration page in IPBRICK OS 6.3. There are multiple XSS vulnerabilities.
| CVE-2018-16134 | 1 Cybrotech | 1 Cybrohttpserver | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cybrotech CyBroHttpServer 1.0.3 allows XSS via a URI.
| CVE-2018-16096 | 1 Lenovo | 8 System Management Module Firmware, Thinkagile Hx Enclosure 7x81, Thinkagile Hx Enclosure 7y87 and 5 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
In System Management Module (SMM) versions prior to 1.06, the SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-site scripting.
| CVE-2018-16084 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The default selected dialog button in CustomHandlers in Google Chrome prior to 69.0.3497.81 allowed a remote attacker who convinced the user to perform certain operations to open external programs via a crafted HTML page.
| CVE-2018-16061 | 1 Mitsubishielectric | 2 Smartrtu, Smartrtu Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Mitsubishi Electric Europe B.V. SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php.
| CVE-2018-16050 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.5 and 11.2.x before 11.2.2. There is Persistent XSS in the Merge Request Changes View.
| CVE-2018-15973 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
| CVE-2018-15972 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.