Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2017-18089 | 1 Atlassian | 1 Crucible | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review. |
| CVE-2017-18086 | 1 Atlassian | 1 Confluence | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter. |
| CVE-2017-18085 | 1 Atlassian | 1 Confluence | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. |
| CVE-2017-18084 | 1 Atlassian | 1 Confluence | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro. |
| CVE-2017-18083 | 1 Atlassian | 1 Confluence | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file. |
| CVE-2017-18082 | 1 Atlassian | 1 Bamboo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch. |
| CVE-2017-18081 | 1 Atlassian | 1 Bamboo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie. |
| CVE-2017-18041 | 1 Atlassian | 1 Bamboo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. |
| CVE-2017-18040 | 1 Atlassian | 1 Bamboo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. |
| CVE-2017-18039 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter. |
| CVE-2017-18034 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability via a specially crafted repository branch name when trying to display deleted files of the branch. |
| CVE-2017-18024 | 1 Avantfax | 1 Avantfax | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1. |
| CVE-2017-18023 | 1 Officetracker | 1 Officetracker | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Office Tracker 11.2.5 has XSS via the logincount parameter to the /otweb/OTPClientLogin URI. |
| CVE-2017-18015 | 1 Wp-unit | 1 Share This Image | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The ILLID Share This Image plugin before 1.04 for WordPress has XSS via the sharer.php url parameter. |
| CVE-2017-18014 | 1 Sophos | 2 Sfos, Xg Firewall | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An NC-25986 issue was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An unauthenticated user can trigger a persistent XSS vulnerability found in the WAF log page (Control Center -> Log Viewer -> in the filter option "Web Server Protection") in the webadmin interface, and execute any action available to the webadmin of the firewall (e.g., creating a new user, enabling SSH, or adding an SSH authorized key). The WAF log page will execute the "User-Agent" para ... |
| CVE-2017-18012 | 1 Z-url Preview Project | 1 Z-url Preview | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Z-URL Preview plugin 1.6.1 for WordPress has XSS via the class.zlinkpreview.php url parameter. |
| CVE-2017-18011 | 1 Clickbank | 1 Affiliate Ads For Clickbank Products | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The MyCBGenie Affiliate Ads for Clickbank Products plugin through 1.6 for WordPress has XSS via the text_ads_ajax.php border_color parameter. |
| CVE-2017-18010 | 1 E-goi | 1 Smart Marketing Sms And Newsletters Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The E-goi Smart Marketing SMS and Newsletters Forms plugin before 2.0.0 for WordPress has XSS via the admin/partials/custom/egoi-for-wp-form_egoi.php url parameter. |
| CVE-2017-17972 | 1 Archon Project | 1 Archon | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | packages/subjects/pub/subjects.php in Archon 3.21 rev-1 has XSS in the referer parameter in an index.php?subjecttypeid=xxx request, aka Open Bug Bounty ID OBB-466362. |
| CVE-2017-17947 | 1 Pulsesecure | 1 Pulse Connect Secure | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal. |
| CVE-2017-17889 | 1 Kliqqi | 1 Kliqqi Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Kliqqi CMS 3.5.2 has XSS via a crafted group name in pligg/groups.php, a crafted Homepage string in a profile, or a crafted string in Tags or Description within pligg/submit.php. |
| CVE-2017-17837 | 1 Apache | 1 Deltaspike | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Apache DeltaSpike-JSF 1.8.0 module has an XSS injection leak in the windowId handling. The windowId gets cut off after 10 characters by default, so the impact might be limited. A fix was applied and released in Apache deltaspike-1.8.1. |
| CVE-2017-17750 | 1 Bose | 1 Soundtouch | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Bose SoundTouch devices allow XSS via a crafted public playlist from Spotify. |
| CVE-2017-17749 | 1 Bose | 1 Soundtouch | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Bose SoundTouch devices allow XSS via crafted song data from a music service, as demonstrated by Pandora. |
| CVE-2017-17703 | 1 Synacor | 1 Zimbra Collaboration Suite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent XSS. |
| CVE-2017-17678 | 1 Bmc | 1 Remedy Mid-tier | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | BMC Remedy Mid Tier 9.1SP3 is affected by cross-site scripting (XSS). A DOM-based cross-site scripting vulnerability was discovered in a legacy utility. |
| CVE-2017-17541 | 1 Fortinet | 2 Fortianalyzer Firmware, Fortimanager Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.4 and below versions, and FortiAnalyzer 6.0.0, 5.6.4 and below versions allows injection of JavaScript code and HTML tags through the CN value of CA and CRL certificates via the import CA and CRL certificates feature. |
| CVE-2017-17478 | 1 Pega | 1 Pega Platform | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages. |
| CVE-2017-17477 | 1 Pexip | 1 Pexip Infinity | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Pexip Infinity before 17 allows an unauthenticated remote attacker to achieve stored XSS via management web interface views. |
| CVE-2017-17454 | 1 Mahara | 1 Mahara | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Mahara 16.10 before 16.10.7, 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value. |
| CVE-2017-17442 | 1 Blackberry | 1 Unified Endpoint Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In BlackBerry UEM Management Console version 12.7.1 and earlier, a reflected cross-site scripting vulnerability could allow an attacker to execute script commands in the context of the affected UEM Management Console account by crafting a malicious link and then persuading a user with legitimate access to the Management Console to click on the malicious link. |
| CVE-2017-17062 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management. |
| CVE-2017-17061 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by Cross Site Scripting (XSS). |
| CVE-2017-16878 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the Captive Portal function in Palo Alto Networks PAN-OS before 8.0.7 allows remote attackers to inject arbitrary web script or HTML by leveraging an unspecified configuration. |
| CVE-2017-16864 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter. |
| CVE-2017-16863 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter. |
| CVE-2017-16860 | 1 Atlassian | 1 Application Links | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message. |
| CVE-2017-16771 | 1 Synology | 1 Photo Station | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter. |
| CVE-2017-16767 | 1 Synology | 1 Surveillance Station | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter. |
| CVE-2017-16755 | 1 Userscape | 1 Helpspot | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Userscape HelpSpot before 4.7.2. A reflected cross-site scripting vulnerability exists in the "return" parameter of the "index.php?pg=moderated" endpoint. It executes when the return link is clicked. |