Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2017-16710 | 1 Crestron | 4 Airmedia Am-100, Airmedia Am-100 Firmware, Airmedia Am-101 and 1 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Cross-site scripting (XSS) vulnerability in Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-16514 | 1 Websitebaker | 1 Websitebaker | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities in the files /wb/admin/admintools/tool.php (Droplet Description) and /install/index.php (Site Title) in WebsiteBaker 2.10.0 allow attackers to insert persistent JavaScript code that gets reflected back to users in multiple areas in the application. |
| CVE-2017-16356 | 1 Kubik-rubik | 1 Simple Image Gallery Extended | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) before 3.3.0 allows attackers to execute JavaScript in a victim's browser by having them visit a plugins/content/sige/plugin_sige/print.php link with a crafted img, name, or caption parameter. |
| CVE-2017-16022 | 1 Morris.js Project | 1 Morris.js | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Morris.js creates an SVG graph, with labels that appear when hovering over a point. The hovering label names are not escaped in versions 0.5.0 and earlier. If control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded. |
| CVE-2017-16019 | 1 Gitbook | 1 Gitbook | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | GitBook is a command line tool (and Node.js library) for building beautiful books using GitHub/Git and Markdown (or AsciiDoc). Stored Cross-Site-Scripting (XSS) is possible in GitBook before 3.2.2 by including code outside of backticks in any ebook. This code will be executed on the online reader. |
| CVE-2017-16018 | 1 Restify | 1 Restify | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Restify is a framework for building REST APIs. In Restify >=2.0.0 <=4.0.4, by using URL-encoded script tags in a non-existent URL, an attacker can get script to run in some browsers. |
| CVE-2017-16017 | 1 Punkave | 1 Sanitize-html | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | sanitize-html is a library for scrubbing HTML input for malicious values. Versions 1.2.2 and below have a cross-site scripting vulnerability. |
| CVE-2017-16016 | 1 Punkave | 1 Sanitize-html | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | sanitize-html is a library for scrubbing HTML input of malicious values. Versions 1.11.1 and below are vulnerable to cross-site scripting (XSS) in certain scenarios: if at least one nonTextTags entry is allowed, the result is a potential XSS vulnerability. |
| CVE-2017-16015 | 1 Forms Project | 1 Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Forms is a library for easily creating HTML forms. Versions before 1.3.0 did not have proper HTML escaping. This means that if the application did not sanitize HTML on behalf of forms, use of forms may be vulnerable to cross-site scripting. |
| CVE-2017-16010 | 1 I18next | 1 I18next | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is not. This vulnerability affects i18next 2.0.0 and later. |
| CVE-2017-16009 | 2 Ag-grid, Angularjs | 2 Ag-grid, Angularjs | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | ag-grid is an advanced data grid that is library agnostic. ag-grid is vulnerable to Cross-site Scripting (XSS) via Angular Expressions, if AngularJS is used in combination with ag-grid. |
| CVE-2017-16008 | 1 I18next | 1 I18next | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | i18next is a language translation framework. Because of how the interpolation is implemented, making replacements from the dictionary one at a time, untrusted user input can use the name of one of the dictionary keys to inject script into the browser. This affects i18next <=1.10.2. |
| CVE-2017-16006 | 1 Remarkable Project | 1 Remarkable | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Remarkable is a markdown parser. In versions 1.6.2 and lower, remarkable allows the use of `data:` URIs in links and can therefore execute JavaScript. |
| CVE-2017-15941 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.7, when the GlobalProtect gateway or portal is configured, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-15869 | 1 Livezilla | 1 Livezilla | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla before 7.0.8.9 allows remote attackers to inject arbitrary web script or HTML via the search-for parameter. |
| CVE-2017-15719 | 1 Wicket-jquery-ui Project | 1 Wicket-jquery-ui | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to the WYSIWYG editor. |
| CVE-2017-15717 | 1 Apache | 2 Sling Xss Protection Api, Sling Xss Protection Api Compat | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A flaw in the way URLs are escaped and encoded in org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0. |
| CVE-2017-15686 | 1 Craftercms | 1 Crafter Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users' cookies. |
| CVE-2017-15682 | 1 Craftercms | 1 Crafter Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel. |
| CVE-2017-15640 | 1 Phpipam | 1 Phpipam | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter. |
| CVE-2017-15515 | 1 Netapp | 1 Snapcenter Server | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | NetApp SnapCenter Server prior to 4.0 is susceptible to a cross-site scripting vulnerability that could allow a privileged user to inject arbitrary scripts into the custom secondary policy label field. |
| CVE-2017-15429 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Inappropriate implementation in V8 WebAssembly JS bindings in Google Chrome prior to 63.0.3239.108 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. |
| CVE-2017-15427 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar. |
| CVE-2017-15125 | 1 Redhat | 1 Cloudforms Management Engine | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM | A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS; however, not all browsers support CSP. |
| CVE-2017-15092 | 1 Powerdns | 1 Recursor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and JavaScript code into the web interface, altering the content. |
| CVE-2017-15030 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS). |
| CVE-2017-14850 | 1 Orpak | 1 Siteomat | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | All known versions of the Orpak SiteOmat web management console are vulnerable to multiple instances of Stored Cross-site Scripting due to improper external user-input validation. An attacker with access to the web interface is able to hijack sessions or navigate victims outside of SiteOmat, to a malicious server owned by him. |
| CVE-2017-14801 | 1 Netiq | 1 Access Manager | 2024-11-21 | 4.3 MEDIUM | 4.6 MEDIUM | Reflected XSS in NetIQ Access Manager before 4.3.3 allowed attackers to reflect XSS back into the called page using the url parameter. |
| CVE-2017-14800 | 1 Netiq | 1 Access Manager | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM | A reflected cross-site scripting attack in NetIQ Access Manager before 4.3.3 using the "typecontainerid" parameter of the policy editor could allow code injection into pages of authenticated users. |
| CVE-2017-14799 | 1 Netiq | 1 Access Manager | 2024-11-21 | 4.3 MEDIUM | 4.6 MEDIUM | A cross-site scripting attack in the handling of the ESP login parameter in NetIQ Access Manager before 4.3.3 could be used to inject JavaScript code into the login page. |
| CVE-2017-14740 | 1 Genixcms | 1 Genixcms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Cross-site scripting (XSS) vulnerability in GeniXCMS 1.1.0 allows remote authenticated users to inject arbitrary web script or HTML via the Menu ID when adding a menu. |
| CVE-2017-14594 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the jqlQuery query parameter. |
| CVE-2017-14536 | 1 Netfortris | 1 Trixbox | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | trixbox 2.8.0.4 has XSS via the PATH_INFO to /maint/index.php or /user/includes/language/langChooser.php. |
| CVE-2017-14522 | 1 Wondercms | 1 Wondercms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In WonderCMS 2.3.1, the application's input fields accept arbitrary user input, resulting in execution of malicious JavaScript. NOTE: the vendor disputes this issue, stating that this is a feature that enables only a logged-in administrator to write and execute JavaScript anywhere on their website. |
| CVE-2017-14395 | 1 Forgerock | 2 Access Management, Openam | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS. |
| CVE-2017-14383 | 1 Dell | 4 Emc Vnx1, Emc Vnx1 Firmware, Emc Vnx2 and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In Dell EMC VNX2 versions prior to Operating Environment for File 8.1.9.217 and VNX1 versions prior to Operating Environment for File 7.1.80.8, a web server error page in VNX Control Station is impacted by a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary HTML code in the user's browser session in the context of the affected web application. |
| CVE-2017-14190 | 1 Fortinet | 1 Fortios | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.7, 5.2 and earlier, allows an attacker to inject arbitrary web script or HTML via a maliciously crafted "Host" header in user HTTP requests. |
| CVE-2017-14096 | 1 Trendmicro | 1 Smart Protection Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A stored cross-site scripting (XSS) vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to execute a malicious payload on vulnerable systems. |
| CVE-2017-13678 | 1 Broadcom | 2 Advanced Secure Gateway, Symantec Proxysg | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Stored XSS vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can inject arbitrary JavaScript code in the management console web client application. |
| CVE-2017-13668 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS). |