Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1000427 | 1 Marked Project | 1 Marked | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.
|
|||||
| CVE-2017-1000426 | 1 Omniscale | 1 Mapproxy | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
MapProxy version 1.10.3 and older is vulnerable to a Cross Site Scripting attack in the demo service resulting in possible information disclosure.
|
|||||
| CVE-2017-1000425 | 1 Liferay | 1 Liferay Portal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the "movie" parameter.
|
|||||
| CVE-2017-1000404 | 1 Jenkins | 1 Delivery Pipeline | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs.
|
|||||
| CVE-2017-1000392 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.
|
|||||
| CVE-2017-1000389 | 1 Jenkins | 1 Global-build-stats | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability.
|
|||||
| CVE-2017-1000386 | 1 Jenkins | 1 Active Choices | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. This could include, for example, arbitrary JavaScript. Active Choices now sanitizes the HTML inserted on the 'Build With Parameters' page if and only if the script is executed in a sandbox. As unsandboxed scripts are subject to administrator approval, it is up t ...
Show More |
|||||
| CVE-2017-0931 | 1 Html-janitor Project | 1 Html-janitor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
html-janitor node module suffers from a Cross-Site Scripting (XSS) vulnerability via clean() accepting user-controlled values.
|
|||||
| CVE-2017-0924 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting.
|
|||||
| CVE-2017-0923 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting.
|
|||||
| CVE-2017-0917 | 2 Debian, Gitlab | 2 Debian Linux, Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting.
|
|||||
| CVE-2017-0912 | 1 Ui | 1 Ucrm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-site Scripting. Due to the lack sanitization, it is possible to inject arbitrary HTML code by manipulating the uploaded filename. Successful exploitation requires valid credentials to an account with "Edit" access to "Scheduling".
|
|||||
| CVE-2017-0365 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | 2.6 LOW | 4.7 MEDIUM |
|
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations.
|
|||||
| CVE-2016-9903 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Mozilla's add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be loaded as a document it could allow injecting content and script into an add-on's context. This vulnerability affects Firefox < 50.1.
|
|||||
| CVE-2016-9605 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation.
|
|||||
| CVE-2016-9500 | 1 Accellion | 1 Ftp Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.
|
|||||
| CVE-2016-9493 | 1 Jqueryform | 1 Php Formmail Generator | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.
|
|||||
| CVE-2016-9490 | 1 Manageengine | 1 Applications Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from a Reflected Cross-Site Scripting vulnerability. Applications Manager is prone to a Cross-Site Scripting vulnerability in parameter LIMIT, in URL path /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233. The URL is also available without authentication.
|
|||||
| CVE-2016-9271 | 1 Cloudera | 1 Cloudera Manager | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cloudera Manager 5.7.x before 5.7.6, 5.8.x before 5.8.4, and 5.9.x before 5.9.1 allows XSS in the help search feature.
|
|||||
| CVE-2016-8639 | 2 Redhat, Theforeman | 3 Satellite, Satellite Capsule, Foreman | 2024-11-21 | 3.5 LOW | 6.1 MEDIUM |
|
It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.
|
|||||
| CVE-2016-8634 | 1 Theforeman | 1 Foreman | 2024-11-21 | 3.5 LOW | 6.1 MEDIUM |
|
A vulnerability was found in foreman 1.14.0. When creating an organization or location in Foreman, if the name contains HTML then the second step of the wizard (/organizations/id/step2) will render the HTML. This occurs in the alertbox on the page. The result is a stored XSS attack if an organization/location with HTML in the name is created, then a user is linked directly to this URL.
|
|||||
| CVE-2016-8613 | 1 Theforeman | 1 Foreman | 2024-11-21 | 4.3 MEDIUM | 6.4 MEDIUM |
|
A flaw was found in foreman 1.5.1. The remote execution plugin runs commands on hosts over SSH from the Foreman web UI. When a job is submitted that contains HTML tags, the console output shown in the web UI does not escape the output causing any HTML or JavaScript to run in the user's browser. The output of the job is stored, making this a stored XSS vulnerability.
|
|||||
| CVE-2016-8608 | 1 Redhat | 2 Jboss Bpm Suite, Jboss Business Rules Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote, authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins.
|
|||||
| CVE-2016-8532 | 1 Hp | 1 Matrix Operating Environment | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A cross site scripting vulnerability in HPE Matrix Operating Environment version 7.6 was found.
|
|||||
| CVE-2016-8527 | 1 Hp | 1 Airwave | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to a reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative users click on the malicious link while currently logged into AirWave ...
Show More |
|||||
| CVE-2016-8522 | 1 Hp | 1 Diagnostics | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A cross-site scripting vulnerability in HPE Diagnostics version 9.24 IP1, 9.26 , 9.26IP1 was found.
|
|||||
| CVE-2016-8517 | 1 Hp | 1 Systems Insight Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross site scripting vulnerability in HPE Systems Insight Manager in all versions prior to 7.6 was found.
|
|||||
| CVE-2016-7394 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
tiki wiki cms groupware <=15.2 has a xss vulnerability, allow attackers steal user's cookie.
|
|||||
| CVE-2016-6810 | 1 Apache | 1 Activemq | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.
|
|||||
| CVE-2016-6588 | 1 Symantec | 1 It Management Suite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A Cross-Site Scripting (XSS) vulnerability exists in the ITMS workflow process manager console in Symantec IT Management Suite 8.0.
|
|||||
| CVE-2016-6556 | 1 Opennms | 1 Opennms | 2024-11-21 | 4.3 MEDIUM | 7.1 HIGH |
|
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This issue was fixed in version 18.0.2, released on September 20, 2016.
|
|||||
| CVE-2016-6555 | 1 Opennms | 1 Opennms | 2024-11-21 | 4.3 MEDIUM | 7.1 HIGH |
|
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016.
|
|||||
| CVE-2016-6343 | 1 Redhat | 1 Jboss Bpm Suite | 2024-11-21 | 3.5 LOW | 6.1 MEDIUM |
|
JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of script code within the context of the affected user.
|
|||||
| CVE-2016-6217 | 2 Linux, Sophos | 2 Linux Kernel, Puremessage | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in Sophos PureMessage for UNIX before 6.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2016-6154 | 2 Microsoft, Watchguard | 2 Windows, Fireware | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
|
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
|
|||||
| CVE-2016-5819 | 1 Moxa | 10 Oncell G3100v2, Oncell G3100v2 Firmware, Oncell G3111 and 7 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Moxa G3100V2 Series, editions prior to Version 2.8, and OnCell G3111/G3151/G3211/G3251 Series, editions prior to Version 1.7 allows a reflected cross-site scripting attack which may allow an attacker to execute arbitrary script code in the user’s browser within the trust relationship between their browser and the server.
|
|||||
| CVE-2016-5236 | 1 F5 | 1 Websafe Alert Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard 3.9.5 and earlier, aka F5 WebSafe Alert Server, allow privileged authenticated users to inject arbitrary web script or HTML when creating a new user, account or signature.
|
|||||
| CVE-2016-5235 | 1 F5 | 1 Websafe Alert Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A Cross Site Scripting (XSS) vulnerability in versions of F5 WebSafe Dashboard 3.9.x and earlier, aka F5 WebSafe Alert Server, allows an unauthenticated user to inject HTML via a crafted alert.
|
|||||
| CVE-2016-4406 | 1 Hp | 3 Integrated Lights-out, Integrated Lights-out 3 Firmware, Integrated Lights-out 4 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A remote cross site scripting vulnerability was identified in HPE iLO 3 all version prior to v1.88 and HPE iLO 4 all versions prior to v2.44.
|
|||||
| CVE-2016-4400 | 1 Hp | 1 Network Node Manager I | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS).
|
|||||