Total
35377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12407 | 1 Apache | 1 Jspwiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. | |||||
| CVE-2019-12404 | 1 Apache | 1 Jspwiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. | |||||
| CVE-2019-12398 | 1 Apache | 1 Airflow | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected. | |||||
| CVE-2019-12397 | 1 Apache | 1 Ranger | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix. | |||||
| CVE-2019-12386 | 1 Ampache | 1 Ampache | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker. | |||||
| CVE-2019-12370 | 1 Readdle | 1 Spark | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | |||||
| CVE-2019-12369 | 1 Typeapp | 1 Typeapp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The TypeApp application through 1.9.5.35 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | |||||
| CVE-2019-12368 | 1 Edison | 1 Edison Mail | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Edison Mail application through 1.7.1 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | |||||
| CVE-2019-12367 | 1 Blixhq | 1 Bluemail | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The BlueMail application through 1.9.5.36 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | |||||
| CVE-2019-12366 | 1 9folders | 1 Nine | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Nine application through 4.5.3a for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | |||||
| CVE-2019-12365 | 1 Cloudmagic | 1 Newton | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Newton application through 10.0.23 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | |||||
| CVE-2019-12362 | 1 Phome | 1 Empirecms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| EmpireCMS 7.5.0 has XSS via the HTTP Referer header to e/member/doaction.php. | |||||
| CVE-2019-12361 | 1 Phome | 1 Empirecms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| EmpireCMS 7.5.0 has XSS via the from parameter to e/member/doaction.php, as demonstrated by a CSRF payload that changes the dynamic page template. The attacker can choose to resend the e/template/member/regsend.php registered activation mail page. | |||||
| CVE-2019-12347 | 1 Netgate | 1 Pfsense | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors. | |||||
| CVE-2019-12346 | 1 Miniorange | 1 Saml Sp Single Sign On | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In the miniOrange SAML SP Single Sign On plugin before 4.8.73 for WordPress, the SAML Login Endpoint is vulnerable to XSS via a specially crafted SAMLResponse XML post. | |||||
| CVE-2019-12345 | 1 Kibokolabs | 1 Hostel | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in the Kiboko Hostel plugin before 1.1.4 for WordPress. | |||||
| CVE-2019-12315 | 1 Samsung | 2 Scx-824, Scx-824 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Samsung SCX-824 printers allow a reflected Cross-Site-Scripting (XSS) vulnerability that can be triggered by using the "print from file" feature, as demonstrated by the sws/swsAlert.sws?popupid=successMsg msg parameter. | |||||
| CVE-2019-12313 | 1 Dollarshaveclub | 1 Shave | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Shave before 2.5.3 because output encoding is mishandled during the overwrite of an HTML element. | |||||
| CVE-2019-12311 | 1 Sandline | 1 Centraleyezer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sandline Centraleyezer (On Premises) allows Unrestricted File Upload leading to Stored XSS. An HTML page running a script could be uploaded to the server. When a victim tries to download a CISO Report template, the script is loaded. | |||||
| CVE-2019-12308 | 1 Djangoproject | 1 Django | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. | |||||