Total: 35377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-3781 | Nextcloud | Talk | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A missing sanitization of search results for an autocomplete field in Nextcloud Talk < 3.2.5 could lead to a stored XSS requiring user interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. |
| CVE-2018-3780 | Nextcloud | Nextcloud Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A missing sanitization of search results for an autocomplete field in Nextcloud Server < 13.0.5 could lead to a stored XSS requiring user interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. |
| CVE-2018-3773 | Metascraper Project | Metascraper | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | There is a stored Cross-Site Scripting vulnerability in Open Graph meta properties read by the `metascrape` npm module <= 3.9.2. |
| CVE-2018-3771 | Statics-server Project | Statics-server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS in statics-server <= 0.0.9 can be triggered via an iframe injected into a filename when statics-server displays a directory index in the browser. |
| CVE-2018-3769 | Ruby-grape | Grape | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The ruby-grape Ruby gem suffers from a cross-site scripting (XSS) vulnerability via the "format" parameter. |
| CVE-2018-3764 | Nextcloud | Contacts | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users such as admins or group admins. |
| CVE-2018-3763 | Nextcloud | Calendar | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users such as admins or group admins. |
| CVE-2018-3755 | Sexstatic Project | Sexstatic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | XSS in sexstatic <= 0.6.2: HTML injection in directory names leads to stored XSS when a malicious file is embedded via an <iframe> element used in a directory name. |
| CVE-2018-3748 | Glance Project | Glance | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | There is a stored XSS vulnerability in the glance node module versions <= 3.0.5. A file name containing malicious HTML (e.g. an embedded iframe element or a javascript: pseudo-protocol handler in an <a> element) allows JavaScript code to execute against any user who opens a directory listing containing such a crafted file name. |
| CVE-2018-3747 | Public.js Project | Public.js | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The public node module versions <= 1.0.3 allow HTML to be embedded in file names, which (under certain conditions) might lead to execution of malicious JavaScript. |
| CVE-2018-3741 | Rubyonrails | Html Sanitizer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when given input with specially crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately. |
| CVE-2018-3740 | Sanitize Project | Sanitize | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A specially crafted HTML fragment can cause the Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element. |
| CVE-2018-3735 | Bracket-template Project | Bracket-template | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | bracket-template suffers from a reflected XSS, possible when a variable passed via a GET parameter is used in a template. |
| CVE-2018-3726 | Crud-file-server Project | Crud-file-server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The crud-file-server node module before 0.8.0 suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file names. |
| CVE-2018-3717 | Sencha | Connect | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of files in the directory.js middleware. |
| CVE-2018-3716 | Simplehttpserver Project | Simplehttpserver | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The simplehttpserver node module suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file names. |
| CVE-2018-3699 | Intel | Raid Web Console 3 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting in the Intel RAID Web Console v3 for Windows may allow an unauthenticated user to elevate privilege via remote access. |
| CVE-2018-2505 | Sap | Hybris | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | SAP Commerce does not sufficiently validate user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability in storefronts that are based on the product. Fixed in SAP Hybris Commerce versions 6.2, 6.3, 6.4, 6.5, 6.6, 6.7. |
| CVE-2018-2504 | Sap | Netweaver Application Server Java | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The SAP NetWeaver AS Java Web Container service does not validate the HTTP Host header against a whitelist, which can result in HTTP Host Header Manipulation or a Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. |
| CVE-2018-2502 | Sap | Business One On Hana | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The TRACE method is enabled in SAP Business One Service Layer. An attacker can use an XST (Cross Site Tracing) attack if frontend applications that use the Service Layer have an XSS vulnerability. This has been fixed in SAP Business One Service Layer (B1_ON_HANA, versions 9.2, 9.3). |