Total
35377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-11501 | 1 Website Seller Script Project | 1 Website Seller Script | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit.php?upd=2, with resultant XSS. | |||||
| CVE-2018-11487 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php. | |||||
| CVE-2018-11486 | 1 Multidots | 1 Advance Search For Woocommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress. This plugin is vulnerable to a stored Cross-site scripting (XSS) vulnerability. A non-authenticated user can save the plugin settings and inject malicious JavaScript code in the Custom CSS textarea field, which will be loaded on every site page. | |||||
| CVE-2018-11485 | 1 Multidots | 1 Woocommerce Quick Reports | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS. It allows an attacker to inject malicious JavaScript code on the WooCommerce -> Orders admin page. The attack is possible by modifying the "referral_site" cookie to have an XSS payload, and placing an order. | |||||
| CVE-2018-11473 | 1 Monstra | 1 Monstra | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration). | |||||
| CVE-2018-11472 | 1 Monstra | 1 Monstra | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php). | |||||
| CVE-2018-11471 | 1 Getcockpit | 1 Cockpit | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cockpit 0.5.5 has XSS via a collection, form, or region. | |||||
| CVE-2018-11450 | 1 Siemens | 1 Teamcenter Product Lifecycle Management | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-Site-Scripting (XSS) vulnerability has been identified in Siemens PLM Software TEAMCENTER (V9.1.2.5). If a user visits the login portal through the URL crafted by the attacker, the attacker can insert html/javascript and thus alter/rewrite the login portal page. Siemens PLM Software TEAMCENTER V9.1.3 and newer are not affected. | |||||
| CVE-2018-11449 | 1 Siemens | 2 Scalance M875, Scalance M875 Firmware | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| A vulnerability has been identified in SCALANCE M875 (All versions). An attacker with access to the local file system might obtain passwords for administrative users. Successful exploitation requires read access to files on the local file system. A successful attack could allow an attacker to obtain administrative passwords. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2018-11448 | 1 Siemens | 2 Scalance M875, Scalance M875 Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability has been identified in SCALANCE M875 (All versions). The web interface on port 443/tcp could allow a stored Cross-Site Scripting (XSS) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires that the attacker has access to the web interface of an affected device. The attacker must be authenticated as administrative user on the web interface. Afterwards, a legitimate user must access the web interface. A successful attack could allow an attacker to execute malicious code in the browser of a legitimate user. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2018-11443 | 1 Easyservice Billing Project | 1 Easyservice Billing | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The parameter q is affected by Cross-site Scripting in jobcard-ongoing.php in EasyService Billing 1.0. | |||||
| CVE-2018-11430 | 1 Moderator Log Notes Project | 1 Moderator Log Notes | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. The XSS is located in the mod notes textarea. | |||||
| CVE-2018-11415 | 1 Sap | 1 Internet Transaction Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Internet Transaction Server (ITS) 6200.X.X has Reflected Cross Site Scripting (XSS) via certain wgate URIs. NOTE: the vendor has reportedly indicated that there will not be any further releases of this product. | |||||
| CVE-2018-11404 | 1 Domainmod | 1 Domainmod | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.php sslpaid parameter. | |||||
| CVE-2018-11403 | 1 Domainmod | 1 Domainmod | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| DomainMod v4.09.03 has XSS via the assets/edit/account-owner.php oid parameter. | |||||
| CVE-2018-11366 | 1 Loginizer | 1 Loginizer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| init.php in the Loginizer plugin 1.3.8 through 1.3.9 for WordPress has Unauthenticated Stored Cross-Site Scripting (XSS) because logging is mishandled. This is fixed in 1.4.0. | |||||
| CVE-2018-11352 | 1 Wallabag | 1 Wallabag | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
| The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be exploited with authentication and used to target administrators and steal their sessions. | |||||
| CVE-2018-11351 | 1 Jirafeau | 1 Jirafeau | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| script.php in Jirafeau before 3.4.1 is affected by two stored Cross-Site Scripting (XSS) vulnerabilities. These are stored within the shared files description file and allow the execution of a JavaScript payload each time an administrator searches or lists uploaded files. These two injections could be triggered without authentication, and target the administrator. The attack vectors are the Content-Type field and the filename parameter. | |||||
| CVE-2018-11350 | 1 Jirafeau | 1 Jirafeau | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Jirafeau before 3.4.1. The file "search by name" form is affected by one Cross-Site Scripting vulnerability via the name parameter. | |||||
| CVE-2018-11348 | 1 Yunohost | 1 Yunohost | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Two XSS vulnerabilities are located in the profile edition page of the user panel of the YunoHost 2.7.2 through 2.7.14 web application. By injecting a JavaScript payload, these flaws could be used to manipulate a user's session. | |||||