Total
35377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-11343 | 1 Asustor | 1 Soundsgood | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the 'playlist' POST parameter. | |||||
| CVE-2018-11339 | 1 Frappe | 1 Erpnext | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment. | |||||
| CVE-2018-11332 | 1 Clippercms | 1 Clippercms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors/save_settings.processor.php file. | |||||
| CVE-2018-11330 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted. | |||||
| CVE-2018-11328 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 2.6 LOW | 4.7 MEDIUM |
| An issue was discovered in Joomla! Core before 3.8.8. Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping the user-info component of the URI could result in an XSS vulnerability. | |||||
| CVE-2018-11326 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to a multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack. | |||||
| CVE-2018-11317 | 1 Intelliants | 1 Subrion | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Subrion CMS before 4.1.4 has XSS. | |||||
| CVE-2018-11245 | 1 Misp-project | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes. | |||||
| CVE-2018-11227 | 1 Monstra | 1 Monstra Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Monstra CMS 3.0.4 and earlier has XSS via index.php. | |||||
| CVE-2018-11223 | 1 Pandorafms | 1 Artica Pandora Fms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| XSS in Artica Pandora FMS before 7.0 NG 723 allows an attacker to execute arbitrary code via a crafted "refr" parameter in a "/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=" call. | |||||
| CVE-2018-11208 | 1 Zblogcn | 1 Z-blogphp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the "copyright information office" field. NOTE: the vendor indicates that the product was not intended to block this type of XSS by a user with the admin privilege | |||||
| CVE-2018-11200 | 1 Acquia | 1 Mautic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mautic 2.13.1. It has Stored XSS via the company name field. | |||||
| CVE-2018-11198 | 1 Acquia | 1 Mautic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mautic 2.13.1. There is Stored XSS via the authorUrl field in config.json. | |||||
| CVE-2018-11133 | 1 Quest | 1 Kace System Management Appliance | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The 'fmt' parameter of the '/common/run_cross_report.php' script in the the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. | |||||
| CVE-2018-11124 | 1 Opmantek | 1 Open-audit | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Attributes functionality in Open-AudIT Community edition before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted attribute name of an Attribute. | |||||
| CVE-2018-11120 | 1 Ilias | 1 Ilias | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Services/COPage/classes/class.ilPCSourceCode.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS. | |||||
| CVE-2018-11118 | 1 Ilias | 1 Ilias | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The RSS subsystem in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a URI to Services/Feeds/classes/class.ilExternalFeedItem.php. | |||||
| CVE-2018-11117 | 1 Ilias | 1 Ilias | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Services/Feeds/classes/class.ilExternalFeedItem.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a link attribute. | |||||
| CVE-2018-11105 | 1 3cx | 1 Live Chat | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat whenever a malicious attacker would initiate a new chat with an administrator. NOTE: this issue exists because of an incomplete fix for CVE-2018-9864. | |||||
| CVE-2018-11101 | 1 Signal | 1 Signal-desktop | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply, a different vulnerability than CVE-2018-10994. The attacker needs to send HTML code directly as a message, and then reply to that message to trigger this vulnerability. The Signal-Desktop software fails to sanitize specific HTML elements that can be used to inject HTML code into remote chat windows when replying to an HTML message. Specifically the IMG and IFRAME elements can be used to include remote or local resources. For example, the use of an IFRAME element enables full code execution, allowing an attacker to download/upload files, information, etc. The SCRIPT element was also found to be injectable. On the Windows operating system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script on an SMB share within an IFRAME element, for example: <IFRAME src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it. The included JavaScript code is then executed automatically, without any interaction needed from the user. The vulnerability can be triggered in the Signal-Desktop client by sending a specially crafted message and then replying to it with any text or content in the reply (it doesn't matter). | |||||