Total: 39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10864 | 1 Veronalabs | 1 Wp Statistics | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request. | |||||
| CVE-2019-10846 | 1 Computrols | 1 Computrols Building Automation System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scripting vulnerabilities in the login page and password reset page via the username GET parameter. | |||||
| CVE-2019-10785 | 2 Debian, Linuxfoundation | 2 Debian Linux, Dojox | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. | |||||
| CVE-2019-10779 | 1 Gchq | 1 Stroom | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user. | |||||
| CVE-2019-10772 | 1 Svg-sanitizer Project | 1 Svg-sanitizer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer. | |||||
| CVE-2019-10771 | 1 Iobroker | 1 Iobroker.web | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Characters in the GET URL path are not properly escaped and can be reflected in the server response. | |||||
| CVE-2019-10770 | 1 Ratpack | 1 Ratpack | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode. | |||||
| CVE-2019-10756 | 1 Nodered | 1 Node-red-dashboard | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default. | |||||
| CVE-2019-10715 | 1 Verodin | 1 Director | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| There is Stored XSS in Verodin Director 3.5.3.0 and earlier via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages. | |||||
| CVE-2019-10685 | 1 Heidelberg | 1 Prinect Archiver | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Heidelberg Prinect Archiver v2013 release 1.0. | |||||
| CVE-2019-10677 | 1 Dasanzhone | 2 Znid Gpon 2426a Eu, Znid Gpon 2426a Eu Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues in the web interface on DASAN Zhone ZNID GPON 2426A EU version S3.1.285 devices allow a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameter: /zhndnsdisplay.cmd (name), /wlsecrefresh.wl (wlWscCfgMethod, wl_wsc_reg). | |||||
| CVE-2019-10670 | 1 Librenms | 1 Librenms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input in an HTML or a JavaScript context, resulting in unsafe data being injected into these contexts, leading to attacker controlled JavaScript executing in the browser. One example of this is the string parameter in html/pages/inventory.inc.php. | |||||
| CVE-2019-10646 | 1 Wolfcms | 1 Wolf Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wolf CMS v0.8.3.1 is affected by cross site scripting (XSS) in the module Add Snippet (/?/admin/snippet/add). This allows an attacker to insert arbitrary JavaScript as user input, which will be executed whenever the affected snippet is loaded. | |||||
| CVE-2019-10634 | 1 Zyxel | 2 Nas326, Nas326 Firmware | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields. | |||||
| CVE-2019-10475 | 1 Jenkins | 1 Build-metrics | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin. | |||||
| CVE-2019-10432 | 1 Jenkins | 1 Html Publisher | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those. | |||||
| CVE-2019-10410 | 1 Jenkins | 1 Log Parser | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules. | |||||
| CVE-2019-10406 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission. | |||||
| CVE-2019-10405 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. | |||||
| CVE-2019-10404 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. | |||||
