Total
41742 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20173 | 1 Auth0 | 1 Login By Auth0 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XSS via a wle parameter associated with wp-login.php. | |||||
| CVE-2019-20154 | 1 Determine | 1 Contract Lifecycle Management | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) v5.4. A cross-site scripting (XSS) vulnerability in multiple getchart.jsp parameters allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2019-20152 | 1 Treasuryxpress | 1 Treasuryxpress | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed throughout the application. A malicious payload can be injected within the Custom Workflow component and inserted via the Create New Workflow field. As a result, the payload is executed via the navigation bar throughout the application. | |||||
| CVE-2019-20151 | 1 Treasuryxpress | 1 Treasuryxpress | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed by the application's administrator(s). A malicious payload can be injected within the Multi Approval security component and inserted via the Note field. As a result, the payload is executed by the application's administrator(s). | |||||
| CVE-2019-20141 | 1 Laborator | 1 Neon | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter. | |||||
| CVE-2019-20139 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user. | |||||
| CVE-2019-20102 | 1 Atlassian | 1 Confluence Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter. | |||||
| CVE-2019-20076 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, XSS exists via the form2Ddns.cgi username parameter (DynDns settings of the Dynamic DNS Configuration). | |||||
| CVE-2019-20075 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, pingrtt_v6.html has XSS (Ping6 Diagnostic). | |||||
| CVE-2019-20073 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, XSS exists via the form2userconfig.cgi username parameter (User Account Configuration). | |||||
| CVE-2019-20072 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname parameter (Dynamic DNS Configuration). | |||||
| CVE-2019-20070 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration). | |||||
| CVE-2019-20058 | 1 Boltcms | 1 Bolt | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use in production. This is related to CVE-2018-12040 | |||||
| CVE-2019-20042 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. | |||||
| CVE-2019-20008 | 1 Archerysec | 1 Archery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Archery before 1.3, inserting an XSS payload into a project name (either by creating a new project or editing an existing one) will result in stored XSS on the vulnerability-scan scheduling page. | |||||
| CVE-2019-20003 | 1 Dicube | 1 Easescreen Crystal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Feldtech easescreen Crystal 9.0 Web-Services 9.0.1.16265 allows Stored XSS via the Debug-Log and Display-Log components. This could be exploited when an attacker sends an crafted string for FTP authentication. | |||||
| CVE-2019-1973 | 1 Cisco | 1 Enterprise Network Function Virtualization Infrastructure | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web portal framework of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to improper input validation of log file content stored on the affected device. An attacker could exploit this vulnerability by modifying a log file with malicious code and getting a user to view the modified log file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information. | |||||
| CVE-2019-1956 | 1 Cisco | 2 Spa112 2-port Phone Adapter, Spa112 2-port Phone Adapter Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based interface of the Cisco SPA112 2-Port Phone Adapter could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against another user of the device. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the affected device. An attacker could exploit this vulnerability by inserting malicious code in one of the configuration fields. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-1941 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. At the time of publication, this vulnerability affected Cisco ISE running software releases prior to 2.4.0 Patch 9 and 2.6.0. | |||||
| CVE-2019-1882 | 1 Cisco | 1 Industrial Network Director | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks. The vulnerability is due to improper validation of content submitted to the affected application. An attacker could exploit this vulnerability by sending requests containing malicious values to the affected system. A successful exploit could allow the attacker to conduct XSS attacks. | |||||