National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): XSS
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 13,783 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2019-13647

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing.

Published: July 17, 2019; 11:15:10 PM -04:00
(not available)
CVE-2019-13646

Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query.

Published: July 17, 2019; 11:15:10 PM -04:00
(not available)
CVE-2019-13645

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing.

Published: July 17, 2019; 11:15:10 PM -04:00
(not available)
CVE-2019-13644

Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page.

Published: July 17, 2019; 11:15:10 PM -04:00
(not available)
CVE-2019-13643

Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The attack begins by storing a new stream message containing an XSS payload. The stored payload can then be triggered by clicking a malicious link on the Notifications page.

Published: July 17, 2019; 11:15:10 PM -04:00
(not available)
CVE-2019-1941

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. At the time of publication, this vulnerability affected Cisco ISE running software releases prior to 2.4.0 Patch 9 and 2.6.0.

Published: July 17, 2019; 05:15:12 PM -04:00
(not available)
CVE-2019-1010287

Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a "redirect" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS, victim may click the malicious url.

Published: July 17, 2019; 05:15:11 PM -04:00
(not available)
CVE-2019-13493

In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. An authenticated unprivileged user can modify the uploaded file extension parameter to inject arbitrary JavaScript.

Published: July 17, 2019; 04:15:11 PM -04:00
(not available)
CVE-2019-13448

An issue was discovered in Sertek Xpare 3.67. The login form does not sanitize input data. Because of this, a malicious agent could exploit the vulnerable function in order to prepare an XSS payload to send to the product's clients.

Published: July 17, 2019; 04:15:11 PM -04:00
(not available)
CVE-2019-13346

In MyT 1.5.1, the User[username] parameter has XSS.

Published: July 17, 2019; 01:15:13 PM -04:00
(not available)
CVE-2019-12475

In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation.

Published: July 17, 2019; 01:15:13 PM -04:00
(not available)
CVE-2019-1010018

Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3.

Published: July 16, 2019; 09:15:10 AM -04:00
(not available)
CVE-2019-0234

A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of Roller, which is now Roller 5.2.3.

Published: July 15, 2019; 06:15:12 PM -04:00
(not available)
CVE-2019-1137

A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server, aka 'Microsoft Exchange Server Spoofing Vulnerability'.

Published: July 15, 2019; 03:15:21 PM -04:00
(not available)
CVE-2019-1134

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.

Published: July 15, 2019; 03:15:21 PM -04:00
(not available)
CVE-2019-1076

A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka 'Team Foundation Server Cross-site Scripting Vulnerability'.

Published: July 15, 2019; 03:15:17 PM -04:00
(not available)
CVE-2019-1010307

GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS leading to privilege escalation and executing js on admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: 1- User Create a ticket , 2- Admin opens another ticket and click on the "Link Tickets" feature, 3- a request to the endpoint fetches js and executes it.

Published: July 15, 2019; 02:15:12 PM -04:00
(not available)
CVE-2019-1010028

phpscriptsmall.com School College Portal with ERP Script 2.6.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attack administrators and teachers, students and more. The component is: /pro-school/index.php?student/message/send_reply/. The attack vector is: <img src=x onerror=alert(document.domain) />.

Published: July 15, 2019; 12:15:13 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-1010016

Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker.

Published: July 14, 2019; 11:15:10 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-1010008

OpenEnergyMonitor Project Emoncms 9.8.8 is affected by: Cross Site Scripting (XSS). The impact is: Theoretically low, but might potentially enable persistent XSS (user could embed mal. code). The component is: Javascript code execution in "Name", "Location", "Bio" and "Starting Page" fields in the "My Account" page. File: Lib/listjs/list.js, line 67. The attack vector is: unknown, victim must open profile page if persistent was possible.

Published: July 14, 2019; 10:15:10 PM -04:00
(not available)