Search Results (Refine Search)
- Keyword (text search): xss
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2017-17698 |
Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. Published: December 15, 2017; 2:29:00 PM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-17694 |
Techno - Portfolio Management Panel through 2017-11-16 allows XSS via the panel/search.php s parameter. Published: December 15, 2017; 4:29:00 AM -0500 |
V4.0:(not available) V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2017-17569 |
Scubez Posty Readymade Classifieds has XSS via the admin/user_activate_submit.php ID parameter. Published: December 13, 2017; 4:29:00 AM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-17451 |
The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsubscribe handler via the mes parameter to view/subscription/unsubscribe2.php. Published: December 06, 2017; 7:29:00 PM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-17383 |
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. Published: December 06, 2017; 12:29:00 AM -0500 |
V4.0:(not available) V3.0: 4.7 MEDIUM V2.0: 3.5 LOW |
CVE-2017-17431 |
GeniXCMS 1.1.5 has XSS via the from, id, lang, menuid, mod, q, status, term, to, or token parameter. NOTE: this might overlap CVE-2017-14761, CVE-2017-14762, or CVE-2017-14765. Published: December 05, 2017; 4:29:00 PM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-17057 |
There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. The vulnerability exists due to insufficient filtration of user-supplied data in the 'Range' field of the 'Department' module in a Personnel Advanced Query. A remote attacker can execute arbitrary HTML and script code in the browser in the context of the vulnerable application. Published: December 04, 2017; 9:29:00 AM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-17094 |
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. Published: December 02, 2017; 1:29:00 AM -0500 |
V4.0:(not available) V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2017-17093 |
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. Published: December 02, 2017; 1:29:00 AM -0500 |
V4.0:(not available) V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2017-17092 |
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. Published: December 02, 2017; 1:29:00 AM -0500 |
V4.0:(not available) V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2017-17059 |
XSS exists in the amtyThumb amty-thumb-recent-post (aka amtyThumb posts or wp-thumb-post) plugin 8.1.3 for WordPress via the query string to amtyThumbPostsAdminPg.php. Published: November 29, 2017; 12:29:00 PM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-17043 |
The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly. Published: November 28, 2017; 5:29:00 PM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-15051 |
Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first authenticated to the application. For the first one, the attacker has to simply inject XSS code within the URL field of a shared item. For the second one however, the attacker must prepare a payload within its profile, and then ask an administrator to modify its profile. From there, whenever the administrator accesses the log, it can be XSS'ed. Published: November 27, 2017; 2:29:00 PM -0500 |
V4.0:(not available) V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2017-15100 |
An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page. Published: November 27, 2017; 9:29:00 AM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-8044 |
In Pivotal Single Sign-On for PCF (1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3), certain pages allow code to be injected into the DOM environment through query parameters, leading to XSS attacks. Published: November 27, 2017; 5:29:00 AM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-16962 |
The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted Outlook.com calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component. Published: November 27, 2017; 5:29:00 AM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-16956 |
b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title. Published: November 27, 2017; 5:29:00 AM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-8127 |
The UMA product with software V200R001 has a cross-site scripting (XSS) vulnerability due to insufficient input validation. An attacker could craft malicious links or scripts to launch XSS attacks. Published: November 22, 2017; 2:29:02 PM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-8125 |
The UMA product with software V200R001 and V300R001 has a cross-site scripting (XSS) vulnerability due to insufficient input validation. An attacker could craft malicious links or scripts to launch XSS attacks. Published: November 22, 2017; 2:29:02 PM -0500 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-16908 |
In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed. Published: November 20, 2017; 3:29:00 PM -0500 |
V4.0:(not available) V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |