Total
36928 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-19908 | 1 Ciprianmp | 1 Phpmychat-plus | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable.
CVE-2019-19903 | 1 Backdropcms | 1 Backdrop Cms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer file types" permission.
CVE-2019-19901 | 1 Backdropcms | 1 Backdrop Cms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when configuring a layout, aka XSS. This issue is mitigated by the fact that the attacker would be required to have the permission to create custom blocks, which is typically an administrative task.
CVE-2019-19900 | 1 Backdropcms | 1 Backdrop Cms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer content types" permission.
CVE-2019-19865 | 1 Atos | 1 Unify Openscape Uc Web Client | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Atos Unify OpenScape UC Application V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows XSS. An attacker could exploit this by convincing an authenticated user to inject arbitrary JavaScript code in the Profile Name field. A browser would execute this stored XSS payload.
CVE-2019-19858 | 1 Serpico Project | 1 Serpico | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/add_user/UID allows stored XSS via the author parameter.
CVE-2019-19856 | 1 Serpico Project | 1 Serpico | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. The User Type on the admin/list_user page allows stored XSS via the type parameter.
CVE-2019-19855 | 1 Serpico Project | 1 Serpico | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/list_user allows stored XSS via the auth_type parameter.
CVE-2019-19852 | 1 Sangoma | 1 Freepbx | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4.
CVE-2019-19851 | 1 Sangoma | 1 Freepbx | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20.
CVE-2019-19829 | 1 Solarwinds | 1 Serv-u Ftp Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability exists in SolarWinds Serv-U FTP Server 15.1.7 in the email parameter, a different vulnerability than CVE-2018-19934 and CVE-2019-13182.
CVE-2019-19821 | 1 Combodo | 1 Itop | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH | A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions 2.5.4, 2.6.3, 2.7.0.
CVE-2019-19773 | 1 Lexmark | 160 6500e, 6500e Firmware, C734 and 157 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Various Lexmark products have stored XSS in the embedded web server used in older generation Lexmark devices. Affected products are listed at http://support.lexmark.com/index?page=content&id=TE935&locale=en&userlocale=EN_US.
CVE-2019-19772 | 1 Lexmark | 160 6500e, 6500e Firmware, C734 and 157 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Various Lexmark products have reflected XSS in the embedded web server used in older generation Lexmark devices. Affected products are listed at http://support.lexmark.com/index?page=content&id=TE935&locale=en&userlocale=EN_US.
CVE-2019-19757 | 1 Lenovo | 1 Xclarity Administrator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not on LXCA itself.
CVE-2019-19748 | 1 Brizoit | 1 Work Time Calendar | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Work Time Calendar app before 4.7.1 for Jira allows XSS.
CVE-2019-19742 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | On D-Link DIR-615 devices, the User Account Configuration page is vulnerable to blind XSS via the name field.
CVE-2019-19738 | 1 Mfscripts | 1 Yetishare | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the lFile parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS.
CVE-2019-19733 | 1 Mfscripts | 1 Yetishare | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | _get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.ajax.php) in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS.
CVE-2019-19719 | 3 Linux, Microsoft, Tableau | 3 Linux Kernel, Windows, Tableau Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.