Total
36925 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16956 | 1 Solarwinds | 1 Web Help Desk | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket. | |||||
| CVE-2019-16955 | 1 Solarwinds | 1 Webhelpdesk | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request. | |||||
| CVE-2019-16954 | 1 Solarwinds | 1 Web Help Desk | 2024-11-21 | 4.9 MEDIUM | 5.4 MEDIUM |
| SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket. | |||||
| CVE-2019-16950 | 1 Enghouse | 1 Web Chat | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. The QueueName parameter of a GET request allows for insertion of user-supplied JavaScript. | |||||
| CVE-2019-16935 | 3 Canonical, Debian, Python | 3 Ubuntu Linux, Debian Linux, Python | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. | |||||
| CVE-2019-16931 | 1 Themeisle | 1 Visualizer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPress allows an unauthenticated attacker to execute arbitrary JavaScript when an admin or other privileged user edits the chart via the admin dashboard. This occurs because classes/Visualizer/Gutenberg/Block.php registers wp-json/visualizer/v1/update-chart with no access control, and classes/Visualizer/Render/Page/Data.php lacks output sanitization. | |||||
| CVE-2019-16926 | 1 Flower Project | 1 Flower | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Flower 0.9.3 has XSS via a crafted worker name. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren’t user facing configuration options. They are internal backend config options and person having rights to change them already has full access | |||||
| CVE-2019-16925 | 1 Flower Project | 1 Flower | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren’t user facing configuration options. They are internal backend config options and person having rights to change them already has full access | |||||
| CVE-2019-16923 | 1 Kkcms Project | 1 Kkcms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| kkcms 1.3 has jx.php?url= XSS. | |||||
| CVE-2019-16914 | 1 Netgate | 1 Pfsense | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization. | |||||
| CVE-2019-16904 | 1 Teampass | 1 Teampass | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.) | |||||
| CVE-2019-16890 | 1 Halo | 1 Halo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments. | |||||
| CVE-2019-16878 | 1 Portainer | 1 Portainer | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Portainer before 1.22.1 has XSS (issue 2 of 2). | |||||
| CVE-2019-16873 | 1 Portainer | 1 Portainer | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Portainer before 1.22.1 has XSS (issue 1 of 2). | |||||
| CVE-2019-16862 | 1 Open-emr | 1 Openemr | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter. | |||||
| CVE-2019-16781 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 3.5 LOW | 5.8 MEDIUM |
| In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS. | |||||
| CVE-2019-16780 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 3.5 LOW | 5.8 MEDIUM |
| WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled. | |||||
| CVE-2019-16772 | 1 Serialize-to-js Project | 1 Serialize-to-js | 2024-11-21 | 4.3 MEDIUM | 3.1 LOW |
| The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability. | |||||
| CVE-2019-16769 | 1 Verizon | 1 Serialize-javascript | 2024-11-21 | 3.5 LOW | 4.2 MEDIUM |
| The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability. | |||||
| CVE-2019-16763 | 1 Pannellum | 1 Pannellum | 2024-11-21 | 4.3 MEDIUM | 4.8 MEDIUM |
| In Pannellum from 2.5.0 through 2.5.4 URLs were not sanitized for data URIs (or vbscript:), allowing for potential XSS attacks. Such an attack would require a user to click on a hot spot to execute and would require an attacker-provided configuration. The most plausible potential attack would be if pannellum.htm was hosted on a domain that shared cookies with the targeted site's user authentication; an <iframe> could then be embedded on the attacker's site using pannellum.htm from the targeted site, which would allow the attacker to potentially access information from the targeted site as the authenticated user (or worse if the targeted site did not have adequate CSRF protections) if the user clicked on a hot spot in the attacker's embedded panorama viewer. This was patched in version 2.5.5. | |||||