Total
36841 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11033 | 1 Applaudsolutions | 1 Applaud Hcm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Applaud HCM 4.0.42+ uses HTML tag fields for HTML inputs in a form. This leads to an XSS vulnerability with a payload starting with the <iframe./> substring. | |||||
| CVE-2019-11032 | 1 Hr-technologies | 1 Easytorecruit | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In EasyToRecruit (E2R) before 2.11, the upload feature and the Candidate Profile Management feature are prone to Cross Site Scripting (XSS) injection in multiple locations. | |||||
| CVE-2019-11025 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. | |||||
| CVE-2019-11017 | 1 Dlink | 2 Di-524, Di-524 Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vulnerabilities were found in the Web Configuration: /spap.htm, /smap.htm, and /cgi-bin/smap, as demonstrated by the cgi-bin/smap RC parameter. | |||||
| CVE-2019-11004 | 1 Materializecss | 1 Materialize | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Materialize through 1.0.0, XSS is possible via the Toast feature. | |||||
| CVE-2019-11003 | 1 Materializecss | 1 Materialize | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Materialize through 1.0.0, XSS is possible via the Autocomplete feature. | |||||
| CVE-2019-11002 | 1 Materializecss | 1 Materialize | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Materialize through 1.0.0, XSS is possible via the Tooltip feature. | |||||
| CVE-2019-10957 | 1 Geutebrueck | 22 G-cam Ebc-2110, G-cam Ebc-2110 Firmware, G-cam Ebc-2111 and 19 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to event configuration to store malicious code on the server, which could later be triggered by a legitimate user resulting in code execution within the user’s browser. | |||||
| CVE-2019-10933 | 1 Siemens | 4 Spectrum Power 3, Spectrum Power 4, Spectrum Power 5 and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions < v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user does not need to be logged into the web interface in order for the exploitation to succeed.At the stage of publishing this security advisory no public exploitation is known. | |||||
| CVE-2019-10913 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation. | |||||
| CVE-2019-10909 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. | |||||
| CVE-2019-10905 | 1 Parsedown | 1 Parsedown | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring. | |||||
| CVE-2019-10904 | 2 Debian, Roundup-tracker | 2 Debian Linux, Roundup | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors. | |||||
| CVE-2019-10893 | 1 Centos-webpanel | 1 Centos Web Panel | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute. | |||||
| CVE-2019-10887 | 1 Salicru | 1 Slc-20-cube3\(5\) | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected HTML injection vulnerability on Salicru SLC-20-cube3(5) devices running firmware version cs121-SNMP v4.54.82.130611 allows remote attackers to inject arbitrary HTML elements via a /DataLog.csv?log= or /AlarmLog.csv?log= or /waitlog.cgi?name= or /chart.shtml?data= or /createlog.cgi?name= request. | |||||
| CVE-2019-10864 | 1 Veronalabs | 1 Wp Statistics | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request. | |||||
| CVE-2019-10846 | 1 Computrols | 1 Computrols Building Automation System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scripting vulnerabilities in the login page and password reset page via the username GET parameter. | |||||
| CVE-2019-10785 | 2 Debian, Linuxfoundation | 2 Debian Linux, Dojox | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. | |||||
| CVE-2019-10779 | 1 Gchq | 1 Stroom | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user. | |||||
| CVE-2019-10772 | 1 Svg-sanitizer Project | 1 Svg-sanitizer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer. | |||||