CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-79

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-1000078 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Linux foundation ONOS 1.9 is vulnerable to XSS in the device registration
2 CVE-2017-1000065 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
Multiple Cross-site scripting (XSS) vulnerabilities in rpc.php in OpenMediaVault release 2.1 in Access Rights Management(Users) functionality allows attackers to inject arbitrary web scripts and execute malicious scripts within an authenticated client's browser.
3 CVE-2017-1000063 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 page resulting in information disclosure
4 CVE-2017-1000059 79 Exec Code XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Live Helper Chat version 2.06v and older is vulnerable to Cross-Site Scripting in the HTTP Header handling resulting in the execution of any user provided Javascript code in the session of other users.
5 CVE-2017-1000058 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Stored XSS in chevereto CMS before version 3.8.11
6 CVE-2017-1000057 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
A reflected cross-site scripting vulnerability in GetSimple CMS version 3.3.13 and earlier, allow remote attackers to inject arbitrary JavaScript in the URL-field for the administrative login page (/admin/index.php).
7 CVE-2017-1000054 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdown link parsing code for messages.
8 CVE-2017-1000051 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content
9 CVE-2017-1000049 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Roundcube Webmail 1.1.5 is vulnerable to Persistent Xss
10 CVE-2017-1000043 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON name and map share control
11 CVE-2017-1000042 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON Name.
12 CVE-2017-1000038 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XSS resulting in attacker being able to execute JavaScript on the affected site
13 CVE-2017-1000036 79 Exec Code XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
All versions of Candy Chat are vulnerable to an XSS attack by message senders, permitting remote code execution within the page
14 CVE-2017-1000035 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener attack
15 CVE-2017-1000033 79 Exec Code XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
Wordpress Plugin Vospari Forms version < 1.4 is vulnerable to a reflected cross site scripting in the form submission resulting in javascript code execution in the context on the current user.
16 CVE-2017-1000032 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php.
17 CVE-2017-1000023 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
LogicalDoc CommunityEdition 7.5.3 and prior is vulnerable to an XSS when using preview on HTML document
18 CVE-2017-1000015 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters
19 CVE-2017-1000012 79 XSS 2017-07-17 2017-08-15
4.3
None Remote Medium Not required None Partial None
MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying the data in the database to the user
20 CVE-2017-1000011 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
MyWebSQL version 3.6 is vulnerable to stored XSS in the database manager component resulting in account takeover or stealing of information
21 CVE-2017-1000006 79 XSS 2017-07-17 2017-07-27
4.3
None Remote Medium Not required None Partial None
Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an XSS issue.
22 CVE-2017-1000005 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the name of databases, tables and columns resulting in potential account takeover and scraping of data (stealing data).
23 CVE-2017-12655 79 XSS 2017-08-07 2017-08-15
4.3
None Remote Medium Not required None Partial None
Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the query parameter to log.php in a dailylog action.
24 CVE-2017-12649 79 XSS 2017-08-07 2017-08-09
4.3
None Remote Medium Not required None Partial None
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or summary that is mishandled in the Web Content Display.
25 CVE-2017-12648 79 XSS 2017-08-07 2017-08-09
4.3
None Remote Medium Not required None Partial None
XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.
26 CVE-2017-12647 79 XSS 2017-08-07 2017-08-09
4.3
None Remote Medium Not required None Partial None
XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base article title.
27 CVE-2017-12646 79 XSS 2017-08-07 2017-08-09
4.3
None Remote Medium Not required None Partial None
XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.
28 CVE-2017-12645 79 XSS 2017-08-07 2017-08-09
4.3
None Remote Medium Not required None Partial None
XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.
29 CVE-2017-12583 79 XSS 2017-08-05 2017-08-15
4.3
None Remote Medium Not required None Partial None
DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php.
30 CVE-2017-12572 79 XSS 2017-08-05 2017-08-15
3.5
None Remote Medium Single system None Partial None
Persistent Cross Site Scripting (XSS) exists in Splunk Enterprise 6.5.x before 6.5.2, 6.4.x before 6.4.6, and 6.3.x before 6.3.9 and Splunk Light before 6.5.2, with exploitation requiring administrative access, aka SPL-134104.
31 CVE-2017-12413 79 XSS 2017-08-04 2017-08-15
4.3
None Remote Medium Not required None Partial None
AXIS 2100 devices 2.43 have XSS via the URI, possibly related to admin/admin.shtml.
32 CVE-2017-12200 79 XSS 2017-08-02 2017-08-08
4.3
None Remote Medium Not required None Partial None
The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has XSS in the Add Product Manually component.
33 CVE-2017-12139 79 XSS 2017-08-02 2017-08-04
4.3
None Remote Medium Not required None Partial None
XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php.
34 CVE-2017-12131 79 XSS 2017-08-01 2017-08-10
4.3
None Remote Medium Not required None Partial None
The Easy Testimonials plugin 3.0.4 for WordPress has XSS in include/settings/display.options.php, as demonstrated by the Default Testimonials Width, View More Testimonials Link, and Testimonial Excerpt Options screens.
35 CVE-2017-12068 79 XSS 2017-08-01 2017-08-10
4.3
None Remote Medium Not required None Partial None
The Event List plugin 0.7.9 for WordPress has XSS in the slug array parameter to wp-admin/admin.php in an el_admin_categories delete_bulk action.
36 CVE-2017-12066 79 XSS 2017-08-01 2017-08-02
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163.
37 CVE-2017-12062 79 Exec Code XSS 2017-08-01 2017-08-15
4.3
None Remote Medium Not required None Partial None
An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
38 CVE-2017-12061 79 XSS 2017-08-01 2017-08-15
4.3
None Remote Medium Not required None Partial None
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.
39 CVE-2017-11744 79 XSS 2017-07-30 2017-08-02
4.3
None Remote Medium Not required None Partial None
In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to connectors/index.php will be triggered by every user, when they visit this module.
40 CVE-2017-11737 79 XSS 2017-07-29 2017-08-02
4.3
None Remote Medium Not required None Partial None
interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS via the Subject and Message-Id headers, which are mishandled in the history page.
41 CVE-2017-11727 79 Exec Code XSS 2017-07-31 2017-08-04
4.3
None Remote Medium Not required None Partial None
services/system_io/actionprocessor/Contact.rails in ConnectWise Manage 2017.5 allows arbitrary client-side JavaScript code execution (involving a ContactCommon field) on victims who click on a crafted link, aka XSS.
42 CVE-2017-11716 79 XSS 2017-07-28 2017-08-09
4.3
None Remote Medium Not required None Partial None
MetInfo through 5.3.17 allows stored XSS via HTML Edit Mode.
43 CVE-2017-11691 79 XSS 2017-07-27 2017-08-04
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.
44 CVE-2017-11687 79 XSS 2017-07-27 2017-08-02
4.3
None Remote Medium Not required None Partial None
Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog.
45 CVE-2017-11686 79 XSS 2017-07-27 2017-08-02
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method.
46 CVE-2017-11685 79 XSS 2017-07-27 2017-08-02
4.3
None Remote Medium Not required None Partial None
Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter.
47 CVE-2017-11682 79 XSS 2017-07-27 2017-08-02
4.3
None Remote Medium Not required None Partial None
Stored Cross-site scripting vulnerability in Hashtopussy 0.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) version, (2) url, or (3) rootdir parameter in hashcat.php.
48 CVE-2017-11677 79 XSS 2017-07-27 2017-08-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Hashtopus 1.5g allows remote attackers to inject arbitrary web script or HTML via the query string to admin.php.
49 CVE-2017-11666 79 XSS 2017-07-26 2017-08-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in js/ViewerPanel.js in the file previewer plugin in Kopano WebApp versions 3.3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via a specially crafted previewable file.
50 CVE-2017-11651 79 XSS 2017-07-26 2017-07-31
4.3
None Remote Medium Not required None Partial None
NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url tag.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.