CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (Cross Site Scripting (XSS))

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-1000078 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Linux foundation ONOS 1.9 is vulnerable to XSS in the device registration
2 CVE-2017-1000065 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
Multiple Cross-site scripting (XSS) vulnerabilities in rpc.php in OpenMediaVault release 2.1 in Access Rights Management(Users) functionality allows attackers to inject arbitrary web scripts and execute malicious scripts within an authenticated client's browser.
3 CVE-2017-1000063 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 page resulting in information disclosure
4 CVE-2017-1000059 79 Exec Code XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Live Helper Chat version 2.06v and older is vulnerable to Cross-Site Scripting in the HTTP Header handling resulting in the execution of any user provided Javascript code in the session of other users.
5 CVE-2017-1000058 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Stored XSS in chevereto CMS before version 3.8.11
6 CVE-2017-1000057 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
A reflected cross-site scripting vulnerability in GetSimple CMS version 3.3.13 and earlier, allow remote attackers to inject arbitrary JavaScript in the URL-field for the administrative login page (/admin/index.php).
7 CVE-2017-1000054 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdown link parsing code for messages.
8 CVE-2017-1000051 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content
9 CVE-2017-1000049 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Roundcube Webmail 1.1.5 is vulnerable to Persistent Xss
10 CVE-2017-1000043 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON name and map share control
11 CVE-2017-1000042 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON Name.
12 CVE-2017-1000038 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XSS resulting in attacker being able to execute JavaScript on the affected site
13 CVE-2017-1000036 79 Exec Code XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
All versions of Candy Chat are vulnerable to an XSS attack by message senders, permitting remote code execution within the page
14 CVE-2017-1000035 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener attack
15 CVE-2017-1000033 79 Exec Code XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
Wordpress Plugin Vospari Forms version < 1.4 is vulnerable to a reflected cross site scripting in the form submission resulting in javascript code execution in the context on the current user.
16 CVE-2017-1000032 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php.
17 CVE-2017-1000023 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
LogicalDoc CommunityEdition 7.5.3 and prior is vulnerable to an XSS when using preview on HTML document
18 CVE-2017-1000015 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters
19 CVE-2017-1000012 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying the data in the database to the user
20 CVE-2017-1000011 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
MyWebSQL version 3.6 is vulnerable to stored XSS in the database manager component resulting in account takeover or stealing of information
21 CVE-2017-1000006 XSS 2017-07-17 2017-07-17
0.0
None ??? ??? ??? ??? ??? ???
Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an XSS issue.
22 CVE-2017-1000005 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the name of databases, tables and columns resulting in potential account takeover and scraping of data (stealing data).
23 CVE-2017-11666 XSS 2017-07-26 2017-07-26
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting (XSS) vulnerability in js/ViewerPanel.js in the file previewer plugin in Kopano WebApp versions 3.3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via a specially crafted previewable file.
24 CVE-2017-11651 XSS 2017-07-26 2017-07-26
0.0
None ??? ??? ??? ??? ??? ???
NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url tag.
25 CVE-2017-11629 XSS 2017-07-26 2017-07-26
0.0
None ??? ??? ??? ??? ??? ???
dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request.
26 CVE-2017-11617 XSS 2017-07-25 2017-07-25
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting (XSS) vulnerability in atmail prior to version 7.8.0.2 allows remote attackers to inject arbitrary web script or HTML within the body of an email via an IMG element with both single quotes and double quotes.
27 CVE-2017-11612 XSS 2017-07-26 2017-07-26
0.0
None ??? ??? ??? ??? ??? ???
In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.
28 CVE-2017-11594 XSS 2017-07-23 2017-07-23
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new thread or a thread comment.
29 CVE-2017-11593 XSS 2017-07-23 2017-07-23
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus extension before 0.5.7 for Chrome allows remote attackers to inject arbitrary web script or HTML into some web applications via the upload and display of crafted text, markdown, or rst files that are designed to be viewed in the browser as plain text, but that will be converted to HTML without proper sanitization.
30 CVE-2017-11581 XSS 2017-07-23 2017-07-23
0.0
None ??? ??? ??? ??? ??? ???
dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character.
31 CVE-2017-11516 79 XSS 2017-07-21 2017-07-25
4.3
None Remote Medium Not required None Partial None
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.
32 CVE-2017-11503 79 XSS 2017-07-20 2017-07-25
4.3
None Remote Medium Not required None Partial None
PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.
33 CVE-2017-11460 XSS 2017-07-25 2017-07-25
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535.
34 CVE-2017-11458 XSS 2017-07-25 2017-07-25
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.
35 CVE-2017-11441 XSS 2017-07-19 2017-07-19
0.0
None ??? ??? ??? ??? ??? ???
The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before 58.0.52, 60.x before 60.0.45, 62.x before 62.0.27, 64.x before 64.0.33, and 66.x before 66.0.2 has XSS via a locale filename, aka SEC-297.
36 CVE-2017-11439 79 XSS 2017-07-19 2017-07-21
3.5
None Remote Medium Single system None Partial None
In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter.
37 CVE-2017-11202 79 XSS 2017-07-12 2017-07-16
4.3
None Remote Medium Not required None Partial None
FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than CVE-2017-11180.
38 CVE-2017-11201 79 XSS 2017-07-12 2017-07-16
3.5
None Remote Medium Single system None Partial None
application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images action.
39 CVE-2017-11198 79 XSS 2017-07-12 2017-07-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or name parameter.
40 CVE-2017-11195 79 XSS 2017-07-12 2017-07-18
4.3
None Remote Medium Not required None Partial None
Pulse Connect Secure 8.3R1 has Reflected XSS in launchHelp.cgi. The helpLaunchPage parameter is reflected in an IFRAME element, if the value contains two quotes. It properly sanitizes quotes and tags, so one cannot simply close the src with a quote and inject after that. However, an attacker can use javascript: or data: to abuse this.
41 CVE-2017-11194 79 XSS 2017-07-12 2017-07-17
4.3
None Remote Medium Not required None Partial None
Pulse Connect Secure 8.3R1 has Reflected XSS in adminservercacertdetails.cgi. In the admin panel, the certid parameter of adminservercacertdetails.cgi is reflected in the application's response and is not properly sanitized, allowing an attacker to inject tags. An attacker could come up with clever payloads to make the system run commands such as ping, ping6, traceroute, nslookup, arp, etc.
42 CVE-2017-11182 79 XSS 2017-07-11 2017-07-14
3.5
None Remote Medium Single system None Partial None
In Rise Ultimate Project Manager v1.8, XSS vulnerabilities were found in the My Profile section. All input fields are vulnerable.
43 CVE-2017-11181 79 XSS 2017-07-11 2017-07-14
3.5
None Remote Medium Single system None Partial None
In Rise Ultimate Project Manager v1.8, XSS vulnerabilities were found in the Messaging section. Subject and Message fields are vulnerable.
44 CVE-2017-11180 79 XSS 2017-07-11 2017-07-16
4.3
None Remote Medium Not required None Partial None
FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login screen.
45 CVE-2017-11179 79 XSS 2017-07-11 2017-07-16
4.3
None Remote Medium Not required None Partial None
FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user account.
46 CVE-2017-11163 79 XSS 2017-07-10 2017-07-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable.
47 CVE-2017-11128 79 XSS 2017-07-17 2017-07-19
3.5
None Remote Medium Single system None Partial None
Bolt CMS 3.2.14 allows stored XSS via text input, as demonstrated by the Title field of a New Entry.
48 CVE-2017-11127 79 XSS 2017-07-17 2017-07-19
3.5
None Remote Medium Single system None Partial None
Bolt CMS 3.2.14 allows stored XSS by uploading an SVG document with a "Content-Type: image/svg+xml" header.
49 CVE-2017-11107 79 XSS 2017-07-08 2017-07-13
4.3
None Remote Medium Not required None Partial None
phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the form, element, rdn, or container parameter.
50 CVE-2017-10991 79 XSS 2017-07-07 2017-07-13
4.3
None Remote Medium Not required None Partial None
The WP Statistics plugin through 12.0.9 for WordPress has XSS in the rangestart and rangeend parameters on the wps_referrers_page page.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.