CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2017(Cross Site Scripting (XSS))

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-1002017 79 XSS 2017-09-14 2017-09-21
4.3
None Remote Medium Not required None Partial None
Vulnerability in wordpress plugin gift-certificate-creator v1.0, The code in gc-list.php doesn't sanitize user input to prevent a stored XSS vulnerability.
2 CVE-2017-1002011 79 XSS 2017-09-14 2017-09-20
3.5
None Remote Medium Single system None Partial None
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, There is a stored XSS vulnerability via the $value->gallery_name and $value->gallery_description where anyone with privileges to modify or add galleries/images and inject javascript into the database.
3 CVE-2017-1001001 79 XSS 2017-11-01 2017-11-18
3.5
None Remote Medium Single system None Partial None
PluXml version 5.6 is vulnerable to stored cross-site scripting vulnerability, within the article creation page, which can result in escalation of privileges.
4 CVE-2017-1000240 XSS 2017-11-16 2017-11-16
0.0
None ??? ??? ??? ??? ??? ???
The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML.
5 CVE-2017-1000239 XSS 2017-11-16 2017-11-16
0.0
None ??? ??? ??? ??? ??? ???
InvoicePlane version 1.4.10 is vulnerable to a Stored Cross Site Scripting resulting in allowing an authenticated user to inject malicious client side script which will be executed in the browser of users if they visit the manipulated site.
6 CVE-2017-1000236 XSS 2017-11-16 2017-11-16
0.0
None ??? ??? ??? ??? ??? ???
I, Librarian version <=4.6 & 4.7 is vulnerable to Reflected Cross-Site Scripting in the temp.php resulting in an attacker being able to inject malicious client side scripting which will be executed in the browser of users if they visit the manipulated site.
7 CVE-2017-1000227 XSS 2017-11-17 2017-11-17
0.0
None ??? ??? ??? ??? ??? ???
Stored XSS in Salutation Responsive WordPress + BuddyPress Theme version 3.0.15 could allow logged-in users to do almost anything an admin can
8 CVE-2017-1000225 XSS 2017-11-17 2017-11-17
0.0
None ??? ??? ??? ??? ??? ???
Reflected XSS in Relevanssi Premium version 1.14.8 when using relevanssi_didyoumean() could allow unauthenticated attacker to do almost anything an admin can
9 CVE-2017-1000223 XSS 2017-11-17 2017-11-17
0.0
None ??? ??? ??? ??? ??? ???
A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS.
10 CVE-2017-1000213 XSS 2017-11-16 2017-11-16
0.0
None ??? ??? ??? ??? ??? ???
WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST parameter in /admin/admintools/tool.php?tool=user_search
11 CVE-2017-1000193 Exec Code XSS 2017-11-16 2017-11-16
0.0
None ??? ??? ??? ??? ??? ???
October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand logo image name resulting in JavaScript code execution in the victim's browser.
12 CVE-2017-1000188 XSS 2017-11-16 2017-11-16
0.0
None ??? ??? ??? ??? ??? ???
nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection
13 CVE-2017-1000164 Exec Code XSS 2017-11-17 2017-11-17
0.0
None ??? ??? ??? ??? ??? ???
Tine 2.0 version 2017.02.4 is vulnerable to XSS in the Addressbook resulting code execution and privilege escalation
14 CVE-2017-1000160 XSS 2017-11-17 2017-11-17
0.0
None ??? ??? ??? ??? ??? ???
EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection
15 CVE-2017-1000149 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.10 before 1.10.9 and 15.04 before 15.04.6 and 15.10 before 15.10.2 are vulnerable to XSS due to window.opener (target="_blank" and window.open())
16 CVE-2017-1000146 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to the arbitrary execution of Javascript in the browser of a logged-in user because the title of the portfolio page was not being properly escaped in the AJAX script that updates the Add/remove watchlist link on artefact detail pages.
17 CVE-2017-1000144 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before 15.04.1 are vulnerable to a site admin or institution admin being able to place HTML and Javascript into an institution display name, which will be displayed to other users unescaped on some Mahara system pages.
18 CVE-2017-1000140 79 Exec Code XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .xml file that can have its code executed when user tries to download the file.
19 CVE-2017-1000138 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when dragging/dropping files into a collection if the file has Javascript code in its title.
20 CVE-2017-1000137 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when adding a text block to a page via the keyboard (rather than drag and drop).
21 CVE-2017-1000132 79 Exec Code XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .swf files that can have its code executed when a user tries to download the file.
22 CVE-2017-1000114 200 XSS +Info 2017-10-04 2017-10-17
4.3
None Remote Medium Not required Partial None None
The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example through browser extensions or cross-site scripting vulnerabilities. The Datadog Plugin now encrypts the API key transmitted to administrators viewing the global configuration form.
23 CVE-2017-1000109 79 XSS 2017-10-04 2017-10-19
4.3
None Remote Medium Not required None Partial None
The custom Details view of the Static Analysis Utilities based OWASP Dependency-Check Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.
24 CVE-2017-1000103 79 XSS 2017-10-04 2017-11-01
3.5
None Remote Medium Single system None Partial None
The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.
25 CVE-2017-1000102 79 XSS 2017-10-04 2017-11-01
3.5
None Remote Medium Single system None Partial None
The Details view of some Static Analysis Utilities based plugins, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings Plugin), could insert arbitrary HTML into this view.
26 CVE-2017-1000088 79 XSS 2017-10-04 2017-11-02
3.5
None Remote Medium Single system None Partial None
The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links.
27 CVE-2017-1000078 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Linux foundation ONOS 1.9 is vulnerable to XSS in the device registration
28 CVE-2017-1000065 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
Multiple Cross-site scripting (XSS) vulnerabilities in rpc.php in OpenMediaVault release 2.1 in Access Rights Management(Users) functionality allows attackers to inject arbitrary web scripts and execute malicious scripts within an authenticated client's browser.
29 CVE-2017-1000063 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 page resulting in information disclosure
30 CVE-2017-1000059 79 Exec Code XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Live Helper Chat version 2.06v and older is vulnerable to Cross-Site Scripting in the HTTP Header handling resulting in the execution of any user provided Javascript code in the session of other users.
31 CVE-2017-1000058 79 XSS 2017-07-17 2017-10-30
4.3
None Remote Medium Not required None Partial None
Stored XSS vulnerabilities in chevereto CMS before version 3.8.11, one in the user profile and one in the Exif data parser.
32 CVE-2017-1000057 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
A reflected cross-site scripting vulnerability in GetSimple CMS version 3.3.13 and earlier, allow remote attackers to inject arbitrary JavaScript in the URL-field for the administrative login page (/admin/index.php).
33 CVE-2017-1000054 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdown link parsing code for messages.
34 CVE-2017-1000051 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content
35 CVE-2017-1000049 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Roundcube Webmail 1.1.5 is vulnerable to Persistent Xss
36 CVE-2017-1000043 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON name and map share control
37 CVE-2017-1000042 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON Name.
38 CVE-2017-1000038 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XSS resulting in attacker being able to execute JavaScript on the affected site
39 CVE-2017-1000036 79 Exec Code XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
All versions of Candy Chat are vulnerable to an XSS attack by message senders, permitting remote code execution within the page
40 CVE-2017-1000035 79 XSS 2017-07-17 2017-10-06
4.3
None Remote Medium Not required None Partial None
Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener attack
41 CVE-2017-1000033 79 Exec Code XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
Wordpress Plugin Vospari Forms version < 1.4 is vulnerable to a reflected cross site scripting in the form submission resulting in javascript code execution in the context on the current user.
42 CVE-2017-1000032 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php.
43 CVE-2017-1000023 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
LogicalDoc CommunityEdition 7.5.3 and prior is vulnerable to an XSS when using preview on HTML document
44 CVE-2017-1000015 79 XSS 2017-07-17 2017-07-19
4.3
None Remote Medium Not required None Partial None
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters
45 CVE-2017-1000012 79 XSS 2017-07-17 2017-08-15
4.3
None Remote Medium Not required None Partial None
MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying the data in the database to the user
46 CVE-2017-1000011 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
MyWebSQL version 3.6 is vulnerable to stored XSS in the database manager component resulting in account takeover or stealing of information
47 CVE-2017-1000006 79 XSS 2017-07-17 2017-07-27
4.3
None Remote Medium Not required None Partial None
Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an XSS issue.
48 CVE-2017-1000005 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the name of databases, tables and columns resulting in potential account takeover and scraping of data (stealing data).
49 CVE-2017-16881 XSS 2017-11-18 2017-11-18
0.0
None ??? ??? ??? ??? ??? ???
b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON objects, as demonstrated by a crafted userAvatarURL value to /settings/avatar, related to processor/AdminProcessor.java, processor/ArticleProcessor.java, processor/UserProcessor.java, service/ArticleQueryService.java, service/AvatarQueryService.java, and service/CommentQueryService.java.
50 CVE-2017-16880 XSS 2017-11-17 2017-11-17
0.0
None ??? ??? ??? ??? ??? ???
The dump function in Util/TemplateHelper.php in filp whoops before 2.1.13 has XSS.
Total number of vulnerabilities : 1351   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.