| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-1999029 |
79 |
|
XSS |
2018-08-01 |
2018-10-01 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
2 |
CVE-2018-1999024 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. This attack appear to be exploitable via The victim must view a page where untrusted content is processed using Mathjax. This vulnerability appears to have been fixed in 2.7.4 and later. |
|
3 |
CVE-2018-1999021 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Gleezcms Gleez Cms version 1.3.0 contains a Cross Site Scripting (XSS) vulnerability in Profile page that can result in Inject arbitrary web script or HTML via the profile page editor. This attack appear to be exploitable via The victim must navigate to the attacker's profile page. |
|
4 |
CVE-2018-1999020 |
22 |
|
Dir. Trav. |
2018-07-23 |
2018-09-20 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Open Networking Foundation (ONF) ONOS version 1.13.2 and earlier version contains a Directory Traversal vulnerability in core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java line 35 that can result in arbitrary file deletion (overwrite). This attack appear to be exploitable via a specially crafted zip file should be uploaded. |
|
5 |
CVE-2018-1999016 |
79 |
|
Sql XSS |
2018-07-23 |
2018-09-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48; ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines: 114,118 that can result in an unauthenticated remote attacker manipulating the web client via XSS code injection. This attack appear to be exploitable via the victim openning a specially crafted URL. This vulnerability appears to have been fixed in version 8.2.1. |
|
6 |
CVE-2018-1999008 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable via an Authenticated user with media module permission who can create arbitrary folder name (XSS). This vulnerability appears to have been fixed in build 437. |
|
7 |
CVE-2018-1999007 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. |
|
8 |
CVE-2018-1999005 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
9 |
CVE-2018-1002209 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
QuaZIP before 0.7.6 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
10 |
CVE-2018-1002208 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
sharplibzip before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
11 |
CVE-2018-1002207 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
12 |
CVE-2018-1002206 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
SharpCompress before 0.21.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
13 |
CVE-2018-1002205 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
14 |
CVE-2018-1002204 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
15 |
CVE-2018-1002203 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
unzipper npm library before 0.8.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
16 |
CVE-2018-1002202 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
17 |
CVE-2018-1002201 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
zt-zip before 1.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
18 |
CVE-2018-1002200 |
22 |
|
Dir. Trav. |
2018-07-25 |
2018-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. |
|
19 |
CVE-2018-1000804 |
|
|
Exec Code Overflow Sql |
2018-10-08 |
2018-10-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL (Antelope Query Language) database engine that can result in Attacker can perform Remote Code Execution on device using Contiki-NG operating system. This attack appear to be exploitable via Attacker must be able to run malicious AQL code (e.g. via SQL-like Injection attack). |
|
20 |
CVE-2018-1000801 |
|
|
Dir. Trav. |
2018-09-06 |
2018-09-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
okular version 18.08 and earlier contains a Directory Traversal vulnerability in function "unpackDocumentArchive(...)" in "core/document.cpp" that can result in Arbitrary file creation on the user workstation. This attack appear to be exploitable via he victim must open a specially crafted Okular archive. This issue appears to have been corrected in version 18.08.1 |
|
21 |
CVE-2018-1000671 |
|
|
XSS |
2018-09-06 |
2018-09-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The "referer" parameter of the wwsympa.fcgi login action. that can result in Open redirection and reflected XSS via data URIs. This attack appear to be exploitable via Victim's browser must follow a URL supplied by the attacker. This vulnerability appears to have been fixed in none available. |
|
22 |
CVE-2018-1000670 |
|
|
XSS |
2018-09-06 |
2018-09-06 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , /cgi-bin/koha/serials/subscription-add.pl that can result in Privilege escalation by taking control of higher privileged users browser sessions. This attack appear to be exploitable via Victims must be socially engineered to visit a vulnerable webpage containing malicious payload. This vulnerability appears to have been fixed in 17.11. |
|
23 |
CVE-2018-1000669 |
|
|
CSRF |
2018-09-06 |
2018-09-06 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11. |
|
24 |
CVE-2018-1000665 |
|
|
XSS Bypass |
2018-09-06 |
2018-09-06 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross Site Scripting (XSS) vulnerability in unit.html and testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js in the DOH that can result in Victim attacked through their browser - deliver malware, steal HTTP cookies, bypass CORS trust. This attack appear to be exploitable via Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. This vulnerability appears to have been fixed in 1.14. |
|
25 |
CVE-2018-1000659 |
|
|
Exec Code Dir. Trav. |
2018-09-06 |
2018-09-06 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
LimeSurvey version 3.14.4 and earlier contains a directory traversal in file upload that allows upload of webshell vulnerability in file upload functionality that can result in remote code execution as authenticated user. This attack appear to be exploitable via An authenticated user can upload a specially crafted zip file to get remote code execution. This vulnerability appears to have been fixed in after commit 72a02ebaaf95a80e26127ee7ee2b123cccce05a7 / version 3.14.4. |
|
26 |
CVE-2018-1000653 |
89 |
|
Sql |
2018-08-20 |
2018-10-12 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx. |
|
27 |
CVE-2018-1000650 |
89 |
|
Sql |
2018-08-20 |
2018-10-16 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL Injection vulnerability in Show Groups Popup SQL query functions that can result in Ability to perform malicious database queries. This attack appear to be exploitable via User controlled parameters. |
|
28 |
CVE-2018-1000643 |
79 |
|
XSS |
2018-08-20 |
2018-10-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OWASP OWASP ANTISAMY version 1.5.7 and earlier contains a Cross Site Scripting (XSS) vulnerability in AntiSamy.scan() - for both SAX & DOM that can result in Cross Site Scripting. |
|
29 |
CVE-2018-1000642 |
79 |
|
XSS |
2018-08-20 |
2018-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
FlightAirMap version <=v1.0-beta.21 contains a Cross Site Scripting (XSS) vulnerability in GET variable used within registration sub menu page that can result in unauthorised actions and access to data, stealing session information. This vulnerability appears to have been fixed in after commit 22b09a3. |
|
30 |
CVE-2018-1000640 |
79 |
|
DoS XSS |
2018-08-20 |
2018-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OpenCart-Overclocked version <=1.11.1 contains a Cross Site Scripting (XSS) vulnerability in User input entered unsanitised within JS function in the template that can result in Unauthorised actions and access to data, stealing session information, denial of service. This attack appear to be exploitable via Malicious input passed in GET parameter. |
|
31 |
CVE-2018-1000638 |
79 |
|
XSS |
2018-08-20 |
2018-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerability in http://example.org/mc-admin/page.php?date={payload} that can result in code injection. |
|
32 |
CVE-2018-1000623 |
22 |
|
Exec Code Dir. Trav. |
2018-07-09 |
2018-09-11 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
JFrog JFrog Artifactory version Prior to version 6.0.3, since version 4.0.0 contains a Directory Traversal vulnerability in The "Import Repository from Zip" feature, available through the Admin menu -> Import & Export -> Repositories, triggers a vulnerable UI REST endpoint (/ui/artifactimport/upload) that can result in Directory traversal / file overwrite and remote code execution. This attack appear to be exploitable via An attacker with Admin privileges may use the aforementioned UI endpoint and exploit the publicly known "Zip Slip" vulnerability, to add/overwrite files outside the target directory. This vulnerability appears to have been fixed in 6.0.3. |
|
33 |
CVE-2018-1000611 |
79 |
|
XSS |
2018-07-09 |
2018-09-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
SURFnet OpenConext EngineBlock version 5.7.0 to 5.7.3 contains a Cross Site Scripting (XSS) vulnerability that can result in Allows an attacker to inject arbitrary web scripts or HTML into help and login pages. This attack appear to be exploitable via the victim opening a specially crafted URL. |
|
34 |
CVE-2018-1000604 |
79 |
|
XSS |
2018-06-26 |
2018-08-23 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
35 |
CVE-2018-1000559 |
79 |
|
XSS |
2018-06-26 |
2018-08-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via injected JavaScript code, a website can steal the user's browsing history. This attack appear to be exploitable via the victim must open a page with a specially crafted <title> attribute, and then open the qute://history site via the :history command. This vulnerability appears to have been fixed in fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week). |
|
36 |
CVE-2018-1000558 |
89 |
|
Sql |
2018-06-26 |
2018-08-20 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
OCS Inventory NG ocsreports 2.4 and ocsreports 2.3.1 version 2.4 and 2.3.1 contains a SQL Injection vulnerability in web search that can result in An authenticated attacker is able to gain full access to data stored within database. This attack appear to be exploitable via By sending crafted requests it is possible to gain database access. This vulnerability appears to have been fixed in 2.4.1. |
|
37 |
CVE-2018-1000557 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OCS Inventory OCS Inventory NG version ocsreports 2.4 contains a Cross Site Scripting (XSS) vulnerability in login form and search functionality that can result in An attacker is able to execute arbitrary (javascript) code within a victims' browser. This attack appear to be exploitable via Victim must open a crafted link to the application. This vulnerability appears to have been fixed in ocsreports 2.4.1. |
|
38 |
CVE-2018-1000556 |
79 |
|
XSS |
2018-06-26 |
2018-08-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client side attacks which could be from stealing a cookie to code injection. This attack appear to be exploitable via an attacker must craft an URL with payload and send to the user. Victim need to open the link to be affected by reflected XSS. . |
|
39 |
CVE-2018-1000552 |
89 |
|
Sql |
2018-06-26 |
2018-08-17 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Trovebox version <= 4.0.0-rc6 contains a SQL Injection vulnerability in album component that can result in SQL code injection. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed. |
|
40 |
CVE-2018-1000550 |
22 |
|
Dir. Trav. |
2018-06-26 |
2018-09-06 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Sympa Community Sympa version prior to version 6.2.32 contains a Directory Traversal vulnerability in wwsympa.fcgi template editing function that can result in Possibility to create or modify files on the server filesystem. This attack appear to be exploitable via HTTP GET/POST request. This vulnerability appears to have been fixed in 6.2.32. |
|
41 |
CVE-2018-1000544 |
434 |
|
Dir. Trav. |
2018-06-26 |
2018-08-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem.. |
|
42 |
CVE-2018-1000543 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Akiee version 0.0.3 contains a XSS leading to code execution due to the use of node integration vulnerability in "Details" of a task is not validated that can result in XSS leading to abritrary code execution. This attack appear to be exploitable via The attacker tricks the victim into opening a crafted markdown. |
|
43 |
CVE-2018-1000536 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Medis version 0.6.1 and earlier contains a XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process vulnerability in Key name parameter on new key creation that can result in Unauthorized code execution in the victim's machine, within the rights of the running application. This attack appear to be exploitable via Victim is synchronizing data from the redis server which contains malicious key value. |
|
44 |
CVE-2018-1000534 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Joplin version prior to 1.0.90 contains a XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89 that can result in executing unauthorized code within the rights in which the application is running. This attack appear to be exploitable via Victim synchronizing notes from the cloud services or other note-keeping services which contain malicious code. This vulnerability appears to have been fixed in 1.0.90 and later. |
|
45 |
CVE-2018-1000532 |
22 |
|
Dir. Trav. |
2018-06-26 |
2018-08-30 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
beep version 1.3 and up contains a External Control of File Name or Path vulnerability in --device option that can result in Local unprivileged user can inhibit execution of arbitrary programs by other users, allowing DoS. This attack appear to be exploitable via The system must allow local users to run beep. |
|
46 |
CVE-2018-1000529 |
79 |
|
XSS |
2018-06-26 |
2018-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XSS) vulnerability in Using the display tag that can result in XSS . This vulnerability appears to have been fixed in 2.2.8. |
|
47 |
CVE-2018-1000528 |
79 |
|
XSS |
2018-06-26 |
2018-08-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb75606001 contains a Cross Site Scripting (XSS) vulnerability in change password form (html/password.php, #308) that can result in injection of arbitrary web script or HTML. This attack appear to be exploitable via the victim must open a specially crafted web page. This vulnerability appears to have been fixed in after commit 56070d6289d47ba3f5918885954dcceb75606001. |
|
48 |
CVE-2018-1000521 |
79 |
|
XSS |
2018-06-26 |
2018-08-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /users/create that can result in The low-privileged users can use this vulnerability to attack high-privileged(Developer) users.. This attack appear to be exploitable via no. This vulnerability appears to have been fixed in after commit b652cfdc14d0670c81ac4401ad5a04376745c279. |
|
49 |
CVE-2018-1000516 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability in Many templates used in the Galaxy server did not properly sanitize user's input, which would allow for cross-site scripting (XSS) attacks. In this form of attack, a malicious person can create a URL which, when opened by a Galaxy user or administrator, would allow the malicious user to execute arbitrary Javascript. that can result in Arbitrary JavaScript code execution. This attack appear to be exploitable via The victim must interact with component on page witch contains injected JavaScript code.. This vulnerability appears to have been fixed in v14.10.1, v15.01. |
|
50 |
CVE-2018-1000514 |
352 |
|
CSRF |
2018-06-26 |
2018-08-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x. |
