CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2018(Cross Site Scripting (XSS))

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2018-19785 79 XSS 2018-11-30 2018-12-27
4.3
None Remote Medium Not required None Partial None
PHP-Proxy through 5.1.0 has Cross-Site Scripting (XSS) via the URL field in index.php.
2 CVE-2018-19752 79 XSS 2018-11-29 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes field for the Registrar.
3 CVE-2018-19751 79 XSS 2018-11-29 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the admin/ssl-fields/add.php notes field for Custom SSL Fields.
4 CVE-2018-19750 79 XSS 2018-11-29 2018-12-27
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the admin/domain-fields/ notes field in an Add Custom Field action for Custom Domain Fields.
5 CVE-2018-19749 79 XSS 2018-11-29 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/account-owner.php Owner name field.
6 CVE-2018-19693 79 XSS 2018-11-29 2018-12-27
4.3
None Remote Medium Not required None Partial None
An issue was discovered in tp5cms through 2017-05-25. admin.php/system/set.html has XSS via the title parameter.
7 CVE-2018-19630 79 XSS 2018-11-28 2018-12-31
4.3
None Remote Medium Not required None Partial None
cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the URI, as demonstrated by a cgi-bin/?[XSS] URI.
8 CVE-2018-19564 79 XSS 2018-11-26 2018-12-18
4.3
None Remote Medium Not required None Partial None
Stored XSS was discovered in the Easy Testimonials plugin 3.2 for WordPress. Three wp-admin/post.php parameters (_ikcf_client and _ikcf_position and _ikcf_other) have Cross-Site Scripting.
9 CVE-2018-19554 79 XSS 2018-11-26 2018-12-18
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp.
10 CVE-2018-19547 79 XSS 2018-11-26 2018-12-19
4.3
None Remote Medium Not required None Partial None
JTBC(PHP) 3.0.1.7 has XSS via the console/xml/manage.php?type=action&action=edit content parameter.
11 CVE-2018-19546 352 XSS CSRF 2018-11-26 2018-12-19
6.8
None Remote Medium Not required Partial Partial Partial
JTBC(PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action&action=edit URI, as demonstrated by an XSS payload in the content parameter.
12 CVE-2018-19527 79 XSS 2018-11-29 2018-12-26
4.3
None Remote Medium Not required None Partial None
i4 assistant 7.85 allows XSS via a crafted machine name field within iOS settings.
13 CVE-2018-19469 79 XSS 2018-11-23 2018-12-19
4.3
None Remote Medium Not required None Partial None
ArticleCMS through 2017-02-19 has XSS via the /update_personal_infomation realname or email parameter.
14 CVE-2018-19464 79 XSS 2018-11-22 2018-12-19
3.5
None Remote Medium Single system None Partial None
Discuz! X3.4 allows XSS via admin.php because admincp/admincp_setting.php and template\default\common\footer.htm mishandles statcode field from third-party stats code.
15 CVE-2018-19433 79 XSS 2018-11-22 2018-12-18
4.3
None Remote Medium Not required None Partial None
ShowDoc 2.4.1 has XSS via the lang parameter because install/database.php mishandles the $cur_lang value.
16 CVE-2018-19352 79 XSS 2018-11-18 2018-12-17
4.3
None Remote Medium Not required None Partial None
Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.
17 CVE-2018-19351 79 XSS 2018-11-18 2018-12-17
4.3
None Remote Medium Not required None Partial None
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.
18 CVE-2018-19350 79 XSS 2018-11-17 2018-12-17
3.5
None Remote Medium Single system None Partial None
In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwdsubmit email parameter during a password change, as demonstrated by a data: URL in an OBJECT element.
19 CVE-2018-19340 79 XSS 2018-11-17 2018-12-17
4.3
None Remote Medium Not required None Partial None
Guriddo Form PHP 5.3 has XSS via the demos/jqform/defaultnodb/default.php OrderID, ShipName, ShipAddress, ShipCity, ShipPostalCode, ShipCountry, Freight, or details parameter.
20 CVE-2018-19324 79 XSS 2018-11-17 2018-12-17
3.5
None Remote Medium Single system None Partial None
kimsQ Rb 2.3.0 allows XSS via the second input field to the /?r=home&mod=mypage&page=info URI.
21 CVE-2018-19311 79 XSS 2018-11-16 2019-07-30
3.5
None Remote Medium Single system None Partial None
Centreon 3.4.x (fixed in Centreon 18.10.0) allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen.
22 CVE-2018-19301 79 XSS 2018-11-15 2018-12-31
4.3
None Remote Medium Not required None Partial None
tp4a TELEPORT 3.1.0 allows XSS via the login page because a crafted username is mishandled when an administrator later views the system log.
23 CVE-2018-19288 79 XSS 2018-11-15 2018-12-10
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.
24 CVE-2018-19287 79 XSS 2018-11-15 2018-12-14
4.3
None Remote Medium Not required None Partial None
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter.
25 CVE-2018-19286 79 XSS 2018-11-15 2018-12-18
4.3
None Remote Medium Not required None Partial None
The server in mubu note 2018-11-11 has XSS by configuring an account with a crafted name value (along with an arbitrary username value), and then creating and sharing a note.
26 CVE-2018-19280 79 XSS 2018-11-14 2019-07-30
4.3
None Remote Medium Not required None Partial None
Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource name or macro expression of a poller macro.
27 CVE-2018-19229 79 XSS 2018-11-12 2018-12-11
3.5
None Remote Medium Single system None Partial None
An issue was discovered in LAOBANCMS 2.0. It allows XSS via the admin/art.php?typeid=1 biaoti parameter.
28 CVE-2018-19227 79 XSS 2018-11-12 2018-12-11
3.5
None Remote Medium Single system None Partial None
An issue was discovered in LAOBANCMS 2.0. It allows XSS via the admin/liuyan.php neirong[] parameter.
29 CVE-2018-19223 79 XSS 2018-11-12 2018-12-11
3.5
None Remote Medium Single system None Partial None
An issue was discovered in LAOBANCMS 2.0. It allows XSS via the first input field to the admin/type.php?id=1 URI.
30 CVE-2018-19222 79 XSS 2018-11-12 2019-10-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in LAOBANCMS 2.0. It allows a /install/mysql_hy.php?riqi=0&i=0 attack to reset the admin password, even if install.txt exists.
31 CVE-2018-19206 79 XSS 2018-11-12 2018-12-13
4.3
None Remote Medium Not required None Partial None
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
32 CVE-2018-19195 79 XSS 2018-11-12 2018-12-13
4.3
None Remote Medium Not required None Partial None
An issue was discovered in XiaoCms 20141229. There is XSS related to the template\default\show_product.html file.
33 CVE-2018-19193 79 XSS 2018-11-12 2018-12-13
4.3
None Remote Medium Not required None Partial None
An issue was discovered in XiaoCms 20141229. There is XSS via the largest input box on the "New news" screen.
34 CVE-2018-19190 79 XSS 2018-11-14 2018-12-17
4.3
None Remote Medium Not required None Partial None
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the error.php error_msg parameter.
35 CVE-2018-19189 79 XSS 2018-11-14 2018-12-17
4.3
None Remote Medium Not required None Partial None
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in an error.php echo statement.
36 CVE-2018-19188 79 XSS 2018-11-14 2018-12-17
4.3
None Remote Medium Not required None Partial None
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the success.php fort_id parameter.
37 CVE-2018-19187 79 XSS 2018-11-14 2018-12-17
4.3
None Remote Medium Not required None Partial None
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in a success.php echo statement.
38 CVE-2018-19186 79 XSS 2018-11-14 2018-12-17
4.3
None Remote Medium Not required None Partial None
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the route.php paymentMethod parameter.
39 CVE-2018-19178 79 XSS 2018-11-11 2018-12-13
3.5
None Remote Medium Single system None Partial None
In JEESNS 1.3, com/lxinet/jeesns/core/utils/XssHttpServletRequestWrapper.java allows stored XSS via an HTML EMBED element, a different vulnerability than CVE-2018-17886.
40 CVE-2018-19170 79 XSS 2018-11-11 2018-12-13
3.5
None Remote Medium Single system None Partial None
In JPress v1.0-rc.5, there is stored XSS via each of the first three input fields to the starter-tomcat-1.0/admin/setting URI, as demonstrated by the web_name parameter.
41 CVE-2018-19145 79 XSS 2018-11-09 2018-12-11
4.3
None Remote Medium Not required None Partial None
An issue was discovered in S-CMS v1.5. There is an XSS vulnerability in search.php via the keyword parameter.
42 CVE-2018-19142 79 XSS 2018-11-11 2018-12-12
3.5
None Remote Medium Single system None Partial None
Open Ticket Request System (OTRS) 6.0.x before 6.0.13 allows an admin to conduct an XSS attack via a modified URL.
43 CVE-2018-19141 79 XSS 2018-11-11 2018-12-12
3.5
None Remote Medium Single system None Partial None
Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before 5.0.31 allows an admin to conduct an XSS attack via a modified URL because user and customer preferences are mishandled.
44 CVE-2018-19137 79 XSS 2018-11-09 2018-12-11
4.3
None Remote Medium Not required None Partial None
DomainMOD through 4.11.01 has XSS via the assets/edit/ip-address.php ipid parameter.
45 CVE-2018-19136 79 XSS 2018-11-09 2018-12-11
4.3
None Remote Medium Not required None Partial None
DomainMOD through 4.11.01 has XSS via the assets/edit/registrar-account.php raid parameter.
46 CVE-2018-19131 79 XSS 2018-11-09 2018-12-11
4.3
None Remote Medium Not required None Partial None
Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.
47 CVE-2018-19092 79 XSS 2018-11-07 2018-12-13
4.3
None Remote Medium Not required None Partial None
An issue was discovered in YzmCMS v5.2. It has XSS via a search/index/archives/pubtime/ query string, as demonstrated by the search/index/archives/pubtime/1526387722/page/1.html URI. NOTE: this does not obtain a user's cookie.
48 CVE-2018-19091 79 XSS 2018-11-07 2018-12-11
3.5
None Remote Medium Single system None Partial None
tianti 2.3 has reflected XSS in the user management module via the tianti-module-admin/user/list userName parameter.
49 CVE-2018-19090 79 XSS 2018-11-07 2018-12-11
3.5
None Remote Medium Single system None Partial None
tianti 2.3 has stored XSS in the article management module via an article title.
50 CVE-2018-19089 79 XSS 2018-11-07 2018-12-11
3.5
None Remote Medium Single system None Partial None
tianti 2.3 has stored XSS in the userlist module via the tianti-module-admin/user/ajax/save_role name parameter, which is mishandled in tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp.
Total number of vulnerabilities : 135   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.