| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-1020019 |
79 |
|
XSS |
2019-07-29 |
2019-07-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
invenio-previewer before 1.0.0a12 allows XSS. |
|
2 |
CVE-2019-1020010 |
79 |
|
XSS |
2019-07-29 |
2019-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Misskey before 10.102.4 allows hijacking a user's token. |
|
3 |
CVE-2019-1020008 |
79 |
|
XSS |
2019-07-29 |
2019-07-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
stacktable.js before 1.0.4 allows XSS. |
|
4 |
CVE-2019-1020007 |
79 |
|
XSS |
2019-07-29 |
2019-07-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Dependency-Track before 3.5.1 allows XSS. |
|
5 |
CVE-2019-1020005 |
79 |
|
XSS |
2019-07-29 |
2019-08-01 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
invenio-communities before 1.0.0a20 allows XSS. |
|
6 |
CVE-2019-1020003 |
79 |
|
XSS |
2019-07-29 |
2019-08-01 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
invenio-records before 1.2.2 allows XSS. |
|
7 |
CVE-2019-1010314 |
79 |
|
XSS |
2019-07-11 |
2019-07-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to public and affected repo page. |
|
8 |
CVE-2019-1010307 |
79 |
|
XSS |
2019-07-15 |
2019-07-18 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS leading to privilege escalation and executing js on admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: 1- User Create a ticket , 2- Admin opens another ticket and click on the "Link Tickets" feature, 3- a request to the endpoint fetches js and executes it. |
|
9 |
CVE-2019-1010287 |
79 |
|
Exec Code XSS |
2019-07-17 |
2019-07-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a "redirect" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS, victim may click the malicious url. |
|
10 |
CVE-2019-1010261 |
79 |
|
XSS |
2019-07-18 |
2019-07-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically crafted URL. The fixed version is: 1.7.1 and later. |
|
11 |
CVE-2019-1010247 |
79 |
|
XSS |
2019-07-19 |
2019-08-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2. |
|
12 |
CVE-2019-1010237 |
79 |
|
Exec Code XSS |
2019-07-22 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector is: Cloze Test Text gap (attacker) / Corrections view (victim). The fixed version is: 5.3.12. |
|
13 |
CVE-2019-1010235 |
79 |
|
XSS |
2019-07-22 |
2019-07-23 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Frog CMS 1.1 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing, Alert pop-up on page, Redirecting to another phishing site, Executing browser exploits. The component is: Snippets. |
|
14 |
CVE-2019-1010207 |
79 |
|
XSS |
2019-07-23 |
2019-07-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Genetechsolutions Pie Register 3.0.15 is affected by: Cross Site Scripting (XSS). The impact is: Stealing of session cookies. The component is: File: Login. Parameters: interim-login, wp-lang, and supplied URL. The attack vector is: If a victim clicks a malicious link, the attacker can steal his/her account. The fixed version is: 3.0.16. |
|
15 |
CVE-2019-1010199 |
79 |
|
XSS Bypass |
2019-07-23 |
2019-07-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side validation and If Browser encoding is bypassed, the victim is affected when opening a crafted URL. The fixed version is: 5.2.0. |
|
16 |
CVE-2019-1010193 |
79 |
|
XSS |
2019-07-24 |
2019-07-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
hisiphp 1.0.8 is affected by: Cross Site Scripting (XSS). |
|
17 |
CVE-2019-1010147 |
79 |
|
XSS |
2019-07-25 |
2019-08-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later. |
|
18 |
CVE-2019-1010124 |
79 |
|
XSS |
2019-07-23 |
2019-08-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: Cross Site Scripting (XSS). The impact is: XSS to RCE via editing theme files in WordPress. The component is: admin/partials/woo-feed-manage-list.php:63. The attack vector is: Administrator must be logged in. |
|
19 |
CVE-2019-1010113 |
79 |
|
XSS |
2019-07-19 |
2019-07-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Premium Software CLEditor 1.4.5 and earlier is affected by: Cross Site Scripting (XSS). The impact is: An attacker might be able to inject arbitrary html and script code into the web site. The component is: jQuery plug-in. The attack vector is: the victim must open a crafted href attribute of a link (A) element. |
|
20 |
CVE-2019-1010091 |
79 |
|
Exec Code XSS |
2019-07-17 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab. |
|
21 |
CVE-2019-1010028 |
79 |
|
XSS |
2019-07-15 |
2019-07-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
phpscriptsmall.com School College Portal with ERP Script 2.6.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attack administrators and teachers, students and more. The component is: /pro-school/index.php?student/message/send_reply/. The attack vector is: <img src=x onerror=alert(document.domain) />. |
|
22 |
CVE-2019-1010018 |
79 |
|
Exec Code XSS |
2019-07-16 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3. |
|
23 |
CVE-2019-1010016 |
79 |
|
XSS |
2019-07-14 |
2019-07-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker. |
|
24 |
CVE-2019-1010008 |
79 |
|
Exec Code XSS |
2019-07-14 |
2019-07-18 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
OpenEnergyMonitor Project Emoncms 9.8.8 is affected by: Cross Site Scripting (XSS). The impact is: Theoretically low, but might potentially enable persistent XSS (user could embed mal. code). The component is: Javascript code execution in "Name", "Location", "Bio" and "Starting Page" fields in the "My Account" page. File: Lib/listjs/list.js, line 67. The attack vector is: unknown, victim must open profile page if persistent was possible. |
|
25 |
CVE-2019-1010005 |
79 |
|
Exec Code XSS |
2019-07-14 |
2019-07-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
HexoEditor v1.1.8-beta is affected by: XSS to code execution. |
|
26 |
CVE-2019-1010003 |
79 |
|
XSS |
2019-07-11 |
2019-07-12 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Leanote prior to version 2.6 is affected by: Cross Site Scripting (XSS). |
|
27 |
CVE-2019-1003050 |
79 |
|
XSS |
2019-04-10 |
2019-04-12 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. |
|
28 |
CVE-2019-1003042 |
79 |
|
XSS |
2019-03-28 |
2019-06-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin. |
|
29 |
CVE-2019-1003023 |
79 |
|
XSS |
2019-02-06 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML. |
|
30 |
CVE-2019-1003014 |
79 |
|
XSS |
2019-02-06 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file. |
|
31 |
CVE-2019-1003013 |
79 |
|
XSS |
2019-02-06 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. |
|
32 |
CVE-2019-17496 |
79 |
|
XSS |
2019-10-10 |
2019-10-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion. |
|
33 |
CVE-2019-17494 |
79 |
|
XSS |
2019-10-10 |
2019-10-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
laravel-bjyblog 6.1.1 has XSS via a crafted URL. |
|
34 |
CVE-2019-17493 |
79 |
|
XSS |
2019-10-10 |
2019-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[sample_input] parameter to web/admin/problem/create or web/polygon/problem/update. |
|
35 |
CVE-2019-17491 |
79 |
|
XSS |
2019-10-10 |
2019-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[description] parameter to web/admin/problem/create or web/polygon/problem/update. |
|
36 |
CVE-2019-17489 |
79 |
|
XSS |
2019-10-10 |
2019-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[title] parameter to web/polygon/problem/create or web/polygon/problem/update or web/admin/problem/create. |
|
37 |
CVE-2019-17488 |
79 |
|
XSS |
2019-10-10 |
2019-10-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header. |
|
38 |
CVE-2019-17434 |
79 |
|
XSS |
2019-10-10 |
2019-10-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. |
|
39 |
CVE-2019-17433 |
79 |
|
XSS |
2019-10-10 |
2019-10-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen. |
|
40 |
CVE-2019-17430 |
79 |
|
XSS |
2019-10-10 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter. |
|
41 |
CVE-2019-17427 |
79 |
|
XSS |
2019-10-09 |
2019-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. |
|
42 |
CVE-2019-17417 |
79 |
|
XSS |
2019-10-09 |
2019-10-11 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p=/Single/index/mcode/1 and Pboot/?contact/ URIs. |
|
43 |
CVE-2019-17385 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The animate-it plugin before 2.3.5 for WordPress has XSS. |
|
44 |
CVE-2019-17384 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The animate-it plugin before 2.3.4 for WordPress has XSS. |
|
45 |
CVE-2019-17380 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528). |
|
46 |
CVE-2019-17379 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527). |
|
47 |
CVE-2019-17378 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526). |
|
48 |
CVE-2019-17377 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524). |
|
49 |
CVE-2019-17376 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521). |
|
50 |
CVE-2019-17368 |
79 |
|
XSS |
2019-10-09 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from parameter. |
