| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-6777 |
79 |
|
XSS |
2019-01-24 |
2019-01-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?view=plugin pl parameter. |
|
2 |
CVE-2019-6278 |
79 |
|
XSS |
2019-01-14 |
2019-01-18 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
XSS exists in JPress v1.0.4 via Markdown input, or Markdown input with the code input option. |
|
3 |
CVE-2019-6267 |
79 |
|
XSS |
2019-01-14 |
2019-01-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Premium WP Suite Easy Redirect Manager plugin 28.07-17 for WordPress has XSS via a crafted GET request that is mishandled during log viewing at the templates/admin/redirect-log.php URI. |
|
4 |
CVE-2019-6264 |
79 |
|
XSS |
2019-01-16 |
2019-01-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in mod_banners leads to a stored XSS vulnerability. |
|
5 |
CVE-2019-6263 |
79 |
|
XSS |
2019-01-16 |
2019-01-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS. |
|
6 |
CVE-2019-6262 |
79 |
|
XSS |
2019-01-16 |
2019-01-18 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration helpurl settings allowed stored XSS. |
|
7 |
CVE-2019-6261 |
79 |
|
XSS |
2019-01-16 |
2019-01-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in com_contact leads to a stored XSS vulnerability. |
|
8 |
CVE-2019-6248 |
79 |
|
XSS |
2019-01-12 |
2019-01-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the srch parameter, as demonstrated by restaurants-details.php. |
|
9 |
CVE-2019-6243 |
79 |
|
XSS |
2019-01-11 |
2019-01-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Frog CMS 0.9.5 allows XSS via the forgot password page (aka the /admin/?/login/forgot URI). |
|
10 |
CVE-2019-5311 |
79 |
|
XSS |
2019-01-04 |
2019-01-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in YUNUCMS V1.1.8. app/index/controller/Show.php has an XSS vulnerability via the index.php/index/show/index cw parameter. |
|
11 |
CVE-2019-5310 |
79 |
|
XSS |
2019-01-04 |
2019-01-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
YUNUCMS 1.1.8 has XSS in app/admin/controller/System.php because crafted data can be written to the sys.php file, as demonstrated by site_title in an admin/system/basic POST request. |
|
12 |
CVE-2019-3501 |
79 |
|
XSS |
2019-01-02 |
2019-01-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile. |
|
13 |
CVE-2019-1643 |
79 |
|
Exec Code XSS |
2019-01-23 |
2019-01-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. |
|
14 |
CVE-2019-1642 |
79 |
|
Exec Code XSS |
2019-01-23 |
2019-01-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. |
|
15 |
CVE-2019-0646 |
79 |
|
XSS |
2019-01-17 |
2019-01-22 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team. |
|
16 |
CVE-2019-0558 |
79 |
|
XSS |
2019-01-08 |
2019-01-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint, Microsoft Business Productivity Servers. This CVE ID is unique from CVE-2019-0556, CVE-2019-0557. |
|
17 |
CVE-2019-0557 |
79 |
|
XSS |
2019-01-08 |
2019-01-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0556, CVE-2019-0558. |
|
18 |
CVE-2019-0556 |
79 |
|
XSS |
2019-01-08 |
2019-01-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0557, CVE-2019-0558. |
|
19 |
CVE-2019-0245 |
79 |
|
XSS |
2019-01-08 |
2019-01-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
|
20 |
CVE-2019-0244 |
79 |
|
XSS |
2019-01-08 |
2019-01-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
|
21 |
CVE-2019-0238 |
79 |
|
XSS |
2019-01-08 |
2019-01-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
|
22 |
CVE-2019-0027 |
79 |
|
XSS |
2019-01-15 |
2019-01-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A persistent cross-site scripting (XSS) vulnerability in the Snort Rules configuration of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. |
|
23 |
CVE-2019-0026 |
79 |
|
XSS |
2019-01-15 |
2019-01-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A persistent cross-site scripting (XSS) vulnerability in the Zone configuration of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. |
|
24 |
CVE-2019-0025 |
79 |
|
XSS |
2019-01-15 |
2019-01-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A persistent cross-site scripting (XSS) vulnerability in RADIUS configuration menu of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. |
|
25 |
CVE-2019-0024 |
79 |
|
XSS |
2019-01-15 |
2019-01-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A persistent cross-site scripting (XSS) vulnerability in the Email Collectors menu of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. |
|
26 |
CVE-2019-0023 |
79 |
|
XSS |
2019-01-15 |
2019-01-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A persistent cross-site scripting (XSS) vulnerability in the Golden VM menu of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. |
|
27 |
CVE-2019-0018 |
79 |
|
XSS |
2019-01-15 |
2019-01-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A persistent cross-site scripting (XSS) vulnerability in the file upload menu of Juniper ATP may allow an authenticated user to inject arbitrary scripts and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. |
|
28 |
CVE-2018-1999029 |
79 |
|
XSS |
2018-08-01 |
2018-10-01 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
29 |
CVE-2018-1999024 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. This attack appear to be exploitable via The victim must view a page where untrusted content is processed using Mathjax. This vulnerability appears to have been fixed in 2.7.4 and later. |
|
30 |
CVE-2018-1999021 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Gleezcms Gleez Cms version 1.3.0 contains a Cross Site Scripting (XSS) vulnerability in Profile page that can result in Inject arbitrary web script or HTML via the profile page editor. This attack appear to be exploitable via The victim must navigate to the attacker's profile page. |
|
31 |
CVE-2018-1999016 |
79 |
|
Sql XSS |
2018-07-23 |
2018-09-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48; ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines: 114,118 that can result in an unauthenticated remote attacker manipulating the web client via XSS code injection. This attack appear to be exploitable via the victim openning a specially crafted URL. This vulnerability appears to have been fixed in version 8.2.1. |
|
32 |
CVE-2018-1999008 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable via an Authenticated user with media module permission who can create arbitrary folder name (XSS). This vulnerability appears to have been fixed in build 437. |
|
33 |
CVE-2018-1999007 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. |
|
34 |
CVE-2018-1999005 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
35 |
CVE-2018-1002009 |
79 |
|
XSS |
2018-12-03 |
2018-12-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3: via GET reuqest to the email variable. |
|
36 |
CVE-2018-1002008 |
79 |
|
XSS |
2018-12-03 |
2018-12-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4: via GET request offset variable. |
|
37 |
CVE-2018-1002007 |
79 |
|
XSS |
2018-12-03 |
2018-12-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:15: via POST request variable html_id. |
|
38 |
CVE-2018-1002006 |
79 |
|
XSS |
2018-12-03 |
2018-12-29 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes |
|
39 |
CVE-2018-1002005 |
79 |
|
XSS |
2018-12-03 |
2018-12-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in bft_list.html.php:43: via the filter_signup_date parameter. |
|
40 |
CVE-2018-1002004 |
79 |
|
XSS |
2018-12-03 |
2018-12-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. |
|
41 |
CVE-2018-1002003 |
79 |
|
XSS |
2018-12-03 |
2018-12-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. |
|
42 |
CVE-2018-1002002 |
79 |
|
XSS |
2018-12-03 |
2018-12-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. |
|
43 |
CVE-2018-1002001 |
79 |
|
XSS |
2018-12-03 |
2018-12-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. |
|
44 |
CVE-2018-1000887 |
79 |
|
XSS |
2018-12-28 |
2019-01-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Peel shopping peel-shopping_9_1_0 version contains a Cross Site Scripting (XSS) vulnerability that can result in an authenticated user injecting java script code in the "Site Name EN" parameter. This attack appears to be exploitable if the malicious user has access to the administration account. |
|
45 |
CVE-2018-1000874 |
79 |
|
XSS |
2018-12-20 |
2019-01-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a malicious crafted script to be executed that can result in the lose of user data and sensitive user information. This attack can be exploited by crafting a three backtick wrapped payload with a character in front: L: "```<script>alert();</script>```" |
|
46 |
CVE-2018-1000870 |
79 |
|
Exec Code XSS |
2018-12-20 |
2019-01-08 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in Execute code in the victims browser. This attack appear to be exploitable via Attacker change theme parameter in user settings. Admin(Victim) views user in admin-panel and gets exploited.. This vulnerability appears to have been fixed in 1.4. |
|
47 |
CVE-2018-1000868 |
79 |
|
XSS |
2018-12-20 |
2019-01-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WeBid version up to current version 1.2.2 contains a Cross Site Scripting (XSS) vulnerability in user_login.php, register.php that can result in Javascript execution in the user's browser, injection of malicious markup into the page. This attack appear to be exploitable via The victim user must click a malicous link. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. |
|
48 |
CVE-2018-1000860 |
79 |
|
Exec Code XSS |
2018-12-20 |
2019-01-08 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh'><script>alert(1)</script>quqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain.. |
|
49 |
CVE-2018-1000856 |
79 |
|
XSS |
2018-12-20 |
2019-01-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
DomainMOD version 4.09.03 and above. Also verified in the latest version 4.11.01 contains a Cross Site Scripting (XSS) vulnerability in Segment Name field in the segments page that can result in Arbitrary script can be executed on all users browsers who visit the affected page. This attack appear to be exploitable via Victim must visit the vulnerable page. This vulnerability appears to have been fixed in No fix yet. |
|
50 |
CVE-2018-1000855 |
79 |
|
XSS |
2018-12-20 |
2019-01-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
easymon version 1.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Endpoint where monitoring is mounted that can result in Reflected XSS that affects Firefox. Can be used to steal cookies, depending on the cookie settings.. This attack appear to be exploitable via The victim must click on a crafted URL that contains the XSS payload. This vulnerability appears to have been fixed in 1.4.1 and later. |
