CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-79

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1020019 79 XSS 2019-07-29 2019-07-31
4.3
None Remote Medium Not required None Partial None
invenio-previewer before 1.0.0a12 allows XSS.
2 CVE-2019-1020010 79 XSS 2019-07-29 2019-09-05
4.3
None Remote Medium Not required None Partial None
Misskey before 10.102.4 allows hijacking a user's token.
3 CVE-2019-1020008 79 XSS 2019-07-29 2019-07-31
4.3
None Remote Medium Not required None Partial None
stacktable.js before 1.0.4 allows XSS.
4 CVE-2019-1020007 79 XSS 2019-07-29 2019-07-30
3.5
None Remote Medium Single system None Partial None
Dependency-Track before 3.5.1 allows XSS.
5 CVE-2019-1020005 79 XSS 2019-07-29 2019-08-01
3.5
None Remote Medium Single system None Partial None
invenio-communities before 1.0.0a20 allows XSS.
6 CVE-2019-1020003 79 XSS 2019-07-29 2019-08-01
3.5
None Remote Medium Single system None Partial None
invenio-records before 1.2.2 allows XSS.
7 CVE-2019-1010314 79 XSS 2019-07-11 2019-07-12
4.3
None Remote Medium Not required None Partial None
Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to public and affected repo page.
8 CVE-2019-1010307 79 XSS 2019-07-15 2019-07-18
3.5
None Remote Medium Single system None Partial None
GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS leading to privilege escalation and executing js on admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: 1- User Create a ticket , 2- Admin opens another ticket and click on the "Link Tickets" feature, 3- a request to the endpoint fetches js and executes it.
9 CVE-2019-1010287 79 Exec Code XSS 2019-07-17 2019-07-22
4.3
None Remote Medium Not required None Partial None
Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a "redirect" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS, victim may click the malicious url.
10 CVE-2019-1010261 79 XSS 2019-07-18 2019-07-19
4.3
None Remote Medium Not required None Partial None
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically crafted URL. The fixed version is: 1.7.1 and later.
11 CVE-2019-1010247 79 XSS 2019-07-19 2019-08-23
4.3
None Remote Medium Not required None Partial None
ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2.
12 CVE-2019-1010237 79 Exec Code XSS 2019-07-22 2019-10-09
4.3
None Remote Medium Not required None Partial None
Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector is: Cloze Test Text gap (attacker) / Corrections view (victim). The fixed version is: 5.3.12.
13 CVE-2019-1010235 79 XSS 2019-07-22 2019-07-23
3.5
None Remote Medium Single system None Partial None
Frog CMS 1.1 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing, Alert pop-up on page, Redirecting to another phishing site, Executing browser exploits. The component is: Snippets.
14 CVE-2019-1010207 79 XSS 2019-07-23 2019-07-29
4.3
None Remote Medium Not required None Partial None
Genetechsolutions Pie Register 3.0.15 is affected by: Cross Site Scripting (XSS). The impact is: Stealing of session cookies. The component is: File: Login. Parameters: interim-login, wp-lang, and supplied URL. The attack vector is: If a victim clicks a malicious link, the attacker can steal his/her account. The fixed version is: 3.0.16.
15 CVE-2019-1010199 79 XSS Bypass 2019-07-23 2019-07-25
4.3
None Remote Medium Not required None Partial None
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side validation and If Browser encoding is bypassed, the victim is affected when opening a crafted URL. The fixed version is: 5.2.0.
16 CVE-2019-1010193 79 XSS 2019-07-24 2019-07-26
4.3
None Remote Medium Not required None Partial None
hisiphp 1.0.8 is affected by: Cross Site Scripting (XSS).
17 CVE-2019-1010147 79 XSS 2019-07-25 2019-08-05
3.5
None Remote Medium Single system None Partial None
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later.
18 CVE-2019-1010124 79 XSS 2019-07-23 2019-08-30
4.3
None Remote Medium Not required None Partial None
WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: Cross Site Scripting (XSS). The impact is: XSS to RCE via editing theme files in WordPress. The component is: admin/partials/woo-feed-manage-list.php:63. The attack vector is: Administrator must be logged in.
19 CVE-2019-1010113 79 XSS 2019-07-19 2019-07-25
4.3
None Remote Medium Not required None Partial None
Premium Software CLEditor 1.4.5 and earlier is affected by: Cross Site Scripting (XSS). The impact is: An attacker might be able to inject arbitrary html and script code into the web site. The component is: jQuery plug-in. The attack vector is: the victim must open a crafted href attribute of a link (A) element.
20 CVE-2019-1010091 79 Exec Code XSS 2019-07-17 2019-10-09
4.3
None Remote Medium Not required None Partial None
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.
21 CVE-2019-1010028 79 XSS 2019-07-15 2019-07-15
4.3
None Remote Medium Not required None Partial None
phpscriptsmall.com School College Portal with ERP Script 2.6.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attack administrators and teachers, students and more. The component is: /pro-school/index.php?student/message/send_reply/. The attack vector is: <img src=x onerror=alert(document.domain) />.
22 CVE-2019-1010018 79 Exec Code XSS 2019-07-16 2019-10-09
4.3
None Remote Medium Not required None Partial None
Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3.
23 CVE-2019-1010016 79 XSS 2019-07-14 2019-07-15
4.3
None Remote Medium Not required None Partial None
Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker.
24 CVE-2019-1010008 79 Exec Code XSS 2019-07-14 2019-07-18
3.5
None Remote Medium Single system None Partial None
OpenEnergyMonitor Project Emoncms 9.8.8 is affected by: Cross Site Scripting (XSS). The impact is: Theoretically low, but might potentially enable persistent XSS (user could embed mal. code). The component is: Javascript code execution in "Name", "Location", "Bio" and "Starting Page" fields in the "My Account" page. File: Lib/listjs/list.js, line 67. The attack vector is: unknown, victim must open profile page if persistent was possible.
25 CVE-2019-1010005 79 Exec Code XSS 2019-07-14 2019-07-16
4.3
None Remote Medium Not required None Partial None
HexoEditor v1.1.8-beta is affected by: XSS to code execution.
26 CVE-2019-1010003 79 XSS 2019-07-11 2019-07-12
3.5
None Remote Medium Single system None Partial None
Leanote prior to version 2.6 is affected by: Cross Site Scripting (XSS).
27 CVE-2019-1003050 79 XSS 2019-04-10 2019-04-12
3.5
None Remote Medium Single system None Partial None
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
28 CVE-2019-1003042 79 XSS 2019-03-28 2019-06-10
3.5
None Remote Medium Single system None Partial None
A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin.
29 CVE-2019-1003023 79 XSS 2019-02-06 2019-10-09
4.3
None Remote Medium Not required None Partial None
A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML.
30 CVE-2019-1003014 79 XSS 2019-02-06 2019-10-09
3.5
None Remote Medium Single system None Partial None
An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.
31 CVE-2019-1003013 79 XSS 2019-02-06 2019-10-09
3.5
None Remote Medium Single system None Partial None
An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.
32 CVE-2019-17496 79 XSS 2019-10-10 2019-10-15
4.3
None Remote Medium Not required None Partial None
Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.
33 CVE-2019-17494 79 XSS 2019-10-10 2019-10-15
4.3
None Remote Medium Not required None Partial None
laravel-bjyblog 6.1.1 has XSS via a crafted URL.
34 CVE-2019-17493 79 XSS 2019-10-10 2019-10-11
4.3
None Remote Medium Not required None Partial None
Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[sample_input] parameter to web/admin/problem/create or web/polygon/problem/update.
35 CVE-2019-17491 79 XSS 2019-10-10 2019-10-11
4.3
None Remote Medium Not required None Partial None
Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[description] parameter to web/admin/problem/create or web/polygon/problem/update.
36 CVE-2019-17489 79 XSS 2019-10-10 2019-10-11
4.3
None Remote Medium Not required None Partial None
Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[title] parameter to web/polygon/problem/create or web/polygon/problem/update or web/admin/problem/create.
37 CVE-2019-17488 79 XSS 2019-10-10 2019-10-15
4.3
None Remote Medium Not required None Partial None
b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header.
38 CVE-2019-17434 79 XSS 2019-10-10 2019-10-10
3.5
None Remote Medium Single system None Partial None
LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.
39 CVE-2019-17433 79 XSS 2019-10-10 2019-10-10
3.5
None Remote Medium Single system None Partial None
z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen.
40 CVE-2019-17430 79 XSS 2019-10-10 2019-10-10
4.3
None Remote Medium Not required None Partial None
EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter.
41 CVE-2019-17427 79 XSS 2019-10-09 2019-10-10
4.3
None Remote Medium Not required None Partial None
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.
42 CVE-2019-17417 79 XSS 2019-10-09 2019-10-11
3.5
None Remote Medium Single system None Partial None
PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p=/Single/index/mcode/1 and Pboot/?contact/ URIs.
43 CVE-2019-17385 79 XSS 2019-10-09 2019-10-09
4.3
None Remote Medium Not required None Partial None
The animate-it plugin before 2.3.5 for WordPress has XSS.
44 CVE-2019-17384 79 XSS 2019-10-09 2019-10-09
4.3
None Remote Medium Not required None Partial None
The animate-it plugin before 2.3.4 for WordPress has XSS.
45 CVE-2019-17380 79 XSS 2019-10-09 2019-10-09
4.3
None Remote Medium Not required None Partial None
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).
46 CVE-2019-17379 79 XSS 2019-10-09 2019-10-09
4.3
None Remote Medium Not required None Partial None
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
47 CVE-2019-17378 79 XSS 2019-10-09 2019-10-09
4.3
None Remote Medium Not required None Partial None
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526).
48 CVE-2019-17377 79 XSS 2019-10-09 2019-10-09
4.3
None Remote Medium Not required None Partial None
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).
49 CVE-2019-17376 79 XSS 2019-10-09 2019-10-09
4.3
None Remote Medium Not required None Partial None
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521).
50 CVE-2019-17368 79 XSS 2019-10-09 2019-10-09
4.3
None Remote Medium Not required None Partial None
S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from parameter.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.