| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-1999029 |
79 |
|
XSS |
2018-08-01 |
2018-10-01 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
2 |
CVE-2018-1999024 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. This attack appear to be exploitable via The victim must view a page where untrusted content is processed using Mathjax. This vulnerability appears to have been fixed in 2.7.4 and later. |
|
3 |
CVE-2018-1999021 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Gleezcms Gleez Cms version 1.3.0 contains a Cross Site Scripting (XSS) vulnerability in Profile page that can result in Inject arbitrary web script or HTML via the profile page editor. This attack appear to be exploitable via The victim must navigate to the attacker's profile page. |
|
4 |
CVE-2018-1999016 |
79 |
|
Sql XSS |
2018-07-23 |
2018-09-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48; ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines: 114,118 that can result in an unauthenticated remote attacker manipulating the web client via XSS code injection. This attack appear to be exploitable via the victim openning a specially crafted URL. This vulnerability appears to have been fixed in version 8.2.1. |
|
5 |
CVE-2018-1999008 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable via an Authenticated user with media module permission who can create arbitrary folder name (XSS). This vulnerability appears to have been fixed in build 437. |
|
6 |
CVE-2018-1999007 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. |
|
7 |
CVE-2018-1999005 |
79 |
|
XSS |
2018-07-23 |
2018-09-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
8 |
CVE-2018-1002009 |
|
|
XSS |
2018-12-03 |
2018-12-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3: via GET reuqest to the email variable. |
|
9 |
CVE-2018-1002008 |
|
|
XSS |
2018-12-03 |
2018-12-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4: via GET request offset variable. |
|
10 |
CVE-2018-1002007 |
|
|
XSS |
2018-12-03 |
2018-12-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:15: via POST request variable html_id. |
|
11 |
CVE-2018-1002006 |
|
|
XSS |
2018-12-03 |
2018-12-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes |
|
12 |
CVE-2018-1002005 |
|
|
XSS |
2018-12-03 |
2018-12-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in bft_list.html.php:43: via the filter_signup_date parameter. |
|
13 |
CVE-2018-1002004 |
|
|
XSS |
2018-12-03 |
2018-12-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. |
|
14 |
CVE-2018-1002003 |
|
|
XSS |
2018-12-03 |
2018-12-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. |
|
15 |
CVE-2018-1002002 |
|
|
XSS |
2018-12-03 |
2018-12-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. |
|
16 |
CVE-2018-1002001 |
|
|
XSS |
2018-12-03 |
2018-12-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. |
|
17 |
CVE-2018-1000671 |
601 |
|
XSS |
2018-09-06 |
2018-11-02 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The "referer" parameter of the wwsympa.fcgi login action. that can result in Open redirection and reflected XSS via data URIs. This attack appear to be exploitable via Victim's browser must follow a URL supplied by the attacker. This vulnerability appears to have been fixed in none available. |
|
18 |
CVE-2018-1000670 |
79 |
|
XSS |
2018-09-06 |
2018-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , /cgi-bin/koha/serials/subscription-add.pl that can result in Privilege escalation by taking control of higher privileged users browser sessions. This attack appear to be exploitable via Victims must be socially engineered to visit a vulnerable webpage containing malicious payload. This vulnerability appears to have been fixed in 17.11. |
|
19 |
CVE-2018-1000665 |
79 |
|
XSS Bypass |
2018-09-06 |
2018-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross Site Scripting (XSS) vulnerability in unit.html and testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js in the DOH that can result in Victim attacked through their browser - deliver malware, steal HTTP cookies, bypass CORS trust. This attack appear to be exploitable via Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. This vulnerability appears to have been fixed in 1.14. |
|
20 |
CVE-2018-1000643 |
79 |
|
XSS |
2018-08-20 |
2018-10-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OWASP OWASP ANTISAMY version 1.5.7 and earlier contains a Cross Site Scripting (XSS) vulnerability in AntiSamy.scan() - for both SAX & DOM that can result in Cross Site Scripting. |
|
21 |
CVE-2018-1000642 |
79 |
|
XSS |
2018-08-20 |
2018-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
FlightAirMap version <=v1.0-beta.21 contains a Cross Site Scripting (XSS) vulnerability in GET variable used within registration sub menu page that can result in unauthorised actions and access to data, stealing session information. This vulnerability appears to have been fixed in after commit 22b09a3. |
|
22 |
CVE-2018-1000640 |
79 |
|
DoS XSS |
2018-08-20 |
2018-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OpenCart-Overclocked version <=1.11.1 contains a Cross Site Scripting (XSS) vulnerability in User input entered unsanitised within JS function in the template that can result in Unauthorised actions and access to data, stealing session information, denial of service. This attack appear to be exploitable via Malicious input passed in GET parameter. |
|
23 |
CVE-2018-1000638 |
79 |
|
XSS |
2018-08-20 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerability in http://example.org/mc-admin/page.php?date={payload} that can result in code injection. |
|
24 |
CVE-2018-1000611 |
79 |
|
XSS |
2018-07-09 |
2018-09-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
SURFnet OpenConext EngineBlock version 5.7.0 to 5.7.3 contains a Cross Site Scripting (XSS) vulnerability that can result in Allows an attacker to inject arbitrary web scripts or HTML into help and login pages. This attack appear to be exploitable via the victim opening a specially crafted URL. |
|
25 |
CVE-2018-1000604 |
79 |
|
XSS |
2018-06-26 |
2018-08-23 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
26 |
CVE-2018-1000559 |
79 |
|
XSS |
2018-06-26 |
2018-08-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via injected JavaScript code, a website can steal the user's browsing history. This attack appear to be exploitable via the victim must open a page with a specially crafted <title> attribute, and then open the qute://history site via the :history command. This vulnerability appears to have been fixed in fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week). |
|
27 |
CVE-2018-1000557 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OCS Inventory OCS Inventory NG version ocsreports 2.4 contains a Cross Site Scripting (XSS) vulnerability in login form and search functionality that can result in An attacker is able to execute arbitrary (javascript) code within a victims' browser. This attack appear to be exploitable via Victim must open a crafted link to the application. This vulnerability appears to have been fixed in ocsreports 2.4.1. |
|
28 |
CVE-2018-1000556 |
79 |
|
XSS |
2018-06-26 |
2018-08-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client side attacks which could be from stealing a cookie to code injection. This attack appear to be exploitable via an attacker must craft an URL with payload and send to the user. Victim need to open the link to be affected by reflected XSS. . |
|
29 |
CVE-2018-1000543 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Akiee version 0.0.3 contains a XSS leading to code execution due to the use of node integration vulnerability in "Details" of a task is not validated that can result in XSS leading to abritrary code execution. This attack appear to be exploitable via The attacker tricks the victim into opening a crafted markdown. |
|
30 |
CVE-2018-1000536 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Medis version 0.6.1 and earlier contains a XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process vulnerability in Key name parameter on new key creation that can result in Unauthorized code execution in the victim's machine, within the rights of the running application. This attack appear to be exploitable via Victim is synchronizing data from the redis server which contains malicious key value. |
|
31 |
CVE-2018-1000534 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Joplin version prior to 1.0.90 contains a XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89 that can result in executing unauthorized code within the rights in which the application is running. This attack appear to be exploitable via Victim synchronizing notes from the cloud services or other note-keeping services which contain malicious code. This vulnerability appears to have been fixed in 1.0.90 and later. |
|
32 |
CVE-2018-1000529 |
79 |
|
XSS |
2018-06-26 |
2018-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XSS) vulnerability in Using the display tag that can result in XSS . This vulnerability appears to have been fixed in 2.2.8. |
|
33 |
CVE-2018-1000528 |
79 |
|
XSS |
2018-06-26 |
2018-08-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb75606001 contains a Cross Site Scripting (XSS) vulnerability in change password form (html/password.php, #308) that can result in injection of arbitrary web script or HTML. This attack appear to be exploitable via the victim must open a specially crafted web page. This vulnerability appears to have been fixed in after commit 56070d6289d47ba3f5918885954dcceb75606001. |
|
34 |
CVE-2018-1000521 |
79 |
|
XSS |
2018-06-26 |
2018-08-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /users/create that can result in The low-privileged users can use this vulnerability to attack high-privileged(Developer) users.. This attack appear to be exploitable via no. This vulnerability appears to have been fixed in after commit b652cfdc14d0670c81ac4401ad5a04376745c279. |
|
35 |
CVE-2018-1000516 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability in Many templates used in the Galaxy server did not properly sanitize user's input, which would allow for cross-site scripting (XSS) attacks. In this form of attack, a malicious person can create a URL which, when opened by a Galaxy user or administrator, would allow the malicious user to execute arbitrary Javascript. that can result in Arbitrary JavaScript code execution. This attack appear to be exploitable via The victim must interact with component on page witch contains injected JavaScript code.. This vulnerability appears to have been fixed in v14.10.1, v15.01. |
|
36 |
CVE-2018-1000513 |
79 |
|
Exec Code XSS |
2018-06-26 |
2018-08-21 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x. |
|
37 |
CVE-2018-1000512 |
79 |
|
XSS |
2018-06-26 |
2018-08-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Tooltipy Tooltipy (tooltips for WP) version 5 contains a Cross Site Scripting (XSS) vulnerability in Glossary shortcode that can result in could allow anybody to do almost anything an admin can. This attack appear to be exploitable via Admin must follow a link. This vulnerability appears to have been fixed in 5.1. |
|
38 |
CVE-2018-1000508 |
79 |
|
XSS |
2018-06-26 |
2018-08-20 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WP ULike version 2.8.1, 3.1 contains a Cross Site Scripting (XSS) vulnerability in Settings screen that can result in allows unauthorised users to do almost anything an admin can. This attack appear to be exploitable via Admin must visit logs page. This vulnerability appears to have been fixed in 3.2. |
|
39 |
CVE-2018-1000225 |
79 |
|
XSS |
2018-08-20 |
2018-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to be exploitable via "network connectivity". Sending unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api). |
|
40 |
CVE-2018-1000219 |
79 |
|
XSS |
2018-08-20 |
2018-10-12 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'scan' parameter in line #41 of interface/fax/fax_view.php that can result in The vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.. This attack appear to be exploitable via The victim must visit on a specially crafted URL.. |
|
41 |
CVE-2018-1000218 |
79 |
|
XSS |
2018-08-20 |
2018-10-12 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'file' parameter in line #43 of interface/fax/fax_view.php that can result in The vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.. This attack appear to be exploitable via The victim must visit on a specially crafted URL.. |
|
42 |
CVE-2018-1000202 |
79 |
|
XSS |
2018-06-05 |
2018-07-18 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
43 |
CVE-2018-1000177 |
79 |
|
XSS |
2018-05-08 |
2018-06-13 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions. |
|
44 |
CVE-2018-1000172 |
79 |
|
XSS |
2018-04-30 |
2018-06-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Imagely NextGEN Gallery version 2.2.30 and earlier contains a Cross Site Scripting (XSS) vulnerability in Image Alt & Title Text. This attack appears to be exploitable via a victim viewing the image in the administrator page. This vulnerability appears to have been fixed in 2.2.45. |
|
45 |
CVE-2018-1000170 |
79 |
|
XSS |
2018-04-16 |
2018-05-23 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
46 |
CVE-2018-1000163 |
79 |
|
XSS |
2018-04-18 |
2018-05-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Floodlight version 1.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in the web console that can result in javascript injections into the web page. This attack appears to be exploitable via the victim browsing the web console. |
|
47 |
CVE-2018-1000162 |
79 |
|
Exec Code XSS |
2018-04-18 |
2018-05-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) vulnerability in `setMarkupEscaped` for escaping HTML that can result in JavaScript code execution. This attack appears to be exploitable via specially crafted markdown that allows it to side step HTML escaping by breaking AST boundaries. This vulnerability appears to have been fixed in 1.7.0 and later. |
|
48 |
CVE-2018-1000160 |
79 |
|
XSS |
2018-04-18 |
2018-05-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
RisingStack protect version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in isXss() function in lib/rules/xss.js that can result in dangerous XSS strings being validated as safe. This attack appears to be exploitable via A number of XSS strings(26) detailed in the GitHub issue #16. |
|
49 |
CVE-2018-1000154 |
79 |
|
Exec Code XSS |
2018-04-05 |
2018-05-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Zammad GmbH Zammad version 2.3.0 and earlier contains a Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80) vulnerability in the subject of emails which are not html quoted in certain cases. This can result in the embedding and execution of java script code on users browser. This attack appear to be exploitable via the victim openning a ticket. This vulnerability appears to have been fixed in 2.3.1, 2.2.2 and 2.1.3. |
|
50 |
CVE-2018-1000144 |
79 |
|
XSS |
2018-04-05 |
2018-05-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users. |
