| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2017-1002017 | 79 | | XSS | 2017-09-14 | 2017-09-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Vulnerability in WordPress plugin gift-certificate-creator v1.0: the code in gc-list.php doesn't sanitize user input to prevent a stored XSS vulnerability. |
| 2 | CVE-2017-1002011 | 79 | | XSS | 2017-09-14 | 2017-09-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Vulnerability in WordPress plugin image-gallery-with-slideshow v1.5.2: there is a stored XSS vulnerability via $value->gallery_name and $value->gallery_description, where anyone with privileges to modify or add galleries/images can inject JavaScript into the database. |
| 3 | CVE-2017-1001001 | 79 | | XSS | 2017-11-01 | 2017-11-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | PluXml version 5.6 is vulnerable to a stored cross-site scripting vulnerability within the article creation page, which can result in escalation of privileges. |
| 4 | CVE-2017-1000240 | 79 | | XSS | 2017-11-17 | 2017-11-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML. |
| 5 | CVE-2017-1000239 | 79 | | XSS | 2017-11-17 | 2017-11-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | InvoicePlane version 1.4.10 is vulnerable to a stored cross-site scripting vulnerability allowing an authenticated user to inject malicious client-side script which will be executed in the browser of users if they visit the manipulated site. |
| 6 | CVE-2017-1000236 | 79 | | XSS | 2017-11-17 | 2017-11-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | I, Librarian version <=4.6 & 4.7 is vulnerable to reflected cross-site scripting in temp.php, resulting in an attacker being able to inject malicious client-side scripting which will be executed in the browser of users if they visit the manipulated site. |
| 7 | CVE-2017-1000227 | 79 | | XSS | 2017-11-17 | 2019-08-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Stored XSS in Salutation Responsive WordPress + BuddyPress Theme version 3.0.15 could allow logged-in users to do almost anything an admin can. |
| 8 | CVE-2017-1000225 | 79 | | XSS | 2017-11-17 | 2017-12-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Reflected XSS in Relevanssi Premium version 1.14.8 when using relevanssi_didyoumean() could allow an unauthenticated attacker to do almost anything an admin can. |
| 9 | CVE-2017-1000223 | 79 | | XSS | 2017-11-17 | 2017-12-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored web content injection vulnerability (WCI, a.k.a. XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS. |
| 10 | CVE-2017-1000213 | 79 | | XSS | 2017-11-17 | 2017-11-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST parameter in /admin/admintools/tool.php?tool=user_search. |
| 11 | CVE-2017-1000193 | 79 | | Exec Code XSS | 2017-11-17 | 2020-08-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | October CMS build 412 is vulnerable to stored WCI (a.k.a. XSS) in the brand logo image name, resulting in JavaScript code execution in the victim's browser. |
| 12 | CVE-2017-1000188 | 79 | | XSS | 2017-11-17 | 2017-11-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | nodejs ejs versions older than 2.5.5 are vulnerable to cross-site scripting in ejs.renderFile(), resulting in code injection. |
| 13 | CVE-2017-1000164 | 79 | | Exec Code XSS | 2017-11-17 | 2017-11-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Tine 2.0 version 2017.02.4 is vulnerable to XSS in the Addressbook, resulting in code execution and privilege escalation. |
| 14 | CVE-2017-1000160 | 79 | | XSS | 2017-11-17 | 2020-07-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection. |
| 15 | CVE-2017-1000149 | 79 | | XSS | 2017-11-03 | 2017-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Mahara 1.10 before 1.10.9, 15.04 before 15.04.6 and 15.10 before 15.10.2 are vulnerable to XSS due to window.opener (target="_blank" and window.open()). |
| 16 | CVE-2017-1000146 | 79 | | XSS | 2017-11-03 | 2017-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Mahara 1.9 before 1.9.7, 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to the arbitrary execution of JavaScript in the browser of a logged-in user because the title of the portfolio page was not being properly escaped in the AJAX script that updates the Add/remove watchlist link on artefact detail pages. |
| 17 | CVE-2017-1000144 | 79 | | XSS | 2017-11-03 | 2017-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Mahara 1.9 before 1.9.6, 1.10 before 1.10.4 and 15.04 before 15.04.1 are vulnerable to a site admin or institution admin being able to place HTML and JavaScript into an institution display name, which will be displayed to other users unescaped on some Mahara system pages. |
| 18 | CVE-2017-1000140 | 79 | | Exec Code XSS | 2017-11-03 | 2017-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Mahara 1.8 before 1.8.7, 1.9 before 1.9.5, 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .xml file that can have its code executed when a user tries to download the file. |
| 19 | CVE-2017-1000138 | 79 | | XSS | 2017-11-03 | 2017-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross-site scripting when dragging/dropping files into a collection if the file has JavaScript code in its title. |
| 20 | CVE-2017-1000137 | 79 | | XSS | 2017-11-03 | 2017-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross-site scripting when adding a text block to a page via the keyboard (rather than drag and drop). |
| 21 | CVE-2017-1000132 | 79 | | Exec Code XSS | 2017-11-03 | 2017-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Mahara 1.8 before 1.8.7, 1.9 before 1.9.5, 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to maliciously created .swf files that can have their code executed when a user tries to download the file. |
| 22 | CVE-2017-1000114 | 200 | | XSS +Info | 2017-10-05 | 2017-10-17 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key, for example through browser extensions or cross-site scripting vulnerabilities. The Datadog Plugin now encrypts the API key transmitted to administrators viewing the global configuration form. |
| 23 | CVE-2017-1000109 | 79 | | XSS | 2017-10-05 | 2017-10-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The custom Details view of the Static Analysis Utilities based OWASP Dependency-Check Plugin was vulnerable to a persisted cross-site scripting vulnerability: malicious users able to influence the input to this plugin could insert arbitrary HTML into this view. |
| 24 | CVE-2017-1000103 | 79 | | XSS | 2017-10-05 | 2017-11-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The custom Details view of the Static Analysis Utilities based DRY Plugin was vulnerable to a persisted cross-site scripting vulnerability: malicious users able to influence the input to this plugin could insert arbitrary HTML into this view. |
| 25 | CVE-2017-1000102 | 79 | | XSS | 2017-10-05 | 2017-11-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Details view of some Static Analysis Utilities based plugins was vulnerable to a persisted cross-site scripting vulnerability: malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings Plugin), could insert arbitrary HTML into this view. |
| 26 | CVE-2017-1000088 | 79 | | XSS | 2017-10-05 | 2017-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links. |
| 27 | CVE-2017-1000078 | 79 | | XSS | 2017-07-17 | 2020-12-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Linux Foundation ONOS 1.9 is vulnerable to XSS in the device registration. |
| 28 | CVE-2017-1000065 | 79 | | XSS | 2017-07-17 | 2017-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in rpc.php in OpenMediaVault release 2.1 in the Access Rights Management (Users) functionality allow attackers to inject arbitrary web scripts and execute malicious scripts within an authenticated client's browser. |
| 29 | CVE-2017-1000063 | 79 | | XSS | 2017-07-17 | 2017-07-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 page, resulting in information disclosure. |
| 30 | CVE-2017-1000059 | 79 | | Exec Code XSS | 2017-07-17 | 2017-07-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Live Helper Chat version 2.06v and older is vulnerable to cross-site scripting in the HTTP header handling, resulting in the execution of any user-provided JavaScript code in the session of other users. |
| 31 | CVE-2017-1000058 | 79 | | XSS | 2017-07-17 | 2017-10-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Stored XSS vulnerabilities in Chevereto CMS before version 3.8.11, one in the user profile and one in the Exif data parser. |
| 32 | CVE-2017-1000057 | 79 | | XSS | 2017-07-17 | 2017-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A reflected cross-site scripting vulnerability in GetSimple CMS version 3.3.13 and earlier allows remote attackers to inject arbitrary JavaScript in the URL field for the administrative login page (/admin/index.php). |
| 33 | CVE-2017-1000054 | 79 | | XSS | 2017-07-17 | 2017-07-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdown link parsing code for messages. |
| 34 | CVE-2017-1000051 | 79 | | XSS | 2017-07-17 | 2017-07-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in pad export in XWiki Labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content. |
| 35 | CVE-2017-1000049 | 79 | | XSS | 2017-07-17 | 2017-07-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Roundcube Webmail 1.1.5 is vulnerable to persistent XSS. |
| 36 | CVE-2017-1000043 | 79 | | XSS | 2017-07-17 | 2019-10-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site scripting attack in certain uncommon usage scenarios via TileJSON name and map share control. |
| 37 | CVE-2017-1000042 | 79 | | XSS | 2017-07-17 | 2017-07-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site scripting attack in certain uncommon usage scenarios via TileJSON name. |
| 38 | CVE-2017-1000038 | 79 | | XSS | 2017-07-17 | 2017-07-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XSS, resulting in an attacker being able to execute JavaScript on the affected site. |
| 39 | CVE-2017-1000036 | 79 | | Exec Code XSS | 2017-07-17 | 2017-07-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | All versions of Candy Chat are vulnerable to an XSS attack by message senders, permitting remote code execution within the page. |
| 40 | CVE-2017-1000035 | 79 | | XSS | 2017-07-17 | 2017-10-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Tiny Tiny RSS before 829d478f is vulnerable to an XSS window.opener attack. |
| 41 | CVE-2017-1000033 | 79 | | Exec Code XSS | 2017-07-17 | 2017-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress plugin Vospari Forms version < 1.4 is vulnerable to reflected cross-site scripting in the form submission, resulting in JavaScript code execution in the context of the current user. |
| 42 | CVE-2017-1000032 | 79 | | XSS | 2017-07-17 | 2017-07-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and the drp_action parameter to data_sources.php. |
| 43 | CVE-2017-1000023 | 79 | | XSS | 2017-07-17 | 2019-03-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XSS when using preview on an HTML document. |
| 44 | CVE-2017-1000015 | 79 | | XSS | 2017-07-17 | 2019-03-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters. |
| 45 | CVE-2017-1000012 | 79 | | XSS | 2017-07-17 | 2017-08-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying the data in the database to the user. |
| 46 | CVE-2017-1000011 | 79 | | XSS | 2017-07-17 | 2017-07-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | MyWebSQL version 3.6 is vulnerable to stored XSS in the database manager component, resulting in account takeover or stealing of information. |
| 47 | CVE-2017-1000006 | 79 | | XSS | 2017-07-17 | 2017-07-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an XSS issue. |
| 48 | CVE-2017-1000005 | 79 | | XSS | 2017-07-17 | 2017-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the names of databases, tables and columns, resulting in potential account takeover and scraping of data (stealing data). |
| 49 | CVE-2017-18004 | 79 | | XSS | 2017-12-31 | 2018-01-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps/default/mapAndPoint. |
| 50 | CVE-2017-17995 | 79 | | XSS | 2017-12-30 | 2018-01-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request. |