Total
37491 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-11200 | 1 Acquia | 1 Mautic | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Mautic 2.13.1. It has Stored XSS via the company name field. | ||||
| CVE-2018-11198 | 1 Acquia | 1 Mautic | 2024-11-21 | N/A |
| An issue was discovered in Mautic 2.13.1. There is Stored XSS via the authorUrl field in config.json. | ||||
| CVE-2018-11133 | 1 Quest | 1 Kace System Management Appliance | 2024-11-21 | N/A |
| The 'fmt' parameter of the '/common/run_cross_report.php' script in the the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. | ||||
| CVE-2018-11124 | 1 Opmantek | 1 Open-audit | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in Attributes functionality in Open-AudIT Community edition before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted attribute name of an Attribute. | ||||
| CVE-2018-11120 | 1 Ilias | 1 Ilias | 2024-11-21 | N/A |
| Services/COPage/classes/class.ilPCSourceCode.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS. | ||||
| CVE-2018-11118 | 1 Ilias | 1 Ilias | 2024-11-21 | N/A |
| The RSS subsystem in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a URI to Services/Feeds/classes/class.ilExternalFeedItem.php. | ||||
| CVE-2018-11117 | 1 Ilias | 1 Ilias | 2024-11-21 | N/A |
| Services/Feeds/classes/class.ilExternalFeedItem.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a link attribute. | ||||
| CVE-2018-11105 | 1 3cx | 1 Live Chat | 2024-11-21 | N/A |
| There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat whenever a malicious attacker would initiate a new chat with an administrator. NOTE: this issue exists because of an incomplete fix for CVE-2018-9864. | ||||
| CVE-2018-11101 | 1 Signal | 1 Signal-desktop | 2024-11-21 | N/A |
| Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply, a different vulnerability than CVE-2018-10994. The attacker needs to send HTML code directly as a message, and then reply to that message to trigger this vulnerability. The Signal-Desktop software fails to sanitize specific HTML elements that can be used to inject HTML code into remote chat windows when replying to an HTML message. Specifically the IMG and IFRAME elements can be used to include remote or local resources. For example, the use of an IFRAME element enables full code execution, allowing an attacker to download/upload files, information, etc. The SCRIPT element was also found to be injectable. On the Windows operating system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script on an SMB share within an IFRAME element, for example: <IFRAME src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it. The included JavaScript code is then executed automatically, without any interaction needed from the user. The vulnerability can be triggered in the Signal-Desktop client by sending a specially crafted message and then replying to it with any text or content in the reply (it doesn't matter). | ||||
| CVE-2018-11093 | 1 Ckeditor | 1 Ckeditor 5-link | 2024-11-21 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in the Link package for CKEditor 5 before 10.0.1 allows remote attackers to inject arbitrary web script through a crafted href attribute of a link (A) element. | ||||
| CVE-2018-11090 | 1 Mybiz | 1 Myprocurenet | 2024-11-21 | N/A |
| An XSS issue was discovered in MyBiz MyProcureNet 5.0.0. This vulnerability within "ProxyPage.aspx" allows an attacker to inject malicious client side scripting which will be executed in the browser of users if they visit the manipulated site. | ||||
| CVE-2018-11075 | 2 Emc, Rsa | 2 Rsa Authentication Manager, Authentication Manager | 2024-11-21 | N/A |
| RSA Authentication Manager versions prior to 8.3 P3 contain a reflected cross-site scripting vulnerability in a Security Console page. A remote, unauthenticated malicious user, with the knowledge of a target user's anti-CSRF token, could potentially exploit this vulnerability by tricking a victim Security Console user to supply malicious HTML or JavaScript code to the vulnerable web application, which code is then executed by the victim's web browser in the context of the vulnerable web application. | ||||
| CVE-2018-11074 | 2 Emc, Rsa | 2 Rsa Authentication Manager, Authentication Manager | 2024-11-21 | N/A |
| RSA Authentication Manager versions prior to 8.3 P3 are affected by a DOM-based cross-site scripting vulnerability which exists in its embedded MadCap Flare Help files. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the browser DOM, which code is then executed by the web browser in the context of the vulnerable web application. | ||||
| CVE-2018-11073 | 2 Emc, Rsa | 2 Rsa Authentication Manager, Authentication Manager | 2024-11-21 | N/A |
| RSA Authentication Manager versions prior to 8.3 P3 contain a stored cross-site scripting vulnerability in the Operations Console. A malicious Operations Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser. | ||||
| CVE-2018-11059 | 1 Rsa | 1 Archer | 2024-11-21 | N/A |
| RSA Archer, versions prior to 6.4.0.1, contain a stored cross-site scripting vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. | ||||
| CVE-2018-11040 | 3 Debian, Oracle, Vmware | 28 Debian Linux, Agile Product Lifecycle Management, Application Testing Suite and 25 more | 2024-11-21 | 7.5 High |
| Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. | ||||
| CVE-2018-11027 | 1 Ruckussecurity | 2 Icx7450-48, Icx7450-48 Firmware | 2024-11-21 | N/A |
| A reflected XSS vulnerability on Ruckus ICX7450-48 devices allows remote attackers to inject arbitrary web script or HTML. | ||||
| CVE-2018-11012 | 1 Halo | 1 Halo | 2024-11-21 | N/A |
| ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java. | ||||
| CVE-2018-11011 | 1 Halo | 1 Halo | 2024-11-21 | N/A |
| ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to FrontCommentController.java. | ||||
| CVE-2018-10994 | 1 Signal | 1 Signal-desktop | 2024-11-21 | N/A |
| js/views/message_view.js in Open Whisper Signal (aka Signal-Desktop) before 1.10.1 allows XSS via a URL. | ||||