Total: 36968 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-14338 | 1 Dlink | 4 6600-ap, 6600-ap Firmware, Dwl-3600ap and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authentication admin.cgi?action= XSS vulnerability on the management interface.
CVE-2019-14331 | 1 Espocrm | 1 Espocrm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code.
CVE-2019-14330 | 1 Espocrm | 1 Espocrm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create Case. A malicious attacker can modify the firstName and lastName to contain JavaScript code.
CVE-2019-14329 | 1 Espocrm | 1 Espocrm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in EspoCRM before 5.6.6. There is stored XSS due to lack of filtration of user-supplied data in Create Task. A malicious attacker can modify the parameter name to contain JavaScript code.
CVE-2019-14315 | 1 Sunhater | 1 Kcfinder | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in upload.php in SunHater KCFinder 3.20-test1, 3.20-test2, 3.12, and earlier allows remote attackers to inject arbitrary web script or HTML via the CKEditorFuncNum parameter.
CVE-2019-14298 | 1 Veeam | 1 One Reporter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Veeam ONE Reporter 9.5.0.3201 allows XSS via a crafted Description(config) field to addDashboard or editDashboard in CommonDataHandlerReadOnly.ashx.
CVE-2019-14297 | 1 Veeam | 1 One Reporter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Veeam ONE Reporter 9.5.0.3201 allows XSS via the Add/Edit Widget with a crafted Caption field to setDashboardWidget in CommonDataHandlerReadOnly.ashx.
CVE-2019-14286 | 1 Misp | 1 Misp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability.
CVE-2019-14272 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.
CVE-2019-14228 | 1 Angry-frog | 1 Xavier | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Xavier PHP Management Panel 3.0 is vulnerable to Reflected POST-based XSS via the username parameter when registering a new user at admin/includes/adminprocess.php. If there is an error when registering the user, the unsanitized username will reflect via the error page. Due to the lack of CSRF protection on the admin/includes/adminprocess.php endpoint, an attacker is able to chain the XSS with CSRF in order to cause remote exploitation.
CVE-2019-14227 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | OX App Suite 7.10.1 and 7.10.2 allows XSS.
CVE-2019-14221 | 1 1crm | 1 1crm On-premise | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | 1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishandled during a Run Report operation.
CVE-2019-13977 | 1 Ovidentia | 1 Ovidentia | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | index.php in Ovidentia 8.4.3 has XSS via tg=groups, tg=maildoms&idx=create&userid=0&bgrp=y, tg=delegat, tg=site&idx=create, tg=site&item=4, tg=admdir&idx=mdb&id=1, tg=notes&idx=Create, tg=admfaqs&idx=Add, or tg=admoc&idx=addoc&item=.
CVE-2019-13975 | 1 Egain | 1 Chat | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | eGain Chat 15.0.3 allows HTML Injection.
CVE-2019-13972 | 1 Layerbb | 1 Layerbb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | LayerBB 1.1.3 allows XSS via the application/commands/new.php pm_title variable, a related issue to CVE-2019-17997.
CVE-2019-13971 | 1 Otcms | 1 Otcms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | OTCMS 3.81 allows XSS via the mode parameter in an apiRun.php?mudi=autoRun request.
CVE-2019-13970 | 1 Antsword Project | 1 Antsword | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In antSword before 2.1.0, self-XSS in the database configuration leads to code execution via modules/database/asp/index.js, modules/database/custom/index.js, modules/database/index.js, or modules/database/php/index.js.
CVE-2019-13966 | 1 Combodo | 1 Itop | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
CVE-2019-13965 | 1 Combodo | 1 Itop | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0). The Reflective XSS can also become a stored XSS within the same account because of another vulnerability.
CVE-2019-13950 | 1 Syguestbook A5 Project | 1 Syguestbook A5 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | index.php?c=admin&a=index in SyGuestBook A5 Version 1.2 has stored XSS via a reply to a comment.