Total
36961 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11207 | 1 Tibco | 42 Loglogic Enterprise Virtual Appliance, Loglogic Log Management Intelligence, Loglogic Lx1025 and 39 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enterprise Virtual Appliance, and TIBCO LogLogic Log Management Intelligence contains multiple vulnerabilities that theoretically allow persistent and reflected cross-site scripting (XSS) attacks, as well as cross-site request forgery (CSRF) attacks. This issue affects: TIBCO Software Inc. TIBCO LogLogic Enterprise Virtual Appliance version 6.2.1 and prior versions. TIBCO Software Inc. TIBCO LogLogic Log Management Intelligence 6.2.1. TIBCO LogLogic LX825 Appliance 0.0.004, TIBCO LogLogic LX1025 Appliance 0.0.004, TIBCO LogLogic LX4025 Appliance 0.0.004, TIBCO LogLogic MX3025 Appliance 0.0.004, TIBCO LogLogic MX4025 Appliance 0.0.004, TIBCO LogLogic ST1025 Appliance 0.0.004, TIBCO LogLogic ST2025-SAN Appliance 0.0.004, and TIBCO LogLogic ST4025 Appliance 0.0.004 using TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below. TIBCO LogLogic LX1035 Appliance 0.0.005, TIBCO LogLogic LX1025R1 Appliance 0.0.004, TIBCO LogLogic LX1025R2 Appliance 0.0.004, TIBCO LogLogic LX4025R1 Appliance 0.0.004, TIBCO LogLogic LX4025R2 Appliance 0.0.004, TIBCO LogLogic LX4035 Appliance 0.0.005, TIBCO LogLogic ST2025-SANR1 Appliance 0.0.004, TIBCO LogLogic ST2025-SANR2 Appliance 0.0.004, TIBCO LogLogic ST2035-SAN Appliance 0.0.005, TIBCO LogLogic ST4025R1 Appliance 0.0.004, TIBCO LogLogic ST4025R2 Appliance 0.0.004, and TIBCO LogLogic ST4035 Appliance 0.0.005 using TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below. | |||||
| CVE-2019-11205 | 1 Tibco | 2 Spotfire Analytics Platform For Aws, Spotfire Server | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
| The web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains vulnerabilities that theoretically allow reflected cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: 7.14.0; 7.14.1; 10.0.0; 10.0.1; 10.1.0; 10.2.0, and TIBCO Spotfire Server: 7.14.0; 10.0.0; 10.0.1; 10.1.0; 10.2.0. | |||||
| CVE-2019-11203 | 1 Tibco | 2 Activematrix Business Process Management, Silver Fabric Enabler | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The workspace client, openspace client, app development client, and REST API of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contain cross site scripting (XSS) and cross-site request forgery vulnerabilities. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1. | |||||
| CVE-2019-11199 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and would display the content within the uploaded file with a user-requested MIME type. | |||||
| CVE-2019-11198 | 1 Sitecore | 1 Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. | |||||
| CVE-2019-11193 | 1 Infinitumit | 1 Directadmin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel. | |||||
| CVE-2019-11132 | 1 Intel | 1 Active Management Technology Firmware | 2024-11-21 | 6.8 MEDIUM | 8.4 HIGH |
| Cross site scripting in subsystem in Intel(R) AMT before versions 11.8.70, 11.11.70, 11.22.70 and 12.0.45 may allow a privileged user to potentially enable escalation of privilege via network access. | |||||
| CVE-2019-11084 | 1 Gbraad | 1 Gauth | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| GAuth 0.9.9 beta has stored XSS that shows a popup repeatedly and discloses cookies. | |||||
| CVE-2019-11033 | 1 Applaudsolutions | 1 Applaud Hcm | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Applaud HCM 4.0.42+ uses HTML tag fields for HTML inputs in a form. This leads to an XSS vulnerability with a payload starting with the <iframe./> substring. | |||||
| CVE-2019-11032 | 1 Hr-technologies | 1 Easytorecruit | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In EasyToRecruit (E2R) before 2.11, the upload feature and the Candidate Profile Management feature are prone to Cross Site Scripting (XSS) injection in multiple locations. | |||||
| CVE-2019-11025 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. | |||||
| CVE-2019-11017 | 1 Dlink | 2 Di-524, Di-524 Firmware | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vulnerabilities were found in the Web Configuration: /spap.htm, /smap.htm, and /cgi-bin/smap, as demonstrated by the cgi-bin/smap RC parameter. | |||||
| CVE-2019-11004 | 1 Materializecss | 1 Materialize | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Materialize through 1.0.0, XSS is possible via the Toast feature. | |||||
| CVE-2019-11003 | 1 Materializecss | 1 Materialize | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Materialize through 1.0.0, XSS is possible via the Autocomplete feature. | |||||
| CVE-2019-11002 | 1 Materializecss | 1 Materialize | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Materialize through 1.0.0, XSS is possible via the Tooltip feature. | |||||
| CVE-2019-10957 | 1 Geutebrueck | 22 G-cam Ebc-2110, G-cam Ebc-2110 Firmware, G-cam Ebc-2111 and 19 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to event configuration to store malicious code on the server, which could later be triggered by a legitimate user resulting in code execution within the user’s browser. | |||||
| CVE-2019-10933 | 1 Siemens | 4 Spectrum Power 3, Spectrum Power 4, Spectrum Power 5 and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions < v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user does not need to be logged into the web interface in order for the exploitation to succeed.At the stage of publishing this security advisory no public exploitation is known. | |||||
| CVE-2019-10913 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation. | |||||
| CVE-2019-10909 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. | |||||
| CVE-2019-10905 | 1 Parsedown | 1 Parsedown | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring. | |||||