Total
36961 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-9328 | 1 Redbus Clone Script Project | 1 Redbus Clone Script | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall Redbus Clone Script 3.0.6 has XSS via the ter_from or tag parameter to results.php. | |||||
| CVE-2018-9307 | 1 Dsmall Project | 1 Dsmall | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| dsmall v20180320 allows XSS via the pdr_sn parameter to public/index.php/home/predeposit/index.html. | |||||
| CVE-2018-9283 | 1 Cremecrm | 1 Cremecrm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue was discovered in CremeCRM 1.6.12. It is affected by 10 stored Cross-Site Scripting (XSS) vulnerabilities in the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters in the contact creation and modification page. The payload is stored within the application database and allows the execution of JavaScript code each time a client visit an infected page. | |||||
| CVE-2018-9282 | 1 Subsonic | 1 Subsonic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Subsonic Media Server 6.1.1. The podcast subscription form is affected by a stored XSS vulnerability in the add parameter to podcastReceiverAdmin.view; no administrator access is required. By injecting a JavaScript payload, this flaw could be used to manipulate a user's session, or elevate privileges by targeting an administrative user. | |||||
| CVE-2018-9281 | 1 Eaton | 2 9px Ups, 9px Ups Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administration panel is vulnerable to a CSRF attack on the change-password functionality. This vulnerability could be used to force a logged-in administrator to perform a silent password update. The affected forms are also vulnerable to Reflected Cross-Site Scripting vulnerabilities. This flaw could be triggered by driving an administrator logged into the Eaton application to a specially crafted web page. This attack could be done silently. | |||||
| CVE-2018-9244 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| GitLab Community and Enterprise Editions version 9.2 up to 10.4 are vulnerable to XSS because a lack of input validation in the milestones component leads to cross site scripting (specifically, data-milestone-id in the milestone dropdown feature). This is fixed in 10.6.3, 10.5.7, and 10.4.7. | |||||
| CVE-2018-9243 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7. | |||||
| CVE-2018-9238 | 1 Yahei | 1 Yahei Php Prober | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter. | |||||
| CVE-2018-9237 | 1 Iscripts | 1 Easycreate | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site Description" field. | |||||
| CVE-2018-9236 | 1 Iscripts | 1 Easycreate | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site title" field. | |||||
| CVE-2018-9235 | 1 Iscripts | 1 Sonicbb | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query parameter to search.php. | |||||
| CVE-2018-9186 | 1 Fortinet | 1 Fortiauthenticator | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header. | |||||
| CVE-2018-9183 | 1 Joomsky | 1 Js Jobs | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Joom Sky JS Jobs extension before 1.2.1 for Joomla! has XSS. | |||||
| CVE-2018-9182 | 1 Lynxtechnology | 1 Twonky Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Twonky Server before 8.5.1 has XSS via a modified "language" parameter in the Language section. | |||||
| CVE-2018-9177 | 1 Lynxtechnology | 1 Twonky Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Twonky Server before 8.5.1 has XSS via a folder name on the Shared Folders screen. | |||||
| CVE-2018-9173 | 1 Get-simple | 1 Getsimple Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter. | |||||
| CVE-2018-9172 | 1 Iptanus | 1 Wordpress File Upload | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes. | |||||
| CVE-2018-9169 | 1 Zblogcn | 1 Z-blogphp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit.php app_id parameter. The component must be accessed directly by an administrator, or through CSRF. | |||||
| CVE-2018-9163 | 1 Zohocorp | 1 Manageengine Recovery Manager Plus | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do. | |||||
| CVE-2018-9155 | 1 Open-audit | 1 Open-audit | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Open-AudIT Professional 2.1.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the Admin->Logs section (with a logs?logs.type= URI) and the Manage->Attributes section (via the "Name (display)" field to the attributes/create URI). | |||||