The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2018-18019 | XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-slides&method=save Slide[title], Slide[media_file], or Slide[image_url] parameter. | MEDIUM | Oct 6, 2018 |
| CVE-2020-12635 | XSS exists in the WebForms Pro M2 extension before 2.9.17 for Magento 2 via the textarea field. | MEDIUM | Jul 6, 2020 |
| CVE-2018-18460 | XSS exists in the wp-live-chat-support v8.0.15 plugin for WordPress via the modules/gdpr.php term parameter in a wp-admin/admin.php wplivechat-menu-gdpr-page request. | MEDIUM | Oct 18, 2018 |
| CVE-2018-18082 | XSS exists in Waimai Super Cms 20150505 via the fname parameter to the admin.php?m=Food&a=addsave or admin.php?m=Food&a=editsave URI. | MEDIUM | Oct 9, 2018 |
| CVE-2019-14427 | XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code. | MEDIUM | Aug 26, 2019 |
| CVE-2020-12670 | XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. | MEDIUM | Oct 16, 2020 |
| CVE-2018-17832 | XSS exists in WUZHI CMS 2.0 via the index.php v or f parameter. | MEDIUM | Oct 3, 2018 |
| CVE-2019-9107 | XSS exists in WUZHI CMS 4.1.0 via index.php?m=attachment&f=imagecut&v=init&imgurl=[XSS] to coreframe/app/attachment/imagecut.php. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9110 | XSS exists in WUZHI CMS 4.1.0 via index.php?m=content&f=postinfo&v=listing&set_iframe=[XSS] to coreframe/app/content/postinfo.php. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9108 | XSS exists in WUZHI CMS 4.1.0 via index.php?m=core&f=map&v=baidumap&x=[XSS]&y=[XSS] to coreframe/app/core/map.php. | MEDIUM | Mar 20, 2019 |
| CVE-2019-9109 | XSS exists in WUZHI CMS 4.1.0 via index.php?m=message&f=message&v=add&username=[XSS] to coreframe/app/message/message.php. | MEDIUM | Mar 20, 2019 |
| CVE-2019-7422 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/addMailSettings.jsp\" file in the gF parameter. | MEDIUM | Mar 25, 2019 |
| CVE-2019-7423 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/editProfile.jsp\" file in the userName parameter. | MEDIUM | Mar 25, 2019 |
| CVE-2019-7424 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/index.jsp\" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt, viewAll, view, or groupSelName. The latter is related to CVE-2009-3903. | MEDIUM | Mar 25, 2019 |
| CVE-2019-7427 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/linkdownalertConfig.jsp\" file in the autorefTime or graphTypes parameter. | MEDIUM | May 8, 2019 |
| CVE-2019-7426 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/linkdownalertConfig.jsp\" file in the groupDesc, groupName, groupID, or task parameter. | MEDIUM | May 8, 2019 |
| CVE-2019-7425 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/linkdownalertConfig.jsp\" file in the task parameter. | MEDIUM | Oct 30, 2019 |
| CVE-2018-17413 | XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin parameter. | MEDIUM | Mar 22, 2019 |
| CVE-2017-16765 | XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi. | MEDIUM | Nov 10, 2017 |
| CVE-2021-41317 | XSS Hunter Express before 2021-09-17 does not properly enforce authentication requirements for paths. | HIGH | Sep 17, 2021 |
| CVE-2022-30120 | XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting | MEDIUM | Jun 24, 2022 |
| CVE-2022-30119 | XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting. | MEDIUM | Jun 24, 2022 |
| CVE-2022-1504 | XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks. | MEDIUM | May 5, 2022 |
| CVE-2017-6562 | XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=file&targetObjId=fileFolder-2&targetObjIdChild=[XSS] attack. | MEDIUM | Mar 9, 2017 |
| CVE-2017-6560 | XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=misc&action=[XSS]&editObjId=[XSS] attack. | MEDIUM | Mar 9, 2017 |
| CVE-2017-6561 | XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=object&action=[XSS] attack. | MEDIUM | Mar 9, 2017 |
| CVE-2017-6559 | XSS in Agora-Project 3.2.2 exists with an index.php?disconnect=1&msgNotif[]=[XSS] attack. | MEDIUM | Mar 9, 2017 |
| CVE-2019-11408 | XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX. | MEDIUM | Jun 18, 2019 |
| CVE-2018-11223 | XSS in Artica Pandora FMS before 7.0 NG 723 allows an attacker to execute arbitrary code via a crafted refr parameter in a /pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr= call. | LOW | Jun 15, 2018 |
| CVE-2019-5422 | XSS in buttle npm package version 0.2.0 causes execution of attacker-provided code in the victim\'s browser when an attacker creates an arbitrary file on the server. | MEDIUM | Apr 4, 2019 |
| CVE-2022-28586 | XSS in edit page of Hoosk 1.8.0 allows attacker to execute javascript code in user browser via edit page with XSS payload bypass filter some special chars. | MEDIUM | Apr 25, 2022 |
| CVE-2022-1234 | XSS in livehelperchat in GitHub repository livehelperchat/livehelperchat prior to 3.97. This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device. | MEDIUM | Apr 6, 2022 |
| CVE-2015-0787 | XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote attackers to inject arbitrary HTML code via the accessMgrDN value of the forgotUser.do CGI. | Medium | Oct 28, 2016 |
| CVE-2016-1592 | XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote attackers to inject arbitrary HTML code via the nrfEntitlementReport.do CGI. | MEDIUM | Oct 28, 2016 |
| CVE-2016-1598 | XSS in NetIQ IDM 4.5 Identity Applications before 4.5.4 allows attackers able to change their username to inject arbitrary HTML code into the Role Assignment administrator HTML pages. | LOW | Oct 28, 2016 |
| CVE-2018-3755 | XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name. | MEDIUM | Jun 1, 2018 |
| CVE-2022-30519 | XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field. | -- | Dec 30, 2022 |
| CVE-2020-29205 | XSS in signup form in Project Worlds Online Examination System 1.0 allows remote attacker to inject arbitrary code via the name field | MEDIUM | May 17, 2021 |
| CVE-2012-1903 | XSS in Telligent Community 5.6.583.20496 via a flash file and related to the allowScriptAccess parameter. | LOW | Feb 13, 2020 |
| CVE-2020-35395 | XSS in the Add Expense Component of EGavilan Media Expense Management System 1.0 allows an attacker to permanently store malicious JavaScript code via the \'description\' field | MEDIUM | Dec 16, 2020 |
| CVE-2020-12685 | XSS in the admin help system admin/help.html and admin/quicklinks.html in Interchange 4.7.0 through 5.11.x allows remote attackers to steal credentials or data via browser JavaScript. | MEDIUM | May 15, 2020 |
| CVE-2021-31792 | XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field | LOW | May 3, 2021 |
| CVE-2019-14918 | XSS in the DHCP lease-status table in Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an attacker to inject arbitrary HTML/JavaScript code to achieve client-side code execution via crafted DHCP request packets to etc_ro/web/internet/dhcpcliinfo.asp. | LOW | Jan 9, 2020 |
| CVE-2018-19287 | XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. | MEDIUM | Nov 15, 2018 |
| CVE-2019-18893 | XSS in the Video Downloader component before 1.5 of Avast Secure Browser 77.1.1831.91 and AVG Secure Browser 77.0.1790.77 allows websites to execute their code in the context of this component. While Video Downloader is technically a browser extension, it is granted a very wide set of privileges and can for example access cookies and browsing history, spy on the user while they are surfing the web, and alter their surfing experience in almost arbitrary ways. | MEDIUM | Jan 13, 2020 |
| CVE-2016-8505 | XSS in Yandex Browser BookReader in Yandex browser for desktop for versions before 16.6. could be used by remote attacker for evaluation arbitrary javascript code. | MEDIUM | Oct 28, 2016 |
| CVE-2016-8506 | XSS in Yandex Browser Translator in Yandex browser for desktop for versions from 15.12 to 16.2 could be used by remote attacker for evaluation arbitrary javascript code. | MEDIUM | Oct 28, 2016 |
| CVE-2016-6615 | XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the Tracking feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. | MEDIUM | Dec 12, 2016 |
| CVE-2016-6608 | XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the Remove partitioning functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected. | MEDIUM | Dec 12, 2016 |
| CVE-2016-6607 | XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper; XML export; MediaWiki export; Designer; When the MySQL server is running with a specially-crafted log_bin directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | MEDIUM | Dec 12, 2016 |
