The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-7422 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/addMailSettings.jsp\" file in the gF parameter. | MEDIUM | Mar 25, 2019 | n/a |
| CVE-2019-7423 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/editProfile.jsp\" file in the userName parameter. | MEDIUM | Mar 25, 2019 | n/a |
| CVE-2019-7424 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/index.jsp\" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt, viewAll, view, or groupSelName. The latter is related to CVE-2009-3903. | MEDIUM | Mar 25, 2019 | n/a |
| CVE-2019-7427 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/linkdownalertConfig.jsp\" file in the autorefTime or graphTypes parameter. | MEDIUM | May 8, 2019 | n/a |
| CVE-2019-7426 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/linkdownalertConfig.jsp\" file in the groupDesc, groupName, groupID, or task parameter. | MEDIUM | May 8, 2019 | n/a |
| CVE-2019-7425 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone \"/netflow/jspui/linkdownalertConfig.jsp\" file in the task parameter. | MEDIUM | Oct 30, 2019 | n/a |
| CVE-2018-17413 | XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin parameter. | MEDIUM | Mar 22, 2019 | n/a |
| CVE-2017-16765 | XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi. | MEDIUM | Nov 10, 2017 | n/a |
| CVE-2021-41317 | XSS Hunter Express before 2021-09-17 does not properly enforce authentication requirements for paths. | HIGH | Sep 17, 2021 | n/a |
| CVE-2022-30120 | XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting | MEDIUM | Jun 24, 2022 | n/a |
| CVE-2022-30119 | XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting. | MEDIUM | Jun 24, 2022 | n/a |
| CVE-2022-1504 | XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks. | MEDIUM | May 5, 2022 | n/a |
| CVE-2017-6562 | XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=file&targetObjId=fileFolder-2&targetObjIdChild=[XSS] attack. | MEDIUM | Mar 9, 2017 | n/a |
| CVE-2017-6560 | XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=misc&action=[XSS]&editObjId=[XSS] attack. | MEDIUM | Mar 9, 2017 | n/a |
| CVE-2017-6561 | XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=object&action=[XSS] attack. | MEDIUM | Mar 9, 2017 | n/a |
| CVE-2017-6559 | XSS in Agora-Project 3.2.2 exists with an index.php?disconnect=1&msgNotif[]=[XSS] attack. | MEDIUM | Mar 9, 2017 | n/a |
| CVE-2019-11408 | XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX. | MEDIUM | Jun 18, 2019 | n/a |
| CVE-2018-11223 | XSS in Artica Pandora FMS before 7.0 NG 723 allows an attacker to execute arbitrary code via a crafted refr parameter in a /pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr= call. | LOW | Jun 15, 2018 | n/a |
| CVE-2019-5422 | XSS in buttle npm package version 0.2.0 causes execution of attacker-provided code in the victim\'s browser when an attacker creates an arbitrary file on the server. | MEDIUM | Apr 4, 2019 | n/a |
| CVE-2022-28586 | XSS in edit page of Hoosk 1.8.0 allows attacker to execute javascript code in user browser via edit page with XSS payload bypass filter some special chars. | MEDIUM | Apr 25, 2022 | n/a |
| CVE-2022-1234 | XSS in livehelperchat in GitHub repository livehelperchat/livehelperchat prior to 3.97. This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device. | MEDIUM | Apr 6, 2022 | n/a |
| CVE-2015-0787 | XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote attackers to inject arbitrary HTML code via the accessMgrDN value of the forgotUser.do CGI. | Medium | Oct 28, 2016 | n/a |
| CVE-2016-1592 | XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote attackers to inject arbitrary HTML code via the nrfEntitlementReport.do CGI. | MEDIUM | Oct 28, 2016 | n/a |
| CVE-2016-1598 | XSS in NetIQ IDM 4.5 Identity Applications before 4.5.4 allows attackers able to change their username to inject arbitrary HTML code into the Role Assignment administrator HTML pages. | LOW | Oct 28, 2016 | n/a |
| CVE-2018-3755 | XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name. | MEDIUM | Jun 1, 2018 | n/a |
| CVE-2022-30519 | XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field. | -- | Dec 30, 2022 | n/a |
| CVE-2020-29205 | XSS in signup form in Project Worlds Online Examination System 1.0 allows remote attacker to inject arbitrary code via the name field | MEDIUM | May 17, 2021 | n/a |
| CVE-2012-1903 | XSS in Telligent Community 5.6.583.20496 via a flash file and related to the allowScriptAccess parameter. | LOW | Feb 13, 2020 | n/a |
| CVE-2020-35395 | XSS in the Add Expense Component of EGavilan Media Expense Management System 1.0 allows an attacker to permanently store malicious JavaScript code via the \'description\' field | MEDIUM | Dec 16, 2020 | n/a |
| CVE-2020-12685 | XSS in the admin help system admin/help.html and admin/quicklinks.html in Interchange 4.7.0 through 5.11.x allows remote attackers to steal credentials or data via browser JavaScript. | MEDIUM | May 15, 2020 | n/a |
| CVE-2021-31792 | XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field | LOW | May 3, 2021 | n/a |
| CVE-2019-14918 | XSS in the DHCP lease-status table in Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an attacker to inject arbitrary HTML/JavaScript code to achieve client-side code execution via crafted DHCP request packets to etc_ro/web/internet/dhcpcliinfo.asp. | LOW | Jan 9, 2020 | n/a |
| CVE-2018-19287 | XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. | MEDIUM | Nov 15, 2018 | n/a |
| CVE-2019-18893 | XSS in the Video Downloader component before 1.5 of Avast Secure Browser 77.1.1831.91 and AVG Secure Browser 77.0.1790.77 allows websites to execute their code in the context of this component. While Video Downloader is technically a browser extension, it is granted a very wide set of privileges and can for example access cookies and browsing history, spy on the user while they are surfing the web, and alter their surfing experience in almost arbitrary ways. | MEDIUM | Jan 13, 2020 | n/a |
| CVE-2016-8505 | XSS in Yandex Browser BookReader in Yandex browser for desktop for versions before 16.6. could be used by remote attacker for evaluation arbitrary javascript code. | MEDIUM | Oct 28, 2016 | n/a |
| CVE-2016-8506 | XSS in Yandex Browser Translator in Yandex browser for desktop for versions from 15.12 to 16.2 could be used by remote attacker for evaluation arbitrary javascript code. | MEDIUM | Oct 28, 2016 | n/a |
| CVE-2016-6615 | XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the Tracking feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. | MEDIUM | Dec 12, 2016 | n/a |
| CVE-2016-6608 | XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the Remove partitioning functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected. | MEDIUM | Dec 12, 2016 | n/a |
| CVE-2016-6607 | XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper; XML export; MediaWiki export; Designer; When the MySQL server is running with a specially-crafted log_bin directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | MEDIUM | Dec 12, 2016 | n/a |
| CVE-2022-0929 | XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11. | MEDIUM | Mar 14, 2022 | n/a |
| CVE-2020-24104 | XSS on the PIX-Link Repeater/Router LV-WR07 with firmware v28K.Router.20170904 allows attackers to steal credentials without being connected to the network. The attack vector is a crafted ESSID, as demonstrated by the wireless.htm SET2 parameter. | MEDIUM | Aug 30, 2020 | n/a |
| CVE-2019-11877 | XSS on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRouter.20180616 allows attackers to steal credentials without being connected to the network. The attack vector is a crafted ESSID. | MEDIUM | Jun 11, 2019 | n/a |
| CVE-2022-1231 | XSS via Embedded SVG in SVG Diagram Format in GitHub repository plantuml/plantuml prior to 1.2022.4. Stored XSS in the context of the diagram embedder. Depending on the actual context, this ranges from stealing secrets to account hijacking or even to code execution for example in desktop applications. Web based applications are the ones most affected. Since the SVG format allows clickable links in diagrams, it is commonly used in plugins for web based projects (like the Confluence plugin, etc. see https://plantuml.com/de/running). | MEDIUM | Apr 15, 2022 | n/a |
| CVE-2017-8839 | XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi. | MEDIUM | Jun 5, 2017 | n/a |
| CVE-2017-8838 | XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is cgi-bin/HASync/hasync.cgi. | MEDIUM | Jun 5, 2017 | n/a |
| CVE-2018-6081 | XSS vulnerabilities in Interstitials in Google Chrome prior to 65.0.3325.146 allowed an attacker who convinced a user to install a malicious extension or open Developer Console to inject arbitrary scripts or HTML via a crafted HTML page. | MEDIUM | Nov 14, 2018 | n/a |
| CVE-2023-21516 | XSS vulnerability from InstantPlay in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store. | -- | May 28, 2023 | n/a |
| CVE-2024-21727 | XSS vulnerability in DP Calendar component for Joomla. | -- | Feb 15, 2024 | n/a |
| CVE-2024-0314 | XSS vulnerability in FireEye Central Management affecting version 9.1.1.956704, which could allow an attacker to modify special HTML elements in the application and cause a reflected XSS, leading to a session hijacking. | -- | Jan 16, 2024 | n/a |
| CVE-2018-6528 | XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php in D-Link DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to read a cookie via a crafted receiver parameter to soap.cgi. | MEDIUM | Mar 6, 2018 | n/a |
