The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2017-9556 | Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter. | Low | Aug 17, 2017 | n/a |
CVE-2014-9469 | Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3. | Medium | Sep 1, 2017 | n/a |
CVE-2012-6667 | Cross-site scripting (XSS) vulnerability in vbshout.php in DragonByte Technologies vBShout module for vBulletin allows remote attackers to inject arbitrary web script or HTML via the shout parameter in a shout action. | MEDIUM | Jan 11, 2018 | n/a |
CVE-2016-7981 | Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action. | MEDIUM | Jan 23, 2017 | n/a |
CVE-2017-16767 | Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter. | LOW | Feb 27, 2018 | n/a |
CVE-2017-16768 | Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter. | LOW | Dec 27, 2017 | n/a |
CVE-2017-15279 | Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the page name (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs. | LOW | Oct 12, 2017 | n/a |
CVE-2018-19794 | Cross-site scripting (XSS) vulnerability in UiV2Public.index in Internet2 Grouper 2.2 and 2.3 allows remote attackers to inject arbitrary web script or HTML via the code parameter. | MEDIUM | Dec 3, 2018 | n/a |
CVE-2014-1238 | Cross-site scripting (XSS) vulnerability in ui/common/managedlistdialog.aspx in Gael Q-Pulse 0.6 and earlier. | MEDIUM | Nov 25, 2019 | n/a |
CVE-2018-7203 | Cross-site scripting (XSS) vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to inject arbitrary web script or HTML via the friendlyname parameter to rpc/set_all. | MEDIUM | Mar 31, 2018 | n/a |
CVE-2018-10231 | Cross-site scripting (XSS) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. | MEDIUM | Jul 11, 2018 | n/a |
CVE-2021-41463 | Cross-site scripting (XSS) vulnerability in toos/permissions/dialogs/access/entity/types/group_combination.php in concrete5-legacy 5.6.4.0 and below allows remote attackers to inject arbitrary web script or HTML via the cID parameter. | MEDIUM | Oct 4, 2021 | n/a |
CVE-2018-8924 | Cross-site scripting (XSS) vulnerability in Title Tootip in Synology Office before 3.0.3-2143 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name. | LOW | Jun 5, 2018 | n/a |
CVE-2014-4548 | Cross-site scripting (XSS) vulnerability in tinymce/popup.php in the Ruven Toolkit plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the popup parameter. | MEDIUM | Jan 8, 2020 | n/a |
CVE-2014-8707 | Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 allows remote authenticated users to inject arbitrary web script or HTML via the edit HTML source option. | Medium | Mar 20, 2017 | n/a |
CVE-2022-29923 | Cross-site Scripting (XSS) vulnerability in ThingsForRestaurants Quick Restaurant Reservations (WordPress plugin) allows Reflected XSS. This issue affects Quick Restaurant Reservations (WordPress plugin): from n/a through 1.4.1. | -- | Jul 21, 2022 | n/a |
CVE-2023-48197 | Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy 4.0.3 and earlier allows attackers to obtain victim's cookies when the victim clicks on the see QR code function. | -- | Nov 16, 2023 | n/a |
CVE-2017-16876 | Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the key argument. | MEDIUM | Dec 29, 2017 | n/a |
CVE-2018-15511 | Cross-site scripting (XSS) vulnerability in the 'Notification template' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML. | -- | Aug 30, 2019 | n/a |
CVE-2020-7355 | Cross-site Scripting (XSS) vulnerability in the 'notes' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7354, which describes a similar issue, but involving the generated 'host' field of a discovered scan asset. | MEDIUM | Jun 25, 2020 | n/a |
CVE-2020-7354 | Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7355, which describes a similar issue, but involving the generated 'notes' field of a discovered scan asset. | MEDIUM | Jun 25, 2020 | n/a |
CVE-2018-15510 | Cross-site scripting (XSS) vulnerability in the 'Certificate' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML. | -- | Aug 30, 2019 | n/a |
CVE-2018-15512 | Cross-site scripting (XSS) vulnerability in the 'Authorisation Service' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML. | -- | Aug 30, 2019 | n/a |
CVE-2018-6882 | Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment. | MEDIUM | Mar 27, 2018 | n/a |
CVE-2013-4275 | Cross-site scripting (XSS) vulnerability in the zen_breadcrumb function in template.php in the Zen theme 6.x-1.x, 7.x-3.x before 7.x-3.2, and 7.x-5.x before 7.x-5.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via the breadcrumb separator field. | LOW | Nov 13, 2019 | n/a |
CVE-2014-9310 | Cross-site scripting (XSS) vulnerability in the WordPress Backup to Dropbox plugin before 4.1 for WordPress. | MEDIUM | Jun 7, 2017 | n/a |
CVE-2014-4932 | Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val parameter to whois.php. | MEDIUM | Aug 28, 2018 | n/a |
CVE-2016-10112 | Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. | LOW | Jan 6, 2017 | n/a |
CVE-2015-2329 | Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order. | MEDIUM | Feb 8, 2018 | n/a |
CVE-2017-15291 | Cross-site scripting (XSS) vulnerability in the Wireless MAC Filtering page in TP-LINK TL-MR3220 wireless routers allows remote attackers to inject arbitrary web script or HTML via the Description field. | MEDIUM | Oct 23, 2017 | n/a |
CVE-2016-4585 | Cross-site scripting (XSS) vulnerability in the WebKit Page Loading implementation in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to inject arbitrary web script or HTML via an HTTP response specifying redirection that is mishandled by Safari. | MEDIUM | Jul 26, 2016 | n/a |
CVE-2017-9419 | Cross-site scripting (XSS) vulnerability in the Webhammer WP Custom Fields Search plugin 0.3.28 for WordPress allows remote attackers to inject arbitrary JavaScript via the cs-all-0 parameter. | MEDIUM | Jun 15, 2017 | n/a |
CVE-2016-0223 | Cross-site scripting (XSS) vulnerability in the Webform Framework API in IBM Forms Server 4.0.x, 8.0.x, 8.1, and 8.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 110006. | MEDIUM | Mar 15, 2018 | n/a |
CVE-2018-10301 | Cross-site scripting (XSS) vulnerability in the Web-Dorado Instagram Feed WD plugin before 1.3.1 Premium for WordPress allows remote attackers to inject arbitrary web script or HTML by passing payloads in a comment on an Instagram post. | MEDIUM | Apr 23, 2018 | n/a |
CVE-2018-10300 | Cross-site scripting (XSS) vulnerability in the Web-Dorado Instagram Feed WD plugin before 1.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML by passing payloads in an Instagram profile's bio. | MEDIUM | Apr 23, 2018 | n/a |
CVE-2017-6225 | Cross-site scripting (XSS) vulnerability in the web-based management interface of Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) versions before 7.4.2b, 8.1.2 and 8.2.0 could allow remote attackers to execute arbitrary code or access sensitive browser-based information. | MEDIUM | Feb 8, 2018 | n/a |
CVE-2017-3902 | Cross-site scripting (XSS) vulnerability in the Web user interface (UI) in Intel Security ePO 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows authenticated users to inject malicious Java scripts via bypassing input validation. | LOW | Feb 15, 2017 | n/a |
CVE-2022-43706 | Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users. | -- | Dec 6, 2022 | n/a |
CVE-2018-5950 | Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL. | MEDIUM | Jan 23, 2018 | n/a |
CVE-2016-5920 | Cross-site scripting (XSS) vulnerability in the Web UI in IBM Financial Transaction Manager (FTM) for ACH Services 3.0.0.x before fp0015 and 3.0.1.0 before iFix0002 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | LOW | Nov 1, 2016 | n/a |
CVE-2017-3961 | Cross-Site Scripting (XSS) vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows authenticated users to allow arbitrary HTML code to be reflected in the response web page via crafted user input of attributes. | LOW | May 25, 2018 | n/a |
CVE-2023-33942 | Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's `Title` field. | -- | May 25, 2023 | n/a |
CVE-2016-9421 | Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | MEDIUM | Feb 3, 2017 | n/a |
CVE-2017-5515 | Cross-site scripting (XSS) vulnerability in the user prompt function in GeniXCMS through 0.0.8 allows remote authenticated users to inject arbitrary web script or HTML via tag names. | LOW | Jan 17, 2017 | n/a |
CVE-2016-1215 | Cross-site scripting (XSS) vulnerability in the User details function in Cybozu Garoon before 4.2.2. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-9406 | Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | MEDIUM | Feb 3, 2017 | n/a |
CVE-2016-7138 | Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | MEDIUM | Mar 8, 2017 | n/a |
CVE-2015-8354 | Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPress plugin before 1.3.29 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _refer parameter to wp-admin/users.php. | MEDIUM | Sep 11, 2017 | n/a |
CVE-2015-7357 | Cross-site scripting (XSS) vulnerability in the uDesign (aka U-Design) theme 2.3.0 before 2.7.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via a fragment identifier, as demonstrated by #<svg onload=alert(1)>. | MEDIUM | Oct 2, 2017 | n/a |
CVE-2017-9244 | Cross-site scripting (XSS) vulnerability in the Trello app before 4.0.8 for iOS might allow remote attackers to inject arbitrary web script or HTML by uploading and attaching a crafted photo to a Card. | Medium | Aug 7, 2017 | n/a |