The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2021-28417 | A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the search_name parameter. | LOW | Mar 18, 2021 | n/a |
| CVE-2021-28420 | A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the from_time parameter. | LOW | Mar 18, 2021 | n/a |
| CVE-2020-27359 | A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages. | LOW | Nov 4, 2020 | n/a |
| CVE-2022-35630 | A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2. | -- | Jul 29, 2022 | n/a |
| CVE-2021-27519 | A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the srch parameter. | MEDIUM | Mar 19, 2021 | n/a |
| CVE-2021-27520 | A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the author parameter. | MEDIUM | Mar 19, 2021 | n/a |
| CVE-2020-36011 | A cross-site scripting (XSS) issue in Add Patient Form in QDOCS Smart Hospital Management System 3.1 allows a remote attacker to inject arbitrary code via the Name, Guardian Name, Email, Address, Remarks, or Any Known Allergies field. | LOW | Jan 26, 2021 | n/a |
| CVE-2024-31652 | A cross-site scripting (XSS) in Cosmetics and Beauty Product Online Store v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search parameter. | -- | Apr 16, 2024 | n/a |
| CVE-2024-31649 | A cross-site scripting (XSS) in Cosmetics and Beauty Product Online Store v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter. | -- | Apr 16, 2024 | n/a |
| CVE-2024-31650 | A cross-site scripting (XSS) in Cosmetics and Beauty Product Online Store v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Last Name parameter. | -- | Apr 16, 2024 | n/a |
| CVE-2024-31651 | A cross-site scripting (XSS) in Cosmetics and Beauty Product Online Store v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the First Name parameter. | -- | Apr 16, 2024 | n/a |
| CVE-2018-16887 | A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable. | LOW | Jan 12, 2019 | n/a |
| CVE-2018-16861 | A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable. | LOW | Dec 7, 2018 | n/a |
| CVE-2020-10688 | A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. | MEDIUM | May 27, 2021 | n/a |
| CVE-2017-7514 | A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users. | LOW | Jul 30, 2018 | n/a |
| CVE-2017-7538 | A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users. | LOW | Jul 26, 2018 | n/a |
| CVE-2017-3798 | A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to mount XSS attacks against a user of an affected device. More Information: CSCvb97237. Known Affected Releases: 11.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 11.5(1.12029.1) 11.5(1.12900.11) 12.0(0.98000.369) 12.0(0.98000.370) 12.0(0.98000.398) 12.0(0.98000.457). | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2017-3872 | A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct XSS attacks against a user of an affected device. More Information: CSCvc21620. Known Affected Releases: 10.5(2.14076.1). Known Fixed Releases: 12.0(0.98000.641) 12.0(0.98000.500) 12.0(0.98000.219). | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2019-6835 | A Cross-Site Scripting (XSS) CWE-79 vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow an attacker to inject client-side script when a user visits a web page. | LOW | Oct 9, 2019 | n/a |
| CVE-2021-33849 | A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application\'s users and not the application itself while using your application as the attack\'s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4. | LOW | Oct 6, 2021 | n/a |
| CVE-2021-33853 | A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM. | LOW | Mar 16, 2022 | n/a |
| CVE-2021-33852 | A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\'s browser and can use an application as the vehicle for the attack. The XSS payload given in the Duplicate Title text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts. | LOW | Mar 12, 2022 | n/a |
| CVE-2021-33851 | A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\'s browser and can use an application as the vehicle for the attack. The XSS payload given in the Custom logo link executes whenever the user opens the Settings Page of the Customize Login Image Plugin. | LOW | Mar 12, 2022 | n/a |
| CVE-2020-29072 | A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js. | MEDIUM | Nov 25, 2020 | n/a |
| CVE-2018-6391 | A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings. | MEDIUM | Jan 29, 2018 | n/a |
| CVE-2021-4030 | A cross-site request forgery vulnerability in the HTTP daemon of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary commands if they coerce or trick a local user to visit a compromised website with malicious scripts. | MEDIUM | Feb 24, 2022 | n/a |
| CVE-2021-22224 | A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim | MEDIUM | Jul 9, 2021 | n/a |
| CVE-2019-7851 | A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages. | MEDIUM | Aug 6, 2019 | n/a |
| CVE-2019-7857 | A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper\'s cart due to an insufficiently robust anti-CSRF token implementation. | MEDIUM | Aug 6, 2019 | n/a |
| CVE-2016-8229 | A cross-site request forgery vulnerability in Lenovo Service Bridge before version 4 could be exploited by an attacker with access to the DHCP server used by the system where LSB is installed. | MEDIUM | Jun 9, 2017 | n/a |
| CVE-2020-2215 | A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password. | MEDIUM | Jul 2, 2020 | n/a |
| CVE-2019-1003084 | A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | n/a |
| CVE-2019-10386 | A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | MEDIUM | Aug 14, 2019 | n/a |
| CVE-2019-10304 | A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 24, 2019 | n/a |
| CVE-2019-16560 | A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system. | MEDIUM | Dec 17, 2019 | n/a |
| CVE-2019-10326 | A cross-site request forgery vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers to reset warning counts for future builds. | MEDIUM | Jun 3, 2019 | n/a |
| CVE-2019-1003078 | A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 8, 2019 | n/a |
| CVE-2019-16565 | A cross-site request forgery vulnerability in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | MEDIUM | Dec 18, 2019 | n/a |
| CVE-2019-10307 | A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users. | MEDIUM | May 6, 2019 | n/a |
| CVE-2020-2098 | A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0.5 and earlier allows attacker to execute arbitrary OS commands as the OS user account running Jenkins. | HIGH | Jan 15, 2020 | n/a |
| CVE-2019-1003090 | A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | n/a |
| CVE-2019-1003044 | A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | LOW | Mar 28, 2019 | n/a |
| CVE-2019-1003044 | A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | LOW | Apr 2, 2019 | n/a |
| CVE-2020-2192 | A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels. | MEDIUM | Jun 3, 2020 | n/a |
| CVE-2019-10454 | A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | MEDIUM | Oct 18, 2019 | n/a |
| CVE-2019-10388 | A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server. | MEDIUM | Aug 13, 2019 | n/a |
| CVE-2019-16570 | A cross-site request forgery vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers to connect to an attacker-specified web server. | MEDIUM | Dec 18, 2019 | n/a |
| CVE-2019-10408 | A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates. | MEDIUM | Oct 9, 2019 | n/a |
| CVE-2020-2116 | A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | MEDIUM | Feb 14, 2020 | n/a |
| CVE-2020-2141 | A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add a labels in Perforce. | MEDIUM | Mar 9, 2020 | n/a |
