Total: 28754 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2018-17861 | 1 Sap | 1 J2ee Engine | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** UNSUPPORTED WHEN ASSIGNED ** A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Portal/EPP allows remote attackers to inject arbitrary web script via the wsdlLib parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
CVE-2018-16259 | 1 Soflyy | 1 Wp All Import | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-settings large_feed_limit. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator. |
CVE-2018-16258 | 1 Soflyy | 1 Wp All Import | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-import custom_type. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator. |
CVE-2018-16257 | 1 Soflyy | 1 Wp All Import | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** There are multiple XSS vulnerabilities in WP All Import plugin 3.4.9 for WordPress via action=template. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator. |
CVE-2018-16256 | 1 Soflyy | 1 Wp All Import | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via Add Filtering Options (Add Rule). NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator. |
CVE-2018-16255 | 1 Soflyy | 1 Wp All Import | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator. |
CVE-2018-16254 | 1 Soflyy | 1 Wp All Import | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=options. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator. |
CVE-2018-15574 | 1 Reprisesoftware | 1 Reprise License Manager | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated "We do not consider this a vulnerability." |
CVE-2018-13065 | 1 Trustwave | 1 Modsecurity | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. NOTE: a third party has disputed this issue because it may only apply to environments without a Core Rule Set configured. |
CVE-2018-12040 | 1 Sensiolabs | 1 Symfony | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues)." |
CVE-2018-11208 | 1 Zblogcn | 1 Z-blogphp | 2024-08-05 | 3.5 LOW | 4.8 MEDIUM | ** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the "copyright information office" field. NOTE: the vendor indicates that the product was not intended to block this type of XSS by a user with the admin privilege. |
CVE-2018-10726 | 1 Datenstrom | 1 Yellow | 2024-08-05 | 3.5 LOW | 5.4 MEDIUM | ** DISPUTED ** A stored XSS vulnerability was found in Datenstrom Yellow 0.7.3 via an "Edit page" action. NOTE: the vendor disputes the relevance of this report because an installation accessible to untrusted users is supposed to have parserSafeMode=1 in system/config/config.ini to prevent XSS. |
CVE-2018-10680 | 1 Zblogcn | 1 Z-blogphp | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is "just a functional bug." |
CVE-2018-7736 | 1 Zblogcn | 1 Z-blogphp | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability. |
CVE-2018-7447 | 1 Mojoportal | 1 Mojoportal | 2024-08-05 | 3.5 LOW | 4.8 MEDIUM | ** DISPUTED ** mojoPortal through 2.6.0.0 is prone to multiple persistent cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. The 'Title' and 'Subtitle' fields of the 'Blog' page are vulnerable. NOTE: The software maintainer disputes this as a vulnerability because the fields claimed to be vulnerable to XSS are only available to administrators who are supposed to have access to add scripts. |
CVE-2018-7205 | 1 Kentico | 1 Kentico Cms | 2024-08-05 | 3.5 LOW | 4.8 MEDIUM | ** DISPUTED ** Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout. |
CVE-2019-20058 | 1 Boltcms | 1 Bolt | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use in production. This is related to CVE-2018-12040. |
CVE-2019-16926 | 1 Flower Project | 1 Flower | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** Flower 0.9.3 has XSS via a crafted worker name. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren't user facing configuration options. They are internal backend config options and person having rights to change them already has full access. |
CVE-2019-16925 | 1 Flower Project | 1 Flower | 2024-08-05 | 4.3 MEDIUM | 6.1 MEDIUM | ** DISPUTED ** Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren't user facing configuration options. They are internal backend config options and person having rights to change them already has full access. |
CVE-2019-14518 | 1 Modx | 1 Evolution Cms | 2024-08-05 | 3.5 LOW | 5.4 MEDIUM | ** DISPUTED ** Evolution CMS 2.0.x allows XSS via a description and new category location in a template. NOTE: the vendor states that the behavior is consistent with the "access policy in the administration panel." |