Total
41059 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-20212 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2024-11-21 | 6.1 Medium |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form. | ||||
| CVE-2019-20211 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2024-11-21 | 6.1 Medium |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website. | ||||
| CVE-2019-20210 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2024-11-21 | 6.1 Medium |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query. | ||||
| CVE-2019-20209 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2024-11-21 | 7.5 High |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing. | ||||
| CVE-2019-20204 | 1 Postieplugin | 1 Postie | 2024-11-21 | 5.4 Medium |
| The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element. | ||||
| CVE-2019-20182 | 1 Fooplugins | 1 Foogallery | 2024-11-21 | 4.8 Medium |
| The FooGallery plugin 1.8.12 for WordPress allow XSS via the post_title parameter. | ||||
| CVE-2019-20181 | 1 Getawesomesupport | 1 Awesome Support | 2024-11-21 | 4.8 Medium |
| The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter. | ||||
| CVE-2019-20174 | 1 Auth0 | 1 Lock | 2024-11-21 | 6.1 Medium |
| Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder. | ||||
| CVE-2019-20173 | 1 Auth0 | 1 Login By Auth0 | 2024-11-21 | 6.1 Medium |
| The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XSS via a wle parameter associated with wp-login.php. | ||||
| CVE-2019-20154 | 1 Determine | 1 Contract Lifecycle Management | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) v5.4. A cross-site scripting (XSS) vulnerability in multiple getchart.jsp parameters allows remote attackers to inject arbitrary web script or HTML. | ||||
| CVE-2019-20152 | 1 Treasuryxpress | 1 Treasuryxpress | 2024-11-21 | 6.1 Medium |
| An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed throughout the application. A malicious payload can be injected within the Custom Workflow component and inserted via the Create New Workflow field. As a result, the payload is executed via the navigation bar throughout the application. | ||||
| CVE-2019-20151 | 1 Treasuryxpress | 1 Treasuryxpress | 2024-11-21 | 6.1 Medium |
| An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed by the application's administrator(s). A malicious payload can be injected within the Multi Approval security component and inserted via the Note field. As a result, the payload is executed by the application's administrator(s). | ||||
| CVE-2019-20141 | 1 Laborator | 1 Neon | 2024-11-21 | 6.1 Medium |
| An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter. | ||||
| CVE-2019-20139 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 5.4 Medium |
| In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user. | ||||
| CVE-2019-20102 | 1 Atlassian | 1 Confluence Server | 2024-11-21 | 6.1 Medium |
| The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter. | ||||
| CVE-2019-20076 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 6.1 Medium |
| On Netis DL4323 devices, XSS exists via the form2Ddns.cgi username parameter (DynDns settings of the Dynamic DNS Configuration). | ||||
| CVE-2019-20075 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 6.1 Medium |
| On Netis DL4323 devices, pingrtt_v6.html has XSS (Ping6 Diagnostic). | ||||
| CVE-2019-20073 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 6.1 Medium |
| On Netis DL4323 devices, XSS exists via the form2userconfig.cgi username parameter (User Account Configuration). | ||||
| CVE-2019-20072 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 6.1 Medium |
| On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname parameter (Dynamic DNS Configuration). | ||||
| CVE-2019-20070 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2024-11-21 | 6.1 Medium |
| On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration). | ||||