Total: 40904 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-16780 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 5.8 Medium |
| WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled. | ||||
| CVE-2019-16772 | 1 Serialize-to-js Project | 1 Serialize-to-js | 2024-11-21 | 3.1 Low |
| The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly escape unsafe characters in serialized regular expressions. This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized regular expression objects are used in an environment other than Node.js, they are affected by this vulnerability. | ||||
| CVE-2019-16769 | 2 Redhat, Verizon | 3 Openshift, Service Mesh, Serialize-javascript | 2024-11-21 | 4.2 Medium |
| The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly escape unsafe characters in serialized regular expressions. This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized regular expression objects are used in an environment other than Node.js, they are affected by this vulnerability. | ||||
| CVE-2019-16763 | 1 Pannellum | 1 Pannellum | 2024-11-21 | 4.8 Medium |
| In Pannellum from 2.5.0 through 2.5.4, URLs were not sanitized for data: URIs (or vbscript:), allowing potential XSS attacks. Such an attack would require an attacker-provided configuration and a user clicking on a hot spot. The most plausible attack would be if pannellum.htm were hosted on a domain that shared cookies with the targeted site's user authentication: an <iframe> could then be embedded on the attacker's site using pannellum.htm from the targeted site, which would allow the attacker to potentially access information from the targeted site as the authenticated user (or worse, if the targeted site did not have adequate CSRF protections) if the user clicked on a hot spot in the attacker's embedded panorama viewer. This was patched in version 2.5.5. | ||||
| CVE-2019-16751 | 1 Devise Token Auth Project | 1 Devise Token Auth | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller. | ||||
| CVE-2019-16728 | 2 Cure53, Debian | 2 Dompurify, Debian Linux | 2024-11-21 | 6.1 Medium |
| DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari. | ||||
| CVE-2019-16725 | 1 Joomla | 1 Joomla! | 2024-11-21 | 6.1 Medium |
| In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates. | ||||
| CVE-2019-16719 | 1 Wtcms Project | 1 Wtcms | 2024-11-21 | 6.5 Medium |
| WTCMS 1.0 allows CSRF against index.php?g=admin&m=index&a=index, with resultant XSS. | ||||
| CVE-2019-16717 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 6.1 Medium |
| OX App Suite through 7.10.2 has XSS. | ||||
| CVE-2019-16704 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | 4.8 Medium |
| admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. | ||||
| CVE-2019-16703 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | 6.1 Medium |
| admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. | ||||
| CVE-2019-16688 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2024-11-21 | 5.4 Medium |
| Dolibarr 9.0.5 has stored XSS in the Email Template section (mails_templates.php). A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege, from Admin to users with no permissions.) | ||||
| CVE-2019-16687 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2024-11-21 | 5.4 Medium |
| Dolibarr 9.0.5 has stored XSS in the Signature section of a User Profile (card.php). A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation. | ||||
| CVE-2019-16686 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2024-11-21 | 5.4 Medium |
| Dolibarr 9.0.5 has stored XSS in the User Note section (note.php). A user with no privileges can inject script to attack the admin. | ||||
| CVE-2019-16685 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2024-11-21 | 5.4 Medium |
| Dolibarr 9.0.5 has stored XSS via the User Group Description section (card.php). A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation. | ||||
| CVE-2019-16684 | 1 Xoops | 1 Xoops | 2024-11-21 | 4.8 Medium |
| An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes. | ||||
| CVE-2019-16683 | 1 Xoops | 1 Xoops | 2024-11-21 | 4.8 Medium |
| An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes. | ||||
| CVE-2019-16681 | 1 Traveloka | 1 Traveloka | 2024-11-21 | 4.7 Medium |
| The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to the opening of arbitrary URLs, which can inject deceptive content into the UI. (When in physical possession of the device, opening local files is also possible.) NOTE: As of 2019-09-23, the vendor has not agreed that this issue has serious impact. The vendor states that the issue is not critical because it does not allow Elevation of Privilege, Sensitive Data Leakage, or any critical unauthorized activity from a malicious user. The vendor also states that a victim must first install a malicious APK to their application. | ||||
| CVE-2019-16665 | 1 Thinksaas | 1 Thinksaas | 2024-11-21 | 6.1 Medium |
| An issue was discovered in ThinkSAAS 2.91. There is XSS via the content parameter of the index.php?app=group&ac=comment&ts=do&js=1 URI, as demonstrated by a crafted SVG document in the SRC attribute of an EMBED element. | ||||
| CVE-2019-16664 | 1 Thinksaas | 1 Thinksaas | 2024-11-21 | 4.8 Medium |
| An issue was discovered in ThinkSAAS 2.91. There is XSS via the groupname parameter of index.php?app=group&ac=create&ts=do. | ||||
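The serialize-to-js (CVE-2019-16772) and serialize-javascript (CVE-2019-16769) entries above describe the same failure: a serialized RegExp is written into an inline script, and whether the pattern can close the surrounding `<script>` tag depends on whether the engine's RegExp#toString() escapes forward slashes. The following is an added example, not code from either package, showing the naive serializer, a stand-in for an engine that does not escape `/`, and an engine-independent serializer that escapes the dangerous characters itself. The `renderInlineScript` step and the `hostile` pattern are constructed for the demonstration.

```javascript
// Added example (not the serialize-javascript or serialize-to-js source):
// why a serialized RegExp is an XSS sink when the output lands in an inline
// <script>, and an engine-independent way to close the hole.

// Characters that can terminate a <script> block or a JS string literal.
const UNSAFE_CHARS = /[<>\/\u2028\u2029]/g;
const UNICODE_ESCAPES = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Naive serializer: relies on the engine's RegExp#toString(). V8 (Node.js)
// writes every '/' in the pattern as '\/', so '</script>' cannot close the
// surrounding tag; an engine that does not escape '/' emits it verbatim.
function serializeRegExpNaive(re) {
  return String(re);
}

// Stand-in (constructed) for an engine that does not escape '/': the naive
// output with the '\/' escapes undone. This is the condition the advisories
// describe as "an environment other than Node.js".
function serializeRegExpUnescaped(re) {
  return '/' + re.source.replace(/\\\//g, '/') + '/' + re.flags;
}

// Hardened serializer: emit the pattern as a string literal whose unsafe
// characters are written as \uXXXX escapes, and rebuild the RegExp at load
// time. Inside a JS string literal the escapes decode to the original
// characters, so the pattern survives unchanged, but the HTML tokenizer
// never sees a literal '</script'.
function serializeRegExpSafe(re) {
  const src = JSON.stringify(re.source).replace(UNSAFE_CHARS, c => UNICODE_ESCAPES[c]);
  return `new RegExp(${src}, ${JSON.stringify(re.flags)})`;
}

// Hypothetical SSR step: drop the serialized state into an inline <script>.
function renderInlineScript(serialized) {
  return `<script>window.__STATE__ = ${serialized};</script>`;
}

// Does the script body contain an early '</script' that the HTML tokenizer
// would treat as the end tag, regardless of what JavaScript thinks?
function breaksOutOfScript(html) {
  const body = html.slice('<script>'.length, -'</script>'.length);
  return /<\/script/i.test(body);
}

// Evaluate serialized output the way the client would.
function revive(serialized) {
  return new Function('return ' + serialized)();
}

// Attacker-controlled pattern (constructed): the regex source text ends the
// script block and opens a new one.
const hostile = new RegExp('</script><script>alert(document.domain)</script><!--');

// Summarise which serializers leak '</script' into the HTML, and whether the
// hardened output still reconstructs the same pattern.
function demo() {
  return {
    nodeNaive: breaksOutOfScript(renderInlineScript(serializeRegExpNaive(hostile))),
    otherEngineNaive: breaksOutOfScript(renderInlineScript(serializeRegExpUnescaped(hostile))),
    hardened: breaksOutOfScript(renderInlineScript(serializeRegExpSafe(hostile))),
    roundTripOk: revive(serializeRegExpSafe(hostile)).source === hostile.source,
  };
}
```

Running `demo()` under Node.js gives `nodeNaive: false` (V8 already escaped the slash), `otherEngineNaive: true` (the bug as described), `hardened: false` and `roundTripOk: true`. The point of the hardened form is that it never trusts RegExp#toString() for output that will be parsed by an HTML tokenizer; escaping `<`, `>` and `/` as `\uXXXX` inside a string literal is harmless to the JavaScript value and removes the HTML-level break-out.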
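The Pannellum entry (CVE-2019-16763) is the classic shape of a scheme blocklist that knows about `javascript:` but not `data:` or `vbscript:`. As an added example that is not Pannellum's code, the block below contrasts that blocklist with an allowlist over the scheme reported by the WHATWG URL parser, which also normalises the case and whitespace tricks browsers tolerate. `TRUSTED_BASE`, the function names and the sample hot-spot URLs are assumptions constructed for the demonstration.

```javascript
// Added example (not Pannellum's code): validating a URL that comes from an
// attacker-controllable configuration before it is used as a hot-spot link.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const NEUTRAL = 'about:blank';

// Hypothetical deployment origin used to resolve relative hot-spot URLs.
const TRUSTED_BASE = 'https://panorama.example/';

// Blocklist approach: rejects one scheme and passes everything else through.
// data:, vbscript: and a tab inside "javascript" all survive this check.
function sanitizeUrlBlocklist(url) {
  const trimmed = url.trim();
  return /^javascript:/i.test(trimmed) ? NEUTRAL : trimmed;
}

// Allowlist approach: let the WHATWG URL parser normalise the input (it
// lower-cases the scheme and strips the tabs, newlines and leading control
// characters that browsers also ignore), then accept only the schemes the
// viewer actually needs. Relative URLs resolve against a fixed trusted base.
function sanitizeUrlAllowlist(url, base = TRUSTED_BASE) {
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch {
    return NEUTRAL;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : NEUTRAL;
}

// Constructed hot-spot URLs as an attacker might place them in a config file.
const SAMPLES = [
  'https://example.org/next-scene',
  '/scenes/kitchen',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'vbscript:MsgBox(1)',
  'java\tscript:alert(1)',
];

// True when a sanitizer's output would still hand the browser a URL whose
// scheme is outside the allowlist (i.e. the dangerous value reached the sink).
function reachesSinkUnsafely(out) {
  return out !== NEUTRAL && !ALLOWED_SCHEMES.has(new URL(out, TRUSTED_BASE).protocol);
}

// Per sample, report whether each sanitizer leaks an unsafe scheme.
function compare(samples = SAMPLES) {
  return samples.map(url => ({
    url,
    blocklistLeaks: reachesSinkUnsafely(sanitizeUrlBlocklist(url)),
    allowlistLeaks: reachesSinkUnsafely(sanitizeUrlAllowlist(url)),
  }));
}
```

`compare()` shows the blocklist leaking the `data:`, `vbscript:` and `java\tscript:` samples while the allowlist rejects all of them and keeps the two legitimate links. The check is done on `parsed.protocol` rather than on the raw string because the parser applies the same normalisation the browser will apply when it follows the link.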