Total
40662 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-10549 | 1 Sailsjs | 1 Sails | 2024-11-21 | N/A |
| Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests to vulnerable hosts through cross site scripting or a malicious HTML Document, effectively bypassing the Same Origin Policy. Note that this is only an issue when `allRoutes` is set to `true` and `origin` is set to `*` or left commented out in the sails CORS config file. The problem can be compounded when the cors `credentials` setting is not provided. At that point authenticated cross domain requests are possible. | ||||
| CVE-2016-10548 | 1 Reduce-css-calc Project | 1 Reduce-css-calc | 2024-11-21 | N/A |
| Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css. This makes cross sites scripting (XSS) possible on the client and arbitrary code injection possible on the server and user input is passed to the `calc` function. | ||||
| CVE-2016-10547 | 1 Mozilla | 1 Nunjucks | 2024-11-21 | N/A |
| Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as `name[]=<script>alert(1)</script>`, it is possible to bypass autoescaping and inject content into the DOM. | ||||
| CVE-2016-10537 | 1 Backbone Project | 1 Backbone | 2024-11-21 | N/A |
| backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and earlier, if a user is able to supply input. This is due to the regex that's replacing things to miss the conversion of things such as `<` to `<`. | ||||
| CVE-2016-10531 | 1 Marked Project | 1 Marked | 2024-11-21 | N/A |
| marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left. | ||||
| CVE-2016-10257 | 1 Broadcom | 2 Advanced Secure Gateway, Symantec Proxysg | 2024-11-21 | N/A |
| The Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 (prior to 6.7.2.1), ProxySG 6.5 (prior to 6.5.10.6), ProxySG 6.6, and ProxySG 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to inject arbitrary JavaScript code into the management console web client application. This is a separate vulnerability from CVE-2016-10256. | ||||
| CVE-2016-10256 | 1 Broadcom | 1 Symantec Proxysg | 2024-11-21 | N/A |
| The Symantec ProxySG 6.5 (prior to 6.5.10.6), 6.6, and 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to inject arbitrary JavaScript code into the management console web client application. This is a separate vulnerability from CVE-2016-10257. | ||||
| CVE-2016-10245 | 2 Doxygen, Redhat | 2 Doxygen, Enterprise Linux | 2024-11-21 | N/A |
| Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection. | ||||
| CVE-2016-1000237 | 1 Apostrophecms | 1 Sanitize-html | 2024-11-21 | 6.1 Medium |
| sanitize-html before 1.4.3 has XSS. | ||||
| CVE-2016-1000229 | 2 Redhat, Smartbear | 4 Jboss Amq, Jboss Fuse, Openshift and 1 more | 2024-11-21 | 6.1 Medium |
| swagger-ui has XSS in key names | ||||
| CVE-2016-1000037 | 2 Fedoraproject, Redhat | 3 Fedora, Enterprise Linux, Pagure | 2024-11-21 | 6.1 Medium |
| Pagure: XSS possible in file attachment endpoint | ||||
| CVE-2016-1000029 | 1 Tenable | 1 Nessus | 2024-11-21 | 4.8 Medium |
| Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would potentially impact other admins (Tenable IDs 5218 and 5269). | ||||
| CVE-2016-1000028 | 1 Tenable | 1 Nessus | 2024-11-21 | 4.8 Medium |
| Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would only potentially impact other admins. (Tenable ID 5198). | ||||
| CVE-2016-0344 | 1 Ibm | 1 Tririga Application Platform | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in the My Reports component in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111785. | ||||
| CVE-2016-0336 | 1 Ibm | 1 Security Identity Manager | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.0 before 7.0.1-ISS-SIM-FP0001 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111737. | ||||
| CVE-2016-0311 | 1 Ibm | 1 Tivoli Business Service Manager | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in IBM Tivoli Business Service Manager 6.1.0 before 6.1.0-TIV-BSM-FP0004 and 6.1.1 before 6.1.1-TIV-BSM-FP0004 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111480. | ||||
| CVE-2016-0303 | 1 Ibm | 1 Tivoli Integrated Portal | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in IBM Tivoli Integrated Portal 2.2.0.0 through 2.2.0.15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2016-0261 | 1 Ibm | 2 Care Management, Curam Social Program Management | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management 6.0.0 before SP2 EP29, 6.0.4 before 6.0.4.6 iFix3, 6.0.5 before 6.0.5.9 iFix2, 6.1.0 before 6.1.0.1 iFix1, and 6.1.1 before 6.1.1.1 iFix1; and IBM Care Management 6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 110604. | ||||
| CVE-2016-0253 | 1 Ibm | 1 Financial Transaction Manager | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial Transaction Manager (FTM) for Corporate Payment Services (CPS) for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 110562. | ||||
| CVE-2016-0223 | 1 Ibm | 1 Forms Server | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in the Webform Framework API in IBM Forms Server 4.0.x, 8.0.x, 8.1, and 8.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 110006. | ||||