| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21. |
| openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. |
| laracom (aka Laravel FREE E-Commerce Software) 1.4.11 has search?q= XSS. |
| Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. |
| DfE School Experience before v16333-GA has XSS via a teacher training URL. |
| django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline. |
| Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php. |
| Bolt before 3.6.10 has XSS via an image's alt or title field. |
| Bolt before 3.6.10 has XSS via a title that is mishandled in the system log. |
| selectize-plugin-a11y before 1.1.0 has XSS via the msg field. |
| Kimai v2 before 1.1 has XSS via a timesheet description. |
| Domoticz 4.10717 has XSS via item.Name. |
| Status Board 1.1.81 has reflected XSS via dashboard.ts. |
| Status Board 1.1.81 has reflected XSS via logic.ts. |
| Jooby before 1.6.4 has XSS via the default error handler. |
| Former before 4.2.1 has XSS via a checkbox value. |
| The Xiaomi Mi A3 Android device with a build fingerprint of xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. |
| The Xiaomi Cepheus Android device with a build fingerprint of Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. |
| The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/jasmine/jasmine_sprout:9/PKQ1.180904.001/V10.0.2.0.PDIMIFJ:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. |
| The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. |
