Search Results (83251 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-19134 1 Heroplugins 1 Hero Maps Premium 2024-11-21 6.1 Medium
The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to inject HTML or arbitrary JavaScript within the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based tokens or to launch other attacks.
CVE-2019-19133 1 Csshero 1 Csshero 2024-11-21 6.1 Medium
The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a csshero_action=edit_page request because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary JavaScript in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookies or launch other attacks.
CVE-2019-19129 1 Afterlogic 2 Aurora, Webmail Pro 2024-11-21 6.1 Medium
Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name.
CVE-2019-19117 1 Phicomm 2 K2\(psg1218\), K2\(psg1218\) Firmware 2024-11-21 8.8 High
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.
CVE-2019-19112 1 Gvectors 1 Wpforo 2024-11-21 6.1 Medium
The wpForo plugin 1.6.5 for WordPress allows XSS involving the wpf-dw-td-value class of dashboard.php.
CVE-2019-19111 1 Gvectors 1 Wpforo 2024-11-21 6.1 Medium
The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases langid parameter.
CVE-2019-19110 1 Gvectors 1 Wpforo 2024-11-21 4.8 Medium
The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases s parameter.
CVE-2019-19108 1 Br-automation 2 Automation Runtime, Automation Studio 2024-11-21 9.4 Critical
An authentication weakness in the SNMP service in B&R Automation Runtime versions 2.96, 3.00, 3.01, 3.06 to 3.10, 4.00 to 4.63, 4.72 and above allows unauthenticated users to modify the configuration of B&R products via SNMP.
CVE-2019-19095 1 Hitachienergy 1 Esoms 2024-11-21 5.4 Medium
Lack of adequate input/output validation for ABB eSOMS versions 4.0 to 6.0.2 might allow an attacker to attack such as stored cross-site scripting by storing malicious content in the database.
CVE-2019-19087 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 2 of 2).
CVE-2019-19086 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 1 of 2).
CVE-2019-19085 1 Octopus 1 Server 2024-11-21 5.4 Medium
A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML.
CVE-2019-19041 1 Xorur 3 Lpar2rrd, Stor2rrd, Xorur 2024-11-21 7.2 High
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by the underlying system. It is possible to achieve this by modifying the values in the files.SUM file (which are used for integrity control) and injecting malicious code into the upgrade.sh file.
CVE-2019-19040 1 Kairosdb Project 1 Kairosdb 2024-11-21 6.1 Medium
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19034 1 Zohocorp 1 Manageengine Assetexplorer 2024-11-21 7.2 High
Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.
CVE-2019-19033 1 Jalios 1 Jcms 2024-11-21 9.8 Critical
Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password.
CVE-2019-19021 1 Titanhq 1 Webtitan 2024-11-21 9.8 Critical
An issue was discovered in TitanHQ WebTitan before 5.18. It has a hidden support account (with a hard-coded password) in the web administration interface, with administrator privileges. Anybody can log in with this account.
CVE-2019-19017 1 Titanhq 1 Webtitan 2024-11-21 8.1 High
An issue was discovered in TitanHQ WebTitan before 5.18. The appliance has a hard-coded root password set during installation. An attacker could utilize this to gain root privileges on the system.
CVE-2019-19003 1 Hitachienergy 1 Esoms 2024-11-21 5.3 Medium
For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow Javascript to access the cookie contents, which in turn might enable Cross Site Scripting.
CVE-2019-19002 1 Hitachienergy 1 Esoms 2024-11-21 6.3 Medium
For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browser not supporting Content Security Policy, this might increase the risk of Cross Site Scripting.