| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs (SEC-181). |
| cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180). |
| cPanel before 60.0.25 allows stored XSS in the ftp_sessions API (SEC-180). |
| cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SEC-179). |
| cPanel before 60.0.25 allows self stored XSS in the listftpstable API (SEC-178). |
| cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177). |
| cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174). |
| cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172). |
| cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface (SEC-159). |
| The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body. |
| In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data. |
| Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter. |
| The "Social Pug - Easy Social Share Buttons" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter. |
| In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. |
| TP-Link Archer CR-700 1.0.6 devices have an XSS vulnerability that can be introduced into the admin account through a DHCP request, allowing the attacker to steal the cookie information, which contains the base64 encoded username and password. |
| The Mail.ru Calendar plugin before 2.5.0.61 for Atlassian Jira has XSS via the Name field in a Create Calender action, related to a MailRuCalendar.jspa#period/month URI. |
| The Artezio Kanban Board plugin 1.4 revision 1914 for Atlassian Jira has XSS via the Board Name in a Create New Board action, related to an artezioboard/mainPage.jspa?kanbanId=7#/kanban-view URI. |
| The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vimeo link. |
| The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes module. |
| Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests to vulnerable hosts through cross site scripting or a malicious HTML Document, effectively bypassing the Same Origin Policy. Note that this is only an issue when `allRoutes` is set to `true` and `origin` is set to `*` or left commented out in the sails CORS config file. The problem can be compounded when the cors `credentials` setting is not provided. At that point authenticated cross domain requests are possible. |
