CVEs from 2017

Total: 11,665

- critical: 1,647
- high: 5,041
- medium: 4,168
- low: 159

% Critical: 14.1%
% with KEV: 0.7%
% with exploit: 9.8%

Top vendors

Top products

- imagemagick 1,426
- joomla! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2017-14762 | medium | 6.1 | 6.1 | 9y ago | GeniXCMS Cross-site Scripting (XSS) via id parameter |
| CVE-2017-14761 | medium | 6.1 | 6.1 | 9y ago | GeniXCMS Cross-site Scripting (XSS) vulnerability via id parameter |
| CVE-2017-14751 | medium | 6.1 | 6.1 | 9y ago | The Intense WP "WP Jobs" plugin 1.5 for WordPress has XSS, related to the Job Qualification field. |
| CVE-2017-14744 | medium | 6.1 | 6.1 | 9y ago | UEditor 1.4.3.3 has XSS via the SRC attribute of an IFRAME element. |
| CVE-2017-14735 | medium | 6.1 | 6.1 | 9y ago | OWASP AntiSamy Cross-site Scripting vulnerability |
| CVE-2017-9551 | medium | 6.1 | 6.1 | 9y ago | Mahara 15.04 before 15.04.14 and 16.04 before 16.04.8 and 16.10 before 16.10.5 and 17.04 before 17.04.3 are vulnerable to a user submitting potential dangerous payload, e.g. XSS code, to be saved as … |
| CVE-2017-1551 | medium | 6.1 | 6.1 | 9y ago | IBM API Connect 5.0.0.0 through 5.0.7.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploi… |
| CVE-2017-14726 | medium | 6.1 | 6.1 | 9y ago | Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. |
| CVE-2017-14724 | medium | 6.1 | 6.1 | 9y ago | Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
| CVE-2017-14721 | medium | 6.1 | 6.1 | 9y ago | Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. |
| CVE-2017-14720 | medium | 6.1 | 6.1 | 9y ago | Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. |
| CVE-2017-14718 | medium | 6.1 | 6.1 | 9y ago | Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. |
| CVE-2017-12254 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to perform a Document Object Model (DOM)-based cross-site scripting attack. T… |
| CVE-2017-12248 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web framework code of Cisco Unified Intelligence Center Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user o… |
| CVE-2017-14615 | medium | 6.1 | 6.1 | 9y ago | An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. When a failed login attempt is made to the login endpoint of the XML-RPC interface, if JavaScript code, properly encoded to be con… |
| CVE-2017-14142 | medium | 6.1 | 6.1 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in Kaltura before 13.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) partnerId or (2) playerVersion parameter to serv… |
| CVE-2017-14534 | medium | 6.1 | 6.1 | 9y ago | Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via the PATH_INFO to location.php, related to PHP_SELF. |
| CVE-2017-12156 | medium | 6.1 | 6.1 | 9y ago | Moodle XSS Vulnerability |
| CVE-2017-14510 | medium | 6.1 | 6.1 | 9y ago | An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unau… |
| CVE-2017-14498 | medium | 6.1 | 6.1 | 9y ago | Silverstripe CMS XSS Vulnerability |
| CVE-2017-1002150 | medium | 6.1 | 6.1 | 9y ago | python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection |
| CVE-2017-1002017 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in wordpress plugin gift-certificate-creator v1.0, The code in gc-list.php doesn't sanitize user input to prevent a stored XSS vulnerability. |
| CVE-2017-14416 | medium | 6.1 | 6.1 | 9y ago | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wandetect.php. |
| CVE-2017-14415 | medium | 6.1 | 6.1 | 9y ago | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/sitesurvey.php. |
| CVE-2017-14414 | medium | 6.1 | 6.1 | 9y ago | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/shareport.php. |
| CVE-2017-14413 | medium | 6.1 | 6.1 | 9y ago | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wpsacts.php. |
| CVE-2017-8758 | medium | 6.1 | 6.1 | 9y ago | Microsoft Exchange Server 2016 allows an elevation of privilege vulnerability when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Cross-Sit… |
| CVE-2017-14347 | medium | 6.1 | 6.1 | 9y ago | NexusPHP 1.5.beta5.20120707 has XSS in the returnto parameter to fun.php in a delete action. |
| CVE-2017-14313 | medium | 6.1 | 6.1 | 9y ago | The shibboleth_login_form function in shibboleth.php in the Shibboleth plugin before 1.8 for WordPress is prone to an XSS vulnerability due to improper use of add_query_arg(). |
| CVE-2017-14268 | medium | 6.1 | 6.1 | 9y ago | EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have XSS in the sms_content parameter in a getSMSlist request. |
| CVE-2017-8041 | medium | 6.1 | 6.1 | 9y ago | In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, a user can execute a XSS attack on certain Single Sign-On service UI pages by inputt… |
| CVE-2017-6789 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the Cisco Unified Intelligence Center web interface could allow an unauthenticated, remote attacker to impact the integrity of the system by executing a Document Object Model (DOM)… |
| CVE-2017-12220 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack aga… |
| CVE-2017-12212 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web inter… |
| CVE-2017-14195 | medium | 6.1 | 6.1 | 9y ago | The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 might have XSS related to the Referer HTTP header with Internet Explorer. |
| CVE-2017-14194 | medium | 6.1 | 6.1 | 9y ago | The out function in controllers/member/Login.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. |
| CVE-2017-14193 | medium | 6.1 | 6.1 | 9y ago | The oauth function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. |
| CVE-2017-14192 | medium | 6.1 | 6.1 | 9y ago | The checktitle function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the module field. |
| CVE-2017-1189 | medium | 6.1 | 6.1 | 9y ago | IBM WebSphere Portal and Web Content Manager 6.1, 7.0, and 8.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering th… |
| CVE-2017-12906 | medium | 6.1 | 6.1 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in NexusPHP allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) cheaters.php or (2) confirm_resend.php. |
| CVE-2017-12794 | medium | 6.1 | 6.1 | 9y ago | In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cr… |
| CVE-2017-12416 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x b… |
| CVE-2017-1457 | medium | 6.1 | 6.1 | 9y ago | IBM QRadar Network Security 5.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potent… |
| CVE-2017-7855 | medium | 6.1 | 6.1 | 9y ago | In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" parameter. |
| CVE-2017-14070 | medium | 6.1 | 6.1 | 9y ago | Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via the PATH_INFO to ipsearch.php, related to PHP_SELF. |
| CVE-2017-1450 | medium | 6.1 | 6.1 | 9y ago | IBM Emptoris Sourcing 9.5 - 10.1.3 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote att… |
| CVE-2017-1443 | medium | 6.1 | 6.1 | 9y ago | IBM Emptoris Services Procurement 10.0.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functiona… |
| CVE-2017-14038 | medium | 6.1 | 6.1 | 9y ago | CrushFTP before 7.8.0 and 8.x before 8.2.0 has a redirect vulnerability. |
| CVE-2017-14037 | medium | 6.1 | 6.1 | 9y ago | CrushFTP before 7.8.0 and 8.x before 8.2.0 has an HTTP header vulnerability. |
| CVE-2017-14036 | medium | 6.1 | 6.1 | 9y ago | CrushFTP before 7.8.0 and 8.x before 8.2.0 has XSS. |
| CVE-2017-13778 | medium | 6.1 | 6.1 | 9y ago | Fiyo CMS 2.0.7 has XSS in dapur\apps\app_config\sys_config.php via the site_name parameter. |
| CVE-2017-13762 | medium | 6.1 | 6.1 | 9y ago | ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS. |
| CVE-2017-1428 | medium | 6.1 | 6.1 | 9y ago | IBM Cognos Analytics 11.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnera… |
| CVE-2017-1427 | medium | 6.1 | 6.1 | 9y ago | IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially … |
| CVE-2017-1195 | medium | 6.1 | 6.1 | 9y ago | IBM Curam Social Program Management 6.0, 6.1, 6.2, and 7.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafte… |
| CVE-2017-3155 | medium | 6.1 | 6.1 | 9y ago | Cross-site Scripting in Apache Atlas |
| CVE-2017-3153 | medium | 6.1 | 6.1 | 9y ago | Cross-site Scripting in Apache Atlas |
| CVE-2017-3152 | medium | 6.1 | 6.1 | 9y ago | Cross-site Scripting in Apache Atlas |
| CVE-2017-3151 | medium | 6.1 | 6.1 | 9y ago | Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality. |
| CVE-2017-3150 | medium | 6.1 | 6.1 | 9y ago | Insecure cookie storage in Apache Atlas |
| CVE-2017-12856 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in C.P.Sub 5.2 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter to index.php. |
| CVE-2017-2257 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.5 allows an attacker to inject arbitrary web script or HTML via mail function. |
| CVE-2017-1489 | medium | 6.1 | 6.1 | 9y ago | IBM Security Access Manager 6.1, 7.0, 8.0, and 9.0 e-community configurations may be affected by a redirect vulnerability. ECSSO Master Authentication can redirect to a server not participating in an… |
| CVE-2017-10840 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in WebCalendar 1.2.7 and earlier allows an attacker to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-10838 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in SEO Panel prior to version 3.11.0 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-10837 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in BackupGuard prior to version 1.1.47 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-13697 | medium | 6.1 | 6.1 | 9y ago | controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname variable. |
| CVE-2017-13671 | medium | 6.1 | 6.1 | 9y ago | app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisati… |
| CVE-2017-9506 | medium | 6.1 | 6.1 | 9y ago | The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network… |
| CVE-2017-13138 | medium | 6.1 | 6.1 | 9y ago | DOM based Cross-site scripting (XSS) vulnerability in the Bridge theme before 11.2 for WordPress allows remote attackers to inject arbitrary JavaScript. |
| CVE-2017-7421 | medium | 6.1 | 6.1 | 9y ago | Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilities in Directory Server (aka Enterprise Server Administration web UI) and ESMAC (aka Enterprise Server Monitor and Control) in Micr… |
| CVE-2017-12980 | medium | 6.1 | 6.1 | 9y ago | DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-co… |
| CVE-2017-12979 | medium | 6.1 | 6.1 | 9y ago | DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger Ja… |
| CVE-2017-12948 | medium | 6.1 | 6.1 | 9y ago | Core\Admin\PFTemplater.php in the PressForward plugin 4.3.0 and earlier for WordPress has XSS in the PATH_INFO to wp-admin/admin.php, related to PHP_SELF. |
| CVE-2017-9816 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in Paessler PRTG Network Monitor before 17.2.32.2279 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-12680 | medium | 6.1 | 6.1 | 9y ago | Cross-Site Scripting (XSS) exists in NexusPHP 1.5 via the type parameter to shoutbox.php. |
| CVE-2017-12927 | medium | 6.1 | 6.1 | 9y ago | A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php. |
| CVE-2017-6788 | medium | 6.1 | 6.1 | 9y ago | The WebLaunch functionality of Cisco AnyConnect Secure Mobility Client Software contains a vulnerability that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) a… |
| CVE-2017-6776 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the we… |
| CVE-2017-12907 | medium | 6.1 | 6.1 | 9y ago | Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the url path to usersearch.php. |
| CVE-2017-9802 | medium | 6.1 | 6.1 | 9y ago | Improper Neutralization of Input During Web Page Generation Apache Sling Servlets Post |
| CVE-2017-12798 | medium | 6.1 | 6.1 | 9y ago | Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the q parameter to searchsuggest.php. |
| CVE-2017-12777 | medium | 6.1 | 6.1 | 9y ago | Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via some parameter to usersearch.php. |
| CVE-2017-8642 | medium | 6.1 | 6.1 | 9y ago | Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to elevate privileges due to the way that Microsoft Edge validates JavaScript under specific conditions, aka "Microsoft Edge Elevation o… |
| CVE-2017-10258 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: Add New Image). The supported version that is affected is 9.1.0. Easily exploita… |
| CVE-2017-10257 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: Browse Folder Hierarchy). The supported version that is affected is 9.1.0. Easil… |
| CVE-2017-10256 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: EPPCM_HIER_TOP). The supported version that is affected is 9.1.0. Easily exploit… |
| CVE-2017-10255 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: EPPCM_HIER_TOP). The supported version that is affected is 9.1.0. Easily exploit… |
| CVE-2017-10253 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Pivot Grid). Supported versions that are affected are 8.54 and 8.55. Easily exploitable v… |
| CVE-2017-10249 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily explo… |
| CVE-2017-10248 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: EPPCM_HIER_TOP). The supported version that is affected is 9.1.0. Easily exploit… |
| CVE-2017-10247 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: HTML Area). The supported version that is affected is 9.1.0. Easily exploitable … |
| CVE-2017-10215 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: EPPCM_DEFN_CATG). The supported version that is affected is 9.1.0. Easily exploi… |
| CVE-2017-10211 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the Hospitality Suite8 component of Oracle Hospitality Applications (subcomponent: WebConnect). The supported version that is affected is 8.10.x. Easily exploitable vulnerability all… |
| CVE-2017-10178 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Container). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.1 and 12.2.1.2. Ea… |
| CVE-2017-10172 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the Oracle Retail Open Commerce Platform component of Oracle Retail Applications (subcomponent: Framework). Supported versions that are affected are 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.… |
| CVE-2017-10128 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the Hospitality WebSuite8 Cloud Service component of Oracle Hospitality Applications (subcomponent: General). Supported versions that are affected are 8.9.6 and 8.10.x. Easily exploi… |
| CVE-2017-10126 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: HTML Area). The supported version that is affected is 9.1.0. Easily exploitable … |
| CVE-2017-10121 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the Java Advanced Management Console component of Oracle Java SE (subcomponent: Server). The supported version that is affected is Java Advanced Management Console: 2.6. Easily explo… |
| CVE-2017-10106 | medium | 6.1 | 6.1 | 9y ago | Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Portal). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulne… |