CVEs from 2017

Total: 11,615
- critical: 1,650
- high: 5,043
- medium: 4,169
- low: 159

% Critical: 14.2%
% with KEV: 0.7%
% with exploit: 9.9%

Top vendors

Top products
- imagemagick 1,426
- joomla! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-11666 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in js/ViewerPanel.js in the file previewer plugin in Kopano WebApp versions 3.3.0 and earlier allows remote attackers to inject arbitrary web script or HTML v… | |||
| CVE-2017-11612 | medium | 6.1 | 6.1 | 9y ago | In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components. | |||
| CVE-2017-11651 | medium | 6.1 | 6.1 | 9y ago | NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url tag. | |||
| CVE-2017-11629 | medium | 6.1 | 6.1 | 9y ago | dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request. | |||
| CVE-2017-6755 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web portal of the Cisco Prime Collaboration Provisioning (PCP) Tool could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a use… | |||
| CVE-2017-11460 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter … | |||
| CVE-2017-11458 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, a… | |||
| CVE-2017-11617 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in atmail prior to version 7.8.0.2 allows remote attackers to inject arbitrary web script or HTML within the body of an email via an IMG element with both sin… | |||
| CVE-2017-10711 | medium | 6.1 | 6.1 | 9y ago | In SimpleRisk 20170614-001, a CSRF attack on reset.php (aka the Send Password Reset Email form) can insert XSS sequences via the user parameter. | |||
| CVE-2017-11593 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus extension before 0.5.7 for Chrome allows remote attackers to inject arbitrary web script or HTML into some web applications via t… | |||
| CVE-2017-11586 | medium | 6.1 | 6.1 | 9y ago | dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php. | |||
| CVE-2017-11581 | medium | 6.1 | 6.1 | 9y ago | dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character. | |||
| CVE-2017-2274 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in WMR-433 firmware Ver.1.02 and earlier, WMR-433W firmware Ver.1.40 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vect… | |||
| CVE-2017-11516 | medium | 6.1 | 6.1 | 9y ago | Yii Cross-site Scripting Framework vulnerability | |||
| CVE-2017-9931 | medium | 6.1 | 6.1 | 9y ago | Cross-Site Scripting (XSS) exists in Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, as demonstrated by the action parameter to ajax.cgi. | |||
| CVE-2017-11503 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting in PHPMailer | |||
| CVE-2017-0378 | medium | 6.1 | 6.1 | 9y ago | XSS exists in the login_form function in views/helpers.php in Phamm before 0.6.7, exploitable via the PATH_INFO to main.php. | |||
| CVE-2017-7059 | medium | 6.1 | 6.1 | 9y ago | A DOMParser XSS issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" compon… | |||
| CVE-2017-7038 | medium | 6.1 | 6.1 | 9y ago | A DOMParser XSS issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" compon… | |||
| CVE-2017-10676 | medium | 6.1 | 6.1 | 9y ago | On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was found in the form2userconfig.cgi username parameter. | |||
| CVE-2017-1223 | medium | 6.1 | 6.1 | 9y ago | IBM Tivoli Endpoint Manager could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker c… | |||
| CVE-2017-1203 | medium | 6.1 | 6.1 | 9y ago | IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web … | |||
| CVE-2017-9764 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows remote attackers to inject arbitrary web script or HTML via the Client-IP or X-Forwarded-For HTTP header to /include/stat/stat.php in… | |||
| CVE-2017-10801 | medium | 6.1 | 6.1 | 9y ago | phpSocial (formerly phpDolphin) before 3.0.1 has XSS in the PATH_INFO to the search/tag/ URI. | |||
| CVE-2017-10962 | medium | 6.1 | 6.1 | 9y ago | REDCap before 7.5.1 has XSS via the query string. | |||
| CVE-2017-9934 | medium | 6.1 | 6.1 | 9y ago | Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability. | |||
| CVE-2017-8896 | medium | 6.1 | 6.1 | 9y ago | ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters. | |||
| CVE-2017-7663 | medium | 6.1 | 6.1 | 9y ago | Apache OpenMeetings Cross-site Scripting vulnerability | |||
| CVE-2017-3103 | medium | 6.1 | 6.1 | 9y ago | Adobe Connect versions 9.6.1 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to a stored cross-site scripting attack. | |||
| CVE-2017-3102 | medium | 6.1 | 6.1 | 9y ago | Adobe Connect versions 9.6.1 and earlier have a reflected cross-site scripting vulnerability. Successful exploitation could lead to a reflected cross-site scripting attack. | |||
| CVE-2017-1000078 | medium | 6.1 | 6.1 | 9y ago | Linux foundation ONOS 1.9 is vulnerable to XSS in the device. registration | |||
| CVE-2017-1000070 | medium | 6.1 | 6.1 | 9y ago | Open Redirect in oauth2_proxy | |||
| CVE-2017-1000065 | medium | 6.1 | 6.1 | 9y ago | Multiple Cross-site scripting (XSS) vulnerabilities in rpc.php in OpenMediaVault release 2.1 in Access Rights Management(Users) functionality allows attackers to inject arbitrary web scripts and exec… | |||
| CVE-2017-1000063 | medium | 6.1 | 6.1 | 9y ago | kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 page resulting in information disclosure | |||
| CVE-2017-1000059 | medium | 6.1 | 6.1 | 9y ago | Live Helper Chat version 2.06v and older is vulnerable to Cross-Site Scripting in the HTTP Header handling resulting in the execution of any user provided Javascript code in the session of other user… | |||
| CVE-2017-1000058 | medium | 6.1 | 6.1 | 9y ago | Stored XSS vulnerabilities in chevereto CMS before version 3.8.11, one in the user profile and one in the Exif data parser. | |||
| CVE-2017-1000054 | medium | 6.1 | 6.1 | 9y ago | Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdown link parsing code for messages. | |||
| CVE-2017-1000051 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content | |||
| CVE-2017-1000038 | medium | 6.1 | 6.1 | 9y ago | WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XSS resulting in attacker being able to execute JavaScript on the affected site | |||
| CVE-2017-1000035 | medium | 6.1 | 6.1 | 9y ago | Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener attack | |||
| CVE-2017-1000033 | medium | 6.1 | 6.1 | 9y ago | Wordpress Plugin Vospari Forms version < 1.4 is vulnerable to a reflected cross site scripting in the form submission resulting in javascript code execution in the context on the current user. | |||
| CVE-2017-1000032 | medium | 6.1 | 6.1 | 9y ago | Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sourc… | |||
| CVE-2017-1000027 | medium | 6.1 | 6.1 | 9y ago | Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable to an open URL redirect vulnerability in the user web login function resulting in unauthorized account access. | |||
| CVE-2017-1000015 | medium | 6.1 | 6.1 | 9y ago | phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters | |||
| CVE-2017-1000013 | medium | 6.1 | 6.1 | 9y ago | phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness | |||
| CVE-2017-1000012 | medium | 6.1 | 6.1 | 9y ago | MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying the data in the database to the user | |||
| CVE-2017-1000011 | medium | 6.1 | 6.1 | 9y ago | MyWebSQL version 3.6 is vulnerable to stored XSS in the database manager component resulting in account takeover or stealing of information | |||
| CVE-2017-1000006 | medium | 6.1 | 6.1 | 9y ago | Cross Site Scripting (XSS) in plotly.js | |||
| CVE-2017-1000005 | medium | 6.1 | 6.1 | 9y ago | PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the name of databases, tables and columns resulting in potential account takeover and scraping of data (stealing data). | |||
| CVE-2017-11202 | medium | 6.1 | 6.1 | 9y ago | FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than CVE-2017… | |||
| CVE-2017-11198 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or nam… | |||
| CVE-2017-11195 | medium | 6.1 | 6.1 | 9y ago | Pulse Connect Secure 8.3R1 has Reflected XSS in launchHelp.cgi. The helpLaunchPage parameter is reflected in an IFRAME element, if the value contains two quotes. It properly sanitizes quotes and tags… | |||
| CVE-2017-11194 | medium | 6.1 | 6.1 | 9y ago | Pulse Connect Secure 8.3R1 has Reflected XSS in adminservercacertdetails.cgi. In the admin panel, the certid parameter of adminservercacertdetails.cgi is reflected in the application's response and i… | |||
| CVE-2017-1321 | medium | 6.1 | 6.1 | 9y ago | IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intende… | |||
| CVE-2017-7678 | medium | 6.1 | 6.1 | 9y ago | Moderate severity vulnerability that affects org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11 | |||
| CVE-2017-11180 | medium | 6.1 | 6.1 | 9y ago | FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login scre… | |||
| CVE-2017-11179 | medium | 6.1 | 6.1 | 9y ago | FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user account. | |||
| CVE-2017-8621 | medium | 6.1 | 6.1 | 9y ago | Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange Server 2013 CU16, and Exchange Server 2016 CU5 allows an open redirect vulnerability that could lead to spoofing, aka "Microsoft… | |||
| CVE-2017-8560 | medium | 6.1 | 6.1 | 9y ago | Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange Server 2013 CU16, and Exchange Server 2016 CU5 allows an elevation of privilege vulnerability due to the way that Exchange Outlo… | |||
| CVE-2017-8559 | medium | 6.1 | 6.1 | 9y ago | Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange Server 2013 CU16, and Exchange Server 2016 CU5 allows an elevation of privilege vulnerability due to the way that Exchange Outlo… | |||
| CVE-2017-16833 | medium | 6.1 | 6.1 | 9y ago | Gemirro Stored XSS in Gemspec "homepage" value | |||
| CVE-2017-6733 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web-based application interface of the Cisco Identity Services Engine (ISE) portal could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS… | |||
| CVE-2017-1398 | medium | 6.1 | 6.1 | 9y ago | IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 6.0, 7.0, and 8.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a vic… | |||
| CVE-2017-11107 | medium | 6.1 | 6.1 | 9y ago | phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the form, element, rdn, or container parameter. | |||
| CVE-2017-10991 | medium | 6.1 | 6.1 | 9y ago | The WP Statistics plugin through 12.0.9 for WordPress has XSS in the rangestart and rangeend parameters on the wps_referrers_page page. | |||
| CVE-2017-2243 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in Responsive Lightbox prior to version 1.7.2 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2017-2224 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in Event Calendar WD prior to version 1.0.94 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2017-2222 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in WP-Members prior to version 3.1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2017-2217 | medium | 6.1 | 6.1 | 9y ago | Open redirect vulnerability in WordPress Download Manager prior to version 2.9.51 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||
| CVE-2017-2216 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in WordPress Download Manager prior to version 2.9.50 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2017-2194 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in Source code security studying tool iCodeChecker allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2017-2172 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting vulnerability in Cybozu KUNAI for Android 3.0.0 to 3.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2017-5002 | medium | 6.1 | 6.1 | 9y ago | EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrar… | |||
| CVE-2017-10967 | medium | 6.1 | 6.1 | 9y ago | In FineCMS before 2017-07-06, application\core\controller\config.php allows XSS in the (1) key_name, (2) key_value, and (3) meaning parameters. | |||
| CVE-2017-10975 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in Lutim before 0.8 might allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in an upload notification an… | |||
| CVE-2017-1256 | medium | 6.1 | 6.1 | 9y ago | IBM Security Guardium 10.0, 10.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality poten… | |||
| CVE-2017-1217 | medium | 6.1 | 6.1 | 9y ago | IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality poten… | |||
| CVE-2017-7276 | medium | 6.1 | 6.1 | 9y ago | There is reflected XSS in TOPdesk before 5.7.6 and 6.x and 7.x before 7.03.019. | |||
| CVE-2017-9313 | medium | 6.1 | 6.1 | 9y ago | Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1.850 allow remote attackers to inject arbitrary web script or HTML via the sec parameter to view_man.cgi, the referers parameter … | |||
| CVE-2017-7316 | medium | 6.1 | 6.1 | 9y ago | An issue was discovered on Humax Digital HG100R 2.0.6 devices. There is XSS on the 404 page. | |||
| CVE-2017-6725 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interf… | |||
| CVE-2017-6724 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interf… | |||
| CVE-2017-6722 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legi… | |||
| CVE-2017-6702 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web framework of Cisco SocialMiner could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affe… | |||
| CVE-2017-6701 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web application interface of the Cisco Identity Services Engine (ISE) portal could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) atta… | |||
| CVE-2017-6700 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a D… | |||
| CVE-2017-6699 | medium | 6.1 | 6.1 | 9y ago | A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a r… | |||
| CVE-2017-10798 | medium | 6.1 | 6.1 | 9y ago | In ObjectPlanet Opinio before 7.6.4, there is XSS. | |||
| CVE-2017-10795 | medium | 6.1 | 6.1 | 9y ago | Subrion Cross-site scripting (XSS) vulnerability | |||
| CVE-2017-6018 | medium | 6.1 | 6.1 | 9y ago | An open redirect issue was discovered in B. Braun Medical SpaceCom module, which is integrated into the SpaceStation docking station: SpaceStation with SpaceCom module (integrated as part number 8713… | |||
| CVE-2017-10673 | medium | 6.1 | 6.1 | 9y ago | admin/profile.php in GetSimple CMS 3.x has XSS in a name field. | |||
| CVE-2017-10667 | medium | 6.1 | 6.1 | 9y ago | In index.php in Zen Cart 1.6.0, the products_id parameter can cause XSS. | |||
| CVE-2017-9145 | medium | 6.1 | 6.1 | 9y ago | TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not properly validate the imgsize or lang parameter to prevent XSS. | |||
| CVE-2017-7416 | medium | 6.1 | 6.1 | 9y ago | ntopng before 3.0 allows XSS because GET and POST parameters are improperly validated. | |||
| CVE-2017-9356 | medium | 6.1 | 6.1 | 9y ago | Sitecore.NET 7.1 through 7.2 has a Cross Site Scripting Vulnerability via the searchStr parameter to the /Search-Results URI. | |||
| CVE-2017-6053 | medium | 6.1 | 6.1 | 9y ago | A Cross-Site Scripting issue was discovered in Trihedral VTScada Versions prior to 11.2.26. A cross-site scripting vulnerability may allow JavaScript code supplied by the attacker to execute within t… | |||
| CVE-2017-9781 | medium | 6.1 | 6.1 | 9y ago | A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username pa… | |||
| CVE-2017-9668 | medium | 6.1 | 6.1 | 9y ago | In admin\addgroup.php in CMS Made Simple 2.1.6, when adding a user group, there is no XSS filtering, resulting in storage-type XSS generation, via the description parameter in an addgroup action. | |||
| CVE-2017-8451 | medium | 6.1 | 6.1 | 9y ago | With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. | |||
| CVE-2017-9419 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in the Webhammer WP Custom Fields Search plugin 0.3.28 for WordPress allows remote attackers to inject arbitrary JavaScript via the cs-all-0 parameter. |