CVE-2019-14756

An issue was discovered in KaiOS 1.0, 2.5, and 2.5.12.5. The pre-installed Email application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a specially crafted email to the victim that will inject HTML into the email application's UI as soon as the email is opened. A...

CVE-2019-14548

An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside...

CVE-2019-14549

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible...

CVE-2019-7944

A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Retur...

CVE-2019-10756

It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the uinotification node accepting raw HTML by default...

CVE-2019-12844

A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3...

CVE-2018-16625

index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element...

CVE-2017-15682

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel...

CVE-2017-7990

The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp...

CVE-2018-15891

An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name...

CVE-2018-7277

An issue was discovered on RLE Wi-MGR/FDS-Wi 6.2 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This is similar to a Cross Protocol Injection with SNMP...

CVE-2019-14331

An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code...

CVE-2019-10634

An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields...

CVE-2019-8227

In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML...

CVE-2019-19908

phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmcusername parameter to passreset.php is vulnerable...

CVE-2019-10336

A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this plugin...

CVE-2019-10346

A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers inject arbitrary HTML and JavaScript into the response of this plugin...

CVE-2019-18267

An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary Javascript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site...

CVE-2019-18210

Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users Teacher and above to inject JavaScript into the session of another user e.g., enrolled student or site administrator via the introeditortext parameter. NOTE: the discoverer and vendor disagree on whether Mood...

CVE-2019-14350

EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation...