Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-5232

Summary
Assigner-atlassian
Assigner Org ID-f08a6ab8-ed46-4c22-8884-d911ccfe3c66
Published At-18 Jul, 2018 | 14:00
Updated At-16 Sep, 2024 | 17:37
Rejected At-
Credits

The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:atlassian
Assigner Org ID:f08a6ab8-ed46-4c22-8884-d911ccfe3c66
Published At:18 Jul, 2018 | 14:00
Updated At:16 Sep, 2024 | 17:37
Rejected At:
▼CVE Numbering Authority (CNA)

The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.

Affected Products
Vendor
AtlassianAtlassian
Product
Jira
Versions
Affected
  • From unspecified before 7.6.7 (custom)
  • From 7.7.0 before unspecified (custom)
  • From unspecified before 7.10.1 (custom)
Problem Types
TypeCWE IDDescription
textN/ACross Site Scripting (XSS)
Type: text
CWE ID: N/A
Description: Cross Site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://jira.atlassian.com/browse/JRASERVER-67410
x_refsource_CONFIRM
Hyperlink: https://jira.atlassian.com/browse/JRASERVER-67410
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://jira.atlassian.com/browse/JRASERVER-67410
x_refsource_CONFIRM
x_transferred
Hyperlink: https://jira.atlassian.com/browse/JRASERVER-67410
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@atlassian.com
Published At:18 Jul, 2018 | 14:29
Updated At:25 Mar, 2022 | 17:22

The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.06.1MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.0
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
Atlassian
atlassian
>>jira>>Versions before 7.6.7(exclusive)
cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
Atlassian
atlassian
>>jira_server>>Versions from 7.7.0(inclusive) to 7.10.1(exclusive)
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://jira.atlassian.com/browse/JRASERVER-67410security@atlassian.com
Issue Tracking
Vendor Advisory
Hyperlink: https://jira.atlassian.com/browse/JRASERVER-67410
Source: security@atlassian.com
Resource:
Issue Tracking
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

12380Records found
CVE-2019-20900
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.34% / 55.69%
||
7 Day CHG~0.00%
Published-13 Jul, 2020 | 01:05
Updated-17 Sep, 2024 | 02:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_data_centerJira Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20416
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.41%
||
7 Day CHG~0.00%
Published-30 Jun, 2020 | 03:00
Updated-17 Sep, 2024 | 04:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.

Action-Not Available
Vendor-Atlassian
Product-jira_software_data_centerjiraJira Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20414
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.40% / 59.90%
||
7 Day CHG~0.00%
Published-29 Jun, 2020 | 06:15
Updated-16 Sep, 2024 | 22:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-15053
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-1.85% / 82.25%
||
7 Day CHG~0.00%
Published-14 Aug, 2019 | 16:05
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.

Action-Not Available
Vendor-n/aAtlassian
Product-html_include_and_replace_macron/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-15007
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 44.62%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 14:41
Updated-16 Sep, 2024 | 23:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheyeCrucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4024
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 54.93%
||
7 Day CHG~0.00%
Published-01 Jul, 2020 | 01:35
Updated-16 Sep, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira Server and Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5229
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.34%
||
7 Day CHG~0.00%
Published-16 Jul, 2018 | 13:00
Updated-17 Sep, 2024 | 03:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names.

Action-Not Available
Vendor-Atlassian
Product-universal_plugin_managerUniversal Plugin Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5227
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.16% / 37.21%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 13:00
Updated-17 Sep, 2024 | 01:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link.

Action-Not Available
Vendor-Atlassian
Product-application_linksAtlassian Application Links
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20827
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.34%
||
7 Day CHG~0.00%
Published-09 Aug, 2019 | 19:31
Updated-16 Sep, 2024 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.

Action-Not Available
Vendor-Atlassian
Product-jiraJira
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20239
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.40% / 59.81%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 15:28
Updated-16 Sep, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.

Action-Not Available
Vendor-Atlassian
Product-confluence_data_centerfisheyejira_serverapplication_linksjira_data_centercruciblecrowdconfluence_serverAtlassian Application Links
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20240
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.76%
||
7 Day CHG~0.00%
Published-20 Feb, 2019 | 15:00
Updated-17 Sep, 2024 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheye and Crucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20241
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 45.31%
||
7 Day CHG~0.00%
Published-20 Feb, 2019 | 15:00
Updated-17 Sep, 2024 | 00:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheye and Crucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-36290
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.46% / 63.12%
||
7 Day CHG~0.00%
Published-26 Jul, 2022 | 04:05
Updated-03 Oct, 2024 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.

Action-Not Available
Vendor-Atlassian
Product-confluence_data_centerconfluence_serverConfluence ServerConfluence Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-36234
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.23% / 45.67%
||
7 Day CHG~0.00%
Published-15 Feb, 2021 | 00:00
Updated-16 Sep, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.

Action-Not Available
Vendor-Atlassian
Product-data_centerjira_serverjira_data_centerjiraJira ServerJira Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29444
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 46.05%
||
7 Day CHG~0.00%
Published-07 May, 2021 | 06:10
Updated-12 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters.

Action-Not Available
Vendor-Atlassian
Product-confluence_serverconfluence_data_centerConfluence Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4021
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.34% / 56.21%
||
7 Day CHG~0.00%
Published-01 Jun, 2020 | 06:35
Updated-16 Sep, 2024 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira Server and Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4013
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.24%
||
7 Day CHG~0.00%
Published-01 Jun, 2020 | 06:35
Updated-16 Sep, 2024 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the review objectives.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheyeCrucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-21686
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-7.3||HIGH
EPSS-1.03% / 76.38%
||
7 Day CHG+0.74%
Published-16 Jul, 2024 | 20:00
Updated-19 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

Action-Not Available
Vendor-Atlassian
Product-confluence_data_centerconfluence_serverConfluence Data CenterConfluence Serverconfluence_data_centerconfluence_server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4318
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 38.44%
||
7 Day CHG~0.00%
Published-10 Apr, 2017 | 03:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.

Action-Not Available
Vendor-n/aAtlassian
Product-jiraAtlassian JIRA Server before 7.1.9
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-13403
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 39.05%
||
7 Day CHG~0.00%
Published-13 Feb, 2019 | 18:00
Updated-16 Sep, 2024 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-14175
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 45.83%
||
7 Day CHG~0.00%
Published-24 Jul, 2020 | 07:05
Updated-16 Sep, 2024 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2.

Action-Not Available
Vendor-Atlassian
Product-confluence_data_centerconfluence_serverConfluence Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-36801
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-6.1||MEDIUM
EPSS-2.79% / 85.53%
||
7 Day CHG~0.00%
Published-10 Aug, 2022 | 02:20
Updated-29 Oct, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_data_centerJira ServerJira Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20232
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.88%
||
7 Day CHG~0.00%
Published-13 Feb, 2019 | 18:00
Updated-16 Sep, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-8450
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.29% / 51.76%
||
7 Day CHG~0.00%
Published-11 Sep, 2019 | 13:56
Updated-16 Sep, 2024 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field.

Action-Not Available
Vendor-Atlassian
Product-jira_serverJira
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-8444
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.34% / 55.90%
||
7 Day CHG~0.00%
Published-23 Aug, 2019 | 13:49
Updated-16 Sep, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.

Action-Not Available
Vendor-Atlassian
Product-jira_serverJira
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-13388
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 40.21%
||
7 Day CHG~0.00%
Published-10 Jul, 2018 | 13:00
Updated-17 Sep, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The review attachment resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in attached files.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheye and Crucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9507
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 48.83%
||
7 Day CHG~0.00%
Published-24 Aug, 2017 | 17:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleAtlassian Crucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4317
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 44.21%
||
7 Day CHG~0.00%
Published-10 Apr, 2017 | 03:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.

Action-Not Available
Vendor-n/aAtlassian
Product-confluenceAtlassian Confluence Server before 5.9.11
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-14184
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 45.47%
||
7 Day CHG~0.00%
Published-12 Oct, 2020 | 03:15
Updated-17 Sep, 2024 | 00:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-14166
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.65% / 69.97%
||
7 Day CHG~0.00%
Published-01 Jul, 2020 | 01:35
Updated-16 Sep, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.

Action-Not Available
Vendor-Atlassian
Product-jira_service_deskJira Service Desk Server and Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-14173
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 50.94%
||
7 Day CHG~0.00%
Published-03 Jul, 2020 | 01:50
Updated-16 Sep, 2024 | 21:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-21678
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-8.5||HIGH
EPSS-1.54% / 80.62%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:00
Updated-06 May, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction. Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: ||Affected versions||Fixed versions|| |from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2| |from 8.6.0 to 8.6.1|8.8.0 recommended| |from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS| |from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS| |from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS| |from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS| |from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS| |from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS| |from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS| |from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| Server Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:   ||Affected versions||Fixed versions|| |from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended | |from 8.4.0 to 8.4.5|8.5.6 LTS recommended| |from 8.3.0 to 8.3.4|8.5.6 LTS recommended| |from 8.2.0 to 8.2.3|8.5.6 LTS recommended| |from 8.1.0 to 8.1.4|8.5.6 LTS recommended| |from 8.0.0 to 8.0.4|8.5.6 LTS recommended| |from 7.20.0 to 7.20.3|8.5.6 LTS recommended| |from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS| |Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS| See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]). This vulnerability was reported via our Bug Bounty program.

Action-Not Available
Vendor-Atlassian
Product-confluence_data_centerconfluence_serverConfluence Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43943
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.52% / 65.80%
||
7 Day CHG~0.00%
Published-24 Feb, 2022 | 04:40
Updated-04 Oct, 2024 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Service Management Server and Data Center allow attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the "Object Schema" field of /secure/admin/InsightDefaultCustomFieldConfig.jspa. The affected versions are before version 4.21.0.

Action-Not Available
Vendor-Atlassian
Product-jira_service_managementJira Service Management Data CenterJira Service Management Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39117
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 44.05%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 06:30
Updated-11 Oct, 2024 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field.

Action-Not Available
Vendor-Atlassian
Product-data_centerjiraJira ServerJira Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4025
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.34% / 55.69%
||
7 Day CHG~0.00%
Published-01 Jul, 2020 | 01:35
Updated-16 Sep, 2024 | 22:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira Server and Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9523
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 31.42%
||
7 Day CHG~0.00%
Published-09 Jun, 2017 | 00:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Sophos Web Appliance before 4.3.2 has XSS in the FTP redirect page, aka NSWA-1342.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-web_appliancen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45815
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.16%
||
7 Day CHG~0.00%
Published-30 Dec, 2021 | 12:53
Updated-04 Aug, 2024 | 04:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-quecteln/a
Product-uc20_firmwareuc20n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-7400
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-7.38% / 91.34%
||
7 Day CHG~0.00%
Published-05 Feb, 2019 | 05:00
Updated-04 Aug, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Rukovoditel before 2.4.1 allows XSS.

Action-Not Available
Vendor-rukovoditeln/a
Product-rukovoditeln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-7324
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.30% / 53.04%
||
7 Day CHG~0.00%
Published-04 Feb, 2019 | 19:00
Updated-04 Aug, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting.

Action-Not Available
Vendor-kanboardn/a
Product-kanboardn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1856
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.70% / 71.08%
||
7 Day CHG~0.00%
Published-16 May, 2011 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in HP Business Availability Center (BAC) 8.06 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aHP Inc.
Product-business_availability_centern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-8758
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 72.94%
||
7 Day CHG~0.00%
Published-13 Sep, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Microsoft Exchange Server 2016 allows an elevation of privilege vulnerability when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Cross-Site Scripting Vulnerability."

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_serverMicrosoft Exchange Server 2016
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-2706
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 45.23%
||
7 Day CHG~0.00%
Published-14 Jan, 2020 | 20:58
Updated-06 Aug, 2024 | 23:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71.

Action-Not Available
Vendor-snewscmssNews
Product-snewssNews
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-2645
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 53.25%
||
7 Day CHG~0.00%
Published-26 Mar, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.

Action-Not Available
Vendor-n/aMoodle Pty Ltd
Product-moodleMoodle 3.x
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9420
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 60.48%
||
7 Day CHG~0.00%
Published-05 Jun, 2017 | 19:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross site scripting (XSS) vulnerability in the Spiffy Calendar plugin before 3.3.0 for WordPress allows remote attackers to inject arbitrary JavaScript via the yr parameter.

Action-Not Available
Vendor-sunnythemesn/a
Product-spiffy_calendarn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-1726
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.20% / 78.05%
||
7 Day CHG~0.00%
Published-03 May, 2011 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in HP SiteScope 9.54, 10.13, 11.01, and 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aHP Inc.
Product-sitescopen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9244
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.95%
||
7 Day CHG~0.00%
Published-02 Aug, 2017 | 19:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Trello app before 4.0.8 for iOS might allow remote attackers to inject arbitrary web script or HTML by uploading and attaching a crafted photo to a Card.

Action-Not Available
Vendor-trellon/a
Product-trellon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-8839
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.05% / 83.12%
||
7 Day CHG~0.00%
Published-05 Jun, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi.

Action-Not Available
Vendor-peplinkn/a
Product-balance_1350balance_305balance_580balance_3801350hw2_firmware580hw2_firmwareb305hw2_firmware710hw3_firmware380hw6_firmwarebalance_7102500_firmwarebalance_2500n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5711
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 46.85%
||
7 Day CHG~0.00%
Published-17 Sep, 2013 | 01:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in admin/walkthrough/walkthrough.php in the Design Approval System plugin before 3.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the step parameter.

Action-Not Available
Vendor-slickremixn/a
Product-design_approval_system_pluginn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5500
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 52.54%
||
7 Day CHG~0.00%
Published-20 Sep, 2013 | 16:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the oraadmin service page in Cisco MediaSense allow remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug IDs CSCuj23320, CSCuj23324, CSCuj23333, and CSCuj23338.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-mediasensen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-8560
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 72.94%
||
7 Day CHG~0.00%
Published-11 Jul, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange Server 2013 CU16, and Exchange Server 2016 CU5 allows an elevation of privilege vulnerability due to the way that Exchange Outlook Web Access (OWA) handles web requests, aka "Microsoft Exchange Cross-Site Scripting Vulnerability". This CVE ID is unique from CVE-2017-8559.

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_serverMicrosoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange Server 2013 CU16, and Exchange Server 2016 CU5.
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 247
  • 248
  • Next
Details not found