Total
43965 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-5175 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-11-21 | N/A |
| A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts. This vulnerability affects Firefox < 60. | ||||
| CVE-2018-5172 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-11-21 | N/A |
| The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. This could allow a malicious site to socially engineer a user to copy and paste malicious script content that could then run with the context of either page but does not allow for privilege escalation. This vulnerability affects Firefox < 60. | ||||
| CVE-2018-5167 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-11-21 | N/A |
| The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Both will display "chrome:" links as active, clickable hyperlinks in their output. Web sites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display "javascript:" links, which users could be tricked into clicking by malicious sites. This vulnerability affects Firefox < 60. | ||||
| CVE-2018-5164 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-11-21 | N/A |
| Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks. This vulnerability affects Firefox < 60. | ||||
| CVE-2018-5143 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-11-21 | N/A |
| URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59. | ||||
| CVE-2018-5124 | 1 Mozilla | 1 Firefox | 2024-11-21 | N/A |
| Unsanitized output in the browser UI leaves HTML tags in place and can result in arbitrary code execution in Firefox before version 58.0.1. | ||||
| CVE-2018-5078 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2024-11-21 | N/A |
| Online Ticket Booking has XSS via the admin/eventlist.php cast parameter. | ||||
| CVE-2018-5077 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2024-11-21 | N/A |
| Online Ticket Booking has XSS via the admin/movieedit.php moviename parameter. | ||||
| CVE-2018-5076 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2024-11-21 | N/A |
| Online Ticket Booking has XSS via the admin/newsedit.php newstitle parameter. | ||||
| CVE-2018-5075 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2024-11-21 | N/A |
| Online Ticket Booking has XSS via the admin/snacks_edit.php snacks_name parameter. | ||||
| CVE-2018-5074 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2024-11-21 | N/A |
| Online Ticket Booking has XSS via the admin/manageownerlist.php contact parameter. | ||||
| CVE-2018-5072 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2024-11-21 | N/A |
| Online Ticket Booking has XSS via the admin/sitesettings.php keyword parameter. | ||||
| CVE-2018-5071 | 1 Cobham | 2 Sea Tel 116, Sea Tel 116 Firmware | 2024-11-21 | N/A |
| Persistent XSS exists in the web server on Cobham Sea Tel 116 build 222429 satellite communication system devices: remote attackers can inject malicious JavaScript code using the device's TELNET shell built-in commands, as demonstrated by the "set ship name" command. This is similar to a Cross Protocol Injection with SNMP. | ||||
| CVE-2018-5005 | 1 Adobe | 1 Experience Manager | 2024-11-21 | N/A |
| Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a Cross-site Scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||||
| CVE-2018-4941 | 1 Adobe | 1 Coldfusion | 2024-11-21 | 6.1 Medium |
| Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure. | ||||
| CVE-2018-4940 | 1 Adobe | 1 Coldfusion | 2024-11-21 | 6.1 Medium |
| Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure. | ||||
| CVE-2018-4931 | 1 Adobe | 1 Experience Manager | 2024-11-21 | N/A |
| Adobe Experience Manager versions 6.1 and earlier have an exploitable stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||||
| CVE-2018-4930 | 1 Adobe | 1 Experience Manager | 2024-11-21 | N/A |
| Adobe Experience Manager versions 6.3 and earlier have an exploitable Cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||||
| CVE-2018-4929 | 1 Adobe | 1 Experience Manager | 2024-11-21 | N/A |
| Adobe Experience Manager versions 6.2 and earlier have an exploitable stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||||
| CVE-2018-4876 | 1 Adobe | 1 Experience Manager | 2024-11-21 | N/A |
| Adobe Experience Manager versions 6.3, 6.2, and 6.1 are vulnerable to cross-site scripting via a bypass of the Sling XSSAPI#getValidHref function. | ||||