Vulnerabilities > Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-25 | CVE-2019-10406 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission. | 4.8 |
| 2019-09-25 | CVE-2019-10405 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. | 5.4 |
| 2019-09-25 | CVE-2019-10404 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. | 5.4 |
| 2019-09-25 | CVE-2019-10403 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions. | 5.4 |
| 2019-09-25 | CVE-2019-10402 | Cross-site Scripting vulnerability in Jenkins In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents. | 5.4 |
| 2019-09-25 | CVE-2019-10401 | Cross-site Scripting vulnerability in Jenkins In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure). | 5.4 |
| 2019-09-24 | CVE-2019-16725 | Cross-site Scripting vulnerability in Joomla Joomla! In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates. | 4.3 |
| 2019-09-24 | CVE-2019-16751 | Cross-site Scripting vulnerability in Devise Token Auth Project Devise Token Auth An issue was discovered in Devise Token Auth through 1.1.2. | 4.3 |
| 2019-09-24 | CVE-2018-9090 | Cross-site Scripting vulnerability in Redhat Tectonic CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret. | 4.3 |
| 2019-09-24 | CVE-2019-16728 | Cross-site Scripting vulnerability in multiple products DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari. | 4.3 |