** DISPUTED ** Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the “file” parameter, aka an _profiler/open?file= URI. NOTE: The vendor states “The XSS … is in the web profiler, a tool that should never be deployed in production (so, we don’t handle those issues as security issues).”
CWE-79
CVE-2018-12043
content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page.
CVE-2018-12047
xfind/search in Ximdex 4.0 has XSS via the filter[n][value] parameters for non-negative values of n, as demonstrated by n equal to 0 through 12.
CVE-2018-12073
An issue was discovered on Eminent EM4544 9.10 devices. The device does not require the user’s current password to set a new one within the web interface. Therefore, it is possible to exploit this issue (e.g., in combination with a successful XSS, or at an unattended workstation) to change the admin password to an attacker-chosen value without knowing the current password.
CVE-2018-1201
Dell EMC Isilon versions between 8.1.0.0 – 8.1.0.1, 8.0.1.0 – 8.0.1.2, and 8.0.0.0 – 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the Job Operations Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user’s browser session in the context of the OneFS website.
CVE-2018-1202
Dell EMC Isilon versions between 8.1.0.0 – 8.1.0.1, 8.0.1.0 – 8.0.1.2, and 8.0.0.0 – 8.0.0.6, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the NDMP Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user’s browser session in the context of the OneFS website.
