** DISPUTED ** Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to “Web site settings –> Basic setting –> Website title” and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is “just a functional bug.”
CWE-79
CVE-2018-10686
An issue was discovered in Vesta Control Panel 0.9.8-20. There is Reflected XSS via $_REQUEST[‘path’] to the view/file/index.php URI, which can lead to remote PHP code execution via vectors involving a file_put_contents call in web/upload/UploadHandler.php.
CVE-2018-10692
An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie “Password508” does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily.
CVE-2018-10700
An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter “iw_board_deviceName” is susceptible to this injection.
CVE-2018-10704
yidashi yii2cmf 2.0 has XSS via the /search q parameter.
CVE-2018-10726
** DISPUTED ** A stored XSS vulnerability was found in Datenstrom Yellow 0.7.3 via an “Edit page” action. NOTE: the vendor disputes the relevance of this report because an installation accessible to untrusted users is supposed to have parserSafeMode=1 in system/config/config.ini to prevent XSS.
