CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-1002011 79 XSS 2017-09-14 2017-09-20
3.5
None Remote Medium Single system None Partial None
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, There is a stored XSS vulnerability via the $value->gallery_name and $value->gallery_description where anyone with privileges to modify or add galleries/images and inject javascript into the database.
2 CVE-2017-1000250 200 +Info 2017-09-12 2017-09-23
3.3
None Local Network Low Not required Partial None None
All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.
3 CVE-2017-15008 79 XSS 2017-10-03 2017-10-12
3.5
None Remote Medium Single system None Partial None
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all sensor titles, related to incorrect error handling for a %00 in the SRC attribute of an IMG element.
4 CVE-2017-14985 79 XSS 2017-10-02 2017-10-10
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the url parameter to module/module_frame/index.php.
5 CVE-2017-14984 79 XSS 2017-10-02 2017-10-10
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the bp_name parameter to /module/admin_bp/add_services.php.
6 CVE-2017-14983 79 XSS 2017-10-02 2017-10-10
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the object parameter to module/admin_conf/index.php.
7 CVE-2017-14981 79 XSS 2017-10-02 2017-10-11
3.5
None Remote Medium Single system None Partial None
Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website.
8 CVE-2017-14923 79 XSS 2017-09-29 2017-10-05
3.5
None Remote Medium Single system None Partial None
Stored XSS vulnerability via IMG element at "Leadname" of CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
9 CVE-2017-14922 79 XSS 2017-09-29 2017-10-05
3.5
None Remote Medium Single system None Partial None
Stored XSS vulnerability via IMG element at "History" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
10 CVE-2017-14921 79 XSS 2017-09-29 2017-10-05
3.5
None Remote Medium Single system None Partial None
Stored XSS vulnerability via IMG element at "Filename" of Filemanager in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
11 CVE-2017-14771 20 2017-10-02 2017-10-11
3.6
None Local Low Not required None Partial Partial
Skybox Manager Client Application prior to 8.5.501 is prone to an arbitrary file upload vulnerability due to insufficient input validation of user-supplied files path when uploading files via the application. During a debugger-pause state, a local authenticated attacker can upload an arbitrary file and overwrite existing files within the scope of the affected application.
12 CVE-2017-14753 79 XSS 2017-09-26 2017-10-06
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the filter parameter to module/module_filters/index.php.
13 CVE-2017-14748 362 DoS 2017-09-26 2017-10-06
3.5
None Remote Medium Single system None None Partial
Race condition in Blizzard Overwatch 1.15.0.2 allows remote authenticated users to cause a denial of service (season bans and SR losses for other users) by leaving a competitive match at a specific time during the initial loading of that match.
14 CVE-2017-14717 79 XSS 2017-09-22 2017-10-05
3.5
None Remote Medium Single system None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
15 CVE-2017-14716 79 XSS 2017-09-22 2017-09-28
3.5
None Remote Medium Single system None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Title parameter.
16 CVE-2017-14715 79 XSS 2017-09-22 2017-09-28
3.5
None Remote Medium Single system None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Alerts Title parameter.
17 CVE-2017-14714 79 XSS 2017-09-22 2017-09-28
3.5
None Remote Medium Single system None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Subject parameter.
18 CVE-2017-14713 79 XSS 2017-09-22 2017-09-28
3.5
None Remote Medium Single system None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Description parameter.
19 CVE-2017-14712 79 XSS 2017-09-22 2017-10-05
3.5
None Remote Medium Single system None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.
20 CVE-2017-14651 79 XSS 2017-09-21 2017-09-28
3.5
None Remote Medium Single system None Partial None
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
21 CVE-2017-14621 79 XSS 2017-09-20 2017-09-28
3.5
None Remote Medium Single system None Partial None
Portus 2.2.0 has XSS via the Team field, related to typeahead.
22 CVE-2017-14618 79 XSS 2017-09-20 2017-10-02
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.
23 CVE-2017-14597 79 XSS 2017-09-19 2017-09-22
3.5
None Remote Medium Single system None Partial None
AdminPanel in AfterLogic WebMail 7.7 and Aurora 7.7.5 has XSS via the txtDomainName field to adminpanel/modules/pro/inc/ajax.php during addition of a domain.
24 CVE-2017-14506 79 XSS 2017-09-25 2017-09-28
3.5
None Remote Medium Single system None Partial None
geminabox (aka Gem in a Box) before 0.13.6 has XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file.
25 CVE-2017-14321 79 XSS 2017-09-21 2017-10-04
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the administrative interface in Mirasvit Helpdesk MX before 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) customer name or (2) subject in a ticket.
26 CVE-2017-14241 79 XSS 2017-09-11 2017-09-18
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php.
27 CVE-2017-14239 79 XSS 2017-09-11 2017-09-19
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors, (9) Note, (10) Capital, (11) ProfId1, (12) ProfId2, (13) ProfId3, (14) ProfId4, (15) ProfId5, or (16) ProfId6 parameter to htdocs/admin/company.php.
28 CVE-2017-14124 264 2017-09-13 2017-09-29
3.3
None Local Medium Not required Partial Partial None
In eLux RP 5.x before 5.5.1000 LTSR and 5.6.x before 5.6.2 CR when classic desktop mode is used, it is possible to start applications other than defined, even if the user does not have permissions to change application definitions.
29 CVE-2017-14049 79 XSS 2017-08-31 2017-09-01
3.5
None Remote Medium Single system None Partial None
In BlackCat CMS 1.2, backend/settings/ajax_save_settings.php allows remote authenticated users to conduct XSS attacks via the Website header or Website footer field.
30 CVE-2017-13754 79 XSS 2017-09-07 2017-09-13
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the "advanced settings - time server" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the "server name" field in actions/ChangeConfiguration.html.
31 CVE-2017-13724 79 XSS 2017-09-13 2017-09-21
3.5
None Remote Medium Single system None Partial None
On the Axesstel MU553S MU55XS-V1.14, there is a Stored Cross Site Scripting vulnerability in the APN parameter under the "Basic Settings" page.
32 CVE-2017-12978 79 XSS 2017-08-21 2017-08-26
3.5
None Remote Medium Single system None Partial None
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.
33 CVE-2017-12882 79 XSS 2017-08-18 2017-08-24
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0 allows remote authenticated users to inject arbitrary JavaScript or HTML via the file upload functionality.
34 CVE-2017-12879 79 XSS 2017-08-24 2017-09-11
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS-STORED) vulnerability in the DEVICES OR SENSORS functionality in Paessler PRTG Network Monitor before 17.3.33.2654 allows authenticated remote attackers to inject arbitrary web script or HTML.
35 CVE-2017-12844 79 XSS 2017-08-23 2017-08-29
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp Mail Server 10.4.4 allows remote authenticated domain administrators to inject arbitrary web script or HTML via a crafted user name.
36 CVE-2017-12699 275 2017-09-08 2017-09-19
3.6
None Local Low Not required Partial Partial None
An Incorrect Default Permissions issue was discovered in AzeoTech DAQFactory versions prior to 17.1. Local, non-administrative users may be able to replace or modify original application files with malicious ones.
37 CVE-2017-12591 79 XSS 2017-08-18 2017-08-24
3.5
None Remote Medium Single system None Partial None
ASUS DSL-N10S V2.1.16_APAC devices have reflected and stored cross site scripting, as demonstrated by the snmpSysName parameter.
38 CVE-2017-12572 79 XSS 2017-08-05 2017-08-15
3.5
None Remote Medium Single system None Partial None
Persistent Cross Site Scripting (XSS) exists in Splunk Enterprise 6.5.x before 6.5.2, 6.4.x before 6.4.6, and 6.3.x before 6.3.9 and Splunk Light before 6.5.2, with exploitation requiring administrative access, aka SPL-134104.
39 CVE-2017-12269 79 Exec Code XSS 2017-10-05 2017-10-12
3.5
None Remote Medium Single system None Partial None
A vulnerability in the web UI of Cisco Spark Messaging Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web UI of the affected software. An attacker could exploit this vulnerability by injecting XSS content into the web UI of the affected software. A successful exploit could allow the attacker to force a user to execute code of the attacker's choosing or allow the attacker to retrieve sensitive information from the user. Cisco Bug IDs: CSCvf70587, CSCvf70592.
40 CVE-2017-12238 399 DoS 2017-09-28 2017-10-06
3.3
None Local Network Low Not required None None Partial
A vulnerability in the Virtual Private LAN Service (VPLS) code of Cisco IOS 15.0 through 15.4 for Cisco Catalyst 6800 Series Switches could allow an unauthenticated, adjacent attacker to cause a C6800-16P10G or C6800-16P10G-XL type line card to crash, resulting in a denial of service (DoS) condition. The vulnerability is due to a memory management issue in the affected software. An attacker could exploit this vulnerability by creating a large number of VPLS-generated MAC entries in the MAC address table of an affected device. A successful exploit could allow the attacker to cause a C6800-16P10G or C6800-16P10G-XL type line card to crash, resulting in a DoS condition. This vulnerability affects Cisco Catalyst 6800 Series Switches that are running a vulnerable release of Cisco IOS Software and have a Cisco C6800-16P10G or C6800-16P10G-XL line card in use with Supervisor Engine 6T. To be vulnerable, the device must also be configured with VPLS and the C6800-16P10G or C6800-16P10G-XL line card needs to be the core-facing MPLS interfaces. Cisco Bug IDs: CSCva61927.
41 CVE-2017-12221 79 Exec Code XSS 2017-09-07 2017-09-14
3.5
None Remote Medium Single system None Partial None
A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the affected software. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code in the context of the affected system. Cisco Bug IDs: CSCvc38983.
42 CVE-2017-12213 287 Bypass 2017-09-07 2017-09-21
3.3
None Local Network Low Not required None Partial None
A vulnerability in the dynamic access control list (ACL) feature of Cisco IOS XE Software running on Cisco Catalyst 4000 Series Switches could allow an unauthenticated, adjacent attacker to cause dynamic ACL assignment to fail and the port to fail open. This could allow the attacker to pass traffic to the default VLAN of the affected port. The vulnerability is due to an uncaught error condition that may occur during the reassignment of the auth-default-ACL dynamic ACL to a switch port after 802.1x authentication fails. A successful exploit of this issue could allow a physically adjacent attacker to bypass 802.1x authentication and cause the affected port to fail open, allowing the attacker to pass traffic to the default VLAN of the affected switch port. Cisco Bug IDs: CSCvc72751.
43 CVE-2017-12154 284 2017-09-26 2017-09-28
3.6
None Local Low Not required Partial Partial None
The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.
44 CVE-2017-12066 79 XSS 2017-08-01 2017-08-02
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163.
45 CVE-2017-11691 79 XSS 2017-07-27 2017-08-04
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.
46 CVE-2017-11647 79 XSS 2017-07-28 2017-08-04
3.5
None Remote Medium Single system None Partial None
NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1.8.8 / Bootloader: 1.1.3 are vulnerable to stored cross-site scripting attacks. Creating an SSID with an XSS payload results in successful exploitation.
47 CVE-2017-11611 79 XSS 2017-09-08 2017-09-14
3.5
None Remote Medium Single system None Partial None
Wolf CMS 0.8.3.1 allows Cross-Site Scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization of the file name in a "create-file-popup" action, and the directory name in a "create-directory-popup" action, in the HTTP POST method to the "/plugin/file_manager/" script (aka an /admin/plugin/file_manager/browse// URI).
48 CVE-2017-11594 79 XSS 2017-07-23 2017-08-08
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new thread or a thread comment.
49 CVE-2017-11472 284 Bypass +Info 2017-07-20 2017-07-25
3.6
None Local Low Not required Partial Partial None
The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
50 CVE-2017-11458 79 XSS 2017-07-25 2017-08-26
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783.
Total number of vulnerabilities : 2538   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.