CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-9674 79 XSS 2017-06-15 2017-06-22
3.5
None Remote Medium Single system None Partial None
In SimpleCE 2.3.0, an authenticated XSS vulnerability was found on index.php/content/text/1?return_url=[XSS] exploitable as a regular or admin user.
2 CVE-2017-9548 79 XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None Partial None
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change).
3 CVE-2017-9547 79 XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None Partial None
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change).
4 CVE-2017-9546 79 DoS XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None None Partial
admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name.
5 CVE-2017-9516 79 XSS 2017-06-08 2017-06-14
3.5
None Remote Medium Single system None Partial None
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
6 CVE-2017-9452 79 XSS 2017-06-06 2017-06-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
7 CVE-2017-9448 79 XSS 2017-06-06 2017-06-12
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer) users.
8 CVE-2017-9441 79 XSS 2017-06-05 2017-06-12
3.5
None Remote Medium Single system None Partial None
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
9 CVE-2017-9366 79 XSS 2017-06-02 2017-06-09
3.5
None Remote Medium Single system None Partial None
Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Base/Dashboard/Dashboard_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted tab_name parameter.
10 CVE-2017-9331 79 XSS 2017-06-01 2017-06-09
3.5
None Remote Medium Single system None Partial None
The Agenda component in Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Utils/RecordBrowser/RecordBrowserCommon_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted meeting description parameter.
11 CVE-2017-9298 79 Exec Code XSS 2017-05-29 2017-06-08
3.5
None Remote Medium Single system None Partial None
Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code.
12 CVE-2017-9263 20 2017-05-29 2017-06-07
3.3
None Local Network Low Not required None None Partial
In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status message, there is a call to the abort() function for undefined role status reasons in the function `ofp_print_role_status_message` in `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a malicious switch.
13 CVE-2017-9249 79 XSS 2017-05-28 2017-06-06
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remote authenticated users to inject arbitrary web script or HTML persistently by uploading a crafted HTML file. The attack vector is the content of this file, and the filename must be specified in the PATH_INFO to readfile.php.
14 CVE-2017-9070 79 XSS 2017-05-18 2017-05-30
3.5
None Remote Medium Single system None Partial None
In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php.
15 CVE-2017-8780 79 XSS 2017-05-04 2017-05-12
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by a comment that is mishandled during a publish operation by an administrator, as demonstrated by a malformed P element.
16 CVE-2017-8762 79 XSS 2017-05-03 2017-05-12
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by an authenticated user who submits a page, as demonstrated by a crafted oncut attribute in a B element.
17 CVE-2017-8514 79 XSS 2017-06-14 2017-06-21
3.5
None Remote Medium Single system None Partial None
An information disclosure vulnerability exists when Microsoft SharePoint software fails to properly sanitize a specially crafted requests, aka "Microsoft SharePoint Reflective XSS Vulnerability".
18 CVE-2017-8382 352 CSRF 2017-05-16 2017-06-04
3.5
None Remote Medium Single system None None Partial
admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.
19 CVE-2017-8376 79 XSS 2017-05-01 2017-05-10
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by an authenticated comment that is mishandled during a mouse operation by an administrator.
20 CVE-2017-8302 79 XSS 2017-04-27 2017-05-09
3.5
None Remote Medium Single system None Partial None
Mura CMS 7.0.6967 allows admin/?muraAction= XSS attacks, related to admin/core/views/carch/list.cfm, admin/core/views/carch/loadsiteflat.cfm, admin/core/views/cusers/inc/dsp_nextn.cfm, admin/core/views/cusers/inc/dsp_search_form.cfm, admin/core/views/cusers/inc/dsp_users_list.cfm, admin/core/views/cusers/list.cfm, and admin/core/views/cusers/listusers.cfm.
21 CVE-2017-8298 79 XSS 2017-04-27 2017-05-03
3.5
None Remote Medium Single system None Partial None
cnvs.io Canvas 3.3.0 has XSS in the title and content fields of a "Posts > Add New" action, and during creation of new tags and users.
22 CVE-2017-8102 79 XSS 2017-04-24 2017-04-28
3.5
None Remote Medium Single system None Partial None
Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xsstrust plugin and a set_config error in that plugin.
23 CVE-2017-7999 264 DoS 2017-06-01 2017-06-09
3.5
None Remote Medium Single system None None Partial
Atlassian Eucalyptus before 4.4.1, when in EDGE mode, allows remote authenticated users with certain privileges to cause a denial of service (E2 service outage) via unspecified vectors.
24 CVE-2017-7953 79 XSS 2017-05-16 2017-05-24
3.5
None Remote Medium Single system None Partial None
INFOR EAM V11.0 Build 201410 has XSS via comment fields.
25 CVE-2017-7907 611 DoS 2017-05-18 2017-06-01
3.3
None Local Medium Not required Partial None Partial
An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (with improper restriction of XML external entity reference, or XXE) may allow an attacker to enter malicious input through the application which could cause a denial of service or disclose file contents from a server or connected network.
26 CVE-2017-7400 79 XSS 2017-04-03 2017-04-11
3.5
None Remote Medium Single system None Partial None
OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.
27 CVE-2017-7309 79 XSS 2017-03-31 2017-04-04
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3.
28 CVE-2017-7298 79 XSS 2017-03-29 2017-03-30
3.5
None Remote Medium Single system None Partial None
In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element.
29 CVE-2017-7257 79 XSS 2017-03-24 2017-03-30
3.5
None Remote Medium Single system None Partial None
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_content parameter. Someone must login to conduct the attack.
30 CVE-2017-7256 79 XSS 2017-03-24 2017-03-30
3.5
None Remote Medium Single system None Partial None
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_summary parameter. Someone must login to conduct the attack.
31 CVE-2017-7255 79 XSS 2017-03-24 2017-04-04
3.5
None Remote Medium Single system None Partial None
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_title parameter. Someone must login to conduct the attack.
32 CVE-2017-7241 79 XSS 2017-03-31 2017-04-04
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allows it. This is fixed in 1.3.9, 2.1.3, and 2.2.3. Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the "Post-installation and upgrade tasks" of the MantisBT Admin Guide. A reminder to do so is also displayed on the login page.
33 CVE-2017-7188 79 XSS 2017-04-14 2017-04-21
3.5
None Remote Medium Single system None Partial None
Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse.
34 CVE-2017-6973 79 XSS 2017-03-31 2017-04-04
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. This is fixed in 1.3.8, 2.1.2, and 2.2.2.
35 CVE-2017-6878 79 XSS 2017-03-27 2017-03-29
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in MetInfo 5.3.15 allows remote authenticated users to inject arbitrary web script or HTML via the name_2 parameter to admin/column/delete.php.
36 CVE-2017-6864 79 XSS 2017-03-28 2017-04-11
3.5
None Remote Medium Single system None Partial None
The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at port 10000/TCP could allow an authenticated user to perform stored Cross-Site Scripting attacks.
37 CVE-2017-6817 79 XSS 2017-03-11 2017-03-14
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
38 CVE-2017-6814 79 XSS 2017-03-11 2017-03-14
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.
39 CVE-2017-6618 79 Exec Code XSS 2017-04-20 2017-04-26
3.5
None Remote Medium Single system None Partial None
A vulnerability in the web-based GUI of Cisco Integrated Management Controller (IMC) 3.0(1c) could allow an authenticated, remote attacker to perform a cross-site scripting (XSS) attack. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by persuading an authenticated user of the web-based GUI on an affected system to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary code in the context of the web-based GUI on the affected system. Cisco Bug IDs: CSCvd14587.
40 CVE-2017-6602 77 2017-04-07 2017-04-13
3.6
None Local Low Not required Partial Partial None
A vulnerability in the CLI of Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb66189 CSCvb86775. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1742) 92.1(1.1658) 2.1(1.38) 2.0(1.107) 2.0(1.87) 1.1(4.148) 1.1(4.138).
41 CVE-2017-6601 77 2017-04-07 2017-04-13
3.6
None Local Low Not required Partial Partial None
A vulnerability in the CLI of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb61384 CSCvb86764. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1647).
42 CVE-2017-6556 79 XSS 2017-03-09 2017-03-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the "adminpage > sitesetting > General Settings > globalmetadata" field.
43 CVE-2017-6555 79 XSS 2017-03-09 2017-03-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in /admin/moduleinterface.php in CMS Made Simple 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the m1_description parameter (aka "Design Manager > Categories > Category Description").
44 CVE-2017-6340 79 XSS 2017-04-05 2017-04-11
3.5
None Remote Medium Single system None Partial None
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated, remote user (even with low privileges like 'Auditor') to create or modify reports, and consequently take advantage of this XSS vulnerability. The JavaScript is executed when victims visit reports or auditlog pages.
45 CVE-2017-6029 79 Exec Code XSS 2017-05-05 2017-05-17
3.5
None Remote Medium Single system None Partial None
A Cross-Site Scripting issue was discovered in Certec EDV GmbH atvise scada prior to Version 3.0. This may allow remote code execution.
46 CVE-2017-5998 79 XSS 2017-02-17 2017-02-23
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in InterSect Alliance SNARE Epilog for UNIX version 1.5 allows remote authenticated users to inject arbitrary web script or HTML via the str_log_name parameter in a "Web Admin Portal > Log Configuration > Add" action.
47 CVE-2017-5930 275 2017-03-20 2017-03-23
3.5
None Remote Medium Single system None Partial None
The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check.
48 CVE-2017-5900 79 XSS 2017-03-29 2017-03-31
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the NetComm NB16WV-02 router with firmware NB16WV_R0.09 allows remote authenticated users to inject arbitrary web script or HTML via the S801F0334 parameter to hdd.htm.
49 CVE-2017-5875 79 XSS 2017-02-06 2017-02-09
3.5
None Remote Medium Single system None Partial None
XSS was discovered in dotCMS 3.7.0, with an authenticated attack against the /myAccount addressID parameter.
50 CVE-2017-5870 79 XSS 2017-05-23 2017-06-01
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ViMbAdmin 3.0.15 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) transport parameter to domain/add; the (3) name parameter to mailbox/add/did/<domain id>; the (4) goto parameter to alias/add/did/<domain id>; or the (5) captchatext parameter to auth/lost-password.
Total number of vulnerabilities : 2300   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.