CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1020007 79 XSS 2019-07-29 2019-07-30
3.5
None Remote Medium Single system None Partial None
Dependency-Track before 3.5.1 allows XSS.
2 CVE-2019-1020005 79 XSS 2019-07-29 2019-08-01
3.5
None Remote Medium Single system None Partial None
invenio-communities before 1.0.0a20 allows XSS.
3 CVE-2019-1020003 79 XSS 2019-07-29 2019-08-01
3.5
None Remote Medium Single system None Partial None
invenio-records before 1.2.2 allows XSS.
4 CVE-2019-1010310 255 2019-07-12 2019-07-18
3.5
None Remote Medium Single system None Partial None
GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1.
5 CVE-2019-1010307 79 XSS 2019-07-15 2019-07-18
3.5
None Remote Medium Single system None Partial None
GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS leading to privilege escalation and executing js on admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: 1- User Create a ticket , 2- Admin opens another ticket and click on the "Link Tickets" feature, 3- a request to the endpoint fetches js and executes it.
6 CVE-2019-1010235 79 XSS 2019-07-22 2019-07-23
3.5
None Remote Medium Single system None Partial None
Frog CMS 1.1 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing, Alert pop-up on page, Redirecting to another phishing site, Executing browser exploits. The component is: Snippets.
7 CVE-2019-1010147 79 XSS 2019-07-25 2019-08-05
3.5
None Remote Medium Single system None Partial None
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later.
8 CVE-2019-1010008 79 Exec Code XSS 2019-07-14 2019-07-18
3.5
None Remote Medium Single system None Partial None
OpenEnergyMonitor Project Emoncms 9.8.8 is affected by: Cross Site Scripting (XSS). The impact is: Theoretically low, but might potentially enable persistent XSS (user could embed mal. code). The component is: Javascript code execution in "Name", "Location", "Bio" and "Starting Page" fields in the "My Account" page. File: Lib/listjs/list.js, line 67. The attack vector is: unknown, victim must open profile page if persistent was possible.
9 CVE-2019-1010003 79 XSS 2019-07-11 2019-07-12
3.5
None Remote Medium Single system None Partial None
Leanote prior to version 2.6 is affected by: Cross Site Scripting (XSS).
10 CVE-2019-1003050 79 XSS 2019-04-10 2019-04-12
3.5
None Remote Medium Single system None Partial None
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
11 CVE-2019-1003043 255 2019-03-28 2019-10-09
3.5
None Remote Medium Single system Partial None None
A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
12 CVE-2019-1003042 79 XSS 2019-03-28 2019-06-10
3.5
None Remote Medium Single system None Partial None
A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin.
13 CVE-2019-1003014 79 XSS 2019-02-06 2019-10-09
3.5
None Remote Medium Single system None Partial None
An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.
14 CVE-2019-1003013 79 XSS 2019-02-06 2019-10-09
3.5
None Remote Medium Single system None Partial None
An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.
15 CVE-2019-17434 79 XSS 2019-10-10 2019-10-10
3.5
None Remote Medium Single system None Partial None
LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.
16 CVE-2019-17433 79 XSS 2019-10-10 2019-10-10
3.5
None Remote Medium Single system None Partial None
z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen.
17 CVE-2019-17417 79 XSS 2019-10-09 2019-10-11
3.5
None Remote Medium Single system None Partial None
PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p=/Single/index/mcode/1 and Pboot/?contact/ URIs.
18 CVE-2019-17226 79 XSS 2019-10-06 2019-10-08
3.5
None Remote Medium Single system None Partial None
CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field.
19 CVE-2019-17225 79 XSS 2019-10-06 2019-10-08
3.5
None Remote Medium Single system None Partial None
Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue.
20 CVE-2019-17204 79 XSS 2019-10-05 2019-10-08
3.5
None Remote Medium Single system None Partial None
TeamPass 2.1.27.36 allows Stored XSS by setting a crafted Knowledge Base label and adding any available item.
21 CVE-2019-17203 79 XSS 2019-10-05 2019-10-08
3.5
None Remote Medium Single system None Partial None
TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a crafted password for an item in any folder.
22 CVE-2019-17121 79 XSS 2019-10-03 2019-10-08
3.5
None Remote Medium Single system None Partial None
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
23 CVE-2019-17074 79 XSS 2019-10-01 2019-10-07
3.5
None Remote Medium Single system None Partial None
An issue was discovered in XunRuiCMS 4.3.1. There is a stored XSS in the module_category area.
24 CVE-2019-17045 79 XSS 2019-09-30 2019-10-03
3.5
None Remote Medium Single system None Partial None
Ilch 2.1.22 allows stored XSS via the title, text, or email id to the Jobs Tab.
25 CVE-2019-16924 319 2019-09-27 2019-10-04
3.3
None Local Network Low Not required Partial None None
The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock.
26 CVE-2019-16904 79 XSS 2019-09-26 2019-09-27
3.5
None Remote Medium Single system None Partial None
TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.)
27 CVE-2019-16890 79 XSS 2019-09-25 2019-09-26
3.5
None Remote Medium Single system None Partial None
Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments.
28 CVE-2019-16704 79 XSS 2019-09-23 2019-09-23
3.5
None Remote Medium Single system None Partial None
admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS.
29 CVE-2019-16688 79 XSS 2019-09-27 2019-09-30
3.5
None Remote Medium Single system None Partial None
Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)
30 CVE-2019-16687 79 XSS 2019-09-27 2019-09-30
3.5
None Remote Medium Single system None Partial None
Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
31 CVE-2019-16686 79 XSS 2019-09-27 2019-09-30
3.5
None Remote Medium Single system None Partial None
Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.
32 CVE-2019-16685 79 XSS 2019-09-27 2019-10-01
3.5
None Remote Medium Single system None Partial None
Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
33 CVE-2019-16684 79 XSS 2019-09-30 2019-10-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes.
34 CVE-2019-16683 79 XSS 2019-09-30 2019-10-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes.
35 CVE-2019-16664 79 XSS 2019-09-21 2019-09-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in ThinkSAAS 2.91. There is XSS via the index.php?app=group&ac=create&ts=do groupname parameter.
36 CVE-2019-16661 79 XSS 2019-09-21 2019-09-23
3.5
None Remote Medium Single system None Partial None
Ogma CMS 0.5 has XSS via creation of a new blog.
37 CVE-2019-16643 79 XSS 2019-09-20 2019-09-20
3.5
None Remote Medium Single system None Partial None
An issue was discovered in ZrLog 2.1.1. There is a Stored XSS vulnerability in the article_edit area.
38 CVE-2019-16524 79 XSS 2019-09-26 2019-10-01
3.5
None Remote Medium Single system None Partial None
The easy-fancybox plugin before 1.8.18 for WordPress (aka Easy FancyBox) is susceptible to Stored XSS in the Settings Menu inc/class-easyfancybox.php due to improper encoding of arbitrarily submitted settings parameters. This occurs because there is no inline styles output filter.
39 CVE-2019-16518 668 2019-09-23 2019-09-23
3.3
None Local Network Low Not required None Partial None
An issue was discovered on Swell Kit Mod devices that use the Vandy Vape platform. An attacker may be able to trigger an unintended temperature in the victim's mouth and throat via Bluetooth Low Energy (BLE) packets that specify large power or voltage values.
40 CVE-2019-16417 79 XSS 2019-10-08 2019-10-09
3.5
None Remote Medium Single system None Partial None
HRworks FLOW 3.36.9 allows XSS via the purpose of a travel-expense report.
41 CVE-2019-16416 79 XSS 2019-10-08 2019-10-09
3.5
None Remote Medium Single system None Partial None
HRworks 3.36.9 allows XSS via the purpose of a travel-expense report.
42 CVE-2019-16334 79 XSS 2019-09-15 2019-09-16
3.5
None Remote Medium Single system None Partial None
In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636.
43 CVE-2019-16333 79 XSS 2019-09-15 2019-09-19
3.5
None Remote Medium Single system None Partial None
GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.
44 CVE-2019-16310 79 XSS 2019-09-14 2019-09-16
3.5
None Remote Medium Single system None Partial None
NIUSHOP V1.11 has XSS via the index.php?s=/admin URI.
45 CVE-2019-16289 79 XSS 2019-09-13 2019-09-16
3.5
None Remote Medium Single system None Partial None
The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter.
46 CVE-2019-16275 20 DoS 2019-09-12 2019-09-16
3.3
None Local Network Low Not required None None Partial
hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range.
47 CVE-2019-16223 79 XSS 2019-09-11 2019-09-12
3.5
None Remote Medium Single system None Partial None
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
48 CVE-2019-16216 79 XSS 2019-09-18 2019-09-18
3.5
None Remote Medium Single system None Partial None
Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files of certain types to mount a stored cross-site scripting attack on other logged-in users. On a Zulip server using the default local uploads backend, the attack is only effective against browsers lacking support for Content-Security-Policy such as Internet Explorer 11. On a Zulip server using the S3 uploads backend, the attack is confined to the origin of the configured S3 uploads hostname and cannot reach the Zulip server itself.
49 CVE-2019-16214 20 Exec Code 2019-09-11 2019-09-11
3.5
None Remote Medium Single system None Partial None
Libra Core before 2019-09-03 has an erroneous regular expression for inline comments, which makes it easier for attackers to interfere with code auditing by using a nonstandard line-break character for a comment. For example, a Move module author can enter the // sequence (which introduces a single-line comment), followed by very brief comment text, the \r character, and code that has security-critical functionality. In many popular environments, this code is displayed on a separate line, and thus a reader may infer that the code is executed. However, the code is NOT executed, because language/compiler/ir_to_bytecode/src/parser.rs allows the comment to continue after the \r character.
50 CVE-2019-16193 79 XSS 2019-09-11 2019-09-12
3.5
None Remote Medium Single system None Partial None
In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to trigger a Cross Frame Scripting (XFS) attack through the EDIT MY PROFILE feature.
Total number of vulnerabilities : 4540   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.