CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
5051 CVE-2016-0313 79 XSS 2016-07-08 2016-07-08
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016 and 6.x before 6.0.1 ifix005 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-2888 and CVE-2016-0350.
5052 CVE-2016-0311 79 XSS 2018-02-02 2018-02-14
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Tivoli Business Service Manager 6.1.0 before 6.1.0-TIV-BSM-FP0004 and 6.1.1 before 6.1.1-TIV-BSM-FP0004 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111480.
5053 CVE-2016-0310 79 XSS 2017-02-08 2017-02-10
3.5
None Remote Medium ??? None Partial None
IBM Connections 5.5 and earlier is vulnerable to possible host header injection attack that could cause navigation to the attacker's domain.
5054 CVE-2016-0305 79 XSS 2017-02-08 2017-02-10
3.5
None Remote Medium ??? None Partial None
IBM Connections is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
5055 CVE-2016-0303 79 XSS 2018-02-02 2018-02-15
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Tivoli Integrated Portal 2.2.0.0 through 2.2.0.15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
5056 CVE-2016-0285 79 XSS 2016-11-24 2016-11-30
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Team Concert 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted field.
5057 CVE-2016-0282 79 XSS 2016-11-24 2017-07-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM iNotes before 8.5.3 FP6 IF2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, aka SPR KLYHAAHNUS.
5058 CVE-2016-0280 79 XSS 2016-08-08 2017-09-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Information Server Framework 8.5, Information Server Framework and InfoSphere Information Server Business Glossary 8.7 before FP2, Information Server Framework and InfoSphere Information Server Business Glossary 9.1 before 9.1.2.0, Information Server Framework and InfoSphere Information Governance Catalog 11.3 before 11.3.1.2, and Information Server Framework and InfoSphere Information Governance Catalog 11.5 before 11.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
5059 CVE-2016-0274 254 2018-03-09 2018-03-26
3.5
None Remote Medium ??? None Partial None
IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial Transaction Manager (FTM) for Corporate Payment Services (CPS) for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013 allows remote attackers to conduct clickjacking attacks via a crafted web site. IBM X-Force ID: 111076.
5060 CVE-2016-0273 79 XSS 2016-11-24 2016-11-30
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Team Concert 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
5061 CVE-2016-0269 79 XSS 2016-07-15 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM BigFix Platform 9.x before 9.1.8 and 9.2.x before 9.2.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
5062 CVE-2016-0265 79 XSS 2017-02-01 2017-02-05
3.5
None Remote Medium ??? None Partial None
IBM Campaign is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
5063 CVE-2016-0262 79 XSS 2016-03-14 2016-03-16
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.1.1 through 7.1.1.3, 7.5.0 before 7.5.0.9 IFIX004, and 7.6.0 before 7.6.0.3 IFIX001 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
5064 CVE-2016-0261 79 XSS 2018-03-12 2018-04-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management 6.0.0 before SP2 EP29, 6.0.4 before 6.0.4.6 iFix3, 6.0.5 before 6.0.5.9 iFix2, 6.1.0 before 6.1.0.1 iFix1, and 6.1.1 before 6.1.1.1 iFix1; and IBM Care Management 6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 110604.
5065 CVE-2016-0253 79 XSS 2018-03-09 2018-03-26
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial Transaction Manager (FTM) for Corporate Payment Services (CPS) for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 110562.
5066 CVE-2016-0227 79 XSS 2016-03-03 2016-12-03
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the document-list control implementation in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.2, and 8.5.5 and 8.5.6 through 8.5.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
5067 CVE-2016-0221 79 XSS 2016-07-03 2017-09-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Cognos TM1, as used in IBM Cognos Business Intelligence 10.2 before IF20, 10.2.1 before IF17, 10.2.1.1 before IF16, 10.2.2 before IF12, and 10.1.1 before IF19, allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
5068 CVE-2016-0218 79 XSS 2017-02-01 2017-04-06
3.5
None Remote Medium ??? None Partial None
IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
5069 CVE-2016-0217 79 XSS 2017-02-01 2019-09-30
3.5
None Remote Medium ??? None Partial None
IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
5070 CVE-2016-0207 20 2018-01-16 2018-02-01
3.5
None Remote Medium ??? None Partial None
IBM Algorithmics One-Algo Risk Application (ARA) 4.9.1 through 5.1.0 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors. IBM X-Force ID: 109399.
5071 CVE-2016-0011 79 XSS Bypass 2016-01-13 2018-10-12
3.5
None Remote Medium ??? None Partial None
Microsoft SharePoint Server 2013 SP1 and SharePoint Foundation 2013 SP1 allow remote authenticated users to bypass intended Access Control Policy restrictions and conduct cross-site scripting (XSS) attacks by modifying a webpart, aka "Microsoft SharePoint Security Feature Bypass," a different vulnerability than CVE-2015-6117.
5072 CVE-2015-9537 79 XSS 2019-11-26 2020-11-10
3.5
None Remote Medium ??? None Partial None
The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XSS issues involving thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, and wmYpos, and template.
5073 CVE-2015-9469 79 XSS 2019-10-10 2019-10-16
3.5
None Remote Medium ??? None Partial None
The content-grabber plugin 1.0 for WordPress has XSS via obj_field_name or obj_field_id.
5074 CVE-2015-9439 79 XSS CSRF 2019-09-26 2019-09-26
3.5
None Remote Medium ??? None Partial None
The addthis plugin before 5.0.13 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=addthis_social_widget pubid parameter.
5075 CVE-2015-9438 79 XSS 2019-09-26 2019-09-26
3.5
None Remote Medium ??? None Partial None
The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dw_show_widget id_base, widget_number, or instance parameter.
5076 CVE-2015-9436 79 XSS 2019-09-26 2019-09-26
3.5
None Remote Medium ??? None Partial None
The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=term_tree prefix or widget_id parameter.
5077 CVE-2015-9426 79 XSS CSRF 2019-09-26 2019-09-26
3.5
None Remote Medium ??? None Partial None
The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter.
5078 CVE-2015-9423 79 XSS 2019-09-26 2019-09-26
3.5
None Remote Medium ??? None Partial None
The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters.
5079 CVE-2015-9410 79 XSS 2019-09-26 2020-11-10
3.5
None Remote Medium ??? None Partial None
The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.
5080 CVE-2015-9401 79 XSS 2019-09-20 2019-09-20
3.5
None Remote Medium ??? None Partial None
The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/tools.php edit_style id XSS.
5081 CVE-2015-9397 79 XSS 2019-09-20 2019-09-20
3.5
None Remote Medium ??? None Partial None
The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS.
5082 CVE-2015-9393 79 XSS 2019-09-20 2019-09-20
3.5
None Remote Medium ??? None Partial None
The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_desc parameter.
5083 CVE-2015-9392 79 XSS 2019-09-20 2019-09-20
3.5
None Remote Medium ??? None Partial None
The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_name parameter.
5084 CVE-2015-9389 79 XSS 2019-09-20 2019-09-20
3.5
None Remote Medium ??? None Partial None
The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz name.
5085 CVE-2015-9354 79 XSS 2019-08-28 2019-08-29
3.5
None Remote Medium ??? None Partial None
The gigpress plugin before 2.3.11 for WordPress has XSS.
5086 CVE-2015-9267 269 2018-10-01 2021-03-15
3.6
None Local Low Not required None Partial Partial
Nullsoft Scriptable Install System (NSIS) before 2.49 uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which either a plugin or the uninstaller can be replaced by a Trojan horse program.
5087 CVE-2015-9260 79 XSS 2018-07-05 2020-11-10
3.5
None Remote Medium ??? None Partial None
An issue was discovered in BEdita before 3.7.0. A cross-site scripting (XSS) attack occurs via a crafted pages/showObjects URI, as demonstrated by appending a payload to a pages/showObjects/2/0/0/leafs URI.
5088 CVE-2015-9248 79 XSS 2018-01-12 2018-01-24
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Skybox Platform before 7.5.201. Stored cross-site scripting vulnerabilities exist in the title, Comments, or Description field to /skyboxview/webskybox/tickets in Change Manager.
5089 CVE-2015-9247 79 XSS 2018-01-12 2018-01-24
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Skybox Platform before 7.5.401. Reflected cross-site scripting vulnerabilities exist in /skyboxview/webservice/services/VersionRepositoryWebService via a soapenv:Body element, or in the status parameter to login.html.
5090 CVE-2015-9230 79 XSS 2017-09-12 2020-11-10
3.5
None Remote Medium ??? None Partial None
In the admin/db-backup-security/db-backup-security.php page in the BulletProof Security plugin before .52.5 for WordPress, XSS is possible for remote authenticated administrators via the DBTablePrefix parameter.
5091 CVE-2015-9229 79 XSS 2017-09-12 2020-11-10
3.5
None Remote Medium ??? None Partial None
In the nggallery-manage-gallery page in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress, XSS is possible for remote authenticated administrators via the images[1][alttext] parameter.
5092 CVE-2015-9105 79 XSS 2017-06-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos.
5093 CVE-2015-9104 79 XSS 2017-06-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5.1 before 5.1-2550 and 5.4 before 5.4-2857 allows remote authenticated attackers to inject arbitrary web script or HTML via the album title.
5094 CVE-2015-9103 79 XSS 2017-06-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments.
5095 CVE-2015-9102 79 XSS 2017-06-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.
5096 CVE-2015-8987 284 2017-03-14 2017-03-23
3.5
None Remote Medium ??? None Partial None
Man-in-the-middle (MitM) attack vulnerability in non-Mac OS agents in McAfee (now Intel Security) Agent (MA) 4.8.0 patch 2 and earlier allows attackers to make a McAfee Agent talk with another, possibly rogue, ePO server via McAfee Agent migration to another ePO server.
5097 CVE-2015-8956 476 DoS +Info 2016-10-10 2018-01-05
3.6
None Local Low Not required Partial None Partial
The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.
5098 CVE-2015-8801 254 Bypass 2016-06-30 2017-09-01
3.3
None Local Medium Not required Partial Partial None
Race condition in the client in Symantec Endpoint Protection (SEP) 12.1 before RU6 MP5 allows local users to bypass intended restrictions on USB file transfer by conducting filesystem operations before the SEP device manager recognizes a new USB device.
5099 CVE-2015-8759 79 XSS 2016-01-08 2016-01-12
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link field.
5100 CVE-2015-8758 79 XSS 2016-01-08 2016-01-12
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in unspecified frontend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.