CVEdetails.com
Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5151 | CVE-2015-7409 | 79 | | XSS | 2016-01-01 | 2016-01-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM Security QRadar SIEM 7.2.x before 7.2.6 allows remote authenticated users to inject arbitrary web script or HTML via an unspecified field. |
| 5152 | CVE-2015-7402 | 79 | | XSS | 2016-01-02 | 2016-01-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management 6.1 before 6.1.1.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
| 5153 | CVE-2015-7398 | 79 | | XSS | 2016-02-15 | 2016-02-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM Emptoris Contract Management 9.5.0.x before 9.5.0.6 iFix15, 10.0.0.x and 10.0.1.x before 10.0.1.5 iFix5, 10.0.2.x before 10.0.2.7 iFix4, and 10.0.4.x before 10.0.4.0 iFix3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
| 5154 | CVE-2015-7386 | 79 | | XSS | 2015-09-28 | 2015-09-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in includes/metaboxes.php in the Gallery - Photo Albums - Portfolio plugin 1.3.47 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) Media Title or (2) Media Subtitle fields. |
| 5155 | CVE-2015-7363 | 79 | | XSS | 2016-10-07 | 2017-07-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the advanced settings page in Fortinet FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.3, in hardware models with a hard disk, and FortiAnalyzer 5.x before 5.0.13 and 5.2.x before 5.2.3 allows remote administrators to inject arbitrary web script or HTML via vectors related to report filters. |
| 5156 | CVE-2015-7347 | 79 | | XSS | 2017-09-20 | 2017-09-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Content Management System 1.1. |
| 5157 | CVE-2015-7344 | 79 | | XSS | 2020-03-09 | 2020-03-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | HikaShop Joomla Component before 2.6.0 has XSS via an injected payload[/caption]. |
| 5158 | CVE-2015-7343 | 79 | | XSS | 2020-03-09 | 2020-03-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | JNews Joomla Component before 8.5.0 has XSS via the mailingsearch parameter. |
| 5159 | CVE-2015-7323 | 264 | | Bypass | 2015-10-05 | 2016-12-08 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 allows remote authenticated users to bypass intended access restrictions and log into arbitrary meetings by leveraging a meeting id and meetingAppSun.jar. |
| 5160 | CVE-2015-7311 | 17 | | | 2015-10-01 | 2018-10-30 | 3.6 | None | Local | Low | Not required | None | Partial | Partial | libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image. |
| 5161 | CVE-2015-7230 | 264 | | Bypass | 2015-09-17 | 2015-09-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Workbench Email module 7.x-3.x before 7.x-3.4 for Drupal allows remote authenticated users with certain permissions to bypass node and field validation by saving a node. |
| 5162 | CVE-2015-7229 | 264 | | | 2015-09-17 | 2015-09-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Twitter module 6.x-5.x before 6.x-5.2, 7.x-5.x before 7.x-5.9, and 7.x-6.x before 7.x-6.0 for Drupal does not properly check access permissions, which allows remote authenticated users to post tweets to arbitrary accounts by leveraging the (1) "post to twitter" permission or change the options for arbitrary attached accounts by leveraging the (2) "add twitter accounts" or (3) "add authenticated twitter accounts" permission. |
| 5163 | CVE-2015-7227 | 264 | | | 2015-09-17 | 2015-09-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Fieldable Panels Panes module 7.x-1.x before 7.x-1.7 for Drupal does not properly check permissions to edit Fieldable Panels Panes entities, which allows remote authenticated users to edit panes by leveraging permissions to edit panels. |
| 5164 | CVE-2015-7225 | 254 | | | 2017-09-06 | 2017-09-21 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step. |
| 5165 | CVE-2015-6959 | 79 | | XSS | 2017-06-07 | 2017-06-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Vindula 1.9. |
| 5166 | CVE-2015-6927 | 59 | | | 2015-09-28 | 2017-07-01 | 3.6 | None | Local | Low | Not required | None | Partial | Partial | vzctl before 4.9.4 determines the virtual environment (VE) layout based on the presence of root.hdd/DiskDescriptor.xml in the VE private directory, which allows local simfs container (CT) root users to change the root password for arbitrary ploop containers, as demonstrated by a symlink attack on the ploop container root.hdd file and then access a control panel. |
| 5167 | CVE-2015-6918 | 200 | | +Info | 2017-10-10 | 2017-11-05 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | salt before 2015.5.5 leaks git usernames and passwords to the log. |
| 5168 | CVE-2015-6810 | 79 | | XSS | 2015-09-04 | 2015-09-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) 4.x before 4.0.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the event_location[address] array parameter to calendar/submit/. |
| 5169 | CVE-2015-6808 | 79 | | XSS | 2015-09-04 | 2019-06-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Spotlight module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title. |
| 5170 | CVE-2015-6805 | 79 | | XSS | 2015-09-02 | 2016-12-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the MDC Private Message plugin 1.0.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the message field in a private message. |
| 5171 | CVE-2015-6753 | 79 | | XSS | 2015-08-31 | 2015-09-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Quick Edit module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) entity title, related to in-place editing, or a (2) node title. |
| 5172 | CVE-2015-6751 | 79 | | XSS | 2015-08-31 | 2015-09-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Time Tracker module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) note added to a time entry or an (2) activity used to categorize time tracker entries. |
| 5173 | CVE-2015-6549 | 79 | | XSS | 2015-10-06 | 2016-12-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in an application console in the server in Symantec NetBackup OpsCenter before 7.7.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| 5174 | CVE-2015-6535 | 79 | | XSS | 2015-08-31 | 2018-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in includes/options-profiles.php in the YouTube Embed plugin before 3.3.3 for WordPress allows remote administrators to inject arbitrary web script or HTML via the Profile name field (youtube_embed_name parameter). |
| 5175 | CVE-2015-6521 | 79 | | XSS | 2017-10-10 | 2017-10-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2. |
| 5176 | CVE-2015-6494 | 79 | | XSS | 2015-10-28 | 2015-10-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| 5177 | CVE-2015-6462 | 79 | | XSS | 2019-03-21 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Reflected Cross-Site Scripting (nonpersistent) allows an attacker to craft a specific URL, which contains Java script that will be executed on the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC client browser. |
| 5178 | CVE-2015-6423 | 264 | | Bypass | 2016-01-15 | 2016-12-07 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | The DCERPC Inspection implementation in Cisco Adaptive Security Appliance (ASA) Software 9.4.1 through 9.5.1 allows remote authenticated users to bypass an intended DCERPC-only ACL by sending arbitrary network traffic, aka Bug ID CSCuu67782. |
| 5179 | CVE-2015-6363 | 79 | | XSS | 2015-11-12 | 2016-12-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco FireSIGHT Management Center (MC) 5.4.1.4 and 6.0.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuw88396. |
| 5180 | CVE-2015-6354 | 79 | | XSS | 2015-10-31 | 2016-12-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSight Management Center (MC) 5.4.1.3 and 6.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuv73338. |
| 5181 | CVE-2015-6353 | 79 | | XSS | 2015-10-31 | 2016-12-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSight Management Center (MC) 5.3.1.5 and 5.4.x through 5.4.1.3 allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuu28922. |
| 5182 | CVE-2015-6253 | 79 | | XSS | 2019-07-29 | 2020-01-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | edx-platform before 2015-08-17 allows XSS in the Studio listing of courses. |
| 5183 | CVE-2015-6039 | 79 | | XSS Bypass | 2015-10-14 | 2018-10-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server 2013 SP1 and SharePoint Foundation 2013 SP1 allows remote authenticated users to inject arbitrary web script or HTML via crafted content in an Office Marketplace instance, aka "Microsoft SharePoint Security Feature Bypass Vulnerability." |
| 5184 | CVE-2015-6037 | 79 | | XSS | 2015-10-14 | 2018-10-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Microsoft Excel Services on SharePoint Server 2010 SP2 and 2013 SP1, Office Web Apps 2010 SP2, Excel Web App 2010 SP2, Office Web Apps Server 2013 SP1, and SharePoint Foundation 2013 SP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, aka "Microsoft Office Web Apps XSS Spoofing Vulnerability." |
| 5185 | CVE-2015-6005 | 79 | | XSS | 2015-12-27 | 2016-12-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to inject arbitrary web script or HTML via (1) an SNMP OID object, (2) an SNMP trap message, (3) the View Names field, (4) the Group Names field, (5) the Flow Monitor Credentials field, (6) the Flow Monitor Threshold Name field, (7) the Task Library Name field, (8) the Task Library Description field, (9) the Policy Library Name field, (10) the Policy Library Description field, (11) the Template Library Name field, (12) the Template Library Description field, (13) the System Script Library Name field, (14) the System Script Library Description field, or (15) the CLI Settings Library Description field. |
| 5186 | CVE-2015-5961 | 264 | | Bypass | 2015-08-08 | 2015-08-21 | 3.3 | None | Local Network | Low | Not required | None | Partial | None | The COPPA error page in the Accounts setup dialog in Mozilla Firefox OS before 2.2 embeds content from an external web server URL into the System process, which allows man-in-the-middle attackers to bypass intended access restrictions by spoofing that server. |
| 5187 | CVE-2015-5956 | 79 | | XSS Bypass | 2015-09-16 | 2018-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier allows remote authenticated users to bypass the XSS filter and conduct cross-site scripting (XSS) attacks via a base64 encoded data URI, as demonstrated by the (1) returnUrl parameter to show_rechis.php and the (2) redirect_url parameter to index.php. |
| 5188 | CVE-2015-5953 | 79 | | XSS | 2015-10-21 | 2017-11-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in a shared folder. |
| 5189 | CVE-2015-5910 | 200 | | +Info | 2015-09-18 | 2016-12-22 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | IDE Xcode Server in Apple Xcode before 7.0 does not ensure that server traffic is encrypted, which allows remote attackers to obtain sensitive information by sniffing the network. |
| 5190 | CVE-2015-5884 | 200 | | +Info | 2015-10-09 | 2016-12-08 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | The Mail Drop feature in Mail in Apple OS X before 10.11 mishandles encryption parameters for attachments, which makes it easier for remote attackers to obtain sensitive information by sniffing the network during transmission of an S/MIME e-mail message with a large attachment. |
| 5191 | CVE-2015-5869 | 20 | | | 2015-09-18 | 2016-12-22 | 3.3 | None | Local Network | Low | Not required | None | Partial | None | The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Apple iOS before 9 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. |
| 5192 | CVE-2015-5853 | 200 | | +Info | 2015-10-09 | 2016-12-09 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | AirScan in Apple OS X before 10.11 allows man-in-the-middle attackers to obtain eSCL packet payload data via unspecified vectors. |
| 5193 | CVE-2015-5663 | 264 | | +Priv | 2015-12-30 | 2016-12-06 | 3.7 | None | Local | High | Not required | Partial | Partial | Partial | The file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse file with a name similar to an extensionless filename that was selected by the user. |
| 5194 | CVE-2015-5622 | 79 | | XSS | 2015-08-03 | 2017-11-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php. |
| 5195 | CVE-2015-5613 | 79 | | XSS | 2017-09-28 | 2017-10-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving a file title, a different vulnerability than CVE-2015-5612. |
| 5196 | CVE-2015-5500 | 79 | | XSS | 2015-08-18 | 2015-08-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Navigate module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors. |
| 5197 | CVE-2015-5497 | 79 | | XSS | 2015-08-18 | 2015-08-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Web Links module 6.x-2.x before 6.x-2.6 and 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors. |
| 5198 | CVE-2015-5494 | 79 | | XSS | 2015-08-18 | 2019-06-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Webform Matrix Component module 7.x-4.x before 7.x-4.13 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors. |
| 5199 | CVE-2015-5491 | 200 | | Bypass +Info | 2015-08-18 | 2015-08-20 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | The Dynamic display block module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users to bypass intended access restrictions and read sensitive titles by leveraging the "administer ddblock" permission. |
| 5200 | CVE-2015-5489 | 79 | | XSS | 2015-08-18 | 2015-08-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Smart Trim module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors involving the field settings form. |