CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
501 CVE-2018-20448 79 XSS 2018-12-25 2019-01-03
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS via the Database name field to the /install/index.php URI.
502 CVE-2018-20418 79 XSS 2018-12-23 2019-01-07
3.5
None Remote Medium Single system None Partial None
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
503 CVE-2018-20373 79 XSS 2018-12-22 2019-01-14
3.5
None Remote Medium Single system None Partial None
Tenda ADSL modem routers 1.0.1 allow XSS via the hostname of a DHCP client.
504 CVE-2018-20372 79 XSS 2018-12-22 2019-01-11
3.5
None Remote Medium Single system None Partial None
TP-Link TD-W8961ND devices allow XSS via the hostname of a DHCP client.
505 CVE-2018-20370 79 XSS 2018-12-22 2019-01-09
3.5
None Remote Medium Single system None Partial None
SZ NetChat before 7.9 has XSS in the MyName input field of the Options module. Attackers are able to inject commands to compromise the enabled HTTP server web frontend.
506 CVE-2018-20368 79 XSS 2018-12-22 2019-01-15
3.5
None Remote Medium Single system None Partial None
The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the wp-admin/admin-ajax.php Name input field of the MSPanel.Settings value on Callback.
507 CVE-2018-20328 79 XSS 2018-12-21 2019-01-07
3.5
None Remote Medium Single system None Partial None
Chamilo LMS version 1.11.8 contains XSS in main/social/group_view.php in the social groups tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.
508 CVE-2018-20327 79 XSS 2018-12-21 2019-01-07
3.5
None Remote Medium Single system None Partial None
Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin/gradebook_list.tpl in the gradebook dependencies tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.
509 CVE-2018-20306 79 XSS 2018-12-20 2019-01-08
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting (XSS) vulnerability in the web administration user interface of Pulse Secure Virtual Traffic Manager may allow a remote authenticated attacker to inject web script or HTML via a crafted website and steal sensitive data and credentials. Affected releases are Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1.
510 CVE-2018-20244 79 XSS 2019-02-27 2019-04-12
3.5
None Remote Medium Single system None Partial None
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
511 CVE-2018-20239 79 XSS 2019-04-30 2019-05-29
3.5
None Remote Medium Single system None Partial None
Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.
512 CVE-2018-20217 20 2018-12-26 2019-04-16
3.5
None Remote Medium Single system None None Partial
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
513 CVE-2018-20153 79 XSS 2018-12-14 2019-01-04
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
514 CVE-2018-20149 79 XSS Bypass 2018-12-14 2019-01-04
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
515 CVE-2018-20138 79 XSS 2018-12-13 2019-01-03
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Entrepreneur B2B Script 3.0.6 allows Stored XSS via Account Settings fields such as FirstName and LastName, a similar issue to CVE-2018-14541.
516 CVE-2018-20137 79 XSS 2018-12-13 2019-01-03
3.5
None Remote Medium Single system None Partial None
XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI.
517 CVE-2018-20136 79 XSS 2018-12-13 2019-01-03
3.5
None Remote Medium Single system None Partial None
XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI.
518 CVE-2018-20017 79 XSS 2018-12-10 2018-12-28
3.5
None Remote Medium Single system None Partial None
SEMCMS 3.5 has XSS via the first text box to the SEMCMS_Main.php URI.
519 CVE-2018-20012 79 XSS 2018-12-10 2018-12-31
3.5
None Remote Medium Single system None Partial None
PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=member&c=register&m=index URI.
520 CVE-2018-20011 79 XSS 2018-12-10 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field.
521 CVE-2018-20010 79 XSS 2018-12-10 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php username field.
522 CVE-2018-20009 79 XSS 2018-12-10 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider.php SSL Provider Name or SSL Provider URL field.
523 CVE-2018-19995 79 XSS 2019-01-03 2019-01-07
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php.
524 CVE-2018-19992 79 XSS 2019-01-03 2019-01-07
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php.
525 CVE-2018-19927 79 XSS 2018-12-06 2019-01-02
3.5
None Remote Medium Single system None Partial None
Zenitel Norway IP-StationWeb before 4.2.3.9 allows stored XSS via the Display Name for Station Status or Account Settings, related to the goform/zForm_save_changes sip_nick parameter. The password of alphaadmin for the admin account may be used for authentication in some cases.
526 CVE-2018-19919 79 XSS 2018-12-06 2018-12-31
3.5
None Remote Medium Single system None Partial None
Pixelimity 1.0 has Persistent XSS via the admin/portfolio.php data[title] parameter, as demonstrated by a crafted onload attribute of an SVG element.
527 CVE-2018-19918 79 XSS 2018-12-31 2019-01-10
3.5
None Remote Medium Single system None Partial None
CuppaCMS has XSS via an SVG document uploaded to the administrator/#/component/table_manager/view/cu_views URI.
528 CVE-2018-19915 79 XSS 2018-12-06 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
529 CVE-2018-19914 79 XSS 2018-12-06 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.
530 CVE-2018-19913 79 XSS 2018-12-06 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/registrar-accounts.php UserName, Reseller ID, or notes field.
531 CVE-2018-19906 79 XSS 2018-12-31 2019-01-10
3.5
None Remote Medium Single system None Partial None
Stored XSS exists in razorCMS 3.4.8 via the /#/page description parameter.
532 CVE-2018-19905 79 XSS 2018-12-31 2019-01-10
3.5
None Remote Medium Single system None Partial None
HTML injection exists in razorCMS 3.4.8 via the /#/page keywords parameter.
533 CVE-2018-19902 79 XSS 2018-12-31 2019-01-10
3.5
None Remote Medium Single system None Partial None
No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article "keyword" parameter.
534 CVE-2018-19901 79 XSS 2018-12-31 2019-01-10
3.5
None Remote Medium Single system None Partial None
No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article/index/ "article_title" parameter.
535 CVE-2018-19892 79 XSS 2018-12-05 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the admin/dw/add-server.php DisplayName, HostName, or UserName field.
536 CVE-2018-19849 79 XSS 2018-12-04 2018-12-31
3.5
None Remote Medium Single system None Partial None
An issue was discovered in YzmCMS 5.2. XSS exists via the admin/content/search.html searinfo parameter.
537 CVE-2018-19845 79 XSS 2018-12-31 2019-01-10
3.5
None Remote Medium Single system None Partial None
There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325.
538 CVE-2018-19844 79 XSS 2018-12-31 2019-01-10
3.5
None Remote Medium Single system None Partial None
FROG CMS 0.9.5 has XSS via the admin/?/snippet/add name parameter, which is mishandled during an edit action, a related issue to CVE-2018-10319.
539 CVE-2018-19752 79 XSS 2018-11-29 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes field for the Registrar.
540 CVE-2018-19751 79 XSS 2018-11-29 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the admin/ssl-fields/add.php notes field for Custom SSL Fields.
541 CVE-2018-19750 79 XSS 2018-11-29 2018-12-27
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the admin/domain-fields/ notes field in an Add Custom Field action for Custom Domain Fields.
542 CVE-2018-19749 79 XSS 2018-11-29 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/account-owner.php Owner name field.
543 CVE-2018-19638 59 2019-03-05 2019-05-08
3.3
None Local Medium Not required None Partial Partial
In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files.
544 CVE-2018-19637 59 2019-03-05 2019-05-08
3.6
None Local Low Not required None Partial Partial
Supportutils, before version 3.1-5.7.1, wrote data to static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection
545 CVE-2018-19600 79 XSS 2019-01-03 2019-01-10
3.5
None Remote Medium Single system None Partial None
Rhymix CMS 1.9.8.1 allows XSS via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload.
546 CVE-2018-19598 79 XSS 2018-12-19 2019-01-04
3.5
None Remote Medium Single system None Partial None
Statamic 2.10.3 allows XSS via First Name or Last Name to the /users URI in an 'Add new user' request.
547 CVE-2018-19597 79 XSS 2018-12-19 2019-01-04
3.5
None Remote Medium Single system None Partial None
CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.
548 CVE-2018-19596 79 XSS 2018-12-19 2019-01-04
3.5
None Remote Medium Single system None Partial None
Zurmo 3.2.4 allows HTML Injection via an admin's use of HTML in the report section, a related issue to CVE-2018-19506.
549 CVE-2018-19579 79 XSS 2019-07-10 2019-07-11
3.5
None Remote Medium Single system None Partial None
GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1.
550 CVE-2018-19574 79 XSS 2019-07-10 2019-07-16
3.5
None Remote Medium Single system None Partial None
GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page.
Total number of vulnerabilities : 4400   Page : 1 2 3 4 5 6 7 8 9 10 11 (This Page)12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.