CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
601 CVE-2018-6655 79 XSS 2018-02-07 2018-02-26
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS via an arbitrary profile field.
602 CVE-2018-6622 254 2018-08-17 2018-10-29
3.6
None Local Low Not required None Partial Partial
An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware while S3 sleep and can clear TPM 2.0. It allows local users to overwrite static PCRs of TPM and neutralize the security features of it, such as seal/unseal and remote attestation.
603 CVE-2018-6550 79 XSS 2018-02-02 2018-02-14
3.5
None Remote Medium Single system None Partial None
Monstra CMS through 3.0.4 has XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php.
604 CVE-2018-6518 79 XSS 2018-04-26 2018-05-25
3.5
None Remote Medium Single system None Partial None
Composr CMS 10.0.13 has XSS via the site_name parameter in a page=admin-setupwizard&type=step3 request to /adminzone/index.php.
605 CVE-2018-6511 79 XSS 2018-05-08 2018-06-13
3.5
None Remote Medium Single system None Partial None
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.
606 CVE-2018-6510 79 XSS 2018-05-08 2018-06-13
3.5
None Remote Medium Single system None Partial None
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.
607 CVE-2018-6506 79 XSS 2018-02-11 2018-03-06
3.5
None Remote Medium Single system None Partial None
Cross-Site Scripting (XSS) exists in the Add Forum feature in the Administrative Panel in miniBB 3.2.2 via crafted use of an onload attribute of an SVG element in the supertitle field.
608 CVE-2018-6495 79 XSS 2018-05-23 2018-06-26
3.5
None Remote Medium Single system None Partial None
Cross-Site Scripting (XSS) in Micro Focus Universal CMDB, version 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.0, CMS, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1 and Micro Focus UCMDB Browser, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1. This vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS).
609 CVE-2018-6313 79 XSS 2018-01-25 2018-02-08
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) in WBCE CMS 1.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the Modify Page screen, a different issue than CVE-2017-2118.
610 CVE-2018-6227 79 XSS 2018-03-15 2018-04-04
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting (XSS) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject client-side scripts into vulnerable systems.
611 CVE-2018-6226 79 XSS 2018-03-15 2018-04-04
3.5
None Remote Medium Single system None Partial None
Reflected cross-site scripting (XSS) vulnerabilities in two Trend Micro Email Encryption Gateway 5.5 configuration files could allow an attacker to inject client-side scripts into vulnerable systems.
612 CVE-2018-6198 19 2018-01-24 2018-03-21
3.3
None Local Medium Not required None Partial Partial
w3m through 0.5.3 does not properly handle temporary files when the ~/.w3m directory is unwritable, which allows a local attacker to craft a symlink attack to overwrite arbitrary files.
613 CVE-2018-6194 79 XSS 2018-01-30 2018-02-14
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability in admin/partials/wp-splashing-admin-sidebar.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search parameter to wp-admin/upload.php.
614 CVE-2018-6190 79 XSS 2018-01-24 2018-02-09
3.5
None Remote Medium Single system None Partial None
Netis WF2419 V3.2.41381 devices allow XSS via the Description field on the MAC Filtering page.
615 CVE-2018-6013 79 XSS 2018-01-22 2018-02-07
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter. This issue exists in core/admin/ajax/developer/extensions/file-browser.php.
616 CVE-2018-5967 79 XSS 2018-01-25 2018-02-12
3.5
None Remote Medium Single system None Partial None
Netis WF2419 V2.2.36123 devices allow XSS via the Description parameter on the Bandwidth Control Rule Settings page.
617 CVE-2018-5965 79 XSS 2018-01-25 2018-02-07
3.5
None Remote Medium Single system None Partial None
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter.
618 CVE-2018-5964 79 XSS 2018-01-25 2018-02-07
3.5
None Remote Medium Single system None Partial None
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter.
619 CVE-2018-5963 79 XSS 2018-01-25 2018-02-07
3.5
None Remote Medium Single system None Partial None
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter.
620 CVE-2018-5871 310 2018-09-20 2018-11-23
3.3
None Local Network Low Not required None Partial None
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests (for privacy reasons) is not done properly due to a flawed RNG which produces repeating output much earlier than expected.
621 CVE-2018-5797 255 2018-02-04 2018-02-22
3.3
None Local Network Low Not required Partial None None
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is an Smint_encrypt Hardcoded AES Key that can be used for packet decryption (obtaining cleartext credentials) by an attacker who has access to a wired port.
622 CVE-2018-5754 79 XSS 2018-06-15 2018-08-02
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard.
623 CVE-2018-5691 79 XSS 2018-01-13 2018-10-17
3.5
None Remote Medium Single system None Partial None
SonicWall Global Management System (GMS) 8.1 has XSS via the `newName` and `Name` values of the `/sgms/TreeControl` module.
624 CVE-2018-5690 79 XSS 2018-01-13 2018-01-31
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb parameter (aka the page limit number).
625 CVE-2018-5689 79 XSS 2018-01-13 2018-01-31
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the malicious user's email.
626 CVE-2018-5687 79 XSS 2018-01-13 2018-02-02
3.5
None Remote Medium Single system None Partial None
NewsBee allows XSS via the Company Name field in the Settings under admin/admin.php.
627 CVE-2018-5681 79 XSS 2018-01-13 2018-01-31
3.5
None Remote Medium Single system None Partial None
PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages > Edit page" screen.
628 CVE-2018-5672 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.
629 CVE-2018-5671 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.
630 CVE-2018-5670 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.
631 CVE-2018-5668 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_title parameter.
632 CVE-2018-5667 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_pattern parameter.
633 CVE-2018-5666 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php bg_color parameter.
634 CVE-2018-5665 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php logo_height parameter.
635 CVE-2018-5664 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php social_icon_1 parameter.
636 CVE-2018-5663 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php button_text_link parameter.
637 CVE-2018-5662 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php counter_title parameter.
638 CVE-2018-5661 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php logo_width parameter.
639 CVE-2018-5660 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php coming-soon_sub_title parameter.
640 CVE-2018-5659 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php coming-soon_title parameter.
641 CVE-2018-5657 79 XSS 2018-01-12 2018-01-23
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php counter_title_icon parameter.
642 CVE-2018-5652 79 XSS 2018-01-12 2018-01-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_end parameter.
643 CVE-2018-5651 79 XSS 2018-01-12 2018-01-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_start parameter.
644 CVE-2018-5528 20 2018-06-27 2018-08-31
3.5
None Remote Medium Single system None None Partial
Under certain conditions, TMM may restart and produce a core file while processing APM data on BIG-IP 13.0.1 or 13.1.0.4-13.1.0.7.
645 CVE-2018-5520 284 2018-05-02 2018-06-13
3.5
None Remote Medium Single system Partial None None
On an F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.2.1-11.6.3.1 system configured in Appliance mode, the TMOS Shell (tmsh) may allow an administrative user to use the dig utility to gain unauthorized access to file system resources.
646 CVE-2018-5449 476 DoS 2018-03-05 2018-03-26
3.3
None Local Network Low Not required None None Partial
A NULL Pointer Dereference issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. The application does not check for a NULL value, allowing for an attacker to perform a denial of service attack.
647 CVE-2018-5438 613 2018-03-20 2018-04-20
3.3
None Local Medium Not required Partial Partial None
Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.
648 CVE-2018-5432 79 XSS 2018-06-13 2018-08-11
3.5
None Remote Medium Single system None Partial None
The TIBCO Administrator server component of of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains multiple vulnerabilities wherein a malicious user could theoretically perform cross-site scripting (XSS) attacks by way of manipulating artifacts prior to uploading them. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions up to and including 5.10.0, and TIBCO Administrator - Enterprise Edition for z/Linux: versions up to and including 5.9.1.
649 CVE-2018-5431 79 XSS 2018-04-17 2018-05-24
3.5
None Remote Medium Single system None Partial None
The domain designer component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability which may allow, in the context of a non-default permissions configuration, persisted cross-site scripting (XSS) attacks. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.
650 CVE-2018-5369 79 XSS 2018-01-12 2018-01-29
3.5
None Remote Medium Single system None Partial None
The SrbTransLatin plugin 1.46 for WordPress has XSS via an srbtranslatoptions action to wp-admin/options-general.php with a lang_identificator parameter.
Total number of vulnerabilities : 3882   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 (This Page)14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.