CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

Each entry gives: index, CVE ID, CWE ID, vulnerability type(s), publish date, update date, CVSS score, gained access level, access vector, access complexity, authentication, and confidentiality/integrity/availability (C/I/A) impact, followed by the description. The "# of Exploits" column is empty for every entry on this page.

651 CVE-2018-10624 | CWE-388 | +Info | Published 2018-08-01 | Updated 2018-10-15 | CVSS 3.3 | Gained access: None | Access: Local Network | Complexity: Low | Authentication: Not required | C/I/A: Partial/None/None
In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information.

652 CVE-2018-10593 | CWE-89 | Sql | Published 2018-05-24 | Updated 2018-06-26 | CVSS 3.8 | Gained access: None | Access: Local Network | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/Partial
A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corruption.

653 CVE-2018-10586 | CWE-79 | XSS | Published 2018-11-01 | Updated 2018-12-12 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12.

654 CVE-2018-10580 | CWE-79 | XSS | Published 2018-05-11 | Updated 2018-06-14 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field.

655 CVE-2018-10570 | CWE-79 | XSS | Published 2018-04-30 | Updated 2018-06-07 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Frog CMS 0.9.5 has XSS in /install/index.php via the ['config']['admin_username'] field.

656 CVE-2018-10554 | CWE-79 | XSS CSRF | Published 2018-04-29 | Updated 2018-06-05 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter.

657 CVE-2018-10527 | CWE-79 | XSS | Published 2018-04-28 | Updated 2018-06-05 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
EasyCMS 1.3 is prone to Stored XSS when posting an article; four fields are affected: title, keyword, abstract, and content, as demonstrated by the /admin/index/index.html#listarticle URI.

658 CVE-2018-10430 | CWE-79 | XSS | Published 2018-04-26 | Updated 2018-06-06 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in DiliCMS (aka DiligentCMS) 2.4.0. There is a Stored XSS Vulnerability in the fourth textbox of "System setting->site setting" of admin/index.php.

659 CVE-2018-10422 | CWE-79 | XSS | Published 2018-04-26 | Updated 2018-05-25 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field.

660 CVE-2018-10391 | CWE-79 | XSS | Published 2018-04-26 | Updated 2018-05-24 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email parameter to the index.php?m=member&v=register URI.

661 CVE-2018-10382 | CWE-79 | XSS | Published 2018-06-01 | Updated 2018-06-27 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
MODX Revolution 2.6.3 has XSS.

662 CVE-2018-10368 | CWE-79 | XSS | Published 2018-04-25 | Updated 2018-05-24 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement.

663 CVE-2018-10367 | CWE-79 | XSS | Published 2018-04-25 | Updated 2018-05-24 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section.

664 CVE-2018-10365 | CWE-79 | XSS | Published 2018-05-01 | Updated 2018-06-05 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.

665 CVE-2018-10364 | CWE-79 | XSS | Published 2018-04-30 | Updated 2018-06-05 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
BigTree before 4.2.22 has XSS in the Users management page via the name or company field.

666 CVE-2018-10328 | CWE-798 | (no type listed) | Published 2018-04-24 | Updated 2018-08-30 | CVSS 3.3 | Gained access: None | Access: Local Network | Complexity: Low | Authentication: Not required | C/I/A: Partial/None/None
Momentum Axel 720P 5.1.8 devices have a hardcoded password of streaming for the appagent account, which allows remote attackers to view the RTSP video stream.

667 CVE-2018-10326 | CWE-79 | XSS | Published 2018-05-17 | Updated 2018-06-19 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
PrinterOn Enterprise 4.1.3 suffers from multiple authenticated stored XSS vulnerabilities via the (1) department field in the printer configuration, (2) description field in the print server configuration, and (3) username field for authentication to print as guest.

668 CVE-2018-10321 | CWE-79 | XSS | Published 2018-04-24 | Updated 2018-05-16 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings.

669 CVE-2018-10320 | CWE-79 | XSS | Published 2018-04-23 | Updated 2018-05-16 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Frog CMS 0.9.5 has XSS via the admin/?/layout/edit layout[name] parameter, aka Edit Layout.

670 CVE-2018-10319 | CWE-79 | XSS | Published 2018-04-23 | Updated 2018-05-16 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit snippet[name] parameter, aka Edit Snippet.

671 CVE-2018-10318 | CWE-79 | XSS | Published 2018-04-23 | Updated 2018-05-16 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Frog CMS 0.9.5 has XSS via the admin/?/page/edit page[keywords] parameter, aka Edit Page Metadata.

672 CVE-2018-10314 | CWE-79 | XSS | Published 2018-05-09 | Updated 2018-06-13 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the action parameter in the Discover -> Audit Scripts -> List Scripts -> Download section.

673 CVE-2018-10313 | CWE-79 | XSS | Published 2018-04-23 | Updated 2018-05-23 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.

674 CVE-2018-10310 | CWE-79 | Exec Code XSS | Published 2018-04-25 | Updated 2018-06-13 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
A persistent cross-site scripting vulnerability has been identified in the web interface of the Catapult UK Cookie Consent plugin before 2.3.10 for WordPress that allows the execution of arbitrary HTML/script code in the context of a victim's browser.

675 CVE-2018-10309 | CWE-79 | XSS | Published 2018-04-23 | Updated 2018-06-06 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
The Responsive Cookie Consent plugin before 1.8 for WordPress mishandles number fields, leading to XSS.

676 CVE-2018-10298 | CWE-79 | XSS | Published 2018-04-22 | Updated 2018-05-18 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content.

677 CVE-2018-10297 | CWE-79 | XSS | Published 2018-04-22 | Updated 2018-05-18 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images.

678 CVE-2018-10268 | CWE-79 | XSS | Published 2018-04-21 | Updated 2018-05-25 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in FastAdmin V1.0.0.20180417_beta. There is XSS via the application\api\controller\User.php avatar parameter.

679 CVE-2018-10259 | CWE-79 | XSS | Published 2018-05-01 | Updated 2018-06-05 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.

680 CVE-2018-10250 | CWE-79 | XSS | Published 2018-04-20 | Updated 2018-05-21 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixin_category action, aka a WeChat Classified Management keyword search.

681 CVE-2018-10234 | CWE-79 | XSS | Published 2018-04-23 | Updated 2018-05-24 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.

682 CVE-2018-10227 | CWE-79 | XSS | Published 2018-04-19 | Updated 2018-10-30 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter.

683 CVE-2018-10221 | CWE-79 | XSS | Published 2018-04-19 | Updated 2018-05-21 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS vulnerability that can steal the administrator cookies via the tag[tag] parameter to the index.php?m=tags&f=index&v=add&&_su=wuzhicms URI. After a website editor (whose privilege is lower than the administrator) logs in, he can add a new TAGS with the XSS payload.

684 CVE-2018-10213 | CWE-79 | XSS | Published 2018-04-25 | Updated 2018-05-24 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is XSS in invitation mail received from a different user, who can modify the HTML in that mail before sending it.

685 CVE-2018-10209 | CWE-79 | XSS | Published 2018-04-25 | Updated 2018-05-24 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is Stored XSS on the file or folder download pop-up via a crafted file or folder name.

686 CVE-2018-10206 | CWE-79 | XSS | Published 2018-04-25 | Updated 2018-05-24 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is Stored XSS via the optional message field of a file request.

687 CVE-2018-10165 | CWE-79 | XSS | Published 2018-05-03 | Updated 2018-06-12 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows.

688 CVE-2018-10164 | CWE-79 | XSS | Published 2018-05-03 | Updated 2018-06-12 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows.

689 CVE-2018-10121 | CWE-79 | XSS | Published 2018-04-16 | Updated 2018-05-16 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the title section of an admin/index.php?id=pages&action=edit_page&name=error404 (aka Edit 404 page) action.

690 CVE-2018-10118 | CWE-79 | XSS | Published 2018-04-16 | Updated 2018-06-09 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.

691 CVE-2018-10110 | CWE-79 | XSS | Published 2018-04-18 | Updated 2018-05-21 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
D-Link DIR-615 T1 devices allow XSS via the Add User feature.

692 CVE-2018-10109 | CWE-79 | XSS | Published 2018-04-16 | Updated 2018-05-16 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog.

693 CVE-2018-10096 | CWE-79 | XSS | Published 2018-04-13 | Updated 2018-05-11 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
joyplus-cms 1.6.0 has XSS via the device_name parameter in a manager/admin_ajax.php?action=save flag=add request.

694 CVE-2018-10078 | CWE-79 | XSS | Published 2018-04-20 | Updated 2018-05-17 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Cross-site scripting (XSS) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via a server description.

695 CVE-2018-10073 | CWE-79 | XSS | Published 2018-04-12 | Updated 2018-05-14 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
joyplus-cms 1.6.0 has XSS in manager/admin_vod.php via the keyword parameter.

696 CVE-2018-10061 | CWE-79 | XSS | Published 2018-04-12 | Updated 2018-04-26 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).

697 CVE-2018-10060 | CWE-79 | XSS | Published 2018-04-12 | Updated 2018-04-26 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.

698 CVE-2018-10059 | CWE-79 | XSS | Published 2018-04-12 | Updated 2018-04-26 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.

699 CVE-2018-10052 | CWE-79 | XSS | Published 2018-04-11 | Updated 2018-05-09 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
iScripts SupportDesk v4.3 has XSS via the admin/inteligentsearchresult.php txtinteligentsearch parameter.

700 CVE-2018-10051 | CWE-79 | XSS | Published 2018-04-11 | Updated 2018-05-09 | CVSS 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | C/I/A: None/Partial/None
iScripts SupportDesk v4.3 has XSS via the staff/inteligentsearchresult.php txtinteligentsearch parameter.
Total number of vulnerabilities: 4150 (this is page 14 of 83)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.