CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
751 CVE-2017-18092 79 XSS 2018-02-19 2018-03-12
3.5
None Remote Medium Single system None Partial None
The print snippet resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of a comment on the snippet.
752 CVE-2017-18091 79 XSS 2018-02-16 2018-03-06
3.5
None Remote Medium Single system None Partial None
The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup.
753 CVE-2017-18089 79 XSS 2018-02-16 2018-03-06
3.5
None Remote Medium Single system None Partial None
The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review.
754 CVE-2017-18084 79 XSS 2018-02-02 2018-02-20
3.5
None Remote Medium Single system None Partial None
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.
755 CVE-2017-18083 79 XSS 2018-02-02 2018-02-15
3.5
None Remote Medium Single system None Partial None
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
756 CVE-2017-18082 79 XSS 2018-02-02 2018-02-13
3.5
None Remote Medium Single system None Partial None
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
757 CVE-2017-18041 79 XSS 2018-02-02 2018-02-20
3.5
None Remote Medium Single system None Partial None
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
758 CVE-2017-18040 79 XSS 2018-02-02 2018-10-17
3.5
None Remote Medium Single system None Partial None
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
759 CVE-2017-18034 79 XSS 2018-02-02 2018-02-15
3.5
None Remote Medium Single system None Partial None
The source browse resource in Atlassian FishEye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.
760 CVE-2017-18019 20 2018-01-03 2018-01-19
3.6
None Local Low Not required Partial None Partial
In K7 Total Security before 15.1.0.305, user-controlled input to the K7Sentry device is not sufficiently sanitized: the user-controlled input can be used to compare an arbitrary memory address with a fixed value, which in turn can be used to read the contents of arbitrary memory. Similarly, the product crashes upon a \\.\K7Sentry DeviceIoControl call with an invalid kernel pointer.
761 CVE-2017-18004 79 XSS 2017-12-31 2018-01-11
3.5
None Remote Medium Single system None Partial None
Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps/default/mapAndPoint.
762 CVE-2017-17995 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request.
763 CVE-2017-17994 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request.
764 CVE-2017-17993 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the amount parameter in an index.php?user=addition_deduction request.
765 CVE-2017-17991 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the expense_name parameter in an index.php?user=expenses request.
766 CVE-2017-17989 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the index.php holiday_name parameter in an edit_holiday action.
767 CVE-2017-17988 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_add.php event_title parameter.
768 CVE-2017-17986 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/caste_view.php comm_id parameter.
769 CVE-2017-17985 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/state_view.php cou_id parameter.
770 CVE-2017-17984 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_edit.php edit_id parameter.
771 CVE-2017-17981 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/slider_edit.php edit_id parameter.
772 CVE-2017-17947 79 XSS 2018-01-16 2018-02-06
3.5
None Remote Medium Single system None Partial None
A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal.
773 CVE-2017-17940 79 XSS 2017-12-28 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Single Theater Booking has XSS via the title parameter to admin/sitesettings.php.
774 CVE-2017-17938 79 XSS 2017-12-28 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Single Theater Booking has XSS via the admin/viewtheatre.php theatreid parameter.
775 CVE-2017-17929 79 XSS 2017-12-27 2018-01-10
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Professional Service Script has XSS via the admin/bannerview.php view parameter.
776 CVE-2017-17925 79 XSS 2017-12-27 2018-01-10
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Professional Service Script has XSS via the admin/general_settingupd.php website_title parameter.
777 CVE-2017-17910 310 +Info 2017-12-29 2018-01-16
3.3
None Local Network Low Not required None None Partial
On Hoermann BiSecur devices before 2018, a vulnerability can be exploited by recording a single radio transmission. An attacker can intercept an arbitrary radio frame exchanged between a BiSecur transmitter and a receiver to obtain the encrypted packet and the 32-bit serial number. The interception of the one-time pairing process is specifically not required. Due to use of AES-128 with an initial static random value and static data vector (all of this static information is the same across different customers' installations), the attacker can easily derive the utilized encryption key and decrypt the intercepted packet. The key can be verified by decrypting the intercepted packet and checking for known plaintext. Subsequently, an attacker can create arbitrary radio frames with the correct encryption key to control BiSecur garage and entrance gate operators and possibly other BiSecur systems as well ("wireless cloning"). To conduct the attack, a low cost Software Defined Radio (SDR) is sufficient. This affects Hoermann Hand Transmitter HS5-868-BS, HSE1-868-BS, and HSE2-868-BS devices.
778 CVE-2017-17909 79 XSS 2017-12-27 2018-01-10
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Responsive Realestate Script has XSS via the admin/general.php gplus parameter.
779 CVE-2017-17904 79 XSS 2017-12-27 2018-01-09
3.5
None Remote Medium Single system None Partial None
FS Lynda Clone has XSS via the keywords parameter to tutorial/ or the edit_profile_first_name parameter to user/edit_profile.
780 CVE-2017-17889 79 XSS 2018-04-22 2018-05-24
3.5
None Remote Medium Single system None Partial None
Kliqqi CMS 3.5.2 has XSS via a crafted group name in pligg/groups.php, a crafted Homepage string in a profile, or a crafted string in Tags or Description within pligg/submit.php.
781 CVE-2017-17832 79 XSS 2017-12-27 2018-01-17
3.5
None Remote Medium Single system None Partial None
ServersCheck Monitoring Software before 14.2.3 is prone to a cross-site scripting vulnerability as user supplied-data is not validated/sanitized when passed in the settings_SMS_ALERT_TYPE parameter, and JavaScript can be executed on settings-save.html (the Settings - SMS Alerts page).
782 CVE-2017-17828 79 XSS 2017-12-21 2018-01-03
3.5
None Remote Medium Single system None Partial None
Bus Booking Script has XSS via the results.php datepicker parameter or the admin/new_master.php spemail parameter.
783 CVE-2017-17825 79 XSS 2017-12-20 2018-01-03
3.5
None Remote Medium Single system None Partial None
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
784 CVE-2017-17778 79 XSS 2017-12-19 2018-01-03
3.5
None Remote Medium Single system None Partial None
Paid To Read Script 2.0.5 has XSS via the referrals.php tier parameter or the admin/userview.php uid parameter.
785 CVE-2017-17750 79 XSS 2018-03-24 2018-04-19
3.5
None Remote Medium Single system None Partial None
Bose SoundTouch devices allow XSS via a crafted public playlist from Spotify.
786 CVE-2017-17749 79 XSS 2018-03-24 2018-04-19
3.5
None Remote Medium Single system None Partial None
Bose SoundTouch devices allow XSS via crafted song data from a music service, as demonstrated by Pandora.
787 CVE-2017-17745 79 XSS 2017-12-20 2018-01-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in system_name_set.cgi in TP-Link TL-SG108E 1.0.0 allows authenticated remote attackers to submit arbitrary java script via the 'sysName' parameter.
788 CVE-2017-17694 79 XSS 2017-12-15 2017-12-21
3.5
None Remote Medium Single system None Partial None
Techno - Portfolio Management Panel through 2017-11-16 allows XSS via the panel/search.php s parameter.
789 CVE-2017-17556 200 +Info 2017-12-15 2018-01-05
3.6
None Local Low Not required Partial Partial None
A debug tool in Synaptics TouchPad drivers allows local users with administrative access to obtain sensitive information about keyboard scan codes by modifying registry keys.
790 CVE-2017-17478 79 Exec Code XSS 2018-02-27 2018-03-12
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages.
791 CVE-2017-17454 79 XSS 2018-02-20 2018-03-16
3.5
None Remote Medium Single system None Partial None
Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value.
792 CVE-2017-17436 326 2017-12-06 2017-12-22
3.3
None Local Network Low Not required Partial None None
An issue was discovered in the software on Vaultek Gun Safe VT20i products. There is no encryption of the session between the Android application and the safe. The website and marketing materials advertise that this communication channel is encrypted with "Highest Level Bluetooth Encryption" and "Data transmissions are secure via AES256 bit encryption." These claims, however, are not true. Moreover, AES256 bit encryption is not supported in the Bluetooth Low Energy (BLE) standard, so it would have to be at the application level. This lack of encryption allows an individual to learn the passcode by eavesdropping on the communications between the application and the safe.
793 CVE-2017-17383 79 XSS 2017-12-06 2017-12-22
3.5
None Remote Medium Single system None Partial None
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.
794 CVE-2017-17175 20 DoS 2018-07-02 2018-09-08
3.3
None Local Network Low Not required None None Partial
Short Message Service (SMS) module of Mate 9 Pro Huawei smart phones with the versions before LON-AL00B 8.0.0.354(C00) has a Denial of Service (DoS) vulnerability. An unauthenticated attacker may set up a pseudo base station, and send special malware text message to the phone, causing the mobile phone to fail to make calls and send and receive text messages.
795 CVE-2017-17094 79 XSS 2017-12-02 2018-02-03
3.5
None Remote Medium Single system None Partial None
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
796 CVE-2017-17093 79 XSS 2017-12-02 2018-02-03
3.5
None Remote Medium Single system None Partial None
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
797 CVE-2017-17092 79 XSS 2017-12-02 2018-02-03
3.5
None Remote Medium Single system None Partial None
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.
798 CVE-2017-17089 79 XSS 2017-12-30 2018-01-12
3.5
None Remote Medium Single system None Partial None
custom/run.cgi in Webmin before 1.870 allows remote authenticated administrators to conduct XSS attacks via the description field in the custom command functionality.
799 CVE-2017-16936 22 Dir. Trav. 2017-11-24 2017-12-12
3.3
None Local Network Low Not required Partial None None
Directory Traversal vulnerability in app_data_center on Shenzhen Tenda Ac9 US_AC9V1.0BR_V15.03.05.14_multi_TD01, Ac9 ac9_kf_V15.03.05.19(6318_)_cn, Ac15 US_AC15V1.0BR_V15.03.05.18_multi_TD01, Ac15 US_AC15V1.0BR_V15.03.05.19_multi_TD01, Ac18 US_AC18V1.0BR_V15.03.05.05_multi_TD01, and Ac18 ac18_kf_V15.03.05.19(6318_)_cn devices allows remote unauthenticated attackers to read arbitrary files via a cgi-bin/luci/request?op=1&path= URI that uses directory traversal sequences after a /usb/ substring.
800 CVE-2017-16919 79 XSS 2017-11-21 2017-12-05
3.5
None Remote Medium Single system None Partial None
MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in /clientes/visualizar, which allows remote attackers to inject arbitrary web script or HTML via a crafted description parameter.
Total number of vulnerabilities : 3652   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 (This Page)17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.