CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2018-18723 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in index.php/admin/area/editarea/id/110000 in YUNUCMS 1.1.5.
52 CVE-2018-18722 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in admin/content/editcontent?id=29&gopage=1 in YUNUCMS 1.1.5.
53 CVE-2018-18721 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in admin/link/editlink?id=5 in YUNUCMS 1.1.5.
54 CVE-2018-18720 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in index.php/admin/system/basic in YUNUCMS 1.1.5.
55 CVE-2018-18717 79 XSS 2018-10-29 2018-12-10
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Eleanor CMS through 2015-03-19. XSS exists via the ajax.php?direct=admin&file=autocomplete&query=[XSS] URI.
56 CVE-2018-18694 79 XSS 2018-10-29 2018-12-06
3.5
None Remote Medium Single system None Partial None
admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases.
57 CVE-2018-18517 79 XSS 2018-10-24 2018-12-06
3.5
None Remote Medium Single system None Partial None
Citrix NetScaler Gateway 10.5.x before 10.5.69.003, 11.1.x before 11.1.59.004, 12.0.x before 12.0.58.7, and 12.1.x before 12.1.49.1 has XSS.
58 CVE-2018-18433 79 XSS 2018-10-17 2018-11-29
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DESTOON B2B 7.0. admin/category.inc.php has XSS via the category[catname] parameter to the admin.php URI.
59 CVE-2018-18431 79 XSS 2018-10-17 2018-11-29
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DESTOON B2B 7.0. XSS exists via certain text boxes to the admin.php?moduleid=2&action=add URI.
60 CVE-2018-18430 79 XSS 2018-10-17 2018-11-29
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DESTOON B2B 7.0. admin\setting.inc.php has XSS via the first text box to the admin.php URI.
61 CVE-2018-18419 79 XSS 2018-10-19 2018-12-04
3.5
None Remote Medium Single system None Partial None
Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, as demonstrated by a .jpg filename to the /account URI.
62 CVE-2018-18417 79 XSS 2018-10-19 2018-12-04
3.5
None Remote Medium Single system None Partial None
In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload sections, as demonstrated by the name parameter to the index.php/admin/client/create URI.
63 CVE-2018-18416 79 XSS 2018-10-19 2018-12-04
3.5
None Remote Medium Single system None Partial None
LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the site_name parameter to the admin/settings/update URI.
64 CVE-2018-18381 79 XSS 2018-10-16 2018-11-30
3.5
None Remote Medium Single system None Partial None
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
65 CVE-2018-18374 79 XSS 2018-10-15 2018-11-27
3.5
None Remote Medium Single system None Partial None
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
66 CVE-2018-18373 79 XSS 2018-10-17 2018-11-30
3.5
None Remote Medium Single system None Partial None
In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, a Stored XSS vulnerability has been discovered in file upload areas in the Chat and Help Desk sections via the msg parameter in a /wp-admin/admin-ajax.php sb_ajax_add_message action.
67 CVE-2018-18290 79 XSS 2018-10-14 2018-12-04
3.5
None Remote Medium Single system None Partial None
** DISPUTED ** An issue was discovered in nc-cms through 2017-03-10. index.php?action=edit_html&name=home_content allows XSS via the HTML Source Editor. NOTE: the vendor disputes this because the form requires administrator privileges, and entering JavaScript is supported functionality.
68 CVE-2018-18087 79 XSS 2018-10-09 2018-11-23
3.5
None Remote Medium Single system None Partial None
The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user who has the "Manage portfolio" privilege can inject arbitrary web script or HTML via the Image URL field in the portfolio editor. The vulnerability is triggered by visiting /portfolio/${project_title}.
69 CVE-2018-18029 79 XSS 2018-10-09 2018-11-23
3.5
None Remote Medium Single system None Partial None
Navigate CMS has Stored XSS via the navigate.php Title field in an edit action.
70 CVE-2018-18021 20 DoS 2018-10-07 2018-11-27
3.6
None Local Low Not required None Partial Partial
arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.
71 CVE-2018-17886 79 XSS Bypass 2018-10-02 2018-11-16
3.5
None Remote Medium Single system None Partial None
An issue was discovered in JEESNS 1.3. The XSS filter in com.lxinet.jeesns.core.utils.XssHttpServletRequestWrapper.java could be bypassed, as demonstrated by a <svg/onLoad=confirm substring. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-12429.
72 CVE-2018-17868 79 XSS 2018-10-01 2018-11-16
3.5
None Remote Medium Single system None Partial None
DASAN H660GW devices have Stored XSS in the Port Forwarding functionality.
73 CVE-2018-17849 79 XSS 2018-10-04 2018-11-19
3.5
None Remote Medium Single system None Partial None
Navigate CMS 2.8 has Stored XSS via a navigate_upload.php (aka File Upload) request with a multipart/form-data JavaScript payload.
74 CVE-2018-17835 79 XSS 2018-10-01 2018-11-15
3.5
None Remote Medium Single system None Partial None
An issue was discovered in GetSimple CMS 3.3.15. An administrator can insert stored XSS via the admin/settings.php Custom Permalink Structure parameter, which injects the XSS payload into any page created at the admin/pages.php URI.
75 CVE-2018-17830 79 XSS 2018-10-01 2018-11-15
3.5
None Remote Medium Single system None Partial None
The $args variable in addons/mediapool/pages/index.php in REDAXO 5.6.2 is not effectively filtered, because names are not restricted (only values are restricted). The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=&args[ substring.
76 CVE-2018-17783 79 XSS 2018-10-30 2018-12-07
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability in the Edit Filter page (manage_filter_edit page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name.
77 CVE-2018-17782 79 XSS 2018-10-30 2018-12-07
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability in the Manage Filters page (manage_filter_page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name.
78 CVE-2018-17574 79 XSS 2018-09-28 2018-11-14
3.5
None Remote Medium Single system None Partial None
An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the name field of a project.
79 CVE-2018-17556 79 XSS 2018-09-26 2018-11-15
3.5
None Remote Medium Single system None Partial None
MODX Revolution v2.6.5-pl allows stored XSS via a Create New Media Source action.
80 CVE-2018-17369 79 XSS 2018-09-23 2018-11-15
3.5
None Remote Medium Single system None Partial None
An issue was discovered in springboot_authority through 2017-03-06. There is stored XSS via the admin/role/edit roleKey, name, or description parameter.
81 CVE-2018-17302 79 XSS 2018-09-21 2018-11-08
3.5
None Remote Medium Single system None Partial None
Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message.
82 CVE-2018-17301 79 XSS 2018-09-21 2018-11-08
3.5
None Remote Medium Single system None Partial None
Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel.
83 CVE-2018-17300 79 XSS 2018-09-21 2018-12-10
3.5
None Remote Medium Single system None Partial None
Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name.
84 CVE-2018-17140 79 XSS 2018-09-17 2018-11-09
3.5
None Remote Medium Single system None Partial None
The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS via the title parameter in a ql_insert action to wp-admin/admin.php.
85 CVE-2018-17138 79 XSS 2018-09-17 2018-11-08
3.5
None Remote Medium Single system None Partial None
The Jibu Pro plugin through 1.7 for WordPress is prone to Stored XSS via the wp-content/plugins/jibu-pro/quiz_action.php name (aka Quiz Name) field.
86 CVE-2018-17130 79 XSS 2018-09-17 2018-11-01
3.5
None Remote Medium Single system None Partial None
PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header,
87 CVE-2018-17128 79 XSS 2018-09-17 2018-11-07
3.5
None Remote Medium Single system None Partial None
A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.
88 CVE-2018-17090 79 XSS 2018-09-16 2018-11-01
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DonLinkage 6.6.8. The modules /pages/bazy/bazy_adresow.php and /pages/proxy/add.php are vulnerable to stored XSS that can be triggered by closing <textarea> followed by <script></script> tags.
89 CVE-2018-17044 79 XSS 2018-09-14 2018-11-09
3.5
None Remote Medium Single system None Partial None
In YzmCMS 5.1, stored XSS exists via the admin/system_manage/user_config_add.html title parameter.
90 CVE-2018-17026 79 XSS 2018-09-13 2018-10-30
3.5
None Remote Medium Single system None Partial None
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121.
91 CVE-2018-17024 79 XSS 2018-09-13 2018-10-30
3.5
None Remote Medium Single system None Partial None
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action.
92 CVE-2018-16968 22 Dir. Trav. 2018-09-26 2018-11-23
3.5
None Remote Medium Single system None Partial None
Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory Traversal.
93 CVE-2018-16950 20 DoS 2018-09-11 2018-11-27
3.3
None Local Network Low Not required None None Partial
Inteno DG400 WU7U_ELION3.11.6-170614_1328 devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses, as demonstrated by macof.
94 CVE-2018-16805 79 XSS 2018-09-10 2018-11-09
3.5
None Remote Medium Single system None Partial None
In b3log Solo 2.9.3, XSS in the Input page under the Publish Articles menu, with an ID of linkAddress stored in the link JSON field, allows remote attackers to inject arbitrary Web scripts or HTML via a crafted site name provided by an administrator.
95 CVE-2018-16780 79 XSS 2018-09-10 2018-10-29
3.5
None Remote Medium Single system None Partial None
Complete Responsive CMS Blog through 2018-05-20 has XSS via a comment.
96 CVE-2018-16776 79 XSS 2018-09-10 2018-11-02
3.5
None Remote Medium Single system None Partial None
wityCMS 0.6.2 has XSS via the "Site Name" field found in the "Contact" "Configuration" page.
97 CVE-2018-16775 79 XSS 2018-09-10 2018-11-09
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the site name in the "Categories" menu.
98 CVE-2018-16773 79 XSS 2018-09-10 2018-09-24
3.5
None Remote Medium Single system None Partial None
EasyCMS 1.5 allows XSS via the index.php?s=/admin/fields/update/navTabId/listfields/callbackType/closeCurrent content field.
99 CVE-2018-16772 79 XSS 2018-09-10 2018-09-24
3.5
None Remote Medium Single system None Partial None
Hoosk v1.7.0 allows XSS via the Navigation Title of a new page entered at admin/pages/new.
100 CVE-2018-16736 79 XSS 2018-09-09 2018-11-06
3.5
None Remote Medium Single system None Partial None
In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the _whatfilter and _messages parameters (in the Filters section of the settings).
Total number of vulnerabilities : 3652   Page : 1 2 (This Page)3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.