CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

Columns, as laid out in each entry below (first line, then score line, then metrics line, then description):
# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date
Score
Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
51 CVE-2019-15030 20 2019-09-13 2019-09-18
3.6
None Local Low Not required Partial None Partial
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.
52 CVE-2019-14987 79 XSS 2019-08-13 2019-08-15
3.5
None Remote Medium Single system None Partial None
Adive Framework through 2.0.7 is affected by XSS in the Create New Table and Create New Navigation Link functions.
53 CVE-2019-14948 79 XSS 2019-08-12 2019-08-21
3.5
None Remote Medium Single system None Partial None
The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure.
54 CVE-2019-14947 79 XSS 2019-08-12 2019-08-14
3.5
None Remote Medium Single system None Partial None
The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.
55 CVE-2019-14946 79 XSS 2019-08-12 2019-08-14
3.5
None Remote Medium Single system None Partial None
The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.
56 CVE-2019-14945 79 XSS 2019-08-12 2019-08-14
3.5
None Remote Medium Single system None Partial None
The ultimate-member plugin before 2.0.54 for WordPress has XSS.
57 CVE-2019-14805 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium Single system None Partial None
studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the System Name field under Sets during set editing.
58 CVE-2019-14804 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium Single system None Partial None
studio/polyglot.php?page=etemplates in UNA 10.0.0-RC1 allows XSS via the System Name field under Emails during template editing.
59 CVE-2019-14797 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium Single system None Partial None
The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS.
60 CVE-2019-14796 79 XSS 2019-08-09 2019-08-20
3.5
None Remote Medium Single system None Partial None
The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin 2.0 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=update_options show_products_page_limit parameter.
61 CVE-2019-14795 79 XSS 2019-08-15 2019-08-21
3.5
None Remote Medium Single system None Partial None
The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter.
62 CVE-2019-14792 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium Single system None Partial None
The WP Google Maps plugin before 7.11.35 for WordPress allows XSS via the wp-admin/ rectangle_name or rectangle_opacity parameter.
63 CVE-2019-14787 79 XSS 2019-08-09 2019-08-22
3.5
None Remote Medium Single system None Partial None
The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.
64 CVE-2019-14785 79 XSS 2019-08-09 2019-08-15
3.5
None Remote Medium Single system None Partial None
The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter.
65 CVE-2019-14748 434 XSS 2019-08-07 2019-08-14
3.5
None Remote Medium Single system None Partial None
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
66 CVE-2019-14731 79 XSS 2019-08-06 2019-08-15
3.5
None Remote Medium Single system None Partial None
An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vulnerability that leads to the capture of other people's cookies via the Rich Text Box.
67 CVE-2019-14680 352 CSRF 2019-08-08 2019-08-21
3.5
None Remote Medium Single system None Partial None
The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.
68 CVE-2019-14672 79 Exec Code XSS 2019-08-05 2019-08-09
3.5
None Remote Medium Single system None Partial None
Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field. The JavaScript code is executed upon an error condition during a visit to the account show page.
69 CVE-2019-14670 79 Exec Code XSS 2019-08-05 2019-08-09
3.5
None Remote Medium Single system None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill creation.
70 CVE-2019-14669 79 Exec Code XSS 2019-08-05 2019-08-09
3.5
None Remote Medium Single system None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the asset account name. The JavaScript code is executed during a visit to the audit account statistics page.
71 CVE-2019-14668 79 Exec Code XSS 2019-08-05 2019-08-09
3.5
None Remote Medium Single system None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the transaction description field. The JavaScript code is executed during deletion of a transaction link.
72 CVE-2019-14550 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium Single system None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature, which would fire when a user clicks on the Edit Dashboard button, thus helping him steal victims' cookies (hence compromising their accounts).
73 CVE-2019-14549 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium Single system None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible link.
74 CVE-2019-14548 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium Single system None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside the body of the article, thus helping him steal victims' cookies (hence compromising their accounts).
75 CVE-2019-14547 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium Single system None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when an attacker sends an attachment to admin with malicious JavaScript in the filename. This JavaScript executed when an admin selects the particular file from the list of all attachments. The attacker could inject the JavaScript inside the filename and send it to users, thus helping him steal victims' cookies (hence compromising their accounts).
76 CVE-2019-14546 79 XSS 2019-08-05 2019-08-14
3.5
None Remote Medium Single system None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature, which fires when the victim replies or forwards the mail, thus helping him steal victims' cookies (hence compromising their accounts).
77 CVE-2019-14518 79 XSS 2019-08-15 2019-08-21
3.5
None Remote Medium Single system None Partial None
** DISPUTED ** Evolution CMS 2.0.x allows XSS via a description and new category location in a template. NOTE: the vendor states that the behavior is consistent with the "access policy in the administration panel."
78 CVE-2019-14469 79 XSS 2019-08-22 2019-08-26
3.5
None Remote Medium Single system None Partial None
In Nexus Repository Manager before 3.18.0, users with elevated privileges can create stored XSS.
79 CVE-2019-14456 79 XSS 2019-07-31 2019-08-07
3.5
None Remote Medium Single system None Partial None
Opengear console server firmware releases prior to 4.5.0 have a stored XSS vulnerability related to serial port logging. If a malicious user of an external system (connected to a serial port on an Opengear console server) sends crafted text to a serial port (that has logging enabled), the text will be replayed when the logs are viewed. Exploiting this vulnerability requires access to the serial port and/or console server.
80 CVE-2019-14415 79 XSS 2019-07-29 2019-08-02
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality. A victim must open a resiliency plan that an attacker has access to.
81 CVE-2019-14390 79 XSS 2019-07-30 2019-07-30
3.5
None Remote Medium Single system None Partial None
cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).
82 CVE-2019-14386 79 XSS 2019-07-30 2019-07-30
3.5
None Remote Medium Single system None Partial None
cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504).
83 CVE-2019-14319 200 +Info 2019-09-04 2019-09-04
3.3
None Local Network Low Not required Partial None None
The TikTok (formerly Musical.ly) application 12.2.0 for Android and iOS performs unencrypted transmission of images, videos, and likes. This allows an attacker to extract private sensitive information by sniffing network traffic.
84 CVE-2019-14298 79 XSS 2019-07-27 2019-07-29
3.5
None Remote Medium Single system None Partial None
Veeam ONE Reporter 9.5.0.3201 allows XSS via a crafted Description(config) field to addDashboard or editDashboard in CommonDataHandlerReadOnly.ashx.
85 CVE-2019-14297 79 XSS 2019-07-27 2019-07-29
3.5
None Remote Medium Single system None Partial None
Veeam ONE Reporter 9.5.0.3201 allows XSS via the Add/Edit Widget with a crafted Caption field to setDashboardWidget in CommonDataHandlerReadOnly.ashx.
86 CVE-2019-14221 79 XSS 2019-08-08 2019-08-27
3.5
None Remote Medium Single system None Partial None
1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishandled during a Run Report operation.
87 CVE-2019-13991 74 2019-07-19 2019-08-02
3.3
None Local Network Low Not required None Partial None
Embedded systems based on Arduino before Rev3 allow remote attackers to send data to LEDs (directly connected to GPIO pins) via a laser, because of LED photosensitivity.
88 CVE-2019-13977 79 XSS 2019-07-19 2019-07-27
3.5
None Remote Medium Single system None Partial None
index.php in Ovidentia 8.4.3 has XSS via tg=groups, tg=maildoms&idx=create&userid=0&bgrp=y, tg=delegat, tg=site&idx=create, tg=site&item=4, tg=admdir&idx=mdb&id=1, tg=notes&idx=Create, tg=admfaqs&idx=Add, or tg=admoc&idx=addoc&item=.
89 CVE-2019-13950 79 XSS 2019-07-18 2019-07-18
3.5
None Remote Medium Single system None Partial None
index.php?c=admin&a=index in SyGuestBook A5 Version 1.2 has stored XSS via a reply to a comment.
90 CVE-2019-13948 79 XSS 2019-07-18 2019-07-18
3.5
None Remote Medium Single system None Partial None
SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData function in include/functions.php does not properly block XSS payloads, as demonstrated by a crafted use of the onerror attribute of an IMG element.
91 CVE-2019-13647 79 Exec Code XSS 2019-07-17 2019-07-18
3.5
None Remote Medium Single system None Partial None
Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing.
92 CVE-2019-13646 79 XSS 2019-07-17 2019-07-18
3.5
None Remote Medium Single system None Partial None
Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query.
93 CVE-2019-13645 79 Exec Code XSS 2019-07-17 2019-07-18
3.5
None Remote Medium Single system None Partial None
Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing.
94 CVE-2019-13644 79 Exec Code XSS 2019-07-17 2019-07-18
3.5
None Remote Medium Single system None Partial None
Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page.
95 CVE-2019-13493 79 XSS 2019-07-17 2019-07-18
3.5
None Remote Medium Single system None Partial None
In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. An authenticated unprivileged user can modify the uploaded file extension parameter to inject arbitrary JavaScript.
96 CVE-2019-13476 79 XSS 2019-08-21 2019-08-27
3.5
None Remote Medium Single system None Partial None
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.
97 CVE-2019-13416 285 2019-08-13 2019-08-19
3.5
None Remote Medium Single system Partial None None
Search Guard versions before 24.3 had an issue: when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster, ignoring their roles on the remote cluster(s).
98 CVE-2019-13415 285 2019-08-13 2019-08-19
3.5
None Remote Medium Single system Partial None None
Search Guard versions before 24.3 had an issue: when Cross Cluster Search (CCS) was enabled, authenticated users can gain read access to data they are not authorized to see.
99 CVE-2019-13361 275 2019-09-05 2019-09-06
3.3
None Local Network Low Not required None Partial None
Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an attacker on the same Wi-Fi network.
100 CVE-2019-13341 79 XSS 2019-07-05 2019-07-07
3.5
None Remote Medium Single system None Partial None
In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie.
Total number of vulnerabilities: 4400 (this is page 2 of 88)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.