CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1001 CVE-2017-9836 79 XSS 2017-06-24 2017-06-27
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).
1002 CVE-2017-9796 200 +Info 2018-01-09 2018-02-02
3.5
None Remote Medium Single system Partial None None
When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within unauthorized regions.
1003 CVE-2017-9767 79 XSS 2017-08-18 2018-10-09
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Quali CloudShell before 8 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Name or (2) Description parameter to RM/Reservation/ReserveNew; the (3) Description parameter to RM/Topology/Update; the (4) Name, (5) Description, (6) ExecutionBatches[0].Name, (7) ExecutionBatches[0].Description, or (8) Labels parameter to SnQ/JobTemplate/Edit; or (9) Alias or (10) Description parameter to RM/AbstractTemplate/AddOrUpdateAbstractTemplate.
1004 CVE-2017-9674 79 XSS 2017-06-15 2017-06-22
3.5
None Remote Medium Single system None Partial None
In SimpleCE 2.3.0, an authenticated XSS vulnerability was found on index.php/content/text/1?return_url=[XSS] exploitable as a regular or admin user.
1005 CVE-2017-9657 19 2018-04-30 2018-06-12
3.3
None Local Network Low Not required None None Partial
Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point.
1006 CVE-2017-9655 79 XSS 2017-08-14 2017-08-23
3.5
None Remote Medium Single system None Partial None
A Cross-Site Scripting issue was discovered in OSIsoft PI Integrator for Business Analytics before 2016 R2, PI Integrator for Microsoft Azure before 2016 R2 SP1, and PI Integrator for SAP HANA before 2017. An attacker may be able to upload a malicious script that attempts to redirect users to a malicious web site.
1007 CVE-2017-9645 326 2017-09-20 2017-10-05
3.3
None Local Network Low Not required Partial None None
An Inadequate Encryption Strength issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). Decryption of data is possible at the hardware level.
1008 CVE-2017-9613 79 XSS 2017-06-15 2018-10-09
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality.
1009 CVE-2017-9609 79 XSS 2017-07-17 2017-07-21
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.
1010 CVE-2017-9556 79 XSS 2017-08-11 2017-08-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.
1011 CVE-2017-9555 79 XSS 2017-08-24 2017-08-29
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.
1012 CVE-2017-9548 79 XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None Partial None
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change).
1013 CVE-2017-9547 79 XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None Partial None
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change).
1014 CVE-2017-9546 79 DoS XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None None Partial
admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name.
1015 CVE-2017-9537 79 XSS 2017-10-02 2018-10-09
3.5
None Remote Medium Single system None Partial None
Persistent cross-site scripting (XSS) in the Add Node function of SolarWinds Network Performance Monitor version 12.0.15300.90 allows remote attackers to introduce arbitrary JavaScript into various vulnerable parameters.
1016 CVE-2017-9516 79 XSS 2017-06-08 2017-08-12
3.5
None Remote Medium Single system None Partial None
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
1017 CVE-2017-9510 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
The repository changelog resource in Atlassian FishEye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters.
1018 CVE-2017-9509 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file.
1019 CVE-2017-9508 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
Various resources in Atlassian FishEye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file.
1020 CVE-2017-9507 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter.
1021 CVE-2017-9477 200 +Info 2017-07-30 2017-08-03
3.3
None Local Network Low Not required Partial None None
The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST) and DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST) devices allows remote attackers to discover the CM MAC address by connecting to the device's xfinitywifi hotspot.
1022 CVE-2017-9476 200 +Info 2017-07-30 2017-08-03
3.3
None Local Network Low Not required Partial None None
The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices makes it easy for remote attackers to determine the hidden SSID and passphrase for a Home Security Wi-Fi network.
1023 CVE-2017-9452 79 XSS 2017-06-06 2017-06-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
1024 CVE-2017-9448 79 XSS 2017-06-06 2017-06-12
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer) users.
1025 CVE-2017-9441 79 XSS 2017-06-05 2017-06-12
3.5
None Remote Medium Single system None Partial None
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
1026 CVE-2017-9394 79 XSS 2017-11-14 2017-11-30
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability in CA Identity Governance 12.6 allows remote authenticated attackers to display HTML or execute script in the context of another user.
1027 CVE-2017-9366 79 XSS 2017-06-02 2017-06-09
3.5
None Remote Medium Single system None Partial None
Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Base/Dashboard/Dashboard_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted tab_name parameter.
1028 CVE-2017-9338 79 XSS 2017-07-17 2017-07-24
3.5
None Remote Medium Single system None Partial None
Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue.
1029 CVE-2017-9331 79 XSS 2017-06-01 2017-06-09
3.5
None Remote Medium Single system None Partial None
The Agenda component in Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Utils/RecordBrowser/RecordBrowserCommon_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted meeting description parameter.
1030 CVE-2017-9298 79 Exec Code XSS 2017-05-29 2017-06-08
3.5
None Remote Medium Single system None Partial None
Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code.
1031 CVE-2017-9263 20 2017-05-29 2018-01-04
3.3
None Local Network Low Not required None None Partial
In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status message, there is a call to the abort() function for undefined role status reasons in the function `ofp_print_role_status_message` in `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a malicious switch.
1032 CVE-2017-9249 79 XSS 2017-05-28 2017-06-06
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remote authenticated users to inject arbitrary web script or HTML persistently by uploading a crafted HTML file. The attack vector is the content of this file, and the filename must be specified in the PATH_INFO to readfile.php.
1033 CVE-2017-9070 79 XSS 2017-05-18 2017-05-30
3.5
None Remote Medium Single system None Partial None
In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php.
1034 CVE-2017-8993 79 XSS 2018-02-15 2018-03-12
3.5
None Remote Medium Single system None Partial None
A Remote Cross-Site Scripting vulnerability in HPE Project and Portfolio Management (PPM) version v9.30, v9.31, v9.32, v9.40 was found.
1035 CVE-2017-8991 79 XSS 2018-08-06 2018-10-05
3.5
None Remote Medium Single system None Partial None
HPE has identified a cross site scripting (XSS) vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version.
1036 CVE-2017-8974 264 Bypass 2018-02-15 2018-03-15
3.6
None Local Low Not required Partial Partial None
A Local Authentication Restriction Bypass vulnerability in HPE NonStop Server version L-Series: T6533L01 through T6533L01^ADN; J-Series and H-series: T6533H02 through T6533H04^ADF and T6533H05 through T6533H05^ADL was found.
1037 CVE-2017-8969 20 2018-02-15 2018-03-15
3.5
None Remote Medium Single system None Partial None
An improper input validation vulnerability in HPE Insight Control version 7.6 LR1 was found.
1038 CVE-2017-8953 79 XSS 2018-02-15 2018-03-07
3.5
None Remote Medium Single system None Partial None
A Remote Cross-Site Scripting (XSS) vulnerability in HPE LoadRunner v12.53 and earlier and HPE Performance Center version v12.53 and earlier was found.
1039 CVE-2017-8806 59 DoS 2017-11-13 2017-12-08
3.6
None Local Low Not required None Partial Partial
The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.
1040 CVE-2017-8802 79 XSS 2018-01-16 2018-10-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.8.0 Beta2 might allow remote attackers to inject arbitrary web script or HTML via vectors related to the "Show Snippet" functionality.
1041 CVE-2017-8783 79 XSS 2018-02-03 2018-02-23
3.5
None Remote Medium Single system None Partial None
Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.
1042 CVE-2017-8780 79 XSS 2017-05-04 2017-05-12
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by a comment that is mishandled during a publish operation by an administrator, as demonstrated by a malformed P element.
1043 CVE-2017-8762 79 XSS 2017-05-03 2017-05-12
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by an authenticated user who submits a page, as demonstrated by a crafted oncut attribute in a B element.
1044 CVE-2017-8745 79 XSS 2017-09-12 2017-09-21
3.5
None Remote Medium Single system None Partial None
An elevation of privilege vulnerability exists in Microsoft SharePoint Foundation 2013 Service Pack 1 when it does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Cross Site Scripting Vulnerability".
1045 CVE-2017-8654 79 XSS 2017-08-08 2017-08-15
3.5
None Remote Medium Single system None Partial None
Microsoft SharePoint Server 2010 Service Pack 2 allows a cross-site scripting (XSS) vulnerability when it does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability".
1046 CVE-2017-8629 79 XSS 2017-09-12 2017-09-20
3.5
None Remote Medium Single system None Partial None
Microsoft SharePoint Server 2013 Service Pack 1 allows an elevation of privilege vulnerability when it fails to properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint XSS Vulnerability".
1047 CVE-2017-8581 264 2017-07-11 2017-07-14
3.7
None Local High Not required Partial Partial Partial
Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8578, CVE-2017-8580, CVE-2017-8577, and CVE-2017-8467.
1048 CVE-2017-8514 79 XSS 2017-06-14 2017-07-07
3.5
None Remote Medium Single system None Partial None
An information disclosure vulnerability exists when Microsoft SharePoint software fails to properly sanitize a specially crafted requests, aka "Microsoft SharePoint Reflective XSS Vulnerability".
1049 CVE-2017-8382 352 CSRF 2017-05-16 2017-06-04
3.5
None Remote Medium Single system None None Partial
admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.
1050 CVE-2017-8376 79 XSS 2017-05-01 2017-05-10
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by an authenticated comment that is mishandled during a mouse operation by an administrator.
Total number of vulnerabilities : 3652   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 (This Page)22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.