CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1001 CVE-2017-16907 79 XSS 2017-11-20 2018-10-03
3.5
None Remote Medium Single system None Partial None
In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
1002 CVE-2017-16906 79 XSS 2017-11-20 2018-10-03
3.5
None Remote Medium Single system None Partial None
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
1003 CVE-2017-16867 19 2017-11-16 2017-12-07
3.3
None Local Network Low Not required None None Partial
Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 deauthentication frames during the delivery process, which makes it easier for (1) delivery drivers to freeze a camera and re-enter a house for unfilmed activities or (2) attackers to freeze a camera and enter a house if a delivery driver failed to ensure a locked door before leaving.
1004 CVE-2017-16865 918 2018-01-17 2018-02-02
3.5
None Remote Medium Single system Partial None None
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information.
1005 CVE-2017-16843 79 XSS 2017-11-16 2017-12-02
3.5
None Remote Medium Single system None Partial None
Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via the NewKeyword or NewDomain field to /goform/RgParentalBasic.
1006 CVE-2017-16842 79 XSS 2017-11-15 2017-12-03
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML.
1007 CVE-2017-16821 79 XSS 2017-11-14 2017-12-03
3.5
None Remote Medium Single system None Partial None
b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.
1008 CVE-2017-16819 79 XSS 2017-11-17 2017-12-04
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability in the Icon Time Systems RTC-1000 v2.5.7458 and earlier time clock allows remote attackers to inject arbitrary JavaScript in the nameFirst (aka First Name) field for the employee details page (/employee.html) that is then reflected in multiple pages where that field data is utilized, resulting in session hijacking and possible elevation of privileges.
1009 CVE-2017-16814 22 Dir. Trav. Bypass 2018-02-26 2018-03-16
3.3
None Local Network Low Not required Partial None None
A Directory Traversal issue was discovered in the Foxit MobilePDF app before 6.1 for iOS. This occurs by abusing the URL + escape character during a Wi-Fi transfer, which could be exploited by attackers to bypass intended restrictions on local application files.
1010 CVE-2017-16810 79 XSS 2017-11-13 2017-11-30
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter.
1011 CVE-2017-16807 79 XSS 2017-11-13 2017-11-28
3.5
None Remote Medium Single system None Partial None
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
1012 CVE-2017-16802 79 XSS 2017-11-13 2017-11-29
3.5
None Remote Medium Single system None Partial None
In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.
1013 CVE-2017-16801 79 XSS 2017-11-13 2017-12-01
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter.
1014 CVE-2017-16799 79 XSS 2017-11-12 2017-11-27
3.5
None Remote Medium Single system None Partial None
In CMS Made Simple 2.2.3.1, in modules/New/action.addcategory.php, stored XSS is possible via the m1_name parameter to admin/moduleinterface.php during addition of a category, a related issue to CVE-2010-3882.
1015 CVE-2017-16798 79 XSS Bypass 2017-11-12 2017-11-27
3.5
None Remote Medium Single system None Partial None
In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg.
1016 CVE-2017-16792 79 XSS 2017-11-13 2017-11-28
3.5
None Remote Medium Single system None Partial None
Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb.
1017 CVE-2017-16789 79 XSS 2017-12-10 2018-03-15
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Integration Matters nJAMS 3 before 3.2.0 Hotfix 7, as used in TIBCO BusinessWorks Process Monitor through 3.0.1.3 and other products, allows remote authenticated administrators to inject arbitrary web script or HTML via the users management panel of the web interface.
1018 CVE-2017-16781 79 XSS 2017-11-10 2017-11-27
3.5
None Remote Medium Single system None Partial None
The installer in MyBB before 1.8.13 has XSS.
1019 CVE-2017-16768 79 XSS 2017-12-27 2018-01-10
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter.
1020 CVE-2017-16767 79 XSS 2018-02-27 2018-03-23
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
1021 CVE-2017-16758 79 XSS 2017-11-09 2017-12-02
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin/partials/uif-access-token-display.php in the Ultimate Instagram Feed plugin before 1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "access_token" parameter.
1022 CVE-2017-16710 79 XSS 2018-07-11 2018-09-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1023 CVE-2017-16636 79 +Priv XSS Bypass 2017-11-06 2017-11-29
3.5
None Remote Medium Single system None Partial None
In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the new page, new category, and edit post function body message context. Remote attackers are able to bypass the basic editor validation to trigger cross site scripting. The XSS is persistent and the request method to inject via editor is GET. To save the editor context, the followup POST method request must be processed to perform the attack via the application side. The basic validation of the editor does not allow injecting script codes and blocks the context. Attackers can inject the code by using an editor tag that is not recognized by the basic validation. Thus allows a restricted user account to inject malicious script code to perform a persistent attack against higher privilege web-application user accounts.
1024 CVE-2017-16635 79 Exec Code XSS 2017-11-06 2017-11-29
3.5
None Remote Medium Single system None Partial None
In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create.
1025 CVE-2017-16568 79 XSS 2017-11-09 2017-11-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a radio URL.
1026 CVE-2017-16567 79 XSS 2017-11-09 2017-11-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a "favorite."
1027 CVE-2017-16564 79 XSS 2017-11-06 2017-11-27
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148).
1028 CVE-2017-16230 79 XSS 2017-10-30 2017-11-17
3.5
None Remote Medium Single system None Partial None
In admin/write-post.php in Typecho through 1.1, one can log in to the background page, write a new article, and add payload in the article content, resulting in XSS via index.php/action/contents-post-edit.
1029 CVE-2017-15948 79 XSS 2017-10-27 2017-11-14
3.5
None Remote Medium Single system None Partial None
Perch Content Management System 3.0.3 allows unrestricted file upload (with resultant XSS) via the Asset Title field in conjunction with the Select File field. This is exploitable with a Limited Admin account.
1030 CVE-2017-15947 79 XSS 2017-10-27 2017-11-15
3.5
None Remote Medium Single system None Partial None
Simple ASC Content Management System v1.2 has XSS in the location field in the sign function, related to guestbook.asp, formgb.asp, and msggb.asp.
1031 CVE-2017-15936 79 XSS 2017-10-27 2017-11-14
3.5
None Remote Medium Single system None Partial None
In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed.
1032 CVE-2017-15934 79 XSS 2017-10-27 2017-11-14
3.5
None Remote Medium Single system None Partial None
Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter.
1033 CVE-2017-15911 79 Exec Code XSS Bypass CSRF 2017-10-26 2017-11-17
3.5
None Remote Medium Single system None Partial None
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.
1034 CVE-2017-15892 79 XSS 2017-12-28 2018-01-17
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.
1035 CVE-2017-15890 79 XSS 2017-12-15 2017-12-29
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.
1036 CVE-2017-15888 79 XSS 2017-10-30 2017-11-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter.
1037 CVE-2017-15881 79 XSS 2017-10-24 2017-11-14
3.5
None Remote Medium Single system None Partial None
Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.
1038 CVE-2017-15872 79 XSS 2017-10-24 2017-10-31
3.5
None Remote Medium Single system None Partial None
phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field.
1039 CVE-2017-15835 400 DoS 2018-12-07 2019-01-02
3.3
None Local Network Low Not required None None Partial
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service.
1040 CVE-2017-15811 79 XSS 2017-10-23 2017-11-14
3.5
None Remote Medium Single system None Partial None
The Pootle Button plugin before 1.2.0 for WordPress has XSS via the assets_url parameter in assets/dialog.php, exploitable via wp-admin/admin-ajax.php.
1041 CVE-2017-15728 79 XSS 2017-10-22 2017-10-24
3.5
None Remote Medium Single system None Partial None
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via metaDescription or metaKeywords.
1042 CVE-2017-15703 502 DoS 2018-01-25 2018-02-12
3.5
None Remote Medium Single system None None Partial
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
1043 CVE-2017-15640 79 XSS 2018-04-21 2018-05-24
3.5
None Remote Medium Single system None Partial None
app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter.
1044 CVE-2017-15538 79 +Priv XSS 2017-10-17 2018-06-19
3.5
None Remote Medium Single system None Partial None
Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.
1045 CVE-2017-15360 79 XSS 2017-10-15 2017-11-01
3.5
None Remote Medium Single system None Partial None
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all group names created, related to incorrect error handling for an HTML encoded script.
1046 CVE-2017-15322 20 2017-12-22 2018-01-09
3.3
None Local Network Low Not required None None Partial
Some Huawei smartphones with software of BGO-L03C158B003CUSTC158D001 and BGO-L03C331B009CUSTC331D001 have a DoS vulnerability due to insufficient input validation. An attacker could exploit this vulnerability by sending specially crafted NFC messages to the target device. Successful exploit could make a service crash.
1047 CVE-2017-15312 79 XSS 2017-12-22 2018-01-04
3.5
None Remote Medium Single system None Partial None
Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) vulnerability in the dashboard module. A remote authenticated attacker could exploit this vulnerability to inject malicious scripts in the affected device.
1048 CVE-2017-15284 79 Exec Code XSS 2017-10-12 2017-10-26
3.5
None Remote Medium Single system None Partial None
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
1049 CVE-2017-15279 79 XSS 2017-10-12 2017-10-25
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs.
1050 CVE-2017-15278 79 Exec Code XSS 2017-10-12 2017-10-26
3.5
None Remote Medium Single system None Partial None
Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Total number of vulnerabilities : 3882   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 (This Page)22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.