CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1201 CVE-2017-16906 79 XSS 2017-11-20 2019-05-03
3.5
None Remote Medium Single system None Partial None
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
1202 CVE-2017-16867 19 2017-11-16 2017-12-07
3.3
None Local Network Low Not required None None Partial
Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 deauthentication frames during the delivery process, which makes it easier for (1) delivery drivers to freeze a camera and re-enter a house for unfilmed activities or (2) attackers to freeze a camera and enter a house if a delivery driver failed to ensure a locked door before leaving.
1203 CVE-2017-16865 918 2018-01-17 2018-02-02
3.5
None Remote Medium Single system Partial None None
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information.
1204 CVE-2017-16843 79 XSS 2017-11-16 2017-12-02
3.5
None Remote Medium Single system None Partial None
Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via the NewKeyword or NewDomain field to /goform/RgParentalBasic.
1205 CVE-2017-16842 79 XSS 2017-11-15 2017-12-03
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML.
1206 CVE-2017-16821 79 XSS 2017-11-14 2017-12-03
3.5
None Remote Medium Single system None Partial None
b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.
1207 CVE-2017-16819 79 XSS 2017-11-17 2017-12-04
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability in the Icon Time Systems RTC-1000 v2.5.7458 and earlier time clock allows remote attackers to inject arbitrary JavaScript in the nameFirst (aka First Name) field for the employee details page (/employee.html) that is then reflected in multiple pages where that field data is utilized, resulting in session hijacking and possible elevation of privileges.
1208 CVE-2017-16814 22 Dir. Trav. Bypass 2018-02-26 2018-03-16
3.3
None Local Network Low Not required Partial None None
A Directory Traversal issue was discovered in the Foxit MobilePDF app before 6.1 for iOS. This occurs by abusing the URL + escape character during a Wi-Fi transfer, which could be exploited by attackers to bypass intended restrictions on local application files.
1209 CVE-2017-16810 79 XSS 2017-11-13 2017-11-30
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter.
1210 CVE-2017-16807 79 XSS 2017-11-13 2017-11-28
3.5
None Remote Medium Single system None Partial None
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
1211 CVE-2017-16802 79 XSS 2017-11-13 2017-11-29
3.5
None Remote Medium Single system None Partial None
In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.
1212 CVE-2017-16801 79 XSS 2017-11-13 2017-12-01
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter.
1213 CVE-2017-16799 79 XSS 2017-11-12 2017-11-27
3.5
None Remote Medium Single system None Partial None
In CMS Made Simple 2.2.3.1, in modules/New/action.addcategory.php, stored XSS is possible via the m1_name parameter to admin/moduleinterface.php during addition of a category, a related issue to CVE-2010-3882.
1214 CVE-2017-16798 79 XSS Bypass 2017-11-12 2017-11-27
3.5
None Remote Medium Single system None Partial None
In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules/FileManager/action.upload.php only blocks file extensions that begin or end with a "php" substring, which allows remote attackers to bypass intended access restrictions or trigger XSS via other extensions, as demonstrated by .phtml, .pht, .html, or .svg.
1215 CVE-2017-16792 79 XSS 2017-11-13 2017-11-28
3.5
None Remote Medium Single system None Partial None
Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb.
1216 CVE-2017-16789 79 XSS 2017-12-10 2018-03-15
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Integration Matters nJAMS 3 before 3.2.0 Hotfix 7, as used in TIBCO BusinessWorks Process Monitor through 3.0.1.3 and other products, allows remote authenticated administrators to inject arbitrary web script or HTML via the users management panel of the web interface.
1217 CVE-2017-16781 79 XSS 2017-11-10 2017-11-27
3.5
None Remote Medium Single system None Partial None
The installer in MyBB before 1.8.13 has XSS.
1218 CVE-2017-16774 79 XSS 2019-04-01 2019-04-02
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
1219 CVE-2017-16768 79 XSS 2017-12-27 2018-01-10
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter.
1220 CVE-2017-16767 79 XSS 2018-02-27 2018-03-23
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
1221 CVE-2017-16758 79 XSS 2017-11-09 2017-12-02
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin/partials/uif-access-token-display.php in the Ultimate Instagram Feed plugin before 1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "access_token" parameter.
1222 CVE-2017-16710 79 XSS 2018-07-11 2018-09-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1223 CVE-2017-16636 79 +Priv XSS Bypass 2017-11-06 2017-11-29
3.5
None Remote Medium Single system None Partial None
In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the new page, new category, and edit post function body message context. Remote attackers are able to bypass the basic editor validation to trigger cross site scripting. The XSS is persistent and the request method to inject via editor is GET. To save the editor context, the followup POST method request must be processed to perform the attack via the application side. The basic validation of the editor does not allow injecting script codes and blocks the context. Attackers can inject the code by using an editor tag that is not recognized by the basic validation. Thus allows a restricted user account to inject malicious script code to perform a persistent attack against higher privilege web-application user accounts.
1224 CVE-2017-16635 79 Exec Code XSS 2017-11-06 2017-11-29
3.5
None Remote Medium Single system None Partial None
In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create.
1225 CVE-2017-16568 79 XSS 2017-11-09 2017-11-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a radio URL.
1226 CVE-2017-16567 79 XSS 2017-11-09 2017-11-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a "favorite."
1227 CVE-2017-16564 79 XSS 2017-11-06 2017-11-27
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148).
1228 CVE-2017-16230 79 XSS 2017-10-30 2017-11-17
3.5
None Remote Medium Single system None Partial None
In admin/write-post.php in Typecho through 1.1, one can log in to the background page, write a new article, and add payload in the article content, resulting in XSS via index.php/action/contents-post-edit.
1229 CVE-2017-15948 79 XSS 2017-10-27 2017-11-14
3.5
None Remote Medium Single system None Partial None
Perch Content Management System 3.0.3 allows unrestricted file upload (with resultant XSS) via the Asset Title field in conjunction with the Select File field. This is exploitable with a Limited Admin account.
1230 CVE-2017-15947 79 XSS 2017-10-27 2017-11-15
3.5
None Remote Medium Single system None Partial None
Simple ASC Content Management System v1.2 has XSS in the location field in the sign function, related to guestbook.asp, formgb.asp, and msggb.asp.
1231 CVE-2017-15936 79 XSS 2017-10-27 2017-11-14
3.5
None Remote Medium Single system None Partial None
In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed.
1232 CVE-2017-15934 79 XSS 2017-10-27 2017-11-14
3.5
None Remote Medium Single system None Partial None
Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter.
1233 CVE-2017-15911 79 Exec Code XSS Bypass CSRF 2017-10-26 2017-11-17
3.5
None Remote Medium Single system None Partial None
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.
1234 CVE-2017-15892 79 XSS 2017-12-28 2018-01-17
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.
1235 CVE-2017-15890 79 XSS 2017-12-15 2017-12-29
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.
1236 CVE-2017-15888 79 XSS 2017-10-30 2017-11-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter.
1237 CVE-2017-15881 79 XSS 2017-10-24 2017-11-14
3.5
None Remote Medium Single system None Partial None
Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.
1238 CVE-2017-15872 79 XSS 2017-10-24 2017-10-31
3.5
None Remote Medium Single system None Partial None
phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field.
1239 CVE-2017-15835 400 DoS 2018-12-07 2019-01-02
3.3
None Local Network Low Not required None None Partial
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service.
1240 CVE-2017-15811 79 XSS 2017-10-23 2017-11-14
3.5
None Remote Medium Single system None Partial None
The Pootle Button plugin before 1.2.0 for WordPress has XSS via the assets_url parameter in assets/dialog.php, exploitable via wp-admin/admin-ajax.php.
1241 CVE-2017-15728 79 XSS 2017-10-22 2017-10-24
3.5
None Remote Medium Single system None Partial None
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via metaDescription or metaKeywords.
1242 CVE-2017-15703 502 DoS 2018-01-25 2018-02-12
3.5
None Remote Medium Single system None None Partial
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
1243 CVE-2017-15640 79 XSS 2018-04-21 2018-05-24
3.5
None Remote Medium Single system None Partial None
app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter.
1244 CVE-2017-15538 79 +Priv XSS 2017-10-17 2018-06-19
3.5
None Remote Medium Single system None Partial None
Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.
1245 CVE-2017-15360 79 XSS 2017-10-15 2017-11-01
3.5
None Remote Medium Single system None Partial None
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all group names created, related to incorrect error handling for an HTML encoded script.
1246 CVE-2017-15322 20 2017-12-22 2018-01-09
3.3
None Local Network Low Not required None None Partial
Some Huawei smartphones with software of BGO-L03C158B003CUSTC158D001 and BGO-L03C331B009CUSTC331D001 have a DoS vulnerability due to insufficient input validation. An attacker could exploit this vulnerability by sending specially crafted NFC messages to the target device. Successful exploit could make a service crash.
1247 CVE-2017-15312 79 XSS 2017-12-22 2018-01-04
3.5
None Remote Medium Single system None Partial None
Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) vulnerability in the dashboard module. A remote authenticated attacker could exploit this vulnerability to inject malicious scripts in the affected device.
1248 CVE-2017-15284 79 Exec Code XSS 2017-10-12 2017-10-26
3.5
None Remote Medium Single system None Partial None
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
1249 CVE-2017-15279 79 XSS 2017-10-12 2017-10-25
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs.
1250 CVE-2017-15278 79 Exec Code XSS 2017-10-12 2017-10-26
3.5
None Remote Medium Single system None Partial None
Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Total number of vulnerabilities : 4066   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 (This Page)26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.