CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

Each entry below spans four lines: (1) row number, CVE ID, CWE ID, number of public exploits (blank for every entry on this page), vulnerability type(s), publish date and update date; (2) CVSS v2 base score; (3) gained access level, access vector (Remote/Local), access complexity, authentication required, and the confidentiality, integrity and availability impacts; (4) the CVE description.
1201 CVE-2017-1000213 79 XSS 2017-11-16 2017-11-29
3.5
None Remote Medium Single system None Partial None
WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST parameter in /admin/admintools/tool.php?tool=user_search
1202 CVE-2017-1000164 79 Exec Code XSS 2017-11-17 2017-11-29
3.5
None Remote Medium Single system None Partial None
Tine 2.0 version 2017.02.4 is vulnerable to XSS in the Addressbook, resulting in code execution and privilege escalation.
1203 CVE-2017-1000160 79 XSS 2017-11-17 2017-12-01
3.5
None Remote Medium Single system None Partial None
EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection
1204 CVE-2017-1000157 200 +Info 2017-11-03 2017-11-13
3.5
None Remote Medium Single system Partial None None
Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 16.10 before 16.10.4 and 17.04 before 17.04.2 are vulnerable to recording plain text passwords in the event_log table during the user creation process if full event logging was turned on.
1205 CVE-2017-1000149 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.10 before 1.10.9 and 15.04 before 15.04.6 and 15.10 before 15.10.2 are vulnerable to XSS due to window.opener (target="_blank" and window.open())
1206 CVE-2017-1000146 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to the arbitrary execution of Javascript in the browser of a logged-in user because the title of the portfolio page was not being properly escaped in the AJAX script that updates the Add/remove watchlist link on artefact detail pages.
1207 CVE-2017-1000144 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before 15.04.1 are vulnerable to a site admin or institution admin being able to place HTML and Javascript into an institution display name, which will be displayed to other users unescaped on some Mahara system pages.
1208 CVE-2017-1000140 79 Exec Code XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .xml file that can have its code executed when a user tries to download the file.
1209 CVE-2017-1000138 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when dragging/dropping files into a collection if the file has Javascript code in its title.
1210 CVE-2017-1000137 79 XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when adding a text block to a page via the keyboard (rather than drag and drop).
1211 CVE-2017-1000132 79 Exec Code XSS 2017-11-03 2017-11-15
3.5
None Remote Medium Single system None Partial None
Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .swf file that can have its code executed when a user tries to download the file.
1212 CVE-2017-1000103 79 XSS 2017-10-04 2017-11-01
3.5
None Remote Medium Single system None Partial None
The custom Details view of the Static Analysis Utilities based DRY Plugin was vulnerable to a persisted cross-site scripting vulnerability: malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.
1213 CVE-2017-1000102 79 XSS 2017-10-04 2017-11-01
3.5
None Remote Medium Single system None Partial None
The Details view of some Static Analysis Utilities based plugins was vulnerable to a persisted cross-site scripting vulnerability: malicious users able to influence the input to these plugins, for example the console output which is parsed to extract build warnings (Warnings Plugin), could insert arbitrary HTML into this view.
1214 CVE-2017-1000088 79 XSS 2017-10-04 2017-11-02
3.5
None Remote Medium Single system None Partial None
The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links.
1215 CVE-2017-18286 79 XSS 2018-06-05 2018-07-31
3.5
None Remote Medium Single system None Partial None
nZEDb v0.7.3.3 has XSS in the 404 error page.
1216 CVE-2017-18285 264 2018-06-04 2019-04-02
3.6
None Local Low Not required Partial Partial None
The Gentoo app-backup/burp package before 2.1.32 has incorrect group ownership of the /etc/burp directory, which might allow local users to obtain read and write access to arbitrary files by leveraging access to a certain account for a burp-server.conf change.
1217 CVE-2017-18284 264 2018-06-04 2019-03-29
3.6
None Local Low Not required None Partial Partial
The Gentoo app-backup/burp package before 2.1.32 sets the ownership of the PID file directory to the burp account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL.
1218 CVE-2017-18270 255 DoS 2018-05-18 2018-08-24
3.6
None Local Low Not required None Partial Partial
In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.
1219 CVE-2017-18259 79 XSS 2018-04-10 2018-05-16
3.5
None Remote Medium Single system None Partial None
Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in versions through 7.0.0.
1220 CVE-2017-18248 20 2018-03-26 2018-07-12
3.5
None Remote Medium Single system None None Partial
The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification.
1221 CVE-2017-18228 79 XSS 2018-03-12 2018-04-09
3.5
None Remote Medium Single system None Partial None
Remedy Mid Tier in BMC Remedy AR System 9.1 allows XSS via the ATTKey parameter in an arsys/servlet/AttachServlet request.
1222 CVE-2017-18177 79 XSS 2018-02-12 2018-03-05
3.5
None Remote Medium Single system None Partial None
Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.
1223 CVE-2017-18176 79 XSS 2018-02-12 2018-03-05
3.5
None Remote Medium Single system None Partial None
Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.
1224 CVE-2017-18175 79 XSS 2018-02-12 2018-03-05
3.5
None Remote Medium Single system None Partial None
Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.
1225 CVE-2017-18102 79 XSS 2018-04-17 2018-05-21
3.5
None Remote Medium Single system None Partial None
The wiki markup component of atlassian-renderer from version 8.0.0 before version 8.0.22 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in nested wiki markup.
1226 CVE-2017-18097 79 XSS 2018-04-06 2018-05-09
3.5
None Remote Medium Single system None Partial None
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.
1227 CVE-2017-18094 79 XSS 2018-03-22 2018-04-17
3.5
None Remote Medium Single system None Partial None
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository.
1228 CVE-2017-18093 79 XSS 2018-02-19 2018-03-12
3.5
None Remote Medium Single system None Partial None
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository.
1229 CVE-2017-18092 79 XSS 2018-02-19 2018-03-12
3.5
None Remote Medium Single system None Partial None
The print snippet resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of a comment on the snippet.
1230 CVE-2017-18091 79 XSS 2018-02-16 2018-03-06
3.5
None Remote Medium Single system None Partial None
The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup.
1231 CVE-2017-18089 79 XSS 2018-02-16 2018-03-06
3.5
None Remote Medium Single system None Partial None
The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review.
1232 CVE-2017-18084 79 XSS 2018-02-02 2019-04-26
3.5
None Remote Medium Single system None Partial None
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.
1233 CVE-2017-18083 79 XSS 2018-02-02 2018-02-15
3.5
None Remote Medium Single system None Partial None
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
1234 CVE-2017-18082 79 XSS 2018-02-02 2018-02-13
3.5
None Remote Medium Single system None Partial None
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
1235 CVE-2017-18041 79 XSS 2018-02-02 2019-04-30
3.5
None Remote Medium Single system None Partial None
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
1236 CVE-2017-18040 79 XSS 2018-02-02 2018-10-17
3.5
None Remote Medium Single system None Partial None
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
1237 CVE-2017-18034 79 XSS 2018-02-02 2018-02-15
3.5
None Remote Medium Single system None Partial None
The source browse resource in Atlassian FishEye and Crucible before version 4.5.1 and 4.6.0 allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability via a specially crafted repository branch name when trying to display deleted files of the branch.
1238 CVE-2017-18019 20 2018-01-03 2018-01-19
3.6
None Local Low Not required Partial None Partial
In K7 Total Security before 15.1.0.305, user-controlled input to the K7Sentry device is not sufficiently sanitized: the user-controlled input can be used to compare an arbitrary memory address with a fixed value, which in turn can be used to read the contents of arbitrary memory. Similarly, the product crashes upon a \\.\K7Sentry DeviceIoControl call with an invalid kernel pointer.
1239 CVE-2017-18004 79 XSS 2017-12-31 2018-01-11
3.5
None Remote Medium Single system None Partial None
Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps/default/mapAndPoint.
1240 CVE-2017-17995 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request.
1241 CVE-2017-17994 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request.
1242 CVE-2017-17993 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the amount parameter in an index.php?user=addition_deduction request.
1243 CVE-2017-17991 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the expense_name parameter in an index.php?user=expenses request.
1244 CVE-2017-17989 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
Biometric Shift Employee Management System has XSS via the index.php holiday_name parameter in an edit_holiday action.
1245 CVE-2017-17988 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_add.php event_title parameter.
1246 CVE-2017-17986 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/caste_view.php comm_id parameter.
1247 CVE-2017-17985 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/state_view.php cou_id parameter.
1248 CVE-2017-17984 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_edit.php edit_id parameter.
1249 CVE-2017-17981 79 XSS 2017-12-29 2018-01-09
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/slider_edit.php edit_id parameter.
1250 CVE-2017-17947 79 XSS 2018-01-16 2018-02-06
3.5
None Remote Medium Single system None Partial None
A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal.
Total number of vulnerabilities : 4150   Page 25 of 83
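CVE-2017-1000157 (row 1204) is a logging defect, not an input-handling one: Mahara wrote the submitted user-creation form, plain-text password included, into its event_log table. The control that was missing is a scrub of credential-bearing fields before an event is persisted. The block below is an added example and is not Mahara's code; the event shape and field names in the sample are constructed for the illustration. It matches key names against a pattern, replaces values rather than dropping them (so the log still records which fields were present), and walks nested objects and arrays.

```javascript
// Added example (not Mahara's code): redact credential-bearing fields before an event
// is written to an audit/event log. Key matching is deliberately loose (it also catches
// "password_confirm", "newPassword", "apiKeys"); erring toward redaction is the safe
// direction for a log.
const SENSITIVE_KEY_RE =
  /pass(word|wd|phrase)?|pwd|secret|token|api[-_]?key|authorization|cookie|private[-_]?key/i;
const REDACTED = '[REDACTED]';

// Return a deep copy of `value` with every sensitive-keyed subtree replaced by REDACTED.
// `keyName` is the key under which `value` was found ('' at the top level).
function redactForEventLog(value, keyName = '', depth = 0) {
  if (depth > 32) return '[TRUNCATED]'; // guard against cyclic or absurdly deep input
  if (keyName && SENSITIVE_KEY_RE.test(keyName)) return REDACTED;
  if (Array.isArray(value)) {
    return value.map((v) => redactForEventLog(v, '', depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const k of Object.keys(value)) {
      out[k] = redactForEventLog(value[k], k, depth + 1);
    }
    return out;
  }
  return value; // primitives under a non-sensitive key pass through unchanged
}

// Build the row that would go into an event_log-style table. The payload is serialised
// only after redaction, so the stored JSON never contains the secret.
function buildEventLogEntry(eventName, actorId, payload) {
  return {
    event: eventName,
    actor: actorId,
    data: JSON.stringify(redactForEventLog(payload)),
  };
}

// Constructed sample event, modelled on a user-creation form submission.
const SAMPLE_USER_CREATE_EVENT = {
  username: 'newuser',
  password: 'hunter2',
  profile: { email: 'newuser@example.test', password_confirm: 'hunter2' },
  apiKeys: ['k-constructed-1'],
  roles: ['member'],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildEventLogEntry('user.create', 42, SAMPLE_USER_CREATE_EVENT).data);
}
```

The redaction runs on the structure, not on the serialised string, so a password that happens to equal a common word is still caught by its key, and a secret that appears under an unexpected key is the one case this cannot help with; pair it with a periodic grep of the log for known test credentials.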
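CVE-2017-1000149 (row 1205) is the window.opener problem: a link opened with target="_blank", or a window opened with window.open(), leaves the new page holding a live reference to the page that opened it, and the new page can set opener.location to a look-alike login page while the user is looking at the new tab. The block below is an added example and is not Mahara's code. It shows the two fixes on the defending side: adding rel="noopener noreferrer" to every anchor that opens a new browsing context when rendering user-supplied markup, and passing the noopener feature (or nulling the opener) when opening windows from script. The regexes assume already-sanitised, well-formed anchor tags; the `win` parameter exists so the open wrapper can be exercised outside a browser.

```javascript
// Added example (not Mahara's code): closing the window.opener hole behind reverse
// tabnabbing. A real sanitiser should do this on a parsed DOM; the regex form here is
// for simple, already-sanitised markup.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one <a ...> tag into a name -> value map (names lowercased).
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    let value = '';
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Re-serialise attributes double-quoted. Values came from raw markup, so only the quote
// character needs escaping; '&' is left alone to avoid double-encoding entities.
function serializeAttrs(attrs) {
  return Object.keys(attrs)
    .map((k) => `${k}="${String(attrs[k]).replace(/"/g, '&quot;')}"`)
    .join(' ');
}

// Add rel="noopener noreferrer" to every anchor whose target is _blank, keeping any rel
// tokens that were already present.
function hardenBlankTargets(html) {
  return html.replace(ANCHOR_RE, (whole, attrText) => {
    const attrs = parseAttrs(attrText);
    if (String(attrs.target || '').toLowerCase() !== '_blank') return whole;
    const rel = new Set(String(attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
    rel.add('noopener');
    rel.add('noreferrer');
    attrs.rel = Array.from(rel).join(' ');
    return `<a ${serializeAttrs(attrs)}>`;
  });
}

// Open a URL from script without handing the new window a reference back to us. With
// 'noopener' in the feature string a modern browser returns null and the new page sees
// window.opener === null; a browser that ignores the feature returns the window, and we
// sever the link ourselves.
function openExternal(url, win = globalThis.window) {
  const child = win.open(url, '_blank', 'noopener,noreferrer');
  if (child) child.opener = null;
  return child;
}
```

The attacking side needs nothing more than `opener.location = 'https://phish.example/login'` in the opened page, which is why the fix belongs wherever links are rendered rather than in the pages being linked to.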
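CVE-2017-1000088 (row 1214) is the Jenkins Sidebar Link case: a configured link target was emitted into an href with no validation, so a javascript: URL became a click-to-run script. The block below is an added example and is not the plugin's code. It allow-lists the scheme after resolving the value with the WHATWG URL parser (Node's global URL), which is what makes the usual evasions fail: the parser lowercases the scheme, strips leading and trailing spaces and C0 controls, and removes embedded tabs and newlines. The base origin `https://jenkins.example/` is an assumption used only to resolve relative links.

```javascript
// Added example (not the Jenkins Sidebar Link plugin's code): scheme allow-listing for
// user-supplied link targets.
const BASE_URL = 'https://jenkins.example/'; // assumed origin, used only for resolution
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// True only if the href parses and resolves to a URL whose scheme is on the allow-list.
// "JaVaScRiPt:", " javascript:" and "java\tscript:" all normalise to "javascript:" and
// are rejected; anything that fails to parse is rejected too. Note that a host check is
// a separate decision: "//evil.example/x" resolves to https and passes this test.
function isSafeLinkHref(href) {
  if (typeof href !== 'string' || href.length === 0) return false;
  let url;
  try {
    url = new URL(href, BASE_URL);
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one sidebar entry. The check runs on the raw stored value and the emitted href is
// HTML-escaped, so a stored "javascript&#58;alert(1)" (which parses as a harmless relative
// path) is written out with "&amp;#58;" and cannot turn back into "javascript:alert(1)"
// when the browser decodes the attribute.
function renderSidebarLink(text, href) {
  if (!isSafeLinkHref(href)) {
    return `<span class="sidebar-link-blocked">${escapeHtml(text)}</span>`;
  }
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}
```

An allow-list of schemes is the right shape for this check; a deny-list of `javascript:` alone misses `data:` and `vbscript:`, and string-prefix checks miss the whitespace and case variants the parser normalises away.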
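CVE-2017-18176 (row 1223) is the upload variant of XSS: an uploaded HTML file was served back from the application's own origin, so script inside it ran with that origin's cookies and DOM access. The strongest fix is to serve uploads from a separate origin; short of that, the response headers decide whether an upload can render as a document at all. The block below is an added example and is not Sitefinity's code. It serves only a small allow-list of image types inline, forces everything else to download, forces a download when the first bytes look like active content regardless of the declared type, marks the response nosniff so the browser honours that decision, and adds a sandbox CSP so anything that still renders gets an opaque origin and no script.

```javascript
// Added example (not Sitefinity's code): response headers for serving user uploads so an
// uploaded HTML (or SVG) file cannot execute as the application's origin.
const INLINE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);
// image/svg+xml is deliberately absent: SVG can carry script and event handlers.

// Cheap sniff for active content in the first bytes, modelled on the kind of markers a
// browser looks for when it decides to ignore Content-Type.
function looksLikeActiveContent(bytes) {
  const head = Buffer.from(bytes.slice(0, 1024)).toString('latin1').toLowerCase();
  return /<\s*(!doctype|html|script|svg|body|iframe|object|embed|\?xml)/.test(head);
}

// Content-Disposition with an ASCII fallback and an RFC 5987 filename*. Non-printable
// characters (including CR/LF, which would otherwise allow header injection), quotes,
// backslashes and slashes are replaced in the fallback.
function contentDisposition(disposition, filename) {
  const ascii = filename.replace(/[^\x20-\x7e]|["\\\/]/g, '_');
  const utf8 = encodeURIComponent(filename).replace(/['()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
  return `${disposition}; filename="${ascii}"; filename*=UTF-8''${utf8}`;
}

// Decide how to serve one upload. `declaredType` is the type recorded at upload time and
// `bytes` is the file content (Buffer or Uint8Array). Returns a header map.
function uploadResponseHeaders(filename, declaredType, bytes) {
  const type = String(declaredType || '').toLowerCase().split(';')[0].trim();
  const inline = INLINE_TYPES.has(type) && !looksLikeActiveContent(bytes);
  return {
    'Content-Type': inline ? type : 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff', // browser must trust Content-Type, not guess
    'Content-Disposition': contentDisposition(inline ? 'inline' : 'attachment', filename),
    // Even if something renders, it runs in an opaque origin with no script or network.
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}
```

The sniff is a belt-and-braces measure, not the primary control: the allow-list already denies `text/html` and `image/svg+xml`, and the sniff only matters for a file whose stored type is an image but whose bytes are a document.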