Security Vulnerabilities (CVSS score between 3 and 3.99)

Columns: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.

1201 | CVE-2018-5666 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php bg_color parameter.

1202 | CVE-2018-5665 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php logo_height parameter.

1203 | CVE-2018-5664 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php social_icon_1 parameter.

1204 | CVE-2018-5663 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php button_text_link parameter.

1205 | CVE-2018-5662 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php counter_title parameter.

1206 | CVE-2018-5661 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php logo_width parameter.

1207 | CVE-2018-5660 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php coming-soon_sub_title parameter.

1208 | CVE-2018-5659 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php coming-soon_title parameter.

1209 | CVE-2018-5657 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php counter_title_icon parameter.

1210 | CVE-2018-5652 | 79 | XSS | 2018-01-12 | 2018-01-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_end parameter.

1211 | CVE-2018-5651 | 79 | XSS | 2018-01-12 | 2018-01-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_start parameter.

1212 | CVE-2018-5528 | 20 | (none listed) | 2018-06-27 | 2018-08-31 | 3.5 | None | Remote | Medium | Single system | None | None | Partial
Under certain conditions, TMM may restart and produce a core file while processing APM data on BIG-IP 13.0.1 or 13.1.0.4-13.1.0.7.

1213 | CVE-2018-5520 | (none listed) | (none listed) | 2018-05-02 | 2019-10-02 | 3.5 | None | Remote | Medium | Single system | Partial | None | None
On an F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.2.1-11.6.3.1 system configured in Appliance mode, the TMOS Shell (tmsh) may allow an administrative user to use the dig utility to gain unauthorized access to file system resources.

1214 | CVE-2018-5449 | 476 | DoS | 2018-03-05 | 2019-10-09 | 3.3 | None | Local Network | Low | Not required | None | None | Partial
A NULL Pointer Dereference issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. The application does not check for a NULL value, allowing an attacker to perform a denial of service attack.

1215 | CVE-2018-5438 | 613 | (none listed) | 2018-03-20 | 2018-04-20 | 3.3 | None | Local | Medium | Not required | Partial | Partial | None
Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.

1216 | CVE-2018-5432 | 79 | XSS | 2018-06-13 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The TIBCO Administrator server component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains multiple vulnerabilities wherein a malicious user could theoretically perform cross-site scripting (XSS) attacks by way of manipulating artifacts prior to uploading them. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions up to and including 5.10.0, and TIBCO Administrator - Enterprise Edition for z/Linux: versions up to and including 5.9.1.

1217 | CVE-2018-5431 | 79 | XSS | 2018-04-17 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The domain designer component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability which may allow, in the context of a non-default permissions configuration, persisted cross-site scripting (XSS) attacks. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.

1218 | CVE-2018-5411 | 79 | XSS | 2018-12-13 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Pixar's Tractor software, versions 2.2 and earlier, contains a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert JavaScript into this note field that is then saved and displayed to the end user. An attacker might include JavaScript that could execute on an authenticated user's system and lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable.

1219 | CVE-2018-5405 | 79 | Exec Code XSS | 2019-06-03 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. An authenticated user with 'user console only' rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator.

1220 | CVE-2018-5369 | 79 | XSS | 2018-01-12 | 2018-01-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The SrbTransLatin plugin 1.46 for WordPress has XSS via an srbtranslatoptions action to wp-admin/options-general.php with a lang_identificator parameter.

1221 | CVE-2018-5367 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][post] parameter to wp-admin/options.php.

1222 | CVE-2018-5366 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[more_languages] parameter to wp-admin/options.php.

1223 | CVE-2018-5365 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[selector_wp_list_pages][show_selector] parameter to wp-admin/options.php.

1224 | CVE-2018-5364 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[browser_redirect][redirect_by_language] parameter to wp-admin/options.php.

1225 | CVE-2018-5363 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[enabled_languages][en] or wpglobus_option[enabled_languages][fr] (or any other language) parameter to wp-admin/options.php.

1226 | CVE-2018-5362 | 79 | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][page] parameter to wp-admin/options.php.

1227 | CVE-2018-5331 | 79 | XSS | 2018-01-10 | 2018-01-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Discuz! DiscuzX X3.4 has XSS via the view parameter to include/space/space_poll.php, as demonstrated by a mod=space do=poll request to home.php.

1228 | CVE-2018-5312 | 79 | XSS | 2018-01-09 | 2018-01-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The tabs-responsive plugin 1.8.0 for WordPress has XSS via the post_title parameter to wp-admin/post.php.

1229 | CVE-2018-5311 | 79 | XSS | 2018-01-09 | 2018-01-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The Easy Custom Auto Excerpt plugin 2.4.6 for WordPress has XSS via the tonjoo_ecae_options[custom_css] parameter to the wp-admin/admin.php?page=tonjoo_excerpt URI.

1230 | CVE-2018-5303 | 79 | XSS | 2018-05-11 | 2018-06-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered on the Impinj Speedway Connect R420 RFID Reader before 2.2.2. The license key parameter of the web application is vulnerable to Cross Site Scripting; this vulnerability allows an attacker to send malicious code to another user.

1231 | CVE-2018-5284 | 79 | XSS | 2018-01-08 | 2018-01-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The ImageInject plugin 1.15 for WordPress has XSS via the flickr_appid parameter to wp-admin/options-general.php.

1232 | CVE-2018-5281 | 79 | XSS | 2018-01-08 | 2018-10-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices has XSS via the CFS Custom Category and Cloud AV DB Exclusion Settings screens.

1233 | CVE-2018-5280 | 79 | XSS | 2018-01-08 | 2018-10-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
SonicWall SonicOS on Network Security Appliance (NSA) 2016 Q4 devices has XSS via the Configure SSO screens.

1234 | CVE-2018-5263 | 79 | XSS | 2018-01-08 | 2018-01-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The StackIdeas EasyDiscuss (aka com_easydiscuss) extension before 4.0.21 for Joomla! allows XSS.

1235 | CVE-2018-5236 | 362 | (none listed) | 2018-06-20 | 2018-08-11 | 3.5 | None | Remote | Medium | Single system | None | None | Partial
Symantec Endpoint Protection prior to 14 RU1 MP1 or 12.1 RU6 MP10 may be susceptible to a race condition (or race hazard). This type of issue occurs in software where the output is dependent on the sequence or timing of other uncontrollable events.

1236 | CVE-2018-5229 | 79 | XSS | 2018-07-16 | 2018-09-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names.

1237 | CVE-2018-5227 | 79 | XSS | 2018-04-10 | 2018-05-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link.

1238 | CVE-2018-5216 | 79 | XSS | 2018-01-04 | 2018-01-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Radiant CMS 1.1.4 has XSS via crafted Markdown input in the part_body_content parameter to an admin/pages/*/edit resource.

1239 | CVE-2018-5215 | 79 | XSS | 2018-01-04 | 2018-01-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Fork CMS 5.0.7 has XSS in /private/en/pages/edit via the title parameter.

1240 | CVE-2018-5214 | 79 | XSS | 2018-01-04 | 2018-01-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The "Add Link to Facebook" plugin through 2.3 for WordPress has XSS via the al2fb_facebook_id parameter to wp-admin/profile.php.

1241 | CVE-2018-5213 | 79 | XSS | 2018-01-04 | 2018-01-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload (aka Downloadable File) parameter in an edit action to wp-admin/post.php.

1242 | CVE-2018-5212 | 79 | XSS | 2018-01-04 | 2018-01-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload_thumbnail (aka File Thumbnail) parameter in an edit action to wp-admin/post.php.

1243 | CVE-2018-5078 | 79 | XSS | 2018-01-03 | 2018-01-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Online Ticket Booking has XSS via the admin/eventlist.php cast parameter.

1244 | CVE-2018-5077 | 79 | XSS | 2018-01-03 | 2018-01-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Online Ticket Booking has XSS via the admin/movieedit.php moviename parameter.

1245 | CVE-2018-5076 | 79 | XSS | 2018-01-03 | 2018-01-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Online Ticket Booking has XSS via the admin/newsedit.php newstitle parameter.

1246 | CVE-2018-5075 | 79 | XSS | 2018-01-03 | 2018-01-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Online Ticket Booking has XSS via the admin/snacks_edit.php snacks_name parameter.

1247 | CVE-2018-5074 | 79 | XSS | 2018-01-03 | 2018-01-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Online Ticket Booking has XSS via the admin/manageownerlist.php contact parameter.

1248 | CVE-2018-5072 | 79 | XSS | 2018-01-03 | 2018-01-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Online Ticket Booking has XSS via the admin/sitesettings.php keyword parameter.

1249 | CVE-2018-5071 | 79 | XSS | 2018-01-07 | 2018-02-02 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Persistent XSS exists in the web server on Cobham Sea Tel 116 build 222429 satellite communication system devices: remote attackers can inject malicious JavaScript code using the device's TELNET shell built-in commands, as demonstrated by the "set ship name" command. This is similar to a Cross Protocol Injection with SNMP.

1250 | CVE-2018-4844 | 269 | (none listed) | 2018-03-20 | 2019-10-09 | 3.8 | None | Local Network | Medium | Single system | Partial | Partial | None
A vulnerability has been identified in SIMATIC WinCC OA UI for Android (All versions < V3.15.10), SIMATIC WinCC OA UI for iOS (All versions < V3.15.10). Insufficient limitation of CONTROL script capabilities could allow read and write access from one HMI project cache folder to other HMI project cache folders within the app's sandbox on the same mobile device. This includes HMI project cache folders of other configured WinCC OA servers. The security vulnerability could be exploited by an attacker who tricks an app user to connect to an attacker-controlled WinCC OA server. Successful exploitation requires user interaction and read/write access to the app's folder on a mobile device. The vulnerability could allow reading data from and writing data to the app's folder. At the time of advisory publication no public exploitation of this security vulnerability was known. Siemens confirms the security vulnerability and provides mitigations to resolve the security issue.
Total number of vulnerabilities: 4540 (this is page 25 of 91)