CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1401 CVE-2017-0792 200 +Info 2017-09-08 2017-09-12
3.3
None Local Network Low Not required Partial None None
A information disclosure vulnerability in the Broadcom wi-fi driver. Product: Android. Versions: Android kernel. Android ID: A-37305578. References: B-V2017052301.
1402 CVE-2017-0785 200 +Info 2017-09-14 2018-07-27
3.3
None Local Network Low Not required Partial None None
A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146698.
1403 CVE-2017-0360 284 2017-04-04 2017-11-03
3.5
None Remote Medium Single system Partial None None
file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242.
1404 CVE-2017-0302 118 2017-05-09 2017-07-07
3.5
None Remote Medium Single system None None Partial
In F5 BIG-IP APM 12.0.0 through 12.1.2 and 13.0.0, an authenticated user with an established access session to the BIG-IP APM system may be able to cause a traffic disruption if the length of the requested URL is less than 16 characters.
1405 CVE-2017-0255 79 XSS 2017-05-12 2017-05-23
3.5
None Remote Medium Single system None Partial None
Microsoft SharePoint Foundation 2013 SP1 allows an elevation of privilege vulnerability when it does not properly sanitize a specially crafted web request, aka "Microsoft SharePoint XSS Vulnerability".
1406 CVE-2017-0195 79 XSS 2017-04-12 2017-04-20
3.5
None Remote Medium Single system None Partial None
Microsoft Excel Services on Microsoft SharePoint Server 2010 SP1 and SP2, Microsoft Excel Web Apps 2010 SP2, Microsoft Office Web Apps 2010 SP2, Microsoft Office Web Apps Server 2013 SP1 and Office Online Server allows remote attackers to perform cross-site scripting and run script with local user privileges via a crafted request, aka "Microsoft Office XSS Elevation of Privilege Vulnerability."
1407 CVE-2017-0191 284 DoS 2017-04-12 2017-07-10
3.5
None Remote Medium Single system None None Partial
A denial of service vulnerability exists in the way that Windows 7, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding, aka "Windows Denial of Service Vulnerability."
1408 CVE-2017-0164 20 DoS 2017-04-12 2017-07-10
3.5
None Remote Medium Single system None None Partial
A denial of service vulnerability exists in Windows 10 1607 and Windows Server 2016 Active Directory when an authenticated attacker sends malicious search queries, aka "Active Directory Denial of Service Vulnerability."
1409 CVE-2016-1000121 79 XSS 2016-10-27 2016-11-28
3.5
None Remote Medium Single system None Partial None
XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension
1410 CVE-2016-10716 79 XSS 2018-03-16 2018-04-09
3.5
None Remote Medium Single system None Partial None
The Mail.ru Calendar plugin before 2.5.0.61 for Atlassian Jira has XSS via the Name field in a Create Calender action, related to a MailRuCalendar.jspa#period/month URI.
1411 CVE-2016-10715 79 XSS 2018-03-16 2018-04-09
3.5
None Remote Medium Single system None Partial None
The Artezio Kanban Board plugin 1.4 revision 1914 for Atlassian Jira has XSS via the Board Name in a Create New Board action, related to an artezioboard/mainPage.jspa?kanbanId=7#/kanban-view URI.
1412 CVE-2016-10537 79 XSS 2018-05-31 2018-07-20
3.5
None Remote Medium Single system None Partial None
backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and earlier, if a user is able to supply input. This is due to the regex that's replacing things to miss the conversion of things such as `<` to `<`.
1413 CVE-2016-10376 310 2017-05-27 2017-11-05
3.5
None Remote Medium Single system Partial None None
Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions.
1414 CVE-2016-10223 284 Exec Code 2017-02-14 2017-02-16
3.5
None Remote Medium Single system None Partial None
An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
1415 CVE-2016-10112 79 XSS 2017-01-03 2017-01-12
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.
1416 CVE-2016-9989 79 XSS 2017-07-05 2017-07-12
3.5
None Remote Medium Single system None Partial None
IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120555.
1417 CVE-2016-9988 79 XSS 2017-07-05 2017-07-12
3.5
None Remote Medium Single system None Partial None
IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120554.
1418 CVE-2016-9987 79 XSS 2017-07-05 2017-07-12
3.5
None Remote Medium Single system None Partial None
IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120553.
1419 CVE-2016-9986 79 XSS 2017-07-05 2017-07-12
3.5
None Remote Medium Single system None Partial None
IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120552.
1420 CVE-2016-9983 200 +Info 2017-06-22 2017-06-26
3.5
None Remote Medium Single system Partial None None
IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authenticated user with special privileges to view files that they should not have access to. IBM X-Force ID: 120275.
1421 CVE-2016-9980 79 XSS 2017-04-20 2017-04-26
3.5
None Remote Medium Single system None Partial None
IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120256.
1422 CVE-2016-9979 79 XSS 2017-04-20 2017-04-26
3.5
None Remote Medium Single system None Partial None
IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120255.
1423 CVE-2016-9973 79 XSS 2017-06-13 2017-06-26
3.5
None Remote Medium Single system None Partial None
IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120209.
1424 CVE-2016-9891 79 XSS 2016-12-29 2017-01-03
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the upfiletitle or media_title parameter (aka the media title).
1425 CVE-2016-9757 79 XSS 2016-12-20 2016-12-27
3.5
None Remote Medium Single system None Partial None
In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose 6.4.12 UI by another authenticated user, the script is run in that user's browser context.
1426 CVE-2016-9747 79 XSS 2017-06-22 2017-06-28
3.5
None Remote Medium Single system None Partial None
IBM RELM 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
1427 CVE-2016-9746 79 XSS 2017-07-05 2017-07-25
3.5
None Remote Medium Single system None Partial None
IBM Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119821.
1428 CVE-2016-9737 79 XSS 2017-03-27 2017-03-29
3.5
None Remote Medium Single system None Partial None
IBM TRIRIGA 3.3, 3.4, and 3.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1996200.
1429 CVE-2016-9733 79 XSS 2017-07-05 2017-07-25
3.5
None Remote Medium Single system None Partial None
IBM Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119762.
1430 CVE-2016-9732 79 XSS 2017-08-28 2017-09-02
3.5
None Remote Medium Single system None Partial None
IBM Curam Social Program Management 6.0, 6.1, 6.2 and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119761.
1431 CVE-2016-9731 79 XSS 2017-02-01 2018-05-02
3.5
None Remote Medium Single system None Partial None
IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
1432 CVE-2016-9719 20 2017-07-31 2017-08-03
3.5
None Remote Medium Single system None Partial None
IBM InfoSphere Master Data Management Server 10.1. 11.0. 11.3, 11.4, 11.5, and 11.6 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 119733.
1433 CVE-2016-9718 79 XSS 2017-07-31 2017-08-03
3.5
None Remote Medium Single system None Partial None
IBM InfoSphere Master Data Management Server 10.1. 11.0. 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119732.
1434 CVE-2016-9715 79 XSS 2017-07-31 2017-08-03
3.5
None Remote Medium Single system None Partial None
IBM InfoSphere Master Data Management Server 11.0, 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119728.
1435 CVE-2016-9701 79 XSS 2017-07-05 2017-07-25
3.5
None Remote Medium Single system None Partial None
IBM Team Concert 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119529.
1436 CVE-2016-9696 79 Exec Code XSS 2017-03-20 2017-03-23
3.5
None Remote Medium Single system None Partial None
IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM Reference #: 1999960.
1437 CVE-2016-9694 79 XSS 2017-03-20 2017-03-23
3.5
None Remote Medium Single system None Partial None
IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1999960.
1438 CVE-2016-9681 79 XSS 2016-12-25 2016-12-30
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name.
1439 CVE-2016-9637 264 +Priv 2017-02-16 2018-02-07
3.7
None Local High Not required Partial Partial Partial
The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.
1440 CVE-2016-9595 59 2018-07-27 2018-09-24
3.6
None Local Low Not required None Partial Partial
A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
1441 CVE-2016-9494 20 DoS 2018-07-13 2018-09-06
3.3
None Local Network Low Not required None None Partial
Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, are potentially vulnerable to improper input validation. The device's advanced status web page that is linked to from the basic status web page does not appear to properly parse malformed GET requests. This may lead to a denial of service.
1442 CVE-2016-9472 79 XSS 2017-03-27 2017-03-29
3.5
None Remote Medium Single system None Partial None
Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser, and possibly other parameters. It has to be noted that the window for such attack vectors to be possible is extremely narrow and it is very unlikely that such an attack could be actually effective.
1443 CVE-2016-9465 79 XSS 2017-03-27 2017-03-30
3.5
None Remote Medium Single system None Partial None
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.
1444 CVE-2016-9457 79 XSS 2017-03-27 2017-03-29
3.5
None Remote Medium Single system None Partial None
Revive Adserver before 3.2.3 suffers from Reflected XSS. `www/admin/stats.php` is vulnerable to reflected XSS attacks via multiple parameters that are not properly sanitised or escaped when displayed, such as setPerPage, pageId, bannerid, period_start, period_end, and possibly others.
1445 CVE-2016-9454 79 XSS 2017-03-27 2017-03-29
3.5
None Remote Medium Single system None Partial None
Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The banner image URL for external banners wasn't properly escaped when displayed in most of the banner related pages.
1446 CVE-2016-9316 79 XSS 2017-02-21 2017-07-24
3.5
None Remote Medium Single system None Partial None
Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least privileges to inject arbitrary HTML/JavaScript code into web pages. This was resolved in Version 6.5 CP 1737.
1447 CVE-2016-9261 79 XSS 2017-02-28 2017-03-01
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Tenable Log Correlation Engine (aka LCE) before 4.8.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
1448 CVE-2016-9260 79 XSS 2017-01-31 2017-02-03
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to handling of .nessus files.
1449 CVE-2016-9259 79 XSS 2017-02-28 2017-03-01
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
1450 CVE-2016-9221 399 DoS 2017-01-26 2017-01-27
3.3
None Local Network Low Not required None None Partial
A Denial of Service Vulnerability in 802.11 ingress connection authentication handling for the Cisco Mobility Express 2800 and 3800 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause authentication to fail. Affected Products: This vulnerability affects Cisco Mobility Express 2800 Series and 3800 Series Access Points when configured in local mode in 40 MHz. More Information: CSCvb33575. Known Affected Releases: 8.2(121.12) 8.4(1.82). Known Fixed Releases: 8.2(131.2) 8.2(131.3) 8.2(131.4) 8.2(141.0) 8.3(104.53) 8.3(104.54) 8.4(1.80) 8.4(1.85).
Total number of vulnerabilities : 3652   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 (This Page)30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.