CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1401 CVE-2017-9613 79 XSS 2017-06-15 2018-10-09
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality.
1402 CVE-2017-9609 79 XSS 2017-07-17 2017-07-21
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.
1403 CVE-2017-9556 79 XSS 2017-08-11 2017-08-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.
1404 CVE-2017-9555 79 XSS 2017-08-24 2017-08-29
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.
1405 CVE-2017-9548 79 XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None Partial None
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change).
1406 CVE-2017-9547 79 XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None Partial None
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change).
1407 CVE-2017-9546 79 DoS XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None None Partial
admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name.
1408 CVE-2017-9537 79 XSS 2017-10-02 2018-10-09
3.5
None Remote Medium Single system None Partial None
Persistent cross-site scripting (XSS) in the Add Node function of SolarWinds Network Performance Monitor version 12.0.15300.90 allows remote attackers to introduce arbitrary JavaScript into various vulnerable parameters.
1409 CVE-2017-9516 79 XSS 2017-06-08 2017-08-12
3.5
None Remote Medium Single system None Partial None
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
1410 CVE-2017-9510 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
The repository changelog resource in Atlassian FishEye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters.
1411 CVE-2017-9509 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file.
1412 CVE-2017-9508 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
Various resources in Atlassian FishEye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file.
1413 CVE-2017-9507 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter.
1414 CVE-2017-9477 200 +Info 2017-07-30 2017-08-03
3.3
None Local Network Low Not required Partial None None
The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST) and DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST) devices allows remote attackers to discover the CM MAC address by connecting to the device's xfinitywifi hotspot.
1415 CVE-2017-9476 200 +Info 2017-07-30 2017-08-03
3.3
None Local Network Low Not required Partial None None
The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices makes it easy for remote attackers to determine the hidden SSID and passphrase for a Home Security Wi-Fi network.
1416 CVE-2017-9452 79 XSS 2017-06-06 2017-06-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
1417 CVE-2017-9448 79 XSS 2017-06-06 2017-06-12
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer) users.
1418 CVE-2017-9441 79 XSS 2017-06-05 2017-06-12
3.5
None Remote Medium Single system None Partial None
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
1419 CVE-2017-9394 79 XSS 2017-11-14 2017-11-30
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability in CA Identity Governance 12.6 allows remote authenticated attackers to display HTML or execute script in the context of another user.
1420 CVE-2017-9366 79 XSS 2017-06-02 2017-06-09
3.5
None Remote Medium Single system None Partial None
Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Base/Dashboard/Dashboard_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted tab_name parameter.
1421 CVE-2017-9338 79 XSS 2017-07-17 2017-07-24
3.5
None Remote Medium Single system None Partial None
Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue.
1422 CVE-2017-9331 79 XSS 2017-06-01 2017-06-09
3.5
None Remote Medium Single system None Partial None
The Agenda component in Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Utils/RecordBrowser/RecordBrowserCommon_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted meeting description parameter.
1423 CVE-2017-9298 79 Exec Code XSS 2017-05-29 2017-06-08
3.5
None Remote Medium Single system None Partial None
Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code.
1424 CVE-2017-9263 20 2017-05-29 2018-01-04
3.3
None Local Network Low Not required None None Partial
In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status message, there is a call to the abort() function for undefined role status reasons in the function `ofp_print_role_status_message` in `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a malicious switch.
1425 CVE-2017-9249 79 XSS 2017-05-28 2017-06-06
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remote authenticated users to inject arbitrary web script or HTML persistently by uploading a crafted HTML file. The attack vector is the content of this file, and the filename must be specified in the PATH_INFO to readfile.php.
1426 CVE-2017-9070 79 XSS 2017-05-18 2017-05-30
3.5
None Remote Medium Single system None Partial None
In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php.
1427 CVE-2017-8993 79 XSS 2018-02-15 2018-03-12
3.5
None Remote Medium Single system None Partial None
A Remote Cross-Site Scripting vulnerability in HPE Project and Portfolio Management (PPM) version v9.30, v9.31, v9.32, v9.40 was found.
1428 CVE-2017-8991 79 XSS 2018-08-06 2018-10-05
3.5
None Remote Medium Single system None Partial None
HPE has identified a cross site scripting (XSS) vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version.
1429 CVE-2017-8974 264 Bypass 2018-02-15 2018-03-15
3.6
None Local Low Not required Partial Partial None
A Local Authentication Restriction Bypass vulnerability in HPE NonStop Server version L-Series: T6533L01 through T6533L01^ADN; J-Series and H-series: T6533H02 through T6533H04^ADF and T6533H05 through T6533H05^ADL was found.
1430 CVE-2017-8969 20 2018-02-15 2018-03-15
3.5
None Remote Medium Single system None Partial None
An improper input validation vulnerability in HPE Insight Control version 7.6 LR1 was found.
1431 CVE-2017-8953 79 XSS 2018-02-15 2018-03-07
3.5
None Remote Medium Single system None Partial None
A Remote Cross-Site Scripting (XSS) vulnerability in HPE LoadRunner v12.53 and earlier and HPE Performance Center version v12.53 and earlier was found.
1432 CVE-2017-8806 59 DoS 2017-11-13 2017-12-08
3.6
None Local Low Not required None Partial Partial
The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.
1433 CVE-2017-8802 79 XSS 2018-01-16 2018-10-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.8.0 Beta2 might allow remote attackers to inject arbitrary web script or HTML via vectors related to the "Show Snippet" functionality.
1434 CVE-2017-8783 79 XSS 2018-02-03 2018-02-23
3.5
None Remote Medium Single system None Partial None
Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.
1435 CVE-2017-8780 79 XSS 2017-05-04 2017-05-12
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by a comment that is mishandled during a publish operation by an administrator, as demonstrated by a malformed P element.
1436 CVE-2017-8762 79 XSS 2017-05-03 2017-05-12
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by an authenticated user who submits a page, as demonstrated by a crafted oncut attribute in a B element.
1437 CVE-2017-8745 79 XSS 2017-09-12 2017-09-21
3.5
None Remote Medium Single system None Partial None
An elevation of privilege vulnerability exists in Microsoft SharePoint Foundation 2013 Service Pack 1 when it does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Cross Site Scripting Vulnerability".
1438 CVE-2017-8654 79 XSS 2017-08-08 2017-08-15
3.5
None Remote Medium Single system None Partial None
Microsoft SharePoint Server 2010 Service Pack 2 allows a cross-site scripting (XSS) vulnerability when it does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability".
1439 CVE-2017-8629 79 XSS 2017-09-12 2017-09-20
3.5
None Remote Medium Single system None Partial None
Microsoft SharePoint Server 2013 Service Pack 1 allows an elevation of privilege vulnerability when it fails to properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint XSS Vulnerability".
1440 CVE-2017-8581 264 2017-07-11 2017-07-14
3.7
None Local High Not required Partial Partial Partial
Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8578, CVE-2017-8580, CVE-2017-8577, and CVE-2017-8467.
1441 CVE-2017-8514 79 XSS 2017-06-14 2017-07-07
3.5
None Remote Medium Single system None Partial None
An information disclosure vulnerability exists when Microsoft SharePoint software fails to properly sanitize a specially crafted requests, aka "Microsoft SharePoint Reflective XSS Vulnerability".
1442 CVE-2017-8382 352 CSRF 2017-05-16 2017-06-04
3.5
None Remote Medium Single system None None Partial
admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.
1443 CVE-2017-8376 79 XSS 2017-05-01 2017-05-10
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by an authenticated comment that is mishandled during a mouse operation by an administrator.
1444 CVE-2017-8302 79 XSS 2017-04-27 2017-05-09
3.5
None Remote Medium Single system None Partial None
Mura CMS 7.0.6967 allows admin/?muraAction= XSS attacks, related to admin/core/views/carch/list.cfm, admin/core/views/carch/loadsiteflat.cfm, admin/core/views/cusers/inc/dsp_nextn.cfm, admin/core/views/cusers/inc/dsp_search_form.cfm, admin/core/views/cusers/inc/dsp_users_list.cfm, admin/core/views/cusers/list.cfm, and admin/core/views/cusers/listusers.cfm.
1445 CVE-2017-8298 79 XSS 2017-04-27 2017-05-03
3.5
None Remote Medium Single system None Partial None
cnvs.io Canvas 3.3.0 has XSS in the title and content fields of a "Posts > Add New" action, and during creation of new tags and users.
1446 CVE-2017-8189 22 Dir. Trav. 2017-11-22 2017-12-08
3.6
None Local Low Not required None Partial Partial
FusionSphere OpenStack V100R006C00SPC102(NFV)has a path traversal vulnerability. Due to insufficient path validation, an attacker with high privilege may exploit this vulnerability to cover some files, causing services abnormal.
1447 CVE-2017-8178 79 Exec Code XSS 2017-11-22 2017-12-12
3.5
None Remote Medium Single system None Partial None
Huawei Email APP Vicky-AL00 smartphones with software of earlier than VKY-AL00C00B171 versions has a stored cross-site scripting vulnerability. A remote attacker could exploit this vulnerability to send email that storing malicious code to a smartphone and waiting for a user to access this email that triggers execution of the code. An exploit could allow the attacker to execute arbitrary script code on the affected device.
1448 CVE-2017-8168 200 +Info 2017-11-22 2017-12-08
3.3
None Local Network Low Not required Partial None None
FusionSphere OpenStack with software V100R006C00SPC102(NFV) and V100R006C10 have an information leak vulnerability. Due to an incorrect configuration item, the information transmitted by a transmission channel is not encrypted. An attacker accessing the internal network may obtain sensitive information transmitted.
1449 CVE-2017-8102 79 XSS 2017-04-24 2017-04-28
3.5
None Remote Medium Single system None Partial None
Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xsstrust plugin and a set_config error in that plugin.
1450 CVE-2017-8031 285 DoS 2017-11-27 2017-12-21
3.5
None Remote Medium Single system None None Partial
An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.
Total number of vulnerabilities : 4066   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 (This Page)30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.