CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1601 CVE-2017-10069 284 2017-08-08 2017-08-19
3.5
None Remote Medium Single system Partial None None
Vulnerability in the Oracle Payment Interface component of Oracle Hospitality Applications (subcomponent: Core). The supported version that is affected is 6.1.1. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payment Interface. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Payment Interface accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).
1602 CVE-2017-10054 284 2017-10-19 2017-10-23
3.6
None Local Low Not required Partial Partial None
Vulnerability in the Oracle Hospitality Cruise Materials Management component of Oracle Hospitality Applications (subcomponent: MMS). The supported version that is affected is 7.30.564.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Hospitality Cruise Materials Management executes to compromise Oracle Hospitality Cruise Materials Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality Cruise Materials Management accessible data as well as unauthorized read access to a subset of Oracle Hospitality Cruise Materials Management accessible data. CVSS 3.0 Base Score 5.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
1603 CVE-2017-10039 284 2017-08-08 2017-08-15
3.5
None Remote Medium Single system Partial None None
Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Web Client). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Agile PLM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
1604 CVE-2017-10033 284 2017-10-19 2018-05-27
3.3
None Local Medium Not required Partial Partial None
Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Support Tools). Supported versions that are affected are 11.1.1.8.0 and 12.2.1.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle WebCenter Sites executes to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data. Note: Please refer to Doc ID <a href="http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2318213.1">My Oracle Support Note 2318213.1 for instructions on how to address this issue. CVSS 3.0 Base Score 4.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
1605 CVE-2017-10014 284 2017-10-19 2017-10-23
3.5
None Remote Medium Single system None Partial None
Vulnerability in the Oracle Hospitality Hotel Mobile component of Oracle Hospitality Applications (subcomponent: Suite8/RESTAPI). The supported version that is affected is 1.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Hotel Mobile. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality Hotel Mobile accessible data. CVSS 3.0 Base Score 3.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N).
1606 CVE-2017-9838 79 XSS 2018-04-10 2018-05-16
3.5
None Remote Medium Single system None Partial None
Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5.0.4: index.php (leftmenu parameter), core/ajax/box.php (PATH_INFO), product/stats/card.php (type parameter), holiday/list.php (month_create, month_start, and month_end parameters), and don/card.php (societe, lastname, firstname, address, zipcode, town, and email parameters).
1607 CVE-2017-9836 79 XSS 2017-06-24 2017-06-27
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).
1608 CVE-2017-9796 200 +Info 2018-01-09 2018-02-02
3.5
None Remote Medium Single system Partial None None
When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within unauthorized regions.
1609 CVE-2017-9767 79 XSS 2017-08-18 2018-10-09
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Quali CloudShell before 8 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Name or (2) Description parameter to RM/Reservation/ReserveNew; the (3) Description parameter to RM/Topology/Update; the (4) Name, (5) Description, (6) ExecutionBatches[0].Name, (7) ExecutionBatches[0].Description, or (8) Labels parameter to SnQ/JobTemplate/Edit; or (9) Alias or (10) Description parameter to RM/AbstractTemplate/AddOrUpdateAbstractTemplate.
1610 CVE-2017-9674 79 XSS 2017-06-15 2017-06-22
3.5
None Remote Medium Single system None Partial None
In SimpleCE 2.3.0, an authenticated XSS vulnerability was found on index.php/content/text/1?return_url=[XSS] exploitable as a regular or admin user.
1611 CVE-2017-9657 19 2018-04-30 2018-06-12
3.3
None Local Network Low Not required None None Partial
Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point.
1612 CVE-2017-9655 79 XSS 2017-08-14 2017-08-23
3.5
None Remote Medium Single system None Partial None
A Cross-Site Scripting issue was discovered in OSIsoft PI Integrator for Business Analytics before 2016 R2, PI Integrator for Microsoft Azure before 2016 R2 SP1, and PI Integrator for SAP HANA before 2017. An attacker may be able to upload a malicious script that attempts to redirect users to a malicious web site.
1613 CVE-2017-9645 326 2017-09-20 2017-10-05
3.3
None Local Network Low Not required Partial None None
An Inadequate Encryption Strength issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). Decryption of data is possible at the hardware level.
1614 CVE-2017-9613 79 XSS 2017-06-15 2018-10-09
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality.
1615 CVE-2017-9609 79 XSS 2017-07-17 2017-07-21
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.
1616 CVE-2017-9556 79 XSS 2017-08-11 2017-08-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.
1617 CVE-2017-9555 79 XSS 2017-08-24 2017-08-29
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.
1618 CVE-2017-9548 79 XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None Partial None
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change).
1619 CVE-2017-9547 79 XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None Partial None
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change).
1620 CVE-2017-9546 79 DoS XSS 2017-06-12 2017-06-15
3.5
None Remote Medium Single system None None Partial
admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name.
1621 CVE-2017-9537 79 XSS 2017-10-02 2018-10-09
3.5
None Remote Medium Single system None Partial None
Persistent cross-site scripting (XSS) in the Add Node function of SolarWinds Network Performance Monitor version 12.0.15300.90 allows remote attackers to introduce arbitrary JavaScript into various vulnerable parameters.
1622 CVE-2017-9516 79 XSS 2017-06-08 2017-08-12
3.5
None Remote Medium Single system None Partial None
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
1623 CVE-2017-9510 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
The repository changelog resource in Atlassian FishEye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters.
1624 CVE-2017-9509 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file.
1625 CVE-2017-9508 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
Various resources in Atlassian FishEye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file.
1626 CVE-2017-9507 79 XSS 2017-08-24 2018-01-30
3.5
None Remote Medium Single system None Partial None
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter.
1627 CVE-2017-9477 200 +Info 2017-07-30 2017-08-03
3.3
None Local Network Low Not required Partial None None
The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST) and DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST) devices allows remote attackers to discover the CM MAC address by connecting to the device's xfinitywifi hotspot.
1628 CVE-2017-9476 200 +Info 2017-07-30 2017-08-03
3.3
None Local Network Low Not required Partial None None
The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices makes it easy for remote attackers to determine the hidden SSID and passphrase for a Home Security Wi-Fi network.
1629 CVE-2017-9452 79 XSS 2017-06-06 2017-06-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
1630 CVE-2017-9448 79 XSS 2017-06-06 2017-06-12
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer) users.
1631 CVE-2017-9441 79 XSS 2017-06-05 2017-06-12
3.5
None Remote Medium Single system None Partial None
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
1632 CVE-2017-9394 79 XSS 2017-11-14 2017-11-30
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability in CA Identity Governance 12.6 allows remote authenticated attackers to display HTML or execute script in the context of another user.
1633 CVE-2017-9387 79 XSS 2019-06-17 2019-06-20
3.5
None Remote Medium Single system None Partial None
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called relay.sh which is used for creating new SSH relays for the device so that the device connects to Vera servers. All the parameters passed in this specific script are logged to a log file called log.relay in the /tmp folder. The user can also read all the log files from the device using a script called log.sh. However, when the script loads the log files it displays them with content-type text/html and passes all the logs through the ansi2html binary which converts all the character text including HTML meta-characters correctly to be displayed in the browser. This allows an attacker to use the log files as a storing mechanism for the XSS payload and thus whenever a user navigates to that log.sh script, it enables the XSS payload and allows an attacker to execute his malicious payload on the user's browser.
1634 CVE-2017-9366 79 XSS 2017-06-02 2017-06-09
3.5
None Remote Medium Single system None Partial None
Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Base/Dashboard/Dashboard_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted tab_name parameter.
1635 CVE-2017-9338 79 XSS 2017-07-17 2017-07-24
3.5
None Remote Medium Single system None Partial None
Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue.
1636 CVE-2017-9331 79 XSS 2017-06-01 2017-06-09
3.5
None Remote Medium Single system None Partial None
The Agenda component in Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Utils/RecordBrowser/RecordBrowserCommon_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted meeting description parameter.
1637 CVE-2017-9326 255 2019-07-03 2019-07-11
3.5
None Remote Medium Single system Partial None None
The keystore password for the Spark History Server may be exposed in unsecured files under the /var/run/cloudera-scm-agent directory managed by Cloudera Manager. The keystore file itself is not exposed.
1638 CVE-2017-9298 79 Exec Code XSS 2017-05-29 2017-06-08
3.5
None Remote Medium Single system None Partial None
Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code.
1639 CVE-2017-9263 20 2017-05-29 2018-01-04
3.3
None Local Network Low Not required None None Partial
In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status message, there is a call to the abort() function for undefined role status reasons in the function `ofp_print_role_status_message` in `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a malicious switch.
1640 CVE-2017-9249 79 XSS 2017-05-28 2017-06-06
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remote authenticated users to inject arbitrary web script or HTML persistently by uploading a crafted HTML file. The attack vector is the content of this file, and the filename must be specified in the PATH_INFO to readfile.php.
1641 CVE-2017-9070 79 XSS 2017-05-18 2017-05-30
3.5
None Remote Medium Single system None Partial None
In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php.
1642 CVE-2017-8993 79 XSS 2018-02-15 2018-03-12
3.5
None Remote Medium Single system None Partial None
A Remote Cross-Site Scripting vulnerability in HPE Project and Portfolio Management (PPM) version v9.30, v9.31, v9.32, v9.40 was found.
1643 CVE-2017-8991 79 XSS 2018-08-06 2018-10-05
3.5
None Remote Medium Single system None Partial None
HPE has identified a cross site scripting (XSS) vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version.
1644 CVE-2017-8974 264 Bypass 2018-02-15 2018-03-15
3.6
None Local Low Not required Partial Partial None
A Local Authentication Restriction Bypass vulnerability in HPE NonStop Server version L-Series: T6533L01 through T6533L01^ADN; J-Series and H-series: T6533H02 through T6533H04^ADF and T6533H05 through T6533H05^ADL was found.
1645 CVE-2017-8969 20 2018-02-15 2018-03-15
3.5
None Remote Medium Single system None Partial None
An improper input validation vulnerability in HPE Insight Control version 7.6 LR1 was found.
1646 CVE-2017-8953 79 XSS 2018-02-15 2018-03-07
3.5
None Remote Medium Single system None Partial None
A Remote Cross-Site Scripting (XSS) vulnerability in HPE LoadRunner v12.53 and earlier and HPE Performance Center version v12.53 and earlier was found.
1647 CVE-2017-8806 59 DoS 2017-11-13 2017-12-08
3.6
None Local Low Not required None Partial Partial
The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.
1648 CVE-2017-8802 79 XSS 2018-01-16 2018-10-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.8.0 Beta2 might allow remote attackers to inject arbitrary web script or HTML via vectors related to the "Show Snippet" functionality.
1649 CVE-2017-8783 79 XSS 2018-02-03 2018-02-23
3.5
None Remote Medium Single system None Partial None
Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.
1650 CVE-2017-8780 79 XSS 2017-05-04 2017-05-12
3.5
None Remote Medium Single system None Partial None
GeniXCMS 1.0.2 has XSS triggered by a comment that is mishandled during a publish operation by an administrator, as demonstrated by a malformed P element.
Total number of vulnerabilities : 4305   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 (This Page)34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.