CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1901 CVE-2019-20660 79 XSS 2020-04-15 2020-04-20 3.5 None Remote Medium ??? None Partial None
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
1902 CVE-2019-20658 200 +Info 2020-04-15 2020-04-23 3.3 None Local Network Low Not required Partial None None
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects FS728TLP before 1.0.1.26, GS105Ev2 before 1.6.0.4, GS105PE before 1.6.0.4, GS108Ev3 before 2.06.08, GS108PEv3 before 2.06.08, GS110EMX before 1.0.1.4, GS116Ev2 before 2.6.0.35, GS408EPP before 1.0.0.15, GS808E before 1.7.0.7, GS810EMX before 1.7.1.1, GS908E before 1.7.0.3, GSS108E before 1.6.0.4, GSS108EPP before 1.0.0.15, GSS116E before 1.6.0.9, JGS516PE before 2.6.0.35, JGS524Ev2 before 2.6.0.35, JGS524PE before 2.6.0.35, XS512EM before 1.0.1.1, XS708Ev2 before 1.6.0.23, XS716E before 1.6.0.23, and XS724EM before 1.0.1.1.
1903 CVE-2019-20656 798 2020-04-15 2020-04-22 3.3 None Local Network Low Not required Partial None None
Certain NETGEAR devices are affected by a hardcoded password. This affects D6200 before 1.1.00.36, D7000 before 1.0.1.74, PR2000 before 1.0.0.30, R6020 before 1.0.0.42, R6080 before 1.0.0.42, R6050 before 1.0.1.24, JR6150 before 1.0.1.24, R6120 before 1.0.0.48, R6220 before 1.1.0.86, R6230 before 1.1.0.86, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, and WNR2020 before 1.1.0.62.
1904 CVE-2019-20653 20 DoS 2020-04-15 2020-04-20 3.3 None Local Network Low Not required None None Partial
Certain NETGEAR devices are affected by denial of service. This affects WAC505 before 8.0.6.4 and WAC510 before 8.0.6.4.
1905 CVE-2019-20645 79 XSS 2020-04-15 2020-04-17 3.5 None Remote Medium ??? None Partial None
NETGEAR RAX40 devices before 1.0.3.62 are affected by stored XSS.
1906 CVE-2019-20644 79 XSS 2020-04-15 2020-04-17 3.5 None Remote Medium ??? None Partial None
NETGEAR RAX40 devices before 1.0.3.62 are affected by stored XSS.
1907 CVE-2019-20639 79 XSS 2020-04-15 2020-04-17 3.5 None Remote Medium ??? None Partial None
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
1908 CVE-2019-20626 294 2020-03-23 2020-03-25 3.3 None Local Network Low Not required None Partial None
The remote keyless system on Honda HR-V 2017 vehicles sends the same RF signal for each door-open request, which might allow a replay attack.
1909 CVE-2019-20609 200 +Info 2020-03-24 2020-03-30 3.3 None Local Network Low Not required Partial None None
An issue was discovered on Samsung mobile devices with P(9.0) software. Attackers can use Smartwatch to view Secure Folder notification content. The Samsung ID is SVE-2019-13899 (April 2019).
1910 CVE-2019-20600 416 2020-03-24 2020-03-26 3.6 None Local Low Not required Partial Partial None
An issue was discovered on Samsung mobile devices with O(8.0) and P(9.0) (Exynos8890 chipsets) software. A use-after-free occurs in the MALI GPU driver. The Samsung ID is SVE-2019-13921-1 (May 2019).
1911 CVE-2019-20546 20 2020-03-24 2020-03-26 3.3 None Local Network Low Not required None None Partial
An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom Wi-Fi chipsets) software. A denial-of-service attack can leverage a shared interface between Broadcom Bluetooth and Broadcom Wi-Fi. The Samsung ID is SVE-2019-15350 (November 2019).
1912 CVE-2019-20531 125 2020-03-24 2020-03-27 3.6 None Local Low Not required Partial None Partial
An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software. The Wi-Fi kernel drivers have an out-of-bounds Read. The Samsung IDs are SVE-2019-15692, SVE-2019-15693 (December 2019).
1913 CVE-2019-20497 79 XSS 2020-03-17 2020-03-19 3.5 None Remote Medium ??? None Partial None
cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533).
1914 CVE-2019-20483 79 XSS 2021-01-05 2021-01-08 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Viki Vera 4.9.1.26180. An attacker could set a user's last name to an XSS Payload, and read another user's cookie and use that to login to the application.
1915 CVE-2019-20443 79 XSS 2020-01-28 2020-11-10 3.5 None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI.
1916 CVE-2019-20442 79 XSS 2020-01-28 2020-11-10 3.5 None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI.
1917 CVE-2019-20441 79 XSS 2020-01-28 2020-11-10 3.5 None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the 'implement phase' of the API Publisher.
1918 CVE-2019-20440 79 XSS 2020-01-28 2020-11-10 3.5 None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the update API documentation feature of the API Publisher.
1919 CVE-2019-20439 79 XSS 2020-01-28 2020-10-29 3.5 None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in defining a scope in the "manage the API" page of the API Publisher.
1920 CVE-2019-20438 79 XSS 2020-01-28 2020-11-10 3.5 None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the inline API documentation editor page of the API Publisher.
1921 CVE-2019-20435 79 XSS 2020-01-28 2020-10-29 3.5 None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful docName request parameter.
1922 CVE-2019-20434 79 XSS 2020-01-28 2020-10-29 3.5 None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console.
1923 CVE-2019-20416 79 XSS 2020-06-30 2020-07-07 3.5 None Remote Medium ??? None Partial None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.
1924 CVE-2019-20414 79 XSS 2020-06-29 2020-07-07 3.5 None Remote Medium ??? None Partial None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
1925 CVE-2019-20204 79 XSS 2020-01-02 2020-01-16 3.5 None Remote Medium ??? None Partial None
The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element.
1926 CVE-2019-20182 79 XSS 2020-01-09 2020-01-14 3.5 None Remote Medium ??? None Partial None
The FooGallery plugin 1.8.12 for WordPress allows XSS via the post_title parameter.
1927 CVE-2019-20181 79 XSS 2020-01-09 2020-01-14 3.5 None Remote Medium ??? None Partial None
The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter.
1928 CVE-2019-20139 79 XSS 2019-12-30 2020-01-03 3.5 None Remote Medium ??? None Partial None
In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user.
1929 CVE-2019-20008 79 XSS 2019-12-26 2020-01-02 3.5 None Remote Medium ??? None Partial None
In Archery before 1.3, inserting an XSS payload into a project name (either by creating a new project or editing an existing one) will result in stored XSS on the vulnerability-scan scheduling page.
1930 CVE-2019-19991 79 XSS 2020-02-26 2020-02-27 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Reflected Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /vam/vam_anagraphic.php, /vam/vam_vamuser.php, /common/vamp_main.php, and /wiz/change_password.php.
1931 CVE-2019-19990 79 XSS 2020-02-26 2020-02-27 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Stored Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /monitor/s_headmodel.php and /vam/vam_user.php.
1932 CVE-2019-19983 200 +Info 2019-12-26 2020-08-24 3.5 None Remote Medium ??? Partial None None
In the WordPress plugin, Fast Velocity Minify before 2.7.7, the full web root path to the running WordPress application can be discovered. In order to exploit this vulnerability, FVM Debug Mode needs to be enabled and an admin-ajax request needs to call the fastvelocity_min_files action.
1933 CVE-2019-19968 79 XSS 2020-02-04 2020-02-05 3.5 None Remote Medium ??? None Partial None
PandoraFMS 742 suffers from multiple XSS vulnerabilities, affecting the Agent Management, Report Builder, and Graph Builder components. An authenticated user can inject dangerous content into a data store that is later read and included in dynamic content.
1934 CVE-2019-19941 79 XSS 2020-03-16 2021-02-03 3.5 None Remote Medium ??? None Partial None
Missing hostname validation in Swisscom Centro Grande before 6.16.12 allows a remote attacker to inject its local IP address as a domain entry in the DNS service of the router via crafted hostnames in DHCP requests, causing XSS.
1935 CVE-2019-19927 125 2019-12-31 2020-05-14 3.6 None Local Low Not required Partial None Partial
In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on kernel.ubuntu.com), mounting a crafted f2fs filesystem image and performing some operations can lead to slab-out-of-bounds read access in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c. This is related to the vmwgfx or ttm module.
1936 CVE-2019-19913 79 XSS 2020-03-30 2020-04-14 3.5 None Remote Medium ??? None Partial None
In Intland codeBeamer ALM 9.5 and earlier, there is stored XSS via the Trackers Title parameter.
1937 CVE-2019-19912 79 XSS 2020-03-30 2020-03-31 3.5 None Remote Medium ??? None Partial None
In Intland codeBeamer ALM 9.5 and earlier, a cross-site scripting (XSS) vulnerability in the Upload Flash File feature allows authenticated remote attackers to inject arbitrary scripts via an active script embedded in an SWF file.
1938 CVE-2019-19903 79 XSS 2019-12-19 2019-12-27 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer file types" permission.
1939 CVE-2019-19901 79 XSS 2019-12-19 2019-12-27 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when configuring a layout, aka XSS. This issue is mitigated by the fact that the attacker would be required to have the permission to create custom blocks, which is typically an administrative task.
1940 CVE-2019-19900 79 XSS 2019-12-19 2019-12-27 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer content types" permission.
1941 CVE-2019-19858 79 XSS 2020-01-15 2020-01-17 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/add_user/UID allows stored XSS via the author parameter.
1942 CVE-2019-19856 79 XSS 2020-01-15 2020-01-17 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. The User Type on the admin/list_user page allows stored XSS via the type parameter.
1943 CVE-2019-19855 79 XSS 2020-01-15 2020-01-17 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/list_user allows stored XSS via the auth_type parameter.
1944 CVE-2019-19852 79 XSS 2020-03-16 2020-03-19 3.5 None Remote Medium ??? None Partial None
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4.
1945 CVE-2019-19851 79 XSS 2020-03-16 2020-03-20 3.5 None Remote Medium ??? None Partial None
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20.
1946 CVE-2019-19829 79 XSS 2019-12-18 2019-12-23 3.5 None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability exists in SolarWinds Serv-U FTP Server 15.1.7 in the email parameter, a different vulnerability than CVE-2018-19934 and CVE-2019-13182.
1947 CVE-2019-19783 20 2019-12-16 2020-10-14 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.
1948 CVE-2019-19773 79 XSS 2020-03-06 2020-03-09 3.5 None Remote Medium ??? None Partial None
Various Lexmark products have stored XSS in the embedded web server used in older generation Lexmark devices. Affected products are available in http://support.lexmark.com/index?page=content&id=TE935&locale=en&userlocale=EN_US.
1949 CVE-2019-19772 79 XSS 2020-03-06 2020-03-09 3.5 None Remote Medium ??? None Partial None
Various Lexmark products have reflected XSS in the embedded web server used in older generation Lexmark devices. Affected products are available in http://support.lexmark.com/index?page=content&id=TE935&locale=en&userlocale=EN_US.
1950 CVE-2019-19757 79 Exec Code XSS 2020-02-14 2020-02-24 3.5 None Remote Medium ??? None Partial None
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not executed on LXCA itself.