CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

Each entry below lists: row number, CVE ID, CWE ID (where assigned), vulnerability type(s), publish date, update date; then the CVSS score with gained access level, access vector, access complexity, authentication, and confidentiality/integrity/availability impact; then the description. The exploit-count column is empty for every entry on this page.
2001  CVE-2019-18831  CWE-798  Published 2019-12-16  Updated 2020-08-24
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: Partial/None/None
      Barco ClickShare Button R9861500D01 devices before 1.9.0 allow Information Exposure. The encrypted ClickShare Button firmware contains the private key of a test device-certificate.
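The ClickShare entry above is the classic embedded-secret case: a private key shipped inside a firmware image. As an added example, not Barco's code or anything from this page, the following Python scans an unpacked image for PEM private-key blocks and for the DER header of a PKCS#1 RSA private key, reporting the offset and whether a PEM key is passphrase-protected. The scan assumes a decrypted/unpacked image as input; the sample image and its placeholder key material are constructed for this example and are not real keys.

```python
import re
from typing import List, Tuple

# PEM-armoured private keys: PKCS#1 (RSA/DSA/EC), OpenSSH and PKCS#8
# (PRIVATE KEY / ENCRYPTED PRIVATE KEY). The END label must repeat the
# BEGIN label, which the backreference enforces.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    rb"(.*?)-----END \1-----",
    re.DOTALL,
)

# Heuristic for a DER-encoded PKCS#1 RSA private key: SEQUENCE (long form,
# two length bytes), INTEGER version 0, then an INTEGER modulus that also
# needs two length bytes. Public keys and certificates do not start this way.
DER_RSA_KEY_RE = re.compile(rb"\x30\x82..\x02\x01\x00\x02\x82", re.DOTALL)


def find_pem_private_keys(blob: bytes) -> List[Tuple[int, str, bool]]:
    """Return (offset, label, passphrase-protected?) for each PEM key in blob."""
    hits = []
    for m in PEM_KEY_RE.finditer(blob):
        label = m.group(1).decode("ascii")
        body = m.group(2)
        # PKCS#1 keys with a passphrase carry a Proc-Type header in the body;
        # PKCS#8 keys signal it through the ENCRYPTED PRIVATE KEY label.
        protected = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
        hits.append((m.start(), label, protected))
    return hits


def find_der_rsa_keys(blob: bytes) -> List[int]:
    """Return offsets that look like the start of a DER RSA private key."""
    return [m.start() for m in DER_RSA_KEY_RE.finditer(blob)]


def scan_image(blob: bytes) -> List[str]:
    """Human-readable findings for one unpacked firmware image."""
    findings = []
    for off, label, protected in find_pem_private_keys(blob):
        state = "passphrase-protected" if protected else "UNPROTECTED"
        findings.append(f"0x{off:08x} PEM {label} ({state})")
    for off in find_der_rsa_keys(blob):
        findings.append(f"0x{off:08x} DER RSA private key (candidate)")
    return findings


# Constructed sample image: filler, a placeholder PEM block that is not a
# real key, and a fake DER header. Nothing here comes from ClickShare.
SAMPLE_IMAGE = (
    b"\x7fELF" + b"\x00" * 60
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIEcONSTRUCTEDPLACEHOLDERNOTAREALKEY\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 32
    + b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00\xc3" + b"\x00" * 16
)

if __name__ == "__main__":
    for line in scan_image(SAMPLE_IMAGE):
        print(line)
```

Run it against the output of your unpacker (or a raw flash dump) rather than the still-encrypted image; a key that scans as UNPROTECTED should then be checked against the device certificate to confirm it is the one the firmware actually uses.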
2002  CVE-2019-18791  CWE-79  XSS  Published 2020-02-13  Updated 2020-02-20
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      Lexmark printer MS812 and multiple older generation Lexmark devices have a stored XSS vulnerability in the embedded web server. The vulnerability can be exploited to expose session credentials and other information via the user's web browser.
2003  CVE-2019-18664  CWE-79  XSS  Published 2019-11-02  Updated 2019-11-04
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      The Log module in SECUDOS DOMOS before 5.6 allows XSS.
2004  CVE-2019-18649  CWE-79  XSS  Published 2019-11-14  Updated 2019-11-14
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      When logged in as an admin user, the Title input field (under Reports) within Untangle NG firewall 14.2.0 is vulnerable to stored XSS.
2005  CVE-2019-18648  CWE-79  XSS  Published 2019-11-14  Updated 2019-11-14
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      When logged in as an admin user, the Untangle NG firewall 14.2.0 is vulnerable to reflected XSS at multiple places and specific user input fields.
2006  CVE-2019-18636  CWE-79  XSS  Published 2019-11-01  Updated 2019-11-04
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      A cross-site scripting (XSS) vulnerability in Jitbit .NET Forum (aka ASP.NET forum) 8.3.8 allows remote attackers to inject arbitrary web script or HTML via the gravatar URL parameter.
2007  CVE-2019-18618  CWE: none assigned  Published 2020-07-22  Updated 2020-07-30
      CVSS 3.6  Gained access: None  Access: Local  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: Partial/Partial/None
      Incorrect access control in the firmware of Synaptics VFS75xx family fingerprint sensors that include external flash (all versions prior to 2019-11-15) allows a local administrator or physical attacker to compromise the confidentiality of sensor data via injection of an unverified partition table.
2008  CVE-2019-18615  CWE-522  Published 2019-12-19  Updated 2019-12-31
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: Partial/None/None
      In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user passwords in plain text for certain API calls, potentially leading to user password exposure. This only affects CVP environments where: 1. Devices have enable mode passwords which are different from the user's login password, OR 2. There are configlet builders that use the Device class and specify username and password explicitly. Application logs are not accessible or visible from the CVP GUI. Application logs can only be read by authorized users with privileged access to the VM hosting the CVP application.
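The CVP entry above describes the failure mode: an application log that captures a password carried in an API call. As an added illustration, not code from CloudVision or from this page, the following Python scrubs a log record before any handler writes it. Dict payloads are masked by key, and strings already rendered into the message are masked by pattern, so a password that arrives as a %s argument is still caught. The field names (password, enable_password, token), the /login path and the sample payload are assumptions made for the example.

```python
import logging
import re
from typing import Any

# Keys whose values must never reach application logs in clear text.
# The names are assumptions for this example, not CVP field names.
SENSITIVE_KEYS = {"password", "passwd", "enable_password", "secret", "token"}
REDACTED = "[REDACTED]"

# key=value, key: value, "key": "value" or 'key': 'value' already rendered
# into a string; the value runs up to the next quote, space, comma or brace.
_SENSITIVE_RE = re.compile(
    r"(?i)\b(" + "|".join(sorted(SENSITIVE_KEYS)) + r")\b"
    r"(['\"]?\s*[:=]\s*['\"]?)([^'\"\s,}&]+)"
)


def scrub(value: Any) -> Any:
    """Return a copy of value with sensitive fields masked.

    Dicts are scrubbed by key (recursively), lists and tuples element-wise,
    and strings by pattern so that a payload already serialised into the
    message text is cleaned as well.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        return _SENSITIVE_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, value)
    return value


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler writes it.

    Formatting first matters: the key may sit in the format string while the
    secret arrives as a %s argument, so scrubbing msg and args separately
    would miss it.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = None
        return True


def redacted_message(msg: str, *args: Any) -> str:
    """Run one log call through RedactingFilter and return the final text."""
    record = logging.LogRecord("api", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def format_api_call(method: str, path: str, payload: dict, redact: bool) -> str:
    """Render one API-call log line, with or without the scrubber, so the
    vulnerable and hardened behaviour can be compared side by side."""
    body = scrub(payload) if redact else payload
    return f"{method} {path} body={body}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("api")
    log.addFilter(RedactingFilter())
    # Constructed request; the path and field names are illustrative only.
    # Even the unredacted line is cleaned, because the filter runs last.
    log.info(format_api_call("POST", "/login", {"userId": "admin", "password": "hunter2"}, redact=False))
```

Attach the filter to the logger (not only to one handler) so every sink, including a file a privileged VM user can read, sees the scrubbed text; the pattern-based pass is a safety net, and the by-key pass on the payload is the control that should be applied where the API call is logged.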
2009  CVE-2019-18588  CWE-79  XSS  Published 2020-01-10  Updated 2020-01-22
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject JavaScript code and affect other authenticated users' sessions.
2010  CVE-2019-18574  CWE-79  Exec Code, XSS  Published 2019-12-03  Updated 2019-12-10
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      RSA Authentication Manager software versions prior to 8.4 P8 contain a stored cross-site scripting vulnerability in the Security Console. A malicious Security Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface which could then be included in a report. When other Security Console administrators open the affected report, the injected scripts could potentially be executed in their browser.
2011  CVE-2019-18571  CWE-79  Exec Code, XSS  Published 2019-12-18  Updated 2020-08-31
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a reflected cross-site scripting vulnerability in the My Access Live module [MAL]. An authenticated malicious local user could potentially exploit this vulnerability by sending a crafted URL with scripts. When victim users access the module through their browsers, the malicious code gets injected and executed by the web browser in the context of the vulnerable web application.
2012  CVE-2019-18567  CWE-362  DoS  Published 2020-02-03  Updated 2020-02-06
      CVSS 3.3  Gained access: None  Access: Local  Complexity: Medium  Authentication: Not required  Conf/Integ/Avail: Partial/None/Partial
      Bromium client version 4.0.3.2060 and prior to 4.1.7 Update 1 has an out-of-bounds read that results in a race condition, causing kernel memory leaks or denial of service.
2013  CVE-2019-18390  CWE-125  DoS  Published 2019-12-23  Updated 2020-11-16
      CVSS 3.6  Gained access: None  Access: Local  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: Partial/None/Partial
      An out-of-bounds read in the vrend_blit_need_swizzle function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_BLIT commands.
2014  CVE-2019-18380  CWE-287  Published 2019-12-09  Updated 2019-12-17
      CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: None/Partial/None
      Symantec Industrial Control System Protection (ICSP), versions 6.x.x, may be susceptible to an unauthorized access issue that could potentially allow a threat actor to create or modify application user accounts without proper authentication.
2015  CVE-2019-18378  CWE-79  XSS, Bypass  Published 2019-12-11  Updated 2019-12-13
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy.
2016  CVE-2019-18347  CWE-79  XSS  Published 2019-12-04  Updated 2019-12-14
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.
2017  CVE-2019-18273  CWE-79  XSS  Published 2020-01-15  Updated 2020-01-23
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced.
2018  CVE-2019-18267  CWE-79  Exec Code, XSS, CSRF  Published 2019-12-18  Updated 2020-01-07
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary JavaScript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site scripting vulnerability that may allow session hijacking, disclosure of sensitive data, cross-site request forgery (CSRF) attacks, and remote code execution.
2019  CVE-2019-18263  CWE-326  Published 2019-12-20  Updated 2020-01-10
      CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: None/None/Partial
      An issue was found in Philips Veradius Unity, Pulsera, and Endura Dual WAN Router, Veradius Unity (718132) with wireless option (shipped between 2016-August 2018), Veradius Unity (718132) with ViewForum option (shipped between 2016-August 2018), Pulsera (718095) and Endura (718075) with wireless option (shipped between 26-June-2017 through 07-August 2018), Pulsera (718095) and Endura (718075) with ViewForum option (shipped between 26-June-2017 through 07-August 2018). The router software uses an encryption scheme that is not strong enough for the level of protection required.
2020  CVE-2019-18252  CWE-287  Published 2020-06-29  Updated 2021-04-06
      CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: Partial/None/None
      BIOTRONIK CardioMessenger II: The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.
2021  CVE-2019-18248  CWE-319  Published 2020-06-29  Updated 2021-04-06
      CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: Partial/None/None
      BIOTRONIK CardioMessenger II: The affected products transmit credentials in clear-text prior to switching to an encrypted communication channel. An attacker can disclose the product's client credentials for connecting to the BIOTRONIK Remote Communication infrastructure.
2022  CVE-2019-18246  CWE-287  Published 2020-06-29  Updated 2021-04-06
      CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: Partial/None/None
      BIOTRONIK CardioMessenger II: The affected products do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure.
2023  CVE-2019-18241  CWE-326  Published 2019-11-26  Updated 2019-12-18
      CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: Partial/None/None
      In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all versions, and IntelliBridge EC80 Hub all versions, the SSH server running on the affected products is configured to allow weak ciphers. This could enable an unauthorized attacker with access to the network to capture and replay the session and gain unauthorized access to the EC40/80 hub.
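The IntelliBridge entry above and the Veradius/Pulsera/Endura router entry (CVE-2019-18263) both come down to a cipher suite that is too weak for the protection required. As an added example, not vendor code, the following Python audits the algorithm lines of an sshd_config, flags RC4, 3DES, CBC-mode ciphers, MD5 or truncated MACs and SHA-1 group exchange, and prints replacement lines. The weak and hardened lists and the sample configuration are assumptions constructed for the example; they are not the EC40/EC80 configuration, and a keyword that is absent from the file means the server is using compiled-in defaults the parser cannot see.

```python
from typing import Dict, List

# Algorithms treated as weak for this example: RC4, single/triple DES,
# CBC-mode ciphers, MD5 and truncated MACs, SHA-1 group exchange. This is an
# illustrative list, not one quoted from the Philips advisory.
WEAK_CIPHERS = {
    "arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
    "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "umac-64@openssh.com"}
WEAK_KEX = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}
WEAK = {"Ciphers": WEAK_CIPHERS, "MACs": WEAK_MACS, "KexAlgorithms": WEAK_KEX}

# Replacement values: AEAD or CTR ciphers, encrypt-then-MAC SHA-2, and
# curve25519 / 4096-bit group key exchange.
HARDENED = {
    "Ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
               "aes128-gcm@openssh.com,aes256-ctr,aes128-ctr",
    "MACs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com",
    "KexAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,"
                     "diffie-hellman-group16-sha512",
}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Collect the Ciphers, MACs and KexAlgorithms lists from sshd_config text.

    Comments and unrelated keywords are skipped. A keyword that is absent
    means the server falls back to its compiled-in defaults, which this
    parser cannot see; treat that case as 'unknown', not 'clean'.
    """
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in WEAK:
            continue
        # OpenSSH allows a leading +, - or ^ to edit the default list; strip
        # it so the algorithm names compare cleanly.
        found[parts[0]] = [a.strip() for a in parts[1].lstrip("+-^").split(",") if a.strip()]
    return found


def audit(config: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each keyword to the weak algorithms the configuration enables."""
    return {k: [a for a in config.get(k, []) if a in WEAK[k]] for k in WEAK}


def hardened_lines(config: Dict[str, List[str]]) -> List[str]:
    """Replacement sshd_config lines for every keyword that enables a weak algorithm."""
    return [f"{k} {HARDENED[k]}" for k, bad in audit(config).items() if bad]


# Constructed sample; not the EC40/EC80 configuration.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no          # unrelated keyword, ignored
Ciphers aes128-ctr,aes128-cbc,3des-cbc,arcfour
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for keyword, bad in audit(cfg).items():
        if bad:
            print(f"{keyword}: weak -> {', '.join(bad)}")
    print("\n".join(hardened_lines(cfg)))
```

On a device whose configuration you cannot read, the same check is done from the network side by recording the algorithm lists the server offers in its SSH_MSG_KEXINIT and running them through audit(); the file parser here is the offline half of that check.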
2024  CVE-2019-18223  CWE-79  XSS  Published 2020-04-27  Updated 2020-05-06
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      ZOOM International Call Recording 6.3.1 suffers from multiple authenticated stored XSS vulnerabilities via the phoneNumber field in the (1) User Edit or (2) User Add form, (3) name field in the Role Add form, (4) name or number field in the Edit Group form, (5) tagKey or tagValue field in the Recording Rules Configuration, or (6) txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config.
2025  CVE-2019-18210  CWE-79  XSS  Published 2020-02-11  Updated 2020-02-13
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug."
2026  CVE-2019-18207  CWE-79  XSS  Published 2019-10-30  Updated 2019-11-06
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      In Zucchetti InfoBusiness before and including 4.4.1, an authenticated user can inject client-side code due to improper validation of the Title field in the InfoBusiness Web Component. The payload will be triggered every time a user browses the reports page.
2027  CVE-2019-17674  CWE-79  XSS  Published 2019-10-17  Updated 2020-01-08
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
2028  CVE-2019-17667  CWE-79  XSS  Published 2019-10-17  Updated 2020-01-10
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field.
2029  CVE-2019-17651  CWE-79  XSS  Published 2020-01-28  Updated 2020-01-29
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule.
2030  CVE-2019-17630  CWE-79  XSS  Published 2019-10-16  Updated 2019-10-16
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen.
2031  CVE-2019-17629  CWE-79  XSS  Published 2019-10-16  Updated 2019-10-16
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen.
2032  CVE-2019-17627  CWE-287  Published 2019-10-16  Updated 2019-10-18
      CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: Partial/None/None
      The Yale Bluetooth Key application for mobile devices allows unauthorized unlock actions by sniffing Bluetooth Low Energy (BLE) traffic during one authorized unlock action, and then calculating the authentication key via simple computations on the hex digits of a valid authentication request. This affects the Yale ZEN-R lock and unspecified other locks.
2033  CVE-2019-17578  CWE-79  XSS  Published 2019-10-16  Updated 2019-10-18
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field.
2034  CVE-2019-17577  CWE-79  XSS  Published 2019-10-16  Updated 2019-10-18
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field.
2035  CVE-2019-17576  CWE-79  XSS  Published 2019-10-16  Updated 2019-10-18
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field.
2036  CVE-2019-17557  CWE-79  Exec Code, XSS  Published 2020-05-04  Updated 2020-05-07
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      It was found that the Apache Syncope EndUser UI login page prior to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this means, a user accessing the Enduser UI could execute JavaScript code from the URL query string.
2037  CVE-2019-17524  CWE-79  XSS  Published 2019-11-13  Updated 2019-11-15
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows remote attackers to inject arbitrary web script via the "Connected Clients" field to /wlanAccess.asp. An intranet host can use a crafted hostname to exploit this.
2038  CVE-2019-17523  CWE-79  XSS  Published 2019-11-13  Updated 2019-11-15
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows remote attackers to inject arbitrary web script via the FileName parameter to /FTPDiag.asp.
2039  CVE-2019-17522  CWE-79  XSS  Published 2019-10-12  Updated 2019-10-17
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      A stored XSS vulnerability was discovered in Hotaru CMS v1.7.2 via the admin_index.php?page=settings SITE NAME field (aka SITE_NAME), a related issue to CVE-2011-4709.1.
2040  CVE-2019-17434  CWE-79  XSS  Published 2019-10-10  Updated 2019-10-10
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.
2041  CVE-2019-17433  CWE-79  XSS  Published 2019-10-10  Updated 2019-10-10
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen.
2042  CVE-2019-17417  CWE-79  XSS  Published 2019-10-10  Updated 2019-10-11
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p=/Single/index/mcode/1 and Pboot/?contact/ URIs.
2043  CVE-2019-17356  CWE-326  Published 2019-10-15  Updated 2019-10-18
      CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: Partial/None/None
      The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network.
2044  CVE-2019-17338  CWE-79  XSS  Published 2020-01-28  Updated 2020-02-04
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      The user interface component of TIBCO Software Inc.'s TIBCO Patterns - Search contains multiple vulnerabilities that theoretically allow authenticated users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Patterns - Search: versions 5.4.0 and below.
2045  CVE-2019-17333  CWE-79  XSS  Published 2020-02-19  Updated 2020-02-26
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      The Web server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.1.fixS and below, versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, and 5.9.7.
2046  CVE-2019-17331  CWE-79  XSS  Published 2019-11-12  Updated 2019-11-15
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      The Data Exchange Web Interface component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions up to and including 3.20.13, version 4.1.0.
2047  CVE-2019-17276  CWE-79  XSS  Published 2020-03-24  Updated 2020-03-26
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      OnCommand System Manager versions 9.3 prior to 9.3P18 and 9.4 prior to 9.4P2 are susceptible to a cross site scripting vulnerability that could allow an authenticated attacker to inject arbitrary scripts into the SNMP Community Names label field.
2048  CVE-2019-17273  CWE-20  DoS  Published 2020-01-30  Updated 2020-01-31
      CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf/Integ/Avail: None/None/Partial
      E-Series SANtricity OS Controller Software version 11.60.0 is susceptible to a vulnerability which allows an attacker to cause a Denial of Service (DoS) in IPv6 environments.
2049  CVE-2019-17226  CWE-79  XSS  Published 2019-10-06  Updated 2019-10-08
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field.
2050  CVE-2019-17225  CWE-79  XSS  Published 2019-10-06  Updated 2019-10-08
      CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: ???  Conf/Integ/Avail: None/Partial/None
      Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue.
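Most of the stored-XSS entries above (DAViCal's Username, Display Name and Email fields, CMS Made Simple's image filename and search term, Hotaru's SITE_NAME, Comtech's Site Name, Subrion's member fields, Jitbit's gravatar URL parameter) share one root cause: a value a low-privilege user can store is written into an administrator's page without output encoding for the context it lands in. As an added example, not code from any of those projects, the following Python places the vulnerable pattern next to a hardened renderer that encodes each field for its context: attribute, element text, or URL, where the scheme is restricted to http/https so a javascript: or data: URL cannot become an img src. The field names, the rendered markup and the payloads are constructed for the example.

```python
import html
from urllib.parse import urlsplit


def render_site_name_unsafe(site_name: str) -> str:
    """The vulnerable pattern: a stored field pasted straight into markup, so
    a site name such as <script>...</script> runs for every administrator
    who opens the page."""
    return f"<h1>{site_name}</h1>"


def esc_text(value: str) -> str:
    """Escape for HTML element content (&, <, >)."""
    return html.escape(value, quote=False)


def esc_attr(value: str) -> str:
    """Escape for a double-quoted HTML attribute (&, <, >, ", ')."""
    return html.escape(value, quote=True)


def safe_url(value: str, default: str) -> str:
    """Accept only absolute http(s) URLs for src/href.

    Anything else (a javascript: or data: scheme, a scheme-relative //host,
    junk) is replaced by default. urlsplit lowercases the scheme, so case
    tricks such as JavaScript: are caught too. The survivor is
    attribute-escaped because it is emitted inside a quoted attribute.
    """
    candidate = value.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return esc_attr(default)
    return esc_attr(candidate)


def render_profile(username: str, display_name: str, email: str, avatar_url: str) -> str:
    """Hardened rendering of user-supplied profile fields. Each value is
    encoded for the exact context it lands in: attribute, text, or URL."""
    return (
        f'<div class="user" data-username="{esc_attr(username)}">'
        f"<h2>{esc_text(display_name)}</h2>"
        f'<a href="mailto:{esc_attr(email)}">{esc_text(email)}</a>'
        f'<img src="{safe_url(avatar_url, "/static/default-avatar.png")}" alt="">'
        "</div>"
    )


if __name__ == "__main__":
    # Constructed payloads of the kind a low-privilege user could store.
    print(render_site_name_unsafe("<script>alert(document.cookie)</script>"))
    print(render_profile('bob" onmouseover="alert(1)', "<script>alert(1)</script>",
                         "bob@example.test", "javascript:alert(1)"))
```

The point of the three encoders is that one generic "sanitize on input" pass cannot cover them: a quote is harmless in element text but breaks out of an attribute, and no amount of entity encoding makes a javascript: URL safe as a src, so the URL context needs a scheme allowlist rather than escaping.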