CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

Each entry lists: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Access Complexity | Authentication | Conf./Integ./Avail., followed by the description on the next line. "-" marks an empty cell. Authentication for the 3.5-scored rows is Single system (CVSS v2 Au:S), the only value that yields 3.5 together with Remote / Medium access and None / Partial / None impacts; the source page renders that cell as ???.

2051 | CVE-2019-17207 | CWE-79 | - | XSS | published 2019-10-18 | updated 2019-10-21 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. It allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the s_filter parameter of wp-admin/tools.php?page=view-broken-links in a search action.

2052 | CVE-2019-17204 | CWE-79 | - | XSS | published 2019-10-05 | updated 2019-10-08 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
TeamPass 2.1.27.36 allows Stored XSS by setting a crafted Knowledge Base label and adding any available item.

2053 | CVE-2019-17203 | CWE-79 | - | XSS | published 2019-10-05 | updated 2019-10-08 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a crafted password for an item in any folder.

2054 | CVE-2019-17189 | CWE-79 | - | XSS | published 2019-10-22 | updated 2019-10-22 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
totemodata 3.0.0_b936 has XSS via a folder name.

2055 | CVE-2019-17121 | CWE-79 | - | XSS | published 2019-10-04 | updated 2019-10-08 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.

2056 | CVE-2019-17098 | CWE-798 | - | - | published 2020-09-30 | updated 2020-10-08 | score 3.3 | gained access: None | Local Network | Low | Not required | C/I/A: Partial/None/None
A hard-coded cryptographic key in the August Connect Wi-Fi Bridge App and August Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. Affected: August Connect Wi-Fi Bridge App v10.11.0 and prior versions on Android; August Connect Firmware 2.2.12 and prior versions.

2057 | CVE-2019-17074 | CWE-79 | - | XSS | published 2019-10-01 | updated 2019-10-07 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
An issue was discovered in XunRuiCMS 4.3.1. There is a stored XSS in the module_category area.

2058 | CVE-2019-17045 | CWE-79 | - | XSS | published 2019-09-30 | updated 2019-10-03 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Ilch 2.1.22 allows stored XSS via the title, text, or email id of the Jobs Tab.

2059 | CVE-2019-16962 | CWE-74 | - | - | published 2021-01-06 | updated 2021-01-08 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report.

2060 | CVE-2019-16961 | CWE-79 | - | XSS | published 2021-01-15 | updated 2021-01-21 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name.

2061 | CVE-2019-16960 | CWE-79 | - | XSS | published 2021-01-04 | updated 2021-01-06 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field.

2062 | CVE-2019-16958 | CWE-79 | - | XSS | published 2020-12-01 | updated 2020-12-02 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows an attacker to inject arbitrary web script or HTML via a Location Name.

2063 | CVE-2019-16957 | CWE-79 | - | XSS | published 2020-12-18 | updated 2020-12-18 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account.

2064 | CVE-2019-16956 | CWE-79 | - | XSS | published 2021-01-04 | updated 2021-01-06 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket.

2065 | CVE-2019-16955 | CWE-79 | - | XSS | published 2020-12-18 | updated 2020-12-18 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.

2066 | CVE-2019-16924 | CWE-319 | - | - | published 2019-09-27 | updated 2019-10-04 | score 3.3 | gained access: None | Local Network | Low | Not required | C/I/A: Partial/None/None
The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock.

2067 | CVE-2019-16904 | CWE-79 | - | XSS | published 2019-09-26 | updated 2019-09-27 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a commonly available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.)

2068 | CVE-2019-16890 | CWE-79 | - | XSS | published 2019-09-25 | updated 2019-09-26 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Halo 1.1.0 has XSS via a crafted authorUrl in JSON data sent to api/content/posts/comments.

2069 | CVE-2019-16878 | CWE-79 | - | XSS | published 2019-11-07 | updated 2019-11-07 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Portainer before 1.22.1 has XSS (issue 2 of 2).

2070 | CVE-2019-16873 | CWE-79 | - | XSS | published 2019-11-07 | updated 2019-11-07 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Portainer before 1.22.1 has XSS (issue 1 of 2).

2071 | CVE-2019-16781 | CWE-79 | - | Exec Code XSS | published 2019-12-26 | updated 2020-01-08 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
In WordPress before 5.3.1, authenticated users with lower privileges (such as contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. An admin opening the affected post in the editor triggers the XSS.

2072 | CVE-2019-16780 | CWE-79 | - | Exec Code XSS | published 2019-12-26 | updated 2020-01-08 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
WordPress users with lower privileges (such as contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack requires an authenticated user. This has been patched in WordPress 5.3.1, along with all previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and WordPress strongly recommends keeping them enabled.

2073 | CVE-2019-16769 | CWE-79 | - | XSS | published 2019-12-05 | updated 2020-01-17 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS): it does not properly mitigate unsafe characters in serialized regular expressions. Node.js environments are not affected, because Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized regular expression objects are used in an environment other than Node.js, the vulnerability applies.

2074 | CVE-2019-16704 | CWE-79 | - | XSS | published 2019-09-23 | updated 2019-09-23 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS.

2075 | CVE-2019-16688 | CWE-79 | - | XSS | published 2019-09-27 | updated 2019-09-30 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Dolibarr 9.0.5 has stored XSS in the Email Template section (mails_templates.php). A user with no privileges can inject script to attack the admin; the stored XSS can affect every privilege level, from Admin down to users with no permissions.

2076 | CVE-2019-16687 | CWE-79 | - | XSS | published 2019-09-27 | updated 2019-09-30 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Dolibarr 9.0.5 has stored XSS in the Signature section of a User Profile (card.php). A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

2077 | CVE-2019-16686 | CWE-79 | - | XSS | published 2019-09-27 | updated 2019-09-30 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Dolibarr 9.0.5 has stored XSS in the User Note section (note.php). A user with no privileges can inject script to attack the admin.

2078 | CVE-2019-16685 | CWE-79 | - | XSS | published 2019-09-27 | updated 2019-10-01 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Dolibarr 9.0.5 has stored XSS via the User Group Description section (card.php). A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

2079 | CVE-2019-16684 | CWE-79 | - | XSS | published 2019-09-30 | updated 2019-10-04 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or on the Edit page, the payload executes.

2080 | CVE-2019-16683 | CWE-79 | - | XSS | published 2019-09-30 | updated 2019-10-04 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes.

2081 | CVE-2019-16664 | CWE-79 | - | XSS | published 2019-09-21 | updated 2019-09-23 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
An issue was discovered in ThinkSAAS 2.91. There is XSS via the groupname parameter of index.php?app=group&ac=create&ts=do.

2082 | CVE-2019-16661 | CWE-79 | - | XSS | published 2019-09-21 | updated 2019-09-23 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Ogma CMS 0.5 has XSS via creation of a new blog.

2083 | CVE-2019-16643 | CWE-79 | - | XSS | published 2019-09-20 | updated 2019-09-20 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
An issue was discovered in ZrLog 2.1.1. There is a Stored XSS vulnerability in the article_edit area.

2084 | CVE-2019-16564 | CWE-79 | - | XSS | published 2019-12-17 | updated 2019-12-18 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affect view content such as job display names or pipeline stage names.

2085 | CVE-2019-16563 | CWE-79 | - | XSS | published 2019-12-17 | updated 2019-12-18 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.

2086 | CVE-2019-16562 | CWE-79 | - | XSS | published 2019-12-17 | updated 2019-12-18 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.

2087 | CVE-2019-16524 | CWE-79 | - | XSS | published 2019-09-26 | updated 2019-10-01 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
The easy-fancybox plugin before 1.8.18 for WordPress (aka Easy FancyBox) is susceptible to Stored XSS in the Settings Menu (inc/class-easyfancybox.php) due to improper encoding of arbitrarily submitted settings parameters. This occurs because there is no inline-styles output filter.

2088 | CVE-2019-16523 | CWE-79 | - | XSS | published 2019-10-16 | updated 2019-10-18 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the map_style attribute of the shortcodes (locations_map and events_map) provided by the plugin.

2089 | CVE-2019-16522 | CWE-79 | - | XSS | published 2019-10-16 | updated 2019-10-20 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and of the displayed cookie consent message. This affects Font Color, Background Color, and the Disable Cookie text. An attacker with high privileges can attack other users.

2090 | CVE-2019-16520 | CWE-79 | - | XSS | published 2019-10-16 | updated 2019-10-18 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper encoding of the SEO-specific description for posts provided by the plugin, via unsafe placeholder replacement.

2091 | CVE-2019-16518 | CWE-668 | - | - | published 2019-09-23 | updated 2019-09-23 | score 3.3 | gained access: None | Local Network | Low | Not required | C/I/A: None/Partial/None
An issue was discovered on Swell Kit Mod devices that use the Vandy Vape platform. An attacker may be able to trigger an unintended temperature in the victim's mouth and throat via Bluetooth Low Energy (BLE) packets that specify large power or voltage values.

2092 | CVE-2019-16512 | CWE-79 | - | XSS | published 2020-01-23 | updated 2020-01-24 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier.

2093 | CVE-2019-16417 | CWE-79 | - | XSS | published 2019-10-08 | updated 2019-10-09 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
HRworks FLOW 3.36.9 allows XSS via the purpose of a travel-expense report.

2094 | CVE-2019-16416 | CWE-79 | - | XSS | published 2019-10-08 | updated 2019-10-09 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
HRworks 3.36.9 allows XSS via the purpose of a travel-expense report.

2095 | CVE-2019-16401 | - | - | +Info | published 2019-11-06 | updated 2020-08-24 | score 3.3 | gained access: None | Local Network | Low | Not required | C/I/A: Partial/None/None
Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G955USQU5CRG3, Baseband Vendor: Qualcomm Snapdragon 835, Baseband: G955USQU5CRG3), Samsung Galaxy S3 (Android version: 4.3, Build Number: JSS15J.I9300XXUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: I9300XXUGNA8), and Samsung Galaxy Note 2 (Android version: 4.3, Build Number: JSS15J.I9300XUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: N7100DDUFND1) devices allow injection of AT+CIMI and AT+CGSN over Bluetooth, leaking sensitive information such as IMSI, IMEI, call status, call setup stage, internet service status, signal strength, current roaming status, battery level, and call held status.

2096 | CVE-2019-16400 | - | - | DoS | published 2019-11-06 | updated 2020-08-24 | score 3.3 | gained access: None | Local Network | Low | Not required | C/I/A: None/None/Partial
Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G955USQU5CRG3, Baseband Vendor: Qualcomm Snapdragon 835, Baseband: G955USQU5CRG3), Samsung Galaxy S3 (Android version: 4.3, Build Number: JSS15J.I9300XXUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: I9300XXUGNA8), and Samsung Galaxy Note 2 (Android version: 4.3, Build Number: JSS15J.I9300XUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: N7100DDUFND1) devices allow attackers to send AT commands over Bluetooth, resulting in several Denial of Service (DoS) attacks.

2097 | CVE-2019-16375 | CWE-79 | - | Exec Code XSS | published 2020-03-19 | updated 2020-09-23 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.

2098 | CVE-2019-16336 | CWE-120 | - | DoS | published 2020-02-12 | updated 2020-04-13 | score 3.3 | gained access: None | Local Network | Low | Not required | C/I/A: None/None/Partial
The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE component 3.61 and earlier processes data channel frames with a payload length larger than the configured link layer maximum RX payload size, which allows attackers (in radio range) to cause a denial of service (crash) via a crafted BLE Link Layer frame.

2099 | CVE-2019-16334 | CWE-79 | - | XSS | published 2019-09-15 | updated 2019-09-16 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636.

2100 | CVE-2019-16333 | CWE-79 | - | XSS | published 2019-09-15 | updated 2019-09-19 | score 3.5 | gained access: None | Remote | Medium | Single system | C/I/A: None/Partial/None
GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.
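The Score column on this page is the CVSS v2 base score, and the metrics behind it repeat: every 3.5 row carries Remote / Medium / (Authentication) with None / Partial / None impacts, and the 3.3 rows carry Local Network / Low / Not required with a single Partial impact. The following JavaScript is an added example, not code from cvedetails.com: it computes the CVSS v2 base score from the page's own column labels, reproduces 3.5 and 3.3 from those two patterns, and shows that only Single system (Au:S) yields 3.5 for the XSS rows, which is what the ??? cell on the source page stands for. The label-to-weight mapping and the two sample rows are this example's own constructions; the weights and formula are the ones in the CVSS v2.0 specification.

```javascript
// Added example, not code from cvedetails.com: CVSS v2 base-score calculator
// keyed on the column labels this listing uses, plus a helper that recovers an
// Authentication cell the page renders as "???" by trying every Au value.

// CVSS v2 metric weights (CVSS v2.0 specification), keyed on cvedetails' labels.
const CVSS2 = {
  access:         { 'Local': 0.395, 'Local Network': 0.646, 'Remote': 1.0 },                 // AV:L / AV:A / AV:N
  complexity:     { 'High': 0.35, 'Medium': 0.61, 'Low': 0.71 },                              // AC:H / AC:M / AC:L
  authentication: { 'Multiple systems': 0.45, 'Single system': 0.56, 'Not required': 0.704 }, // Au:M / Au:S / Au:N
  impact:         { 'None': 0.0, 'Partial': 0.275, 'Complete': 0.660 },                       // C/I/A: N / P / C
};

function weight(table, label, column) {
  if (!Object.prototype.hasOwnProperty.call(table, label)) {
    throw new Error(`unknown ${column} label: ${JSON.stringify(label)}`);
  }
  return table[label];
}

// BaseScore = round_to_1_decimal(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))
// Impact = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A)); Exploitability = 20 * AV * AC * Au;
// f(Impact) = 0 when Impact is 0, otherwise 1.176.
function cvss2BaseScore(row) {
  const c = weight(CVSS2.impact, row.conf, 'Conf.');
  const i = weight(CVSS2.impact, row.integ, 'Integ.');
  const a = weight(CVSS2.impact, row.avail, 'Avail.');
  const impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a));
  if (impact === 0) return 0;                       // f(Impact) = 0: no impact, score 0
  const exploitability = 20
    * weight(CVSS2.access, row.access, 'Access')
    * weight(CVSS2.complexity, row.complexity, 'Access Complexity')
    * weight(CVSS2.authentication, row.authentication, 'Authentication');
  const raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176;
  return Math.round(raw * 10) / 10;
}

// Which Authentication labels reproduce the listed score for an otherwise-known row?
// Used for rows whose Authentication cell is unreadable ("???" on the source page).
function recoverAuthentication(row, listedScore) {
  return Object.keys(CVSS2.authentication)
    .filter((label) => cvss2BaseScore({ ...row, authentication: label }) === listedScore);
}

// Rows constructed from the two metric patterns that appear in this listing.
const XSS_ROW = { access: 'Remote', complexity: 'Medium', authentication: 'Single system',
                  conf: 'None', integ: 'Partial', avail: 'None' };   // every 3.5-scored row
const BLE_ROW = { access: 'Local Network', complexity: 'Low', authentication: 'Not required',
                  conf: 'Partial', integ: 'None', avail: 'None' };   // CVE-2019-17098, CVE-2019-16924, CVE-2019-16401

console.log(cvss2BaseScore(XSS_ROW), cvss2BaseScore(BLE_ROW));                   // 3.5 3.3
console.log(recoverAuthentication({ ...XSS_ROW, authentication: '???' }, 3.5));  // [ 'Single system' ]
```

With Not required (Au:N) the same XSS row scores 4.3 and with Multiple systems (Au:M) 2.8, so the listed 3.5 pins the vector to AV:N/AC:M/Au:S/C:N/I:P/A:N.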
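The CVE-2019-16769 entry turns on a detail of RegExp serialization: Node's RegExp.prototype.toString() backslash-escapes the / in a pattern, other engines may not, and an unescaped / lets a pattern such as </script> terminate the inline <script> block the serialized value is embedded in. The following JavaScript is an added example and is not serialize-javascript's own code (the package's fixed implementation is not reproduced here): it shows the unsafe literal form, a hardened serializer that writes the unsafe characters as \uXXXX escapes inside a string literal, and a check to run before interpolating any serialized value into an inline script. The regex pattern and the window variable name are constructed test input.

```javascript
// Added example, not serialize-javascript's code: why a serialized RegExp can
// break out of an inline <script>, and a serializer that neutralises the
// unsafe characters before the value is embedded.

// The unsafe pattern: emit the regex as a /source/flags literal. On an engine
// whose RegExp.prototype.toString() does not escape "/", a source such as
// </script><b> comes out verbatim. Node/V8 escapes it (which is why the CVE
// exempts Node), so the string is built by hand here to reproduce that case.
function naiveSerializeRegExp(source, flags) {
  return `/${source}/${flags}`;
}

// Characters that must never appear raw inside an inline <script> or a JS
// string literal: "<" and ">" (tag boundaries; "</script" ends the block),
// "/" (closes a regex literal and completes "</"), and U+2028/U+2029, which
// are line terminators that older parsers reject inside string literals.
const UNSAFE_CHARS = /[<>\/\u2028\u2029]/g;
const UNICODE_ESCAPES = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F', '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// Hardened form: rebuild the RegExp from its source and flags as JSON strings,
// with the unsafe characters written as \uXXXX escapes. The JS parser resolves
// the escapes inside the string literal, so the pattern is unchanged, but the
// serialized text never contains "<", ">" or "/".
function safeSerializeRegExp(regexp) {
  const source = JSON.stringify(regexp.source).replace(UNSAFE_CHARS, (ch) => UNICODE_ESCAPES[ch]);
  return `new RegExp(${source}, ${JSON.stringify(regexp.flags)})`;
}

// Pre-embedding check: the HTML parser ends script content at "</script" and
// enters its escaped state at "<!--", so neither sequence may appear in the value.
function canEmbedInInlineScript(text) {
  return !/<\/|<!--/.test(text);
}

function inlineScript(varName, serialized) {
  if (!canEmbedInInlineScript(serialized)) {
    throw new Error('serialized value would terminate the <script> block');
  }
  return `<script>window.${varName} = ${serialized};</script>`;
}

// Constructed test input: a pattern whose source contains a closing script tag.
const pattern = new RegExp('</script><b>', 'i');
console.log(naiveSerializeRegExp('</script><b>', 'i'));   // /</script><b>/i  (breaks out of <script>)
console.log(safeSerializeRegExp(pattern));                // new RegExp("\u003C\\\u002Fscript\u003E\u003Cb\u003E", "i")
console.log(inlineScript('PATTERN', safeSerializeRegExp(pattern)));
```

The hardened output round-trips: evaluating it yields a RegExp with the original source and flags, because the \uXXXX escapes are resolved by the parser inside the string literal rather than by the HTML tokenizer, which only ever sees an inert sequence of ASCII letters and digits.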
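Most of the XSS rows above, and the three Jenkins entries (Pipeline Aggregator View, Mission Control, buildgraph-view) most explicitly, come down to a view that interpolates a user-controlled name or description into markup without escaping it. The following JavaScript is an added example, not code from Jenkins or any project listed on this page: it renders a job row the vulnerable way and the escaped way, covering both a text node and an attribute value, and counts the element tags in the result so the difference is checkable. The job object and the row template are constructed for the example.

```javascript
// Added example, not code from Jenkins or any listed project: output encoding
// for user-controlled strings shown in an HTML view, text and attribute context.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for an HTML text node or a quoted attribute value. A single-pass
// replace with a map handles "&" correctly: already-escaped input such as
// "&lt;" is escaped again ("&amp;lt;") rather than silently passed through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable render (the pattern behind the Jenkins entries): the display
// name and build description are placed into markup as-is, once inside an
// attribute value and once as text.
function renderJobRowUnsafe(job) {
  return `<tr title="${job.displayName}"><td>${job.displayName}</td>` +
         `<td>${job.lastBuild.description}</td></tr>`;
}

// Hardened render: every interpolated value is escaped, and the attribute is
// double-quoted so that an escaped value cannot end it early.
function renderJobRowSafe(job) {
  const name = escapeHtml(job.displayName);
  const description = escapeHtml(job.lastBuild.description);
  return `<tr title="${name}"><td>${name}</td><td>${description}</td></tr>`;
}

// Count element start tags in rendered markup. The row template contributes
// exactly three (tr, td, td); anything beyond that came from the data.
function countStartTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Constructed test data: a job whose name closes the attribute and injects an
// element, and whose build description carries a script element.
const hostileJob = {
  displayName: '"><img src=x onerror=alert(1)>',
  lastBuild: { description: '<script>alert(2)</script>' },
};

console.log(countStartTags(renderJobRowUnsafe(hostileJob)));  // 6: tr, img, td, img, td, script
console.log(countStartTags(renderJobRowSafe(hostileJob)));    // 3: tr, td, td
console.log(renderJobRowSafe(hostileJob));
```

The same escaping is needed wherever the value lands in element content or a quoted attribute; it is not sufficient for a value placed inside a script block, a URL, or a CSS property, each of which needs its own context-specific encoding.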