CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2151 CVE-2019-15127 79 XSS 2019-08-21 2019-08-23
3.5
None Remote Medium ??? None Partial None
REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
2152 CVE-2019-15108 79 XSS 2019-08-16 2019-10-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component.
2153 CVE-2019-15081 79 XSS 2019-08-15 2019-09-02
3.5
None Remote Medium ??? None Partial None
OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.
2154 CVE-2019-15031 200 +Info 2019-09-13 2020-01-23
3.6
None Local Low Not required Partial None Partial
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c.
2155 CVE-2019-15030 862 2019-09-13 2020-08-24
3.6
None Local Low Not required Partial None Partial
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.
2156 CVE-2019-15007 79 XSS 2019-12-11 2019-12-12
3.5
None Remote Medium ??? None Partial None
The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.
2157 CVE-2019-14987 79 XSS 2019-08-13 2019-08-15
3.5
None Remote Medium ??? None Partial None
Adive Framework through 2.0.7 is affected by XSS in the Create New Table and Create New Navigation Link functions.
2158 CVE-2019-14948 79 XSS 2019-08-12 2019-08-21
3.5
None Remote Medium ??? None Partial None
The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure.
2159 CVE-2019-14947 79 XSS 2019-08-12 2019-08-14
3.5
None Remote Medium ??? None Partial None
The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.
2160 CVE-2019-14946 79 XSS 2019-08-12 2019-08-14
3.5
None Remote Medium ??? None Partial None
The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.
2161 CVE-2019-14945 79 XSS 2019-08-12 2019-08-14
3.5
None Remote Medium ??? None Partial None
The ultimate-member plugin before 2.0.54 for WordPress has XSS.
2162 CVE-2019-14928 79 XSS 2019-10-28 2019-10-30
3.5
None Remote Medium ??? None Partial None
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A number of stored cross-site script (XSS) vulnerabilities allow an attacker to inject malicious code directly into the application. An example input variable vulnerable to stored XSS is SerialInitialModemString in the index.php page.
2163 CVE-2019-14918 79 Exec Code XSS 2020-01-09 2020-01-21
3.5
None Remote Medium ??? None Partial None
XSS in the DHCP lease-status table in Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an attacker to inject arbitrary HTML/JavaScript code to achieve client-side code execution via crafted DHCP request packets to etc_ro/web/internet/dhcpcliinfo.asp.
2164 CVE-2019-14913 79 XSS 2019-09-20 2019-09-23
3.5
None Remote Medium ??? None Partial None
An issue was discovered in PRiSE adAS 1.7.0. Log data are not properly escaped, leading to persistent XSS in the administration panel.
2165 CVE-2019-14861 276 2019-12-10 2021-05-29
3.5
None Remote Medium ??? None None Partial
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS. If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer.
2166 CVE-2019-14851 617 DoS 2021-03-18 2021-03-25
3.5
None Remote Medium ??? None None Partial
A denial of service vulnerability was discovered in nbdkit. A client issuing a certain sequence of commands could possibly trigger an assertion failure, causing nbdkit to exit. This issue only affected nbdkit versions 1.12.7, 1.14.1, and 1.15.1.
2167 CVE-2019-14849 79 XSS 2019-12-12 2019-12-17
3.5
None Remote Medium ??? None Partial None
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
2168 CVE-2019-14824 732 2019-11-08 2020-12-04
3.5
None Remote Medium ??? Partial None None
A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.
2169 CVE-2019-14822 862 2019-11-25 2020-08-27
3.6
None Local Low Not required Partial Partial None
A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user.
2170 CVE-2019-14805 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium ??? None Partial None
studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the System Name field under Sets during set editing.
2171 CVE-2019-14804 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium ??? None Partial None
studio/polyglot.php?page=etemplates in UNA 10.0.0-RC1 allows XSS via the System Name field under Emails during template editing.
2172 CVE-2019-14797 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium ??? None Partial None
The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS.
2173 CVE-2019-14796 79 XSS 2019-08-09 2019-08-20
3.5
None Remote Medium ??? None Partial None
The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin 2.0 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=update_options show_products_page_limit parameter.
2174 CVE-2019-14795 79 XSS 2019-08-15 2019-08-21
3.5
None Remote Medium ??? None Partial None
The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter.
2175 CVE-2019-14792 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium ??? None Partial None
The WP Google Maps plugin before 7.11.35 for WordPress allows XSS via the wp-admin/ rectangle_name or rectangle_opacity parameter.
2176 CVE-2019-14787 79 XSS 2019-08-09 2019-08-22
3.5
None Remote Medium ??? None Partial None
The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.
2177 CVE-2019-14785 79 XSS 2019-08-09 2019-08-15
3.5
None Remote Medium ??? None Partial None
The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter.
2178 CVE-2019-14748 79 XSS 2019-08-07 2019-08-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
2179 CVE-2019-14731 79 XSS 2019-08-07 2019-08-15
3.5
None Remote Medium ??? None Partial None
An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vulnerability that leads to the capture of other people's cookies via the Rich Text Box.
2180 CVE-2019-14680 352 CSRF 2019-08-08 2019-08-21
3.5
None Remote Medium ??? None Partial None
The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.
2181 CVE-2019-14672 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field. The JavaScript code is executed upon an error condition during a visit to the account show page.
2182 CVE-2019-14670 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill creation.
2183 CVE-2019-14669 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the asset account name. The JavaScript code is executed during a visit to the audit account statistics page.
2184 CVE-2019-14668 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the transaction description field. The JavaScript code is executed during deletion of a transaction link.
2185 CVE-2019-14620 DoS 2020-08-13 2020-08-19
3.3
None Local Network Low Not required None None Partial
Insufficient control flow management for some Intel(R) Wireless Bluetooth(R) products may allow an unprivileged user to potentially enable denial of service via adjacent access.
2186 CVE-2019-14587 DoS 2020-11-23 2021-04-29
3.3
None Local Network Low Not required None None Partial
Logic issue EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access.
2187 CVE-2019-14550 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature, which would fire when a user clicks on the Edit Dashboard button, thus helping him steal victims' cookies (hence compromising their accounts).
2188 CVE-2019-14549 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible link.
2189 CVE-2019-14548 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside the body of the article, thus helping him steal victims' cookies (hence compromising their accounts).
2190 CVE-2019-14547 79 XSS 2019-08-05 2019-08-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a attacker sends an attachment to admin with malicious JavaScript in the filename. This JavaScript executed when an admin selects the particular file from the list of all attachments. The attacker could inject the JavaScript inside the filename and send it to users, thus helping him steal victims' cookies (hence compromising their accounts).
2191 CVE-2019-14546 79 XSS 2019-08-05 2019-08-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature, which fires when the victim replies or forwards the mail, thus helping him steal victims' cookies (hence compromising their accounts).
2192 CVE-2019-14518 79 XSS 2019-08-15 2019-08-21
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Evolution CMS 2.0.x allows XSS via a description and new category location in a template. NOTE: the vendor states that the behavior is consistent with the "access policy in the administration panel."
2193 CVE-2019-14478 79 Exec Code XSS 2020-12-16 2020-12-17
3.5
None Remote Medium ??? None Partial None
AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting (XSS) vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript code in the context of the user's browser if the victim opens or searches for a node whose "Display Name" contains an XSS payload.
2194 CVE-2019-14469 79 XSS 2019-08-22 2019-08-26
3.5
None Remote Medium ??? None Partial None
In Nexus Repository Manager before 3.18.0, users with elevated privileges can create stored XSS.
2195 CVE-2019-14456 79 XSS 2019-07-31 2019-08-07
3.5
None Remote Medium ??? None Partial None
Opengear console server firmware releases prior to 4.5.0 have a stored XSS vulnerability related to serial port logging. If a malicious user of an external system (connected to a serial port on an Opengear console server) sends crafted text to a serial port (that has logging enabled), the text will be replayed when the logs are viewed. Exploiting this vulnerability requires access to the serial port and/or console server.
2196 CVE-2019-14449 79 XSS 2019-11-26 2019-12-05
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Cloudera Manager 5.x before 5.16.2, 6.0.x before 6.0.2, and 6.1.x before 6.1.1. Malicious impala queries can result in Cross Site Scripting (XSS) when viewed within this product.
2197 CVE-2019-14415 79 XSS 2019-07-29 2019-10-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality. A victim must open a resiliency plan that an attacker has access to.
2198 CVE-2019-14390 79 XSS 2019-07-30 2019-07-30
3.5
None Remote Medium ??? None Partial None
cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).
2199 CVE-2019-14386 79 XSS 2019-07-30 2019-07-30
3.5
None Remote Medium ??? None Partial None
cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504).
2200 CVE-2019-14343 79 XSS 2019-11-15 2019-11-25
3.5
None Remote Medium ??? None Partial None
TemaTres 3.0 has stored XSS via the value parameter to the vocab/admin.php?vocabulario_id=list URI.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.