CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2301 CVE-2019-11226 79 XSS 2019-06-05 2019-06-05
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.
2302 CVE-2019-11212 79 XSS 2019-10-09 2019-10-10
3.5
None Remote Medium ??? None Partial None
The MDM server component of TIBCO Software Inc's TIBCO MDM contains multiple vulnerabilities that theoretically allow an authenticated user with specific roles to perform cross-site scripting (XSS) attacks. This issue affects TIBCO Software Inc.'s TIBCO MDM version 9.0.1 and prior versions; version 9.1.0.
2303 CVE-2019-11199 79 XSS 2019-07-29 2019-08-05
3.5
None Remote Medium ??? None Partial None
Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and would display the content within the uploaded file with a user-requested MIME type.
2304 CVE-2019-11173 384 DoS 2019-11-14 2019-11-19
3.6
None Local Low Not required Partial None Partial
Insufficient session validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via local access.
2305 CVE-2019-11155 276 DoS 2019-11-14 2019-11-18
3.6
None Local Low Not required Partial None Partial
Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.
2306 CVE-2019-11154 269 DoS 2019-11-14 2019-11-18
3.6
None Local Low Not required Partial None Partial
Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.
2307 CVE-2019-11092 522 2019-06-13 2020-08-24
3.6
None Local Low Not required Partial Partial None
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
2308 CVE-2019-11025 79 XSS 2019-04-08 2019-04-16
3.5
None Remote Medium ??? None Partial None
In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
2309 CVE-2019-11017 79 XSS 2019-04-18 2021-04-23
3.5
None Remote Medium ??? None Partial None
On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vulnerabilities were found in the Web Configuration: /spap.htm, /smap.htm, and /cgi-bin/smap, as demonstrated by the cgi-bin/smap RC parameter.
2310 CVE-2019-10988 2019-09-04 2020-10-02
3.6
None Local Low Not required Partial Partial None
In Philips HDI 4000 Ultrasound Systems, all versions running on old, unsupported operating systems such as Windows 2000, the HDI 4000 Ultrasound System is built on an old operating system that is no longer supported. Thus, any unmitigated vulnerability in the old operating system could be exploited to affect this product.
2311 CVE-2019-10975 125 2019-07-02 2019-10-09
3.3
None Local Medium Not required Partial None Partial
An out-of-bounds read vulnerability has been identified in Fuji Electric Alpha7 PC Loader Versions 1.1 and prior, which may crash the system.
2312 CVE-2019-10974 119 Overflow 2019-07-26 2019-10-09
3.6
None Local Low Not required None Partial Partial
NREL EnergyPlus, Versions 8.6.0 and possibly prior versions, The application fails to prevent an exception handler from being overwritten with arbitrary code.
2313 CVE-2019-10957 79 Exec Code XSS 2020-01-17 2020-02-10
3.5
None Remote Medium ??? None Partial None
Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to event configuration to store malicious code on the server, which could later be triggered by a legitimate user resulting in code execution within the user’s browser.
2314 CVE-2019-10909 79 XSS 2019-05-16 2021-04-20
3.5
None Remote Medium ??? None Partial None
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
2315 CVE-2019-10893 79 XSS 2019-04-18 2019-05-02
3.5
None Remote Medium ??? None Partial None
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute.
2316 CVE-2019-10756 79 XSS 2019-10-08 2019-10-17
3.5
None Remote Medium ??? None Partial None
It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.
2317 CVE-2019-10715 79 XSS 2019-10-21 2019-10-21
3.5
None Remote Medium ??? None Partial None
There is Stored XSS in Verodin Director 3.5.3.0 and earlier via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages.
2318 CVE-2019-10689 287 +Info 2019-06-24 2019-06-27
3.3
None Local Network Low Not required Partial None None
VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information.
2319 CVE-2019-10634 79 XSS 2019-04-09 2019-04-09
3.5
None Remote Medium ??? None Partial None
An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields.
2320 CVE-2019-10625 125 2020-04-16 2020-04-21
3.6
None Local Low Not required Partial None Partial
Out of bound access in diag services when DCI command buffer reallocation is not done properly with required capacity in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCS605, Rennell, SC8180X, SDM429W, SDM710, SDX55, SM7150, SM8150
2321 CVE-2019-10623 190 Overflow 2020-04-16 2020-08-24
3.6
None Local Low Not required Partial None Partial
Possible integer overflow can happen in host driver while processing user controlled string due to improper validation on data received. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in QCN7605, QCS605, Rennell, SC8180X, SDA845, SDM710, SDX24, SDX55, SM7150, SM8150, SM8250, SXR2130
2322 CVE-2019-10622 125 2020-04-16 2020-04-22
3.6
None Local Low Not required Partial None Partial
Out of bound memory access can happen while parsing ADSP message due to lack of check of size of payload received from userspace in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8096AU, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCN7605, QCS605, SC8180X, SDM710, SDX24, SDX55, SM8150, SM8250, SXR2130
2323 CVE-2019-10574 125 2020-04-16 2021-04-30
3.6
None Local Low Not required Partial None Partial
Lack of boundary checks for data offsets received from HLOS can lead to out-of-bound read in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCM2150, QCS605, QM215, Rennell, SC7180, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130
2324 CVE-2019-10432 79 XSS 2019-10-01 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.
2325 CVE-2019-10414 312 2019-09-25 2019-10-09
3.5
None Remote Medium ??? Partial None None
Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
2326 CVE-2019-10410 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.
2327 CVE-2019-10406 79 XSS 2019-09-25 2019-09-25
3.5
None Remote Medium ??? None Partial None
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
2328 CVE-2019-10404 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.
2329 CVE-2019-10403 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.
2330 CVE-2019-10402 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.
2331 CVE-2019-10401 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).
2332 CVE-2019-10396 79 XSS 2019-09-12 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions.
2333 CVE-2019-10395 79 XSS 2019-09-12 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins Build Environment Plugin 1.6 and earlier did not escape variables shown on its views, resulting in a cross-site scripting vulnerability in Jenkins 2.145, 2.138.1, or older, exploitable by users able to change various job/build properties.
2334 CVE-2019-10383 79 XSS 2019-08-28 2019-09-20
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
2335 CVE-2019-10374 79 XSS 2019-08-07 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.
2336 CVE-2019-10373 79 XSS 2019-08-07 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
2337 CVE-2019-10360 79 XSS 2019-07-31 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
2338 CVE-2019-10349 79 XSS 2019-07-11 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
2339 CVE-2019-10335 79 XSS 2019-06-11 2019-06-13
3.5
None Remote Medium ??? None Partial None
A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages.
2340 CVE-2019-10325 79 XSS 2019-05-31 2019-06-03
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attacker with Job/Configure permission to inject arbitrary JavaScript in build overview pages.
2341 CVE-2019-10300 352 CSRF 2019-04-18 2019-05-06
3.5
None Remote Medium ??? Partial None None
A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
2342 CVE-2019-10261 79 XSS 2019-04-03 2019-05-06
3.5
None Remote Medium ??? None Partial None
CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action.
2343 CVE-2019-10209 125 2019-10-29 2020-10-01
3.5
None Remote Medium ??? Partial None None
Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan.
2344 CVE-2019-10180 79 XSS 2020-03-31 2020-04-02
3.5
None Remote Medium ??? None Partial None
A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
2345 CVE-2019-10155 354 2019-06-12 2020-09-30
3.5
None Remote Medium ??? None None Partial
The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29.
2346 CVE-2019-10131 119 Overflow 2019-04-30 2021-04-28
3.6
None Local Low Not required Partial None Partial
An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
2347 CVE-2019-10111 79 XSS 2019-05-15 2019-05-16
3.5
None Remote Medium ??? None Partial None
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page.
2348 CVE-2019-10107 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section.
2349 CVE-2019-10106 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.
2350 CVE-2019-10105 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.