Security Vulnerabilities (CVSS score between 3 and 3.99)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2351 CVE-2019-10067 79 XSS 2019-05-22 2020-09-23 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.
2352 CVE-2019-10066 79 XSS 2019-05-22 2019-05-22 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS.
2353 CVE-2019-10047 79 Exec Code XSS 2019-05-31 2019-06-03 3.5 None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by levering the file upload and file preview features of the application. An authenticated attacker can upload an HTML file containing JavaScript code and afterwards a file preview URL can be used to access the uploaded file. If a malicious user shares an uploaded HTML file containing JavaScript code with another user of the application, and tricks an authenticated victim into accessing a URL that results in the HTML code being interpreted by the web browser, then the included JavaScript code is executed under the context of the victim user session.
2354 CVE-2019-10027 79 XSS 2019-03-25 2019-03-26 3.5 None Remote Medium ??? None Partial None
PHPCMS 9.6.x through 9.6.3 has XSS via the mailbox (aka E-mail) field on the personal information screen.
2355 CVE-2019-10017 79 XSS 2019-03-24 2019-07-18 3.5 None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.
2356 CVE-2019-9957 79 Exec Code XSS CSRF 2019-06-24 2019-06-27 3.5 None Remote Medium ??? None Partial None
Stored XSS within Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The XSS payload is stored by creating a new user account, and setting the username to an XSS payload. The stored payload can then be triggered by accessing the "Set Security Levels" or "View User/Group Relationships" page. If the attacker does not currently have permission to create a new user, another vulnerability such as CSRF must be exploited first.
2357 CVE-2019-9919 79 XSS 2019-03-29 2019-10-09 3.5 None Remote Medium ??? None Partial None
An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to craft messages in a way that JavaScript gets executed on the side of the receiving user when the message is opened, aka XSS.
2358 CVE-2019-9862 311 2019-03-27 2020-08-24 3.3 None Local Network Low Not required Partial None None
An issue was discovered on ABUS Secvest wireless alarm system FUAA50000 3.01.01 in conjunction with Secvest remote control FUBE50014 or FUBE50015. Because "encrypted signal transmission" is missing, an attacker is able to eavesdrop sensitive data as cleartext (for instance, the current rolling code state).
2359 CVE-2019-9758 79 XSS 2019-10-29 2019-11-01 3.5 None Remote Medium ??? None Partial None
An issue was discovered in LabKey Server 19.1.0. The display name of a user is vulnerable to stored XSS that can execute on administrators from security/permissions.view, security/addUsers.view, or wiki/Administration/page.view in the admin panel, leading to privilege escalation.
2360 CVE-2019-9751 79 XSS 2019-03-13 2019-03-15 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm.
2361 CVE-2019-9709 79 XSS 2019-05-07 2019-05-07 3.5 None Remote Medium ??? None Partial None
An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection's SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user.
2362 CVE-2019-9701 79 XSS Bypass 2019-06-19 2019-07-03 3.5 None Remote Medium ??? None Partial None
DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site scripting (XSS) vulnerability, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
2363 CVE-2019-9698 2019-05-08 2020-08-24 3.6 None Local Low Not required None Partial Partial
Symantec AV Engine, prior to 13.0.9r17, may be susceptible to an arbitrary file deletion issue, which is a type of vulnerability that could allow an attacker to delete files on the resident system without elevated privileges.
2364 CVE-2019-9661 79 XSS 2019-03-11 2019-03-11 3.5 None Remote Medium ??? None Partial None
Stored XSS exists in YzmCMS 5.2 via the admin/system_manage/user_config_edit.html "value" parameter.
2365 CVE-2019-9660 79 XSS 2019-03-11 2019-03-11 3.5 None Remote Medium ??? None Partial None
Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html "catname" parameter.
2366 CVE-2019-9606 79 XSS 2019-03-06 2019-03-07 3.5 None Remote Medium ??? None Partial None
PHP Scripts Mall Personal Video Collection Script 4.0.4 has Stored XSS via the "Update profile" feature.
2367 CVE-2019-9605 79 XSS 2019-03-29 2019-04-01 3.5 None Remote Medium ??? None Partial None
PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting (XSS) via the err value in a .ico picture upload.
2368 CVE-2019-9570 79 XSS 2019-03-05 2019-03-05 3.5 None Remote Medium ??? None Partial None
An issue was discovered in YzmCMS 5.2.0. It has XSS via the bottom text field to the admin/system_manage/save.html URI, related to the site_code parameter.
2369 CVE-2019-9556 79 XSS 2019-12-31 2020-01-08 3.5 None Remote Medium ??? None Partial None
FiberHome an5506-04-f RP2669 devices have XSS.
2370 CVE-2019-9551 79 XSS 2019-03-04 2019-03-04 3.5 None Remote Medium ??? None Partial None
An issue was discovered in DOYO (aka doyocms) 2.3 through 2015-05-06. It has admin.php XSS.
2371 CVE-2019-9550 79 XSS 2019-03-03 2019-03-04 3.5 None Remote Medium ??? None Partial None
DhCms through 2017-09-18 has admin.php?r=admin/Index/index XSS.
2372 CVE-2019-9509 79 Exec Code XSS 2020-03-30 2020-10-19 3.5 None Remote Medium ??? None Partial None
The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying to users in a web page, which could allow a remote attacker authenticated with a user account to execute arbitrary code.
2373 CVE-2019-9482 200 +Info 2019-03-01 2019-03-01 3.5 None Remote Medium ??? Partial None None
In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only).
2374 CVE-2019-9078 79 XSS 2019-02-24 2019-02-25 3.5 None Remote Medium ??? None Partial None
zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT.
2375 CVE-2019-9066 79 XSS 2019-02-23 2019-02-25 3.5 None Remote Medium ??? None Partial None
PHP Scripts Mall PHP Appointment Booking Script 3.0.3 allows HTML injection in a user profile.
2376 CVE-2019-8987 79 +Priv XSS 2019-03-26 2019-10-09 3.5 None Remote Medium ??? None Partial None
The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site scripting vulnerability that theoretically allows an authenticated user to gain access to all the capabilities of the web interface available to more privileged users. Affected releases are TIBCO Software Inc.'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0.
2377 CVE-2019-8935 79 XSS 2019-02-19 2019-02-19 3.5 None Remote Medium ??? None Partial None
Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter.
2378 CVE-2019-8458 Exec Code +Priv 2019-06-20 2020-10-22 3.5 None Remote Medium ??? None None Partial
Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, which under certain circumstances may cause the client to terminate.
2379 CVE-2019-8455 59 +Priv 2019-04-17 2020-10-22 3.6 None Local Low Not required Partial Partial None
A hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file.
2380 CVE-2019-8450 79 XSS 2019-09-11 2019-09-11 3.5 None Remote Medium ??? None Partial None
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field.
2381 CVE-2019-8444 79 XSS 2019-08-23 2019-09-16 3.5 None Remote Medium ??? None Partial None
The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.
2382 CVE-2019-8440 79 XSS 2019-03-07 2019-03-08 3.5 None Remote Medium ??? None Partial None
An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the third textbox (aka site logo) of "System setting->site setting" of admin/index.php, aka site_logo.
2383 CVE-2019-8439 79 XSS 2019-03-07 2019-03-08 3.5 None Remote Medium ??? None Partial None
An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the second textbox of "System setting->site setting" of admin/index.php, aka site_domain.
2384 CVE-2019-8438 79 XSS 2019-03-07 2019-03-08 3.5 None Remote Medium ??? None Partial None
An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the first textbox of "System setting->site setting" of admin/index.php, aka site_name.
2385 CVE-2019-8436 79 XSS 2019-02-18 2019-02-19 3.5 None Remote Medium ??? None Partial None
imcat 4.5 has Stored XSS via the root/run/adm.php fm[instop][note] parameter.
2386 CVE-2019-8435 79 XSS 2019-02-18 2019-02-20 3.5 None Remote Medium ??? None Partial None
admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header.
2387 CVE-2019-8289 79 XSS 2019-10-01 2019-10-04 3.5 None Remote Medium ??? None Partial None
Vulnerability in Online Store v1.0: stored XSS in admin/user_view.php via the adidas_member_email variable.
2388 CVE-2019-8288 79 XSS 2019-10-01 2019-10-04 3.5 None Remote Medium ??? None Partial None
Vulnerability in Online Store v1.0: stored XSS in user_view.php, where the adidas_member_user variable is not sanitized.
2389 CVE-2019-8279 79 XSS 2019-03-02 2019-03-04 3.5 None Remote Medium ??? None Partial None
Multiple stored XSS in Vanilla Forums before 2.5 allow remote attackers to inject arbitrary JavaScript code into any message on the forum.
2390 CVE-2019-8228 79 XSS 2019-11-06 2019-11-07 3.5 None Remote Medium ??? None Partial None
In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into the transactional email page when creating a new email template or editing an existing email template.
2391 CVE-2019-8227 79 XSS 2019-11-06 2019-11-08 3.5 None Remote Medium ??? None Partial None
In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML.
2392 CVE-2019-8157 79 XSS 2019-11-06 2019-11-06 3.5 None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate a downloadable link and cause an invocation of error handling that accesses user input without sanitization.
2393 CVE-2019-8152 79 XSS 2019-11-06 2019-11-07 3.5 None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious JavaScript into the cache of the admin dashboard.
2394 CVE-2019-8148 79 XSS 2019-11-06 2019-11-07 3.5 None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder.
2395 CVE-2019-8147 79 XSS 2019-11-06 2019-11-06 3.5 None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via customer attribute label.
2396 CVE-2019-8146 79 XSS 2019-11-06 2019-11-06 3.5 None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores.
2397 CVE-2019-8145 79 XSS 2019-11-06 2019-11-06 3.5 None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.
2398 CVE-2019-8142 79 XSS 2019-11-06 2019-11-06 3.5 None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via title of an order when configuring sales payment methods for a store.
2399 CVE-2019-8139 79 XSS 2019-11-06 2019-11-07 3.5 None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product.
2400 CVE-2019-8138 79 Exec Code XSS 2019-11-06 2019-11-07 3.5 None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event.