CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2401 | CVE-2019-8132 | 79 | | XSS | 2019-11-06 | 2019-11-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious payload in the template Name field for Email template in the "Design Configuration" dashboard. |
| 2402 | CVE-2019-8131 | 79 | | XSS | 2019-11-06 | 2019-11-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the code field of an inventory source. |
| 2403 | CVE-2019-8129 | 79 | | XSS | 2019-11-06 | 2019-11-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation. |
| 2404 | CVE-2019-8128 | 79 | | XSS | 2019-11-06 | 2019-11-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious JavaScript into the name of the main website. |
| 2405 | CVE-2019-8120 | 79 | | XSS | 2019-11-05 | 2019-11-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary JavaScript code by manipulating a section of a POST request related to the customer's email address. |
| 2406 | CVE-2019-8117 | 79 | | XSS | 2019-11-05 | 2019-11-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via product view id specification. |
| 2407 | CVE-2019-8115 | 79 | | XSS | 2019-11-05 | 2019-11-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image during simple product creation. |
| 2408 | CVE-2019-8092 | 79 | | XSS | 2019-11-05 | 2019-11-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview. |
| 2409 | CVE-2019-7945 | 79 | | XSS | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbols can inject malicious JavaScript. |
| 2410 | CVE-2019-7944 | 79 | | XSS | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious JavaScript. |
| 2411 | CVE-2019-7940 | 79 | | XSS | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify store currency options to inject malicious JavaScript. |
| 2412 | CVE-2019-7938 | 79 | | XSS | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify catalog price rules to inject malicious JavaScript. |
| 2413 | CVE-2019-7937 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious JavaScript. |
| 2414 | CVE-2019-7936 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious JavaScript. |
| 2415 | CVE-2019-7935 | 79 | | XSS | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious JavaScript. |
| 2416 | CVE-2019-7934 | 79 | | XSS | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious JavaScript. |
| 2417 | CVE-2019-7927 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit product content pages to inject malicious JavaScript. |
| 2418 | CVE-2019-7926 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious JavaScript. |
| 2419 | CVE-2019-7921 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious JavaScript. |
| 2420 | CVE-2019-7909 | 79 | | XSS | 2019-08-02 | 2019-08-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to email templates. |
| 2421 | CVE-2019-7908 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify product information. |
| 2422 | CVE-2019-7897 | 79 | | XSS | 2019-08-02 | 2019-08-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to customer configurations to inject malicious JavaScript. |
| 2423 | CVE-2019-7887 | 79 | | XSS | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled. |
| 2424 | CVE-2019-7882 | 79 | | XSS | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files. |
| 2425 | CVE-2019-7881 | 79 | | XSS Bypass | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack). |
| 2426 | CVE-2019-7880 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious JavaScript. |
| 2427 | CVE-2019-7875 | 79 | | XSS | 2019-08-02 | 2019-08-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to newsletter templates. |
| 2428 | CVE-2019-7869 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups. |
| 2429 | CVE-2019-7868 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules. |
| 2430 | CVE-2019-7867 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status. |
| 2431 | CVE-2019-7866 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product information via the TinyMCE editor. |
| 2432 | CVE-2019-7863 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories. |
| 2433 | CVE-2019-7862 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. |
| 2434 | CVE-2019-7853 | 79 | | XSS | 2019-08-02 | 2019-08-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the tax notifications configuration in the Magento admin panel. |
| 2435 | CVE-2019-7671 | 79 | | Exec Code XSS | 2019-06-05 | 2020-02-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user's browser session in the context of an affected site. |
| 2436 | CVE-2019-7655 | 79 | | XSS | 2020-01-29 | 2020-09-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Wowza Streaming Engine 4.8.0 and earlier suffers from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5. |
| 2437 | CVE-2019-7646 | 79 | | XSS | 2019-03-26 | 2019-03-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vulnerable to Stored/Persistent XSS for the "Package Name" field via the add_package module parameter. |
| 2438 | CVE-2019-7634 | 79 | | XSS | 2020-04-29 | 2020-05-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SUAP V2 allows XSS during the update of user information. |
| 2439 | CVE-2019-7621 | 79 | | XSS | 2019-12-18 | 2020-02-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim's browser. |
| 2440 | CVE-2019-7618 | 22 | | Dir. Trav. | 2019-10-01 | 2020-10-16 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user. |
| 2441 | CVE-2019-7553 | 79 | | XSS | 2019-06-06 | 2019-06-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field. |
| 2442 | CVE-2019-7552 | 79 | | XSS | 2019-06-06 | 2020-04-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2. Stored XSS was found in the My Profile Section. This is due to lack of sanitization in the Edit Name section. |
| 2443 | CVE-2019-7547 | 79 | | XSS | 2019-02-06 | 2019-02-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in SIDU 6.0. Because the database name is not strictly filtered, the attacker can insert a name containing an XSS payload, leading to stored XSS. |
| 2444 | CVE-2019-7545 | 79 | | XSS | 2019-02-06 | 2019-02-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In DbNinja 3.2.7, the Add Host function of the Manage Hosts pages has a Stored Cross-site Scripting (XSS) vulnerability in the User Name field. |
| 2445 | CVE-2019-7544 | 79 | | XSS | 2019-02-06 | 2019-02-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in MyWebSQL 3.7. The Add User function of the User Manager pages has a Stored Cross-site Scripting (XSS) vulnerability in the User Name field. |
| 2446 | CVE-2019-7432 | 79 | | XSS | 2019-03-21 | 2020-08-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | PHP Scripts Mall Rental Bike Script 2.0.3 has HTML injection via the STREET field in the Profile Edit section. |
| 2447 | CVE-2019-7411 | 79 | | XSS | 2019-05-13 | 2019-05-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple stored cross-site scripting (XSS) vulnerabilities in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL). |
| 2448 | CVE-2019-7356 | 79 | | XSS | 2020-11-04 | 2020-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter. |
| 2449 | CVE-2019-7345 | 79 | | Exec Code XSS | 2019-02-04 | 2019-02-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Self-Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'options' (options.php) does no input validation for the WEB_TITLE, HOME_URL, HOME_CONTENT, or WEB_CONSOLE_BANNER value, allowing an attacker to execute HTML or JavaScript code. This relates to functions.php. |
| 2450 | CVE-2019-7337 | 79 | | XSS | 2019-02-04 | 2019-02-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 as the view 'events' (events.php) insecurely displays the limit parameter value, without applying any proper output filtration. This issue exists because of the function sortHeader() in functions.php, which insecurely returns the value of the limit query string parameter without applying any filtration. |