CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2018-17302 79 XSS 2018-09-21 2018-12-28
3.5
None Remote Medium Single system None Partial None
Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message.
202 CVE-2018-17301 79 XSS 2018-09-21 2018-12-28
3.5
None Remote Medium Single system None Partial None
Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel.
203 CVE-2018-17300 79 XSS 2018-09-21 2018-12-10
3.5
None Remote Medium Single system None Partial None
Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name.
204 CVE-2018-17256 79 XSS 2018-11-27 2018-12-31
3.5
None Remote Medium Single system None Partial None
Persistent cross-site scripting (XSS) vulnerability in Umbraco CMS 7.12.3 allows authenticated users to inject arbitrary web script via the Header Name of a content (Blog, Content Page, etc.). The vulnerability is exploited when updating or removing public access of a content.
205 CVE-2018-17184 79 Exec Code XSS 2018-11-06 2018-12-13
3.5
None Remote Medium Single system None Partial None
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
206 CVE-2018-17140 79 XSS 2018-09-17 2018-11-09
3.5
None Remote Medium Single system None Partial None
The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS via the title parameter in a ql_insert action to wp-admin/admin.php.
207 CVE-2018-17138 79 XSS 2018-09-17 2018-11-08
3.5
None Remote Medium Single system None Partial None
The Jibu Pro plugin through 1.7 for WordPress is prone to Stored XSS via the wp-content/plugins/jibu-pro/quiz_action.php name (aka Quiz Name) field.
208 CVE-2018-17130 79 XSS 2018-09-17 2018-11-01
3.5
None Remote Medium Single system None Partial None
PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header,
209 CVE-2018-17128 79 XSS 2018-09-17 2018-11-07
3.5
None Remote Medium Single system None Partial None
A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.
210 CVE-2018-17090 79 XSS 2018-09-16 2018-11-01
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DonLinkage 6.6.8. The modules /pages/bazy/bazy_adresow.php and /pages/proxy/add.php are vulnerable to stored XSS that can be triggered by closing <textarea> followed by <script></script> tags.
211 CVE-2018-17044 79 XSS 2018-09-14 2018-11-09
3.5
None Remote Medium Single system None Partial None
In YzmCMS 5.1, stored XSS exists via the admin/system_manage/user_config_add.html title parameter.
212 CVE-2018-17026 79 XSS 2018-09-13 2018-10-30
3.5
None Remote Medium Single system None Partial None
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121.
213 CVE-2018-17024 79 XSS 2018-09-13 2018-10-30
3.5
None Remote Medium Single system None Partial None
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action.
214 CVE-2018-16968 22 Dir. Trav. 2018-09-26 2018-11-23
3.5
None Remote Medium Single system None Partial None
Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory Traversal.
215 CVE-2018-16950 20 DoS 2018-09-11 2018-11-27
3.3
None Local Network Low Not required None None Partial
Inteno DG400 WU7U_ELION3.11.6-170614_1328 devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses, as demonstrated by macof.
216 CVE-2018-16887 79 Exec Code +Priv XSS CSRF 2019-01-12 2019-01-24
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.
217 CVE-2018-16872 20 2018-12-13 2019-01-10
3.5
None Remote Medium Single system Partial None None
A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
218 CVE-2018-16861 79 Exec Code +Priv XSS CSRF 2018-12-07 2018-12-28
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable.
219 CVE-2018-16806 310 2018-09-10 2019-01-08
3.3
None Local Network Low Not required None Partial None
A Pektron Passive Keyless Entry and Start (PKES) system, as used on the Tesla Model S and possibly other vehicles, relies on the DST40 cipher, which makes it easier for attackers to obtain access via an approach involving a 5.4 TB precomputation, followed by wake-frame reception and two challenge/response operations, to clone a key fob within a few seconds.
220 CVE-2018-16805 79 XSS 2018-09-10 2018-11-09
3.5
None Remote Medium Single system None Partial None
In b3log Solo 2.9.3, XSS in the Input page under the Publish Articles menu, with an ID of linkAddress stored in the link JSON field, allows remote attackers to inject arbitrary Web scripts or HTML via a crafted site name provided by an administrator.
221 CVE-2018-16780 79 XSS 2018-09-10 2018-10-29
3.5
None Remote Medium Single system None Partial None
Complete Responsive CMS Blog through 2018-05-20 has XSS via a comment.
222 CVE-2018-16776 79 XSS 2018-09-10 2018-11-02
3.5
None Remote Medium Single system None Partial None
wityCMS 0.6.2 has XSS via the "Site Name" field found in the "Contact" "Configuration" page.
223 CVE-2018-16775 79 XSS 2018-09-10 2018-11-09
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the site name in the "Categories" menu.
224 CVE-2018-16773 79 XSS 2018-09-10 2018-09-24
3.5
None Remote Medium Single system None Partial None
EasyCMS 1.5 allows XSS via the index.php?s=/admin/fields/update/navTabId/listfields/callbackType/closeCurrent content field.
225 CVE-2018-16772 79 XSS 2018-09-10 2018-09-24
3.5
None Remote Medium Single system None Partial None
Hoosk v1.7.0 allows XSS via the Navigation Title of a new page entered at admin/pages/new.
226 CVE-2018-16736 79 XSS 2018-09-09 2018-11-06
3.5
None Remote Medium Single system None Partial None
In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the _whatfilter and _messages parameters (in the Filters section of the settings).
227 CVE-2018-16729 79 XSS 2018-09-12 2018-11-09
3.5
None Remote Medium Single system None Partial None
Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a SCRIPT element, and is uploaded via pages->manage under admin.php?action=files.
228 CVE-2018-16728 79 XSS 2018-09-12 2018-11-02
3.5
None Remote Medium Single system None Partial None
feindura 2.0.7 allows XSS via the tags field of a new page created at index.php?category=0&page=new.
229 CVE-2018-16727 79 XSS 2018-09-12 2018-11-02
3.5
None Remote Medium Single system None Partial None
razorCMS 3.4.7 allows Stored XSS via the keywords of the homepage within the settings component.
230 CVE-2018-16726 79 XSS 2018-09-12 2018-11-02
3.5
None Remote Medium Single system None Partial None
razorCMS 3.4.7 allows HTML injection via the description of the homepage within the settings component.
231 CVE-2018-16665 119 Overflow 2018-09-07 2018-10-26
3.6
None Local Low Not required None Partial Partial
An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow while parsing AQL in lvm_shift_for_operator in os/storage/antelope/lvm.c.
232 CVE-2018-16658 200 +Info 2018-09-07 2018-11-28
3.6
None Local Low Not required Partial None Partial
An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940.
233 CVE-2018-16638 79 XSS 2018-12-28 2019-01-06
3.5
None Remote Medium Single system None Partial None
Evolution CMS 1.4.x allows XSS via the manager/ search parameter.
234 CVE-2018-16637 79 XSS 2018-12-28 2019-01-06
3.5
None Remote Medium Single system None Partial None
Evolution CMS 1.4.x allows XSS via the page weblink title parameter to the manager/ URI.
235 CVE-2018-16635 79 XSS 2018-12-10 2018-12-28
3.5
None Remote Medium Single system None Partial None
Blackcat CMS 1.3.2 allows XSS via the willkommen.php?lang=DE page title at backend/pages/modify.php.
236 CVE-2018-16633 79 XSS 2018-12-04 2018-12-27
3.5
None Remote Medium Single system None Partial None
Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title.
237 CVE-2018-16632 79 XSS 2018-12-28 2019-01-09
3.5
None Remote Medium Single system None Partial None
Mezzanine CMS v4.3.1 allows XSS via the /admin/blog/blogcategory/add/?_to_field=id&_popup=1 title parameter at admin/blog/blogpost/add/.
238 CVE-2018-16631 79 XSS 2018-12-04 2018-12-27
3.5
None Remote Medium Single system None Partial None
Subrion CMS v4.2.1 allows XSS via the panel/configuration/general/ SITE TITLE parameter.
239 CVE-2018-16630 79 XSS 2018-12-28 2019-01-09
3.5
None Remote Medium Single system None Partial None
Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file.
240 CVE-2018-16628 79 XSS 2018-12-04 2018-12-27
3.5
None Remote Medium Single system None Partial None
panel/login in Kirby v2.5.12 allows XSS via a blog name.
241 CVE-2018-16622 79 XSS 2018-09-06 2018-11-02
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in /api/content/addOne in DoraCMS v2.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) discription or (2) comments field, related to users/userAddContent.
242 CVE-2018-16607 79 XSS 2018-09-19 2018-11-07
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Orgs Page in Open-AudIT Professional edition in 2.2.7 allows remote attackers to inject arbitrary web script via the Orgs name field.
243 CVE-2018-16605 79 XSS 2018-09-12 2018-10-30
3.5
None Remote Medium Single system None Partial None
D-Link DIR-600M devices allow XSS via the Hostname and Username fields in the Dynamic DNS Configuration page.
244 CVE-2018-16551 79 XSS 2018-09-05 2018-10-25
3.5
None Remote Medium Single system None Partial None
LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit.
245 CVE-2018-16468 79 XSS 2018-10-30 2019-01-10
3.5
None Remote Medium Single system None Partial None
In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
246 CVE-2018-16464 287 2018-10-30 2019-01-17
3.5
None Remote Medium Single system Partial None None
A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password.
247 CVE-2018-16463 384 2018-10-30 2019-01-17
3.6
None Remote High Single system Partial Partial None
A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares.
248 CVE-2018-16379 79 XSS 2018-09-02 2018-11-09
3.5
None Remote Medium Single system None Partial None
Ogma CMS 0.4 Beta has XSS via the "Footer Text footer" field on the "Theme/Theme Options" screen.
249 CVE-2018-16374 79 XSS 2018-09-02 2018-10-24
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has stored XSS via /admin/?/plugin/comment/settings.
250 CVE-2018-16363 79 XSS 2018-09-07 2018-11-06
3.5
None Remote Medium Single system None Partial None
The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php.
Total number of vulnerabilities : 3882   Page : 1 2 3 4 5 (This Page)6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.