CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2018-1000113 79 XSS 2018-03-13 2018-04-04
3.5
None Remote Medium Single system None Partial None
A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript
202 CVE-2018-1000095 79 XSS 2018-03-12 2018-04-09
3.5
None Remote Medium Single system None Partial None
oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3.
203 CVE-2018-1000087 79 XSS 2018-03-13 2018-04-10
3.5
None Remote Medium Single system None Partial None
WolfCMS version version 0.8.3.1 contains a Reflected Cross Site Scripting vulnerability in "Create New File" and "Create New Directory" input box from 'files' Tab that can result in Session Hijacking, Spread Worms,Control the browser remotely. . This attack appear to be exploitable via Attacker can execute the JavaScript into the "Create New File" and "Create New Directory" input box from 'files'.
204 CVE-2018-1000084 79 XSS 2018-03-13 2018-04-06
3.5
None Remote Medium Single system None Partial None
WOlfCMS WolfCMS version version 0.8.3.1 contains a Stored Cross-Site Scripting vulnerability in Layout Name (from Layout tab) that can result in low privilege user can steal the cookie of admin user and compromise the admin account. This attack appear to be exploitable via Need to enter the Javascript code into Layout Name .
205 CVE-2018-1000062 79 XSS 2018-02-09 2018-03-05
3.5
None Remote Medium Single system None Partial None
WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser. This attack appear to be exploitable via Crafted SVG File.
206 CVE-2018-20838 79 XSS 2019-05-13 2019-05-14
3.5
None Remote Medium Single system None Partial None
ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS.
207 CVE-2018-20837 79 XSS 2019-05-09 2019-05-10
3.5
None Remote Medium Single system None Partial None
include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS.
208 CVE-2018-20726 79 XSS 2019-01-16 2019-01-17
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
209 CVE-2018-20725 79 XSS 2019-01-16 2019-01-17
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
210 CVE-2018-20724 79 XSS 2019-01-16 2019-01-17
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
211 CVE-2018-20723 79 XSS 2019-01-16 2019-01-17
3.5
None Remote Medium Single system None Partial None
A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
212 CVE-2018-20703 79 XSS 2019-01-13 2019-01-16
3.5
None Remote Medium Single system None Partial None
CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.
213 CVE-2018-20682 79 XSS 2019-01-09 2019-01-23
3.5
None Remote Medium Single system None Partial None
Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka "Admin ids" input in the Facebook section).
214 CVE-2018-20680 79 XSS 2019-01-09 2019-01-11
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field.
215 CVE-2018-20663 79 XSS 2019-01-03 2019-01-15
3.5
None Remote Medium Single system None Partial None
The Reporting Addon (aka Reports Addon) through 2019-01-02 for CUBA Platform through 6.10.x has Persistent XSS via the "Reports > Reports" name field.
216 CVE-2018-20601 79 XSS 2018-12-30 2019-01-04
3.5
None Remote Medium Single system None Partial None
UCMS 1.4.7 has XSS via the description parameter in an index.php list_editpost action.
217 CVE-2018-20597 79 XSS 2018-12-30 2019-01-04
3.5
None Remote Medium Single system None Partial None
UCMS 1.4.7 has XSS via the dir parameter in an index.php sadmin_fileedit action.
218 CVE-2018-20590 79 XSS 2018-12-30 2019-01-09
3.5
None Remote Medium Single system None Partial None
Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/users.php user ID.
219 CVE-2018-20589 79 XSS 2018-12-30 2019-01-09
3.5
None Remote Medium Single system None Partial None
Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/add_pictures.php article ID.
220 CVE-2018-20579 119 Overflow 2018-12-28 2019-01-14
3.6
None Local Low Not required None Partial Partial
Contiki-NG before 4.2 has a stack-based buffer overflow in the push function in os/lib/json/jsonparse.c that allows an out-of-bounds write of an '{' or '[' character.
221 CVE-2018-20565 79 XSS 2018-12-28 2019-01-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?rec=update has XSS via the nav_name parameter.
222 CVE-2018-20564 79 XSS 2018-12-28 2019-01-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product_category.php?rec=update has XSS via the cat_name parameter.
223 CVE-2018-20563 79 XSS 2018-12-28 2019-01-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/mobile.php?rec=system&act=update has XSS via the mobile_name parameter.
224 CVE-2018-20562 79 XSS 2018-12-28 2019-01-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article_category.php?rec=update has XSS via the cat_name parameter.
225 CVE-2018-20561 79 XSS 2018-12-28 2019-01-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article.php?rec=update has XSS via the title parameter.
226 CVE-2018-20560 79 XSS 2018-12-28 2019-01-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/show.php?rec=update has XSS via the show_name parameter.
227 CVE-2018-20559 79 XSS 2018-12-28 2019-01-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product.php?rec=update has XSS via the name parameter.
228 CVE-2018-20558 79 XSS 2018-12-28 2019-01-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/system.php?rec=update has XSS via the site_name parameter.
229 CVE-2018-20557 79 XSS 2018-12-28 2019-01-04
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/page.php?rec=edit has XSS via the page_name parameter.
230 CVE-2018-20530 79 XSS 2018-12-28 2019-01-03
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a Profile field such as Company Address, a related issue to CVE-2018-15896.
231 CVE-2018-20448 79 XSS 2018-12-25 2019-01-03
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS via the Database name field to the /install/index.php URI.
232 CVE-2018-20418 79 XSS 2018-12-23 2019-01-07
3.5
None Remote Medium Single system None Partial None
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
233 CVE-2018-20373 79 XSS 2018-12-22 2019-01-14
3.5
None Remote Medium Single system None Partial None
Tenda ADSL modem routers 1.0.1 allow XSS via the hostname of a DHCP client.
234 CVE-2018-20372 79 XSS 2018-12-22 2019-01-11
3.5
None Remote Medium Single system None Partial None
TP-Link TD-W8961ND devices allow XSS via the hostname of a DHCP client.
235 CVE-2018-20370 79 XSS 2018-12-22 2019-01-09
3.5
None Remote Medium Single system None Partial None
SZ NetChat before 7.9 has XSS in the MyName input field of the Options module. Attackers are able to inject commands to compromise the enabled HTTP server web frontend.
236 CVE-2018-20368 79 XSS 2018-12-22 2019-01-15
3.5
None Remote Medium Single system None Partial None
The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the wp-admin/admin-ajax.php Name input field of the MSPanel.Settings value on Callback.
237 CVE-2018-20328 79 XSS 2018-12-21 2019-01-07
3.5
None Remote Medium Single system None Partial None
Chamilo LMS version 1.11.8 contains XSS in main/social/group_view.php in the social groups tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.
238 CVE-2018-20327 79 XSS 2018-12-21 2019-01-07
3.5
None Remote Medium Single system None Partial None
Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin/gradebook_list.tpl in the gradebook dependencies tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.
239 CVE-2018-20306 79 XSS 2018-12-20 2019-01-08
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting (XSS) vulnerability in the web administration user interface of Pulse Secure Virtual Traffic Manager may allow a remote authenticated attacker to inject web script or HTML via a crafted website and steal sensitive data and credentials. Affected releases are Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1.
240 CVE-2018-20244 79 XSS 2019-02-27 2019-04-12
3.5
None Remote Medium Single system None Partial None
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
241 CVE-2018-20239 79 XSS 2019-04-30 2019-05-29
3.5
None Remote Medium Single system None Partial None
Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.
242 CVE-2018-20217 20 2018-12-26 2019-04-16
3.5
None Remote Medium Single system None None Partial
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
243 CVE-2018-20153 79 XSS 2018-12-14 2019-01-04
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
244 CVE-2018-20149 79 XSS Bypass 2018-12-14 2019-01-04
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
245 CVE-2018-20138 79 XSS 2018-12-13 2019-01-03
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Entrepreneur B2B Script 3.0.6 allows Stored XSS via Account Settings fields such as FirstName and LastName, a similar issue to CVE-2018-14541.
246 CVE-2018-20137 79 XSS 2018-12-13 2019-01-03
3.5
None Remote Medium Single system None Partial None
XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI.
247 CVE-2018-20136 79 XSS 2018-12-13 2019-01-03
3.5
None Remote Medium Single system None Partial None
XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI.
248 CVE-2018-20017 79 XSS 2018-12-10 2018-12-28
3.5
None Remote Medium Single system None Partial None
SEMCMS 3.5 has XSS via the first text box to the SEMCMS_Main.php URI.
249 CVE-2018-20012 79 XSS 2018-12-10 2018-12-31
3.5
None Remote Medium Single system None Partial None
PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=member&c=register&m=index URI.
250 CVE-2018-20011 79 XSS 2018-12-10 2018-12-21
3.5
None Remote Medium Single system None Partial None
DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field.
Total number of vulnerabilities : 4066   Page : 1 2 3 4 5 (This Page)6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.