CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2019-10396 79 XSS 2019-09-12 2019-10-09
3.5
None Remote Medium Single system None Partial None
Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions.
202 CVE-2019-10395 79 XSS 2019-09-12 2019-10-09
3.5
None Remote Medium Single system None Partial None
Jenkins Build Environment Plugin 1.6 and earlier did not escape variables shown on its views, resulting in a cross-site scripting vulnerability in Jenkins 2.145, 2.138.1, or older, exploitable by users able to change various job/build properties.
203 CVE-2019-10383 79 XSS 2019-08-28 2019-09-20
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
204 CVE-2019-10374 79 XSS 2019-08-07 2019-10-09
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.
205 CVE-2019-10373 79 XSS 2019-08-07 2019-10-09
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
206 CVE-2019-10360 79 XSS 2019-07-31 2019-10-09
3.5
None Remote Medium Single system None Partial None
A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
207 CVE-2019-10349 79 XSS 2019-07-11 2019-10-09
3.5
None Remote Medium Single system None Partial None
A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
208 CVE-2019-10335 79 XSS 2019-06-11 2019-06-13
3.5
None Remote Medium Single system None Partial None
A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages.
209 CVE-2019-10325 79 XSS 2019-05-31 2019-06-03
3.5
None Remote Medium Single system None Partial None
A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attacker with Job/Configure permission to inject arbitrary JavaScript in build overview pages.
210 CVE-2019-10300 352 CSRF 2019-04-18 2019-05-06
3.5
None Remote Medium Single system Partial None None
A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
211 CVE-2019-10261 79 XSS 2019-04-03 2019-05-06
3.5
None Remote Medium Single system None Partial None
CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action.
212 CVE-2019-10177 79 Exec Code +Priv XSS CSRF 2019-06-27 2019-07-08
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, due to user input is not properly sanitized. An attacker with least privilege to edit compute is able to execute a XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users.
213 CVE-2019-10155 20 2019-06-12 2019-07-29
3.5
None Remote Medium Single system None None Partial
The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29.
214 CVE-2019-10131 119 Overflow 2019-04-30 2019-05-21
3.6
None Local Low Not required Partial None Partial
An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
215 CVE-2019-10111 79 XSS 2019-05-15 2019-05-15
3.5
None Remote Medium Single system None Partial None
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page.
216 CVE-2019-10067 79 XSS 2019-05-21 2019-05-22
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.
217 CVE-2019-10066 79 XSS 2019-05-21 2019-05-22
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS.
218 CVE-2019-10047 79 Exec Code XSS 2019-05-31 2019-06-03
3.5
None Remote Medium Single system None Partial None
A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by levering the file upload and file preview features of the application. An authenticated attacker can upload an HTML file containing JavaScript code and afterwards a file preview URL can be used to access the uploaded file. If a malicious user shares an uploaded HTML file containing JavaScript code with another user of the application, and tricks an authenticated victim into accessing a URL that results in the HTML code being interpreted by the web browser, then the included JavaScript code is executed under the context of the victim user session.
219 CVE-2019-10017 79 XSS 2019-03-24 2019-07-18
3.5
None Remote Medium Single system None Partial None
CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.
220 CVE-2019-9957 79 Exec Code XSS CSRF 2019-06-24 2019-06-27
3.5
None Remote Medium Single system None Partial None
Stored XSS within Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The XSS payload is stored by creating a new user account, and setting the username to an XSS payload. The stored payload can then be triggered by accessing the "Set Security Levels" or "View User/Group Relationships" page. If the attacker does not currently have permission to create a new user, another vulnerability such as CSRF must be exploited first.
221 CVE-2019-9919 79 XSS 2019-03-29 2019-10-09
3.5
None Remote Medium Single system None Partial None
An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to craft messages in a way that JavaScript gets executed on the side of the receiving user when the message is opened, aka XSS.
222 CVE-2019-9862 200 +Info 2019-03-27 2019-03-28
3.3
None Local Network Low Not required Partial None None
An issue was discovered on ABUS Secvest wireless alarm system FUAA50000 3.01.01 in conjunction with Secvest remote control FUBE50014 or FUBE50015. Because "encrypted signal transmission" is missing, an attacker is able to eavesdrop sensitive data as cleartext (for instance, the current rolling code state).
223 CVE-2019-9709 79 XSS 2019-05-07 2019-05-07
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection's SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user.
224 CVE-2019-9701 79 XSS Bypass 2019-06-19 2019-07-03
3.5
None Remote Medium Single system None Partial None
DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site scripting (XSS) vulnerability, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
225 CVE-2019-9698 264 2019-05-08 2019-05-09
3.6
None Local Low Not required None Partial Partial
Symantec AV Engine, prior to 13.0.9r17, may be susceptible to an arbitrary file deletion issue, which is a type of vulnerability that could allow an attacker to delete files on the resident system without elevated privileges.
226 CVE-2019-9605 79 XSS 2019-03-29 2019-04-01
3.5
None Remote Medium Single system None Partial None
PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting (XSS) via the err value in a .ico picture upload.
227 CVE-2019-8987 79 +Priv XSS 2019-03-26 2019-10-09
3.5
None Remote Medium Single system None Partial None
The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site scripting vulnerability that theoretically allows an authenticated user to gain access to all the capabilities of the web interface available to more privileged users. Affected releases are TIBCO Software Inc.'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0.
228 CVE-2019-8458 20 Exec Code +Priv 2019-06-20 2019-10-09
3.5
None Remote Medium Single system None None Partial
Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate.
229 CVE-2019-8455 275 +Priv 2019-04-17 2019-10-09
3.6
None Local Low Not required Partial Partial None
A hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file.
230 CVE-2019-8450 79 XSS 2019-09-11 2019-09-11
3.5
None Remote Medium Single system None Partial None
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field.
231 CVE-2019-8444 79 XSS 2019-08-23 2019-09-16
3.5
None Remote Medium Single system None Partial None
The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.
232 CVE-2019-8289 79 XSS 2019-10-01 2019-10-04
3.5
None Remote Medium Single system None Partial None
Vulnerability in Online Store v1.0, stored XSS in admin/user_view.php adidas_member_email variable
233 CVE-2019-8288 79 XSS 2019-10-01 2019-10-04
3.5
None Remote Medium Single system None Partial None
Vulnerability in Online Store v1.0, Stored XSS in user_view.php where adidas_member_user variable is not sanitized.
234 CVE-2019-7945 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium Single system None Partial None
A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbols can inject malicious javascript.
235 CVE-2019-7944 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious javascript.
236 CVE-2019-7940 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify store currency options to inject malicious javascript.
237 CVE-2019-7938 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify catalog price rules to inject malicious javascript.
238 CVE-2019-7937 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascript.
239 CVE-2019-7936 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious javascript.
240 CVE-2019-7935 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript.
241 CVE-2019-7934 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious javascript.
242 CVE-2019-7927 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit product content pages to inject malicious javascript.
243 CVE-2019-7926 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious javascript.
244 CVE-2019-7921 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious javascript.
245 CVE-2019-7909 79 XSS 2019-08-02 2019-08-08
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to email templates.
246 CVE-2019-7908 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify product information.
247 CVE-2019-7897 79 XSS 2019-08-02 2019-08-08
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to customer configurations to inject malicious javascript.
248 CVE-2019-7887 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium Single system None Partial None
A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.
249 CVE-2019-7882 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.
250 CVE-2019-7881 79 XSS Bypass 2019-08-02 2019-08-07
3.5
None Remote Medium Single system None Partial None
A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).
Total number of vulnerabilities : 4556   Page : 1 2 3 4 5 (This Page)6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.