CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2501 CVE-2019-5471 79 XSS 2019-09-09 2019-10-09
3.5
None Remote Medium ??? None Partial None
An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was addressed in GitLab 12.1.2, 12.0.4, and 11.11.6.
2502 CVE-2019-5467 79 XSS 2019-09-09 2019-10-09
3.5
None Remote Medium ??? None Partial None
An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
2503 CVE-2019-5458 79 Exec Code XSS 2019-07-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.
2504 CVE-2019-5457 79 Exec Code XSS 2019-07-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in min-http-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.
2505 CVE-2019-5453 287 Bypass 2019-07-30 2020-12-18
3.6
None Local Low Not required Partial Partial None
Bypass lock protection in the Nextcloud Android app prior to version 3.3.0 allowed access to files when being prompted for the lock protection and switching to the Nextcloud file provider.
2506 CVE-2019-5403 79 XSS 2019-08-09 2019-08-16
3.5
None Remote Medium ??? None Partial None
A remote multiple cross-site scripting vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.
2507 CVE-2019-5401 79 XSS 2019-08-01 2019-08-08
3.5
None Remote Medium ??? None Partial None
A potential security vulnerability has been identified in HP2910al-48G version W.15.14.0016. The attack exploits an xss injection by setting the attack vector in one of the switch persistent configuration fields (management URL, location, contact). But admin privileges are required to configure these fields thereby reducing the likelihood of exploit. HPE Aruba has provided firmware updates to resolve the vulnerability in HP 2910-48G al Switch. Please update to W.15.14.0017.
2508 CVE-2019-5398 79 XSS 2019-08-09 2019-08-16
3.5
None Remote Medium ??? None Partial None
A remote multiple multiple cross-site vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1.
2509 CVE-2019-5252 287 2019-12-14 2019-12-27
3.6
None Local Low Not required Partial Partial None
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
2510 CVE-2019-5221 22 Dir. Trav. 2019-07-10 2019-07-18
3.3
None Local Network Low Not required None Partial None
There is a path traversal vulnerability on Huawei Share. The software does not properly validate the path, an attacker could crafted a file path when transporting file through Huawei Share, successful exploit could allow the attacker to transport a file to arbitrary path on the phone. Affected products: Mate 20 X versions earlier than Ever-L29B 9.1.0.300(C432E3R1P12), versions earlier than Ever-L29B 9.1.0.300(C636E3R2P1), and versions earlier than Ever-L29B 9.1.0.300(C185E3R3P1).
2511 CVE-2019-5139 798 2020-02-25 2020-02-26
3.6
None Local Low Not required Partial Partial None
An exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts.
2512 CVE-2019-5108 20 2019-12-23 2020-06-10
3.3
None Local Network Low Not required None None Partial
An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.
2513 CVE-2019-5068 732 2019-11-05 2020-06-01
3.6
None Local Low Not required Partial Partial None
An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. An attacker can access the shared memory without any specific permissions to trigger this vulnerability.
2514 CVE-2019-5062 20 DoS 2019-12-12 2019-12-19
3.3
None Local Network Low Not required None None Partial
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.
2515 CVE-2019-5061 20 DoS 2019-12-12 2019-12-19
3.3
None Local Network Low Not required None None Partial
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby Aps of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.
2516 CVE-2019-5014 306 2019-05-08 2020-08-24
3.3
None Local Network Low Not required None None Partial
An exploitable improper access control vulnerability exists in the bluetooth low energy functionality of Winco Fireworks FireFly FW-1007 V2.0. An attacker can connect to the device to trigger this vulnerability.
2517 CVE-2019-4749 79 XSS 2020-04-17 2020-04-21
3.5
None Remote Medium ??? None Partial None
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 173308.
2518 CVE-2019-4748 79 XSS 2020-07-16 2020-07-21
3.5
None Remote Medium ??? None Partial None
IBM Jazz Team Server based Applications are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 173174.
2519 CVE-2019-4747 79 XSS 2020-07-16 2020-07-23
3.5
None Remote Medium ??? None Partial None
IBM Team Concert (RTC) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172887.
2520 CVE-2019-4746 79 XSS 2020-04-08 2020-04-10
3.5
None Remote Medium ??? None Partial None
IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172885.
2521 CVE-2019-4740 79 XSS 2020-04-08 2020-04-10
3.5
None Remote Medium ??? None Partial None
IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172808.
2522 CVE-2019-4737 79 XSS 2020-04-08 2020-04-10
3.5
None Remote Medium ??? None Partial None
IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172707.
2523 CVE-2019-4718 79 XSS 2020-03-23 2020-03-24
3.5
None Remote Medium ??? None Partial None
IBM Jazz for Service Management 3.13 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172123.
2524 CVE-2019-4691 79 XSS 2020-08-26 2020-08-27
3.5
None Remote Medium ??? None Partial None
IBM Security Guardium Data Encryption (GDE) 3.0.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171828.
2525 CVE-2019-4665 79 XSS 2019-12-11 2019-12-12
3.5
None Remote Medium ??? None Partial None
IBM Spectrum Scale 4.2 and 5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171247.
2526 CVE-2019-4663 79 XSS 2019-12-10 2019-12-10
3.5
None Remote Medium ??? None Partial None
IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245.
2527 CVE-2019-4653 79 XSS 2021-06-01 2021-06-04
3.5
None Remote Medium ??? None Partial None
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 170964.
2528 CVE-2019-4652 276 +Info 2019-11-12 2019-11-14
3.6
None Local Low Not required Partial Partial None
IBM Spectrum Protect Plus 10.1.0 through 10.1.4 uses insecure file permissions on restored files and directories in Windows which could allow a local user to obtain sensitive information or perform unauthorized actions. IBM X-Force ID: 170963.
2529 CVE-2019-4623 79 XSS 2019-12-30 2020-01-03
3.5
None Remote Medium ??? None Partial None
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168924.
2530 CVE-2019-4617 384 2020-03-16 2020-03-20
3.6
None Local Low Not required Partial Partial None
IBM Cloud Automation Manager 3.2.1.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 168645.
2531 CVE-2019-4611 79 XSS 2019-12-09 2019-12-11
3.5
None Remote Medium ??? None Partial None
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
2532 CVE-2019-4608 79 XSS 2020-03-10 2020-03-10
3.5
None Remote Medium ??? None Partial None
IBM Tivoli Workload Scheduler 9.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168508.
2533 CVE-2019-4602 79 XSS 2020-04-08 2020-04-10
3.5
None Remote Medium ??? None Partial None
IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168293.
2534 CVE-2019-4596 79 XSS 2020-02-26 2020-02-27
3.5
None Remote Medium ??? None Partial None
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 167879.
2535 CVE-2019-4571 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM Content Navigator 3.0CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 166721.
2536 CVE-2019-4569 79 XSS 2019-11-22 2019-12-03
3.5
None Remote Medium ??? None Partial None
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.16 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 166719.
2537 CVE-2019-4555 79 XSS 2019-12-20 2020-03-17
3.5
None Remote Medium ??? None Partial None
IBM Cognos Analytics 11.0 and 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 166204.
2538 CVE-2019-4536 269 2019-08-29 2020-08-24
3.3
None Local Medium Not required Partial Partial None
IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a restore of multiple user profiles. A user with restore privileges could exploit this vulnerability to obtain elevated privileges on the restored system. IBM X-Force ID: 165592.
2539 CVE-2019-4497 79 XSS 2019-10-01 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM Jazz Reporting Service (JRS) 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 164118.
2540 CVE-2019-4495 79 XSS 2019-10-01 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM Jazz Reporting Service (JRS) 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 164116.
2541 CVE-2019-4494 79 XSS 2019-10-01 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM Jazz Reporting Service (JRS) 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 164115.
2542 CVE-2019-4486 79 XSS 2019-10-24 2019-10-28
3.5
None Remote Medium ??? None Partial None
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 164070.
2543 CVE-2019-4482 79 XSS 2019-08-20 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 164066.
2544 CVE-2019-4470 79 XSS 2019-11-09 2019-11-12
3.5
None Remote Medium ??? None Partial None
IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163779.
2545 CVE-2019-4468 79 XSS 2019-12-03 2019-12-09
3.5
None Remote Medium ??? None Partial None
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163777.
2546 CVE-2019-4467 79 XSS 2019-12-03 2019-12-09
3.5
None Remote Medium ??? None Partial None
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163776.
2547 CVE-2019-4461 74 XSS Http R.Spl. +Info 2019-10-25 2020-08-24
3.5
None Remote Medium ??? None Partial None
IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is vulnerable to HTTP Response Splitting caused by improper caching of content. This would allow the attacker to perform further attacks, such as Web Cache poisoning, cross-site scripting and possibly obtain sensitive information. IBM X-Force ID: 163682.
2548 CVE-2019-4459 79 XSS 2019-10-24 2019-10-28
3.5
None Remote Medium ??? None Partial None
IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163656.
2549 CVE-2019-4454 79 XSS 2019-11-09 2019-11-12
3.5
None Remote Medium ??? None Partial None
IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163618.
2550 CVE-2019-4451 79 XSS 2020-02-04 2020-02-06
3.5
None Remote Medium ??? None Partial None
IBM Security Identity Manager 6.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163493.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.