CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2651 | CVE-2015-9423 | 79 | | XSS | 2019-09-25 | 2019-09-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters. |
| 2652 | CVE-2015-9410 | 79 | | XSS | 2019-09-25 | 2019-09-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter. |
| 2653 | CVE-2015-9401 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/tools.php edit_style id XSS. |
| 2654 | CVE-2015-9397 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS. |
| 2655 | CVE-2015-9393 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_desc parameter. |
| 2656 | CVE-2015-9392 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_name parameter. |
| 2657 | CVE-2015-9389 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz name. |
| 2658 | CVE-2015-9354 | 79 | | XSS | 2019-08-28 | 2019-08-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The gigpress plugin before 2.3.11 for WordPress has XSS. |
| 2659 | CVE-2015-9267 | 284 | | | 2018-10-01 | 2018-12-01 | 3.6 | None | Local | Low | Not required | None | Partial | Partial | Nullsoft Scriptable Install System (NSIS) before 2.49 uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which either a plugin or the uninstaller can be replaced by a Trojan horse program. |
| 2660 | CVE-2015-9260 | 79 | | XSS | 2018-07-04 | 2018-08-28 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in BEdita before 3.7.0. A cross-site scripting (XSS) attack occurs via a crafted pages/showObjects URI, as demonstrated by appending a payload to a pages/showObjects/2/0/0/leafs URI. |
| 2661 | CVE-2015-9248 | 79 | | XSS | 2018-01-12 | 2018-01-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in Skybox Platform before 7.5.201. Stored cross-site scripting vulnerabilities exist in the title, Comments, or Description field to /skyboxview/webskybox/tickets in Change Manager. |
| 2662 | CVE-2015-9247 | 79 | | XSS | 2018-01-12 | 2018-01-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in Skybox Platform before 7.5.401. Reflected cross-site scripting vulnerabilities exist in /skyboxview/webservice/services/VersionRepositoryWebService via a soapenv:Body element, or in the status parameter to login.html. |
| 2663 | CVE-2015-9230 | 79 | | XSS | 2017-09-12 | 2017-09-21 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | In the admin/db-backup-security/db-backup-security.php page in the BulletProof Security plugin before .52.5 for WordPress, XSS is possible for remote authenticated administrators via the DBTablePrefix parameter. |
| 2664 | CVE-2015-9229 | 79 | | XSS | 2017-09-12 | 2017-09-21 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | In the nggallery-manage-gallery page in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress, XSS is possible for remote authenticated administrators via the images[1][alttext] parameter. |
| 2665 | CVE-2015-9105 | 79 | | XSS | 2017-06-30 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos. |
| 2666 | CVE-2015-9104 | 79 | | XSS | 2017-06-30 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5.1 before 5.1-2550 and 5.4 before 5.4-2857 allows remote authenticated attackers to inject arbitrary web script or HTML via the album title. |
| 2667 | CVE-2015-9103 | 79 | | XSS | 2017-06-30 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments. |
| 2668 | CVE-2015-9102 | 79 | | XSS | 2017-06-30 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos. |
| 2669 | CVE-2015-8987 | 284 | | | 2017-03-14 | 2017-03-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Man-in-the-middle (MitM) attack vulnerability in non-Mac OS agents in McAfee (now Intel Security) Agent (MA) 4.8.0 patch 2 and earlier allows attackers to make a McAfee Agent talk with another, possibly rogue, ePO server via McAfee Agent migration to another ePO server. |
| 2670 | CVE-2015-8956 | 476 | | DoS +Info | 2016-10-10 | 2018-01-04 | 3.6 | None | Local | Low | Not required | Partial | None | Partial | The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. |
| 2671 | CVE-2015-8801 | 284 | | Bypass | 2016-06-30 | 2017-08-31 | 3.3 | None | Local | Medium | Not required | Partial | Partial | None | Race condition in the client in Symantec Endpoint Protection (SEP) 12.1 before RU6 MP5 allows local users to bypass intended restrictions on USB file transfer by conducting filesystem operations before the SEP device manager recognizes a new USB device. |
| 2672 | CVE-2015-8759 | 79 | | XSS | 2016-01-08 | 2016-01-11 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link field. |
| 2673 | CVE-2015-8758 | 79 | | XSS | 2016-01-08 | 2016-01-11 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in unspecified frontend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors. |
| 2674 | CVE-2015-8756 | 79 | | XSS | 2016-01-08 | 2016-01-11 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the search result view in the Indexed Search (indexed_search) component in TYPO3 6.2.x before 6.2.16 allows remote authenticated editors to inject arbitrary web script or HTML via unspecified vectors. |
| 2675 | CVE-2015-8755 | 79 | | XSS | 2016-01-08 | 2016-01-11 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors. |
| 2676 | CVE-2015-8743 | 125 | | | 2016-12-29 | 2017-11-03 | 3.6 | None | Local | Low | Not required | Partial | Partial | None | QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes. |
| 2677 | CVE-2015-8698 | | | DoS | 2016-06-28 | 2016-11-28 | 3.6 | None | Local | Low | Not required | Partial | None | Partial | CA Release Automation (formerly LISA Release Automation) 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and 6.1.0 before 6.1.0-1026 allows remote attackers to read arbitrary files or cause a denial of service via a request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
| 2678 | CVE-2015-8687 | 79 | | XSS | 2017-03-23 | 2017-03-28 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Management Console in Alcatel-Lucent Motive Home Device Manager (HDM) before 4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceTypeID parameter to DeviceType/getDeviceType.do; the (2) policyActionClass or (3) policyActionName parameter to PolicyAction/findPolicyActions.do; the deviceID parameter to (4) SingleDeviceMgmt/getDevice.do or (5) device/editDevice.do; the operation parameter to (6) ajax.do or (7) xmlHttp.do; or the (8) policyAction, (9) policyClass, or (10) policyName parameter to policy/findPolicies.do. |
| 2679 | CVE-2015-8603 | 79 | | XSS | 2016-01-12 | 2018-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the serendipity[entry_id] parameter in an "edit" admin action to serendipity_admin.php. |
| 2680 | CVE-2015-8602 | 200 | | Bypass +Info | 2015-12-17 | 2015-12-18 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node. |
| 2681 | CVE-2015-8504 | 189 | | DoS | 2017-04-11 | 2017-11-03 | 3.5 | None | Remote | Medium | Single system | None | None | Partial | Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client. |
| 2682 | CVE-2015-8481 | 200 | | +Info | 2016-01-08 | 2016-01-12 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | Atlassian JIRA Software 7.0.3, JIRA Core 7.0.3, and the bundled JIRA Service Desk 3.0.3 installer attaches the wrong image to e-mail notifications when a user views an issue with inline wiki markup referencing an image attachment, which might allow remote attackers to obtain sensitive information by updating a different issue that includes wiki markup for an external image reference. |
| 2683 | CVE-2015-8375 | 79 | | XSS | 2017-09-25 | 2017-10-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in PHP-Fusion 9. |
| 2684 | CVE-2015-8326 | 59 | | | 2017-06-07 | 2017-06-14 | 3.6 | None | Local | Low | Not required | None | Partial | Partial | The IPTables-Parse module before 1.6 for Perl allows local users to write to arbitrary files owned by the current user. |
| 2685 | CVE-2015-8310 | 79 | | XSS | 2017-03-27 | 2017-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to inject arbitrary web script or HTML via the playlistname field when creating a new playlist. |
| 2686 | CVE-2015-8105 | 79 | | XSS | 2015-11-10 | 2018-10-30 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload. |
| 2687 | CVE-2015-8001 | 284 | | DoS | 2015-11-09 | 2015-11-10 | 3.5 | None | Remote | Medium | Single system | None | None | Partial | The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file size. |
| 2688 | CVE-2015-7989 | 79 | | XSS | 2016-05-21 | 2017-11-03 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714. |
| 2689 | CVE-2015-7916 | 79 | | XSS | 2016-02-06 | 2016-12-02 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. |
| 2690 | CVE-2015-7881 | 284 | | Bypass | 2015-10-26 | 2015-10-28 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via unspecified vectors, possibly related to a link in a comment. |
| 2691 | CVE-2015-7879 | 79 | | XSS | 2017-09-11 | 2017-09-19 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Stickynote module 7.x before 7.x-1.3 for Drupal allows remote authenticated users with permission to create or edit a stickynote to inject arbitrary web script or HTML via note text on the admin listing page. |
| 2692 | CVE-2015-7878 | 79 | | XSS | 2017-11-06 | 2017-11-28 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Taxonomy Find module 6.x-2.x through 6.x-1.2 and 7.x-2.x through 7.x-1.0 in Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via taxonomy vocabulary and term names. |
| 2693 | CVE-2015-7836 | 200 | | +Info | 2015-10-28 | 2017-09-14 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | Siemens RUGGEDCOM ROS before 4.2.1 allows remote attackers to obtain sensitive information by sniffing the network for VLAN data within the padding section of an Ethernet frame. |
| 2694 | CVE-2015-7829 | 264 | | | 2015-10-14 | 2016-12-08 | 3.3 | None | Local | Medium | Not required | None | Partial | Partial | Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows mishandle junctions in the Synchronizer directory, which allows attackers to delete arbitrary files via Adobe Collaboration Sync, a related issue to CVE-2015-2428. |
| 2695 | CVE-2015-7789 | 20 | | DoS | 2015-12-30 | 2015-12-30 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remote attackers to cause a denial of service via unspecified vectors. |
| 2696 | CVE-2015-7787 | 200 | | +Info | 2015-12-30 | 2015-12-30 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remote attackers to discover the WPA2-PSK passphrase via unspecified vectors. |
| 2697 | CVE-2015-7775 | 79 | | XSS | 2016-06-19 | 2016-06-21 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in Cybozu Garoon 4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-1197. |
| 2698 | CVE-2015-7676 | 79 | | XSS | 2016-04-15 | 2016-11-28 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when configured to support file view on download, allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading HTML files. |
| 2699 | CVE-2015-7672 | 79 | | XSS | 2017-09-07 | 2019-07-30 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in Centreon 2.6.1 (fixed in Centreon 18.10.0 and Centreon web 2.8.27). |
| 2700 | CVE-2015-7582 | 200 | | +Info | 2017-06-27 | 2017-07-05 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | Satellite 6.1.0 allows remote authenticated users to read administrator bookmarks. |
Total number of vulnerabilities: 4556 (this listing is page 54 of 92)