CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

Columns: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score, followed by the CVSS v2 vector fields (Gained Access Level, Access, Complexity, Authentication, Conf., Integ., Avail.) and the description. The "# of Exploits" column is empty for every entry on this page, and "???" is the site's own value for an unknown Authentication field.

2751 | CVE-2019-0624 | CWE 79 | XSS | Published 2019-01-17 | Updated 2020-08-24 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.

2752 | CVE-2019-0562 | CWE - | - | Published 2019-01-08 | Updated 2020-08-24 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint.

2753 | CVE-2019-0558 | CWE 79 | XSS | Published 2019-01-08 | Updated 2019-01-15 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint, Microsoft Business Productivity Servers. This CVE ID is unique from CVE-2019-0556, CVE-2019-0557.

2754 | CVE-2019-0557 | CWE 79 | XSS | Published 2019-01-08 | Updated 2019-01-15 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0556, CVE-2019-0558.

2755 | CVE-2019-0556 | CWE 79 | XSS | Published 2019-01-08 | Updated 2019-01-15 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0557, CVE-2019-0558.

2756 | CVE-2019-0395 | CWE 79 | XSS | Published 2019-12-11 | Updated 2019-12-17 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability.

2757 | CVE-2019-0385 | CWE 79 | XSS | Published 2019-11-13 | Updated 2019-11-15 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

2758 | CVE-2019-0382 | CWE 79 | XSS | Published 2019-11-13 | Updated 2019-11-15 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Business Intelligence Platform (Web Intelligence-Publication related pages); corrected in version 4.2. Privileges are required in order to exploit this vulnerability.

2759 | CVE-2019-0378 | CWE 79 | XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the file name of the background image resulting in Stored Cross-Site Scripting.

2760 | CVE-2019-0377 | CWE 79 | XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the input controls, resulting in Stored Cross-Site Scripting.

2761 | CVE-2019-0376 | CWE 79 | Exec Code XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save malicious scripts in the publication name, which can be executed later by the victim, resulting in Stored Cross-Site Scripting.

2762 | CVE-2019-0375 | CWE 79 | Exec Code XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the export dialog box of the report name, resulting in reflected Cross-Site Scripting.

2763 | CVE-2019-0374 | CWE 79 | Exec Code XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title, resulting in reflected Cross-Site Scripting.

2764 | CVE-2019-0369 | CWE 79 | Exec Code XSS | Published 2019-10-08 | Updated 2019-10-10 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious scripts, leading to reflected cross site scripting vulnerability.

2765 | CVE-2019-0368 | CWE 79 | XSS | Published 2019-10-08 | Updated 2019-10-17 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client, resulting in Cross-Site Scripting vulnerability.

2766 | CVE-2019-0318 | CWE - | - | Published 2019-07-10 | Updated 2020-08-24 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: Partial; Integ.: None; Avail.: None
     Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.

2767 | CVE-2019-0316 | CWE 79 | XSS | Published 2019-06-14 | Updated 2020-02-10 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim's browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked into clicking on those malicious links, resulting in reflected Cross Site Scripting vulnerability.

2768 | CVE-2019-0308 | CWE 94 | Exec Code | Published 2019-06-12 | Updated 2019-06-13 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting HTML code in the application that will be executed whenever the victim logs in to the application, even on a different machine, leading to Code Injection.

2769 | CVE-2019-0284 | CWE 611 | - | Published 2019-04-10 | Updated 2019-04-11 | Score 3.6
     Gained access: None; Access: Local; Complexity: Low; Authentication: Not required; Conf.: Partial; Integ.: None; Avail.: Partial
     SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files.

2770 | CVE-2019-0275 | CWE 79 | XSS | Published 2019-03-12 | Updated 2019-03-14 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.

2771 | CVE-2019-0269 | CWE 79 | XSS | Published 2019-03-12 | Updated 2019-03-13 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.10 and 4.20, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

2772 | CVE-2019-0262 | CWE 79 | XSS | Published 2019-02-15 | Updated 2019-02-19 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not sufficiently encode user-controlled inputs in generated HTML reports, resulting in Cross-Site Scripting (XSS) vulnerability.

2773 | CVE-2019-0254 | CWE 79 | XSS | Published 2019-02-15 | Updated 2019-02-20 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

2774 | CVE-2019-0245 | CWE 79 | XSS | Published 2019-01-08 | Updated 2019-01-17 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

2775 | CVE-2019-0244 | CWE 79 | XSS | Published 2019-01-08 | Updated 2019-01-17 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

2776 | CVE-2019-0216 | CWE 79 | XSS | Published 2019-04-10 | Updated 2019-04-11 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views.

2777 | CVE-2019-0180 | CWE 522 | - | Published 2019-06-13 | Updated 2020-08-24 | Score 3.6
     Gained access: None; Access: Local; Complexity: Low; Authentication: Not required; Conf.: Partial; Integ.: Partial; Avail.: None
     Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

2778 | CVE-2019-0179 | CWE 522 | - | Published 2019-06-13 | Updated 2020-08-24 | Score 3.6
     Gained access: None; Access: Local; Complexity: Low; Authentication: Not required; Conf.: Partial; Integ.: Partial; Avail.: None
     Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

2779 | CVE-2019-0178 | CWE 362 | - | Published 2019-06-13 | Updated 2019-06-24 | Score 3.3
     Gained access: None; Access: Local; Complexity: Medium; Authentication: Not required; Conf.: Partial; Integ.: Partial; Avail.: None
     Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

2780 | CVE-2019-0177 | CWE - | - | Published 2019-06-13 | Updated 2020-08-24 | Score 3.6
     Gained access: None; Access: Local; Complexity: Low; Authentication: Not required; Conf.: Partial; Integ.: Partial; Avail.: None
     Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

2781 | CVE-2019-0175 | CWE 522 | - | Published 2019-06-13 | Updated 2020-08-24 | Score 3.6
     Gained access: None; Access: Local; Complexity: Low; Authentication: Not required; Conf.: Partial; Integ.: Partial; Avail.: None
     Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.

2782 | CVE-2019-0136 | CWE - | DoS | Published 2019-06-13 | Updated 2020-08-24 | Score 3.3
     Gained access: None; Access: Local Network; Complexity: Low; Authentication: Not required; Conf.: None; Integ.: None; Avail.: Partial
     Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

2783 | CVE-2019-0122 | CWE 415 | DoS | Published 2019-03-14 | Updated 2019-03-18 | Score 3.6
     Gained access: None; Access: Local; Complexity: Low; Authentication: Not required; Conf.: Partial; Integ.: None; Avail.: Partial
     Double free in Intel(R) SGX SDK for Linux before version 2.2 and Intel(R) SGX SDK for Windows before version 2.1 may allow an authenticated user to potentially enable information disclosure or denial of service via local access.

2784 | CVE-2019-0094 | CWE 20 | DoS | Published 2019-05-17 | Updated 2019-06-20 | Score 3.3
     Gained access: None; Access: Local Network; Complexity: Low; Authentication: Not required; Conf.: None; Integ.: None; Avail.: Partial
     Insufficient input validation vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an unauthenticated user to potentially enable denial of service via adjacent network access.

2785 | CVE-2019-0027 | CWE 79 | XSS | Published 2019-01-15 | Updated 2019-10-09 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A persistent cross-site scripting (XSS) vulnerability in the Snort Rules configuration of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user into performing administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

2786 | CVE-2019-0026 | CWE 79 | XSS | Published 2019-01-15 | Updated 2019-10-09 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A persistent cross-site scripting (XSS) vulnerability in the Zone configuration of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user into performing administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

2787 | CVE-2019-0025 | CWE 79 | XSS | Published 2019-01-15 | Updated 2019-10-09 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A persistent cross-site scripting (XSS) vulnerability in the RADIUS configuration menu of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user into performing administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

2788 | CVE-2019-0024 | CWE 79 | XSS | Published 2019-01-15 | Updated 2019-10-09 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A persistent cross-site scripting (XSS) vulnerability in the Email Collectors menu of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user into performing administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

2789 | CVE-2019-0023 | CWE 79 | XSS | Published 2019-01-15 | Updated 2019-10-09 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A persistent cross-site scripting (XSS) vulnerability in the Golden VM menu of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user into performing administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

2790 | CVE-2019-0018 | CWE 79 | XSS | Published 2019-01-15 | Updated 2019-10-09 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A persistent cross-site scripting (XSS) vulnerability in the file upload menu of Juniper ATP may allow an authenticated user to inject arbitrary scripts and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user into performing administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

2791 | CVE-2019-0011 | CWE 20 | DoS | Published 2019-01-15 | Updated 2020-07-22 | Score 3.3
     Gained access: None; Access: Local Network; Complexity: Low; Authentication: Not required; Conf.: None; Integ.: None; Avail.: Partial
     The Junos OS kernel crashes after processing a specific incoming packet to the out-of-band management interface (such as fxp0, me0, em0, vme0) destined for another address. By continuously sending this type of packet, an attacker can repeatedly crash the kernel, causing a sustained Denial of Service. Affected releases are Juniper Networks Junos OS: 17.2 versions prior to 17.2R1-S7, 17.2R3; 17.3 versions prior to 17.3R3-S3; 17.4 versions prior to 17.4R1-S4, 17.4R2; 17.2X75 versions prior to 17.2X75-D110; 18.1 versions prior to 18.1R2.

2792 | CVE-2018-1999029 | CWE 79 | XSS | Published 2018-08-01 | Updated 2018-10-01 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

2793 | CVE-2018-1999021 | CWE 79 | XSS | Published 2018-07-23 | Updated 2018-09-19 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     Gleezcms Gleez Cms version 1.3.0 contains a Cross Site Scripting (XSS) vulnerability in the Profile page that can result in injection of arbitrary web script or HTML via the profile page editor. This attack appears to be exploitable when the victim navigates to the attacker's profile page.

2794 | CVE-2018-1999008 | CWE 79 | XSS | Published 2018-07-23 | Updated 2020-08-03 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     October CMS versions prior to build 437 contain a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an authenticated user with media module permission creating an arbitrary folder name with XSS content. This attack appears to be exploitable by an authenticated user with media module permission who can create an arbitrary folder name (XSS). This vulnerability appears to have been fixed in build 437.

2795 | CVE-2018-1999007 | CWE 79 | XSS | Published 2018-07-23 | Updated 2018-09-19 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

2796 | CVE-2018-1999005 | CWE 79 | XSS | Published 2018-07-23 | Updated 2018-09-19 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

2797 | CVE-2018-1002100 | CWE 20 | - | Published 2018-06-02 | Updated 2019-10-09 | Score 3.6
     Gained access: None; Access: Local; Complexity: Low; Authentication: Not required; Conf.: None; Integ.: Partial; Avail.: Partial
     In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

2798 | CVE-2018-1002009 | CWE 79 | XSS | Published 2018-12-03 | Updated 2018-12-27 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3: via a GET request to the email variable.

2799 | CVE-2018-1002008 | CWE 79 | XSS | Published 2018-12-03 | Updated 2018-12-27 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4: via the GET request offset variable.

2800 | CVE-2018-1002007 | CWE 79 | XSS | Published 2018-12-03 | Updated 2018-12-27 | Score 3.5
     Gained access: None; Access: Remote; Complexity: Medium; Authentication: ???; Conf.: None; Integ.: Partial; Avail.: None
     There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:15: via the POST request variable html_id.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.