CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2901 CVE-2018-20372 79 XSS 2018-12-23 2019-01-11
3.5
None Remote Medium ??? None Partial None
TP-Link TD-W8961ND devices allow XSS via the hostname of a DHCP client.
2902 CVE-2018-20370 79 XSS 2018-12-23 2019-01-09
3.5
None Remote Medium ??? None Partial None
SZ NetChat before 7.9 has XSS in the MyName input field of the Options module. Attackers are able to inject commands to compromise the enabled HTTP server web frontend.
2903 CVE-2018-20368 79 XSS 2018-12-23 2019-01-15
3.5
None Remote Medium ??? None Partial None
The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the wp-admin/admin-ajax.php Name input field of the MSPanel.Settings value on Callback.
2904 CVE-2018-20345 2018-12-21 2020-08-24
3.5
None Remote Medium ??? Partial None None
Incorrect access control in StackStorm API (st2api) in StackStorm before 2.9.2 and 2.10.x before 2.10.1 allows an attacker (who has a StackStorm account and is authenticated against the StackStorm API) to retrieve datastore items for other users by utilizing the /v1/keys "?scope=all" and "?user=<username>" query filter parameters. Enterprise editions with RBAC enabled are not affected.
2905 CVE-2018-20328 79 XSS 2018-12-21 2019-01-07
3.5
None Remote Medium ??? None Partial None
Chamilo LMS version 1.11.8 contains XSS in main/social/group_view.php in the social groups tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.
2906 CVE-2018-20327 79 XSS 2018-12-21 2019-01-07
3.5
None Remote Medium ??? None Partial None
Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin/gradebook_list.tpl in the gradebook dependencies tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.
2907 CVE-2018-20306 79 XSS 2018-12-20 2019-01-08
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability in the web administration user interface of Pulse Secure Virtual Traffic Manager may allow a remote authenticated attacker to inject web script or HTML via a crafted website and steal sensitive data and credentials. Affected releases are Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1.
2908 CVE-2018-20244 79 XSS 2019-02-27 2019-04-12
3.5
None Remote Medium ??? None Partial None
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
2909 CVE-2018-20241 79 XSS 2019-02-20 2019-02-26
3.5
None Remote Medium ??? None Partial None
The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.
2910 CVE-2018-20240 79 XSS 2019-02-20 2019-02-26
3.5
None Remote Medium ??? None Partial None
The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.
2911 CVE-2018-20239 79 XSS 2019-04-30 2019-05-29
3.5
None Remote Medium ??? None Partial None
Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.
2912 CVE-2018-20232 79 XSS 2019-02-13 2019-02-27
3.5
None Remote Medium ??? None Partial None
The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.
2913 CVE-2018-20217 617 2018-12-26 2019-10-03
3.5
None Remote Medium ??? None None Partial
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
2914 CVE-2018-20161 2018-12-15 2020-08-24
3.3
None Local Network Low Not required None None Partial
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the Wi-Fi network. (Access to live video from the app also becomes unavailable.)
2915 CVE-2018-20153 79 XSS 2018-12-14 2019-03-04
3.5
None Remote Medium ??? None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
2916 CVE-2018-20149 79 XSS Bypass 2018-12-14 2019-03-04
3.5
None Remote Medium ??? None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
2917 CVE-2018-20138 79 XSS 2018-12-13 2020-04-22
3.5
None Remote Medium ??? None Partial None
PHP Scripts Mall Entrepreneur B2B Script 3.0.6 allows Stored XSS via Account Settings fields such as FirstName and LastName, a similar issue to CVE-2018-14541.
2918 CVE-2018-20137 79 XSS 2018-12-13 2019-01-03
3.5
None Remote Medium ??? None Partial None
XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI.
2919 CVE-2018-20136 79 XSS 2018-12-13 2019-01-03
3.5
None Remote Medium ??? None Partial None
XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI.
2920 CVE-2018-20017 79 XSS 2018-12-10 2018-12-28
3.5
None Remote Medium ??? None Partial None
SEMCMS 3.5 has XSS via the first text box to the SEMCMS_Main.php URI.
2921 CVE-2018-20012 79 XSS 2018-12-10 2018-12-31
3.5
None Remote Medium ??? None Partial None
PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=member&c=register&m=index URI.
2922 CVE-2018-20011 79 XSS 2018-12-10 2019-02-26
3.5
None Remote Medium ??? None Partial None
DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field.
2923 CVE-2018-20010 79 XSS 2018-12-10 2019-02-26
3.5
None Remote Medium ??? None Partial None
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php username field.
2924 CVE-2018-20009 79 XSS 2018-12-10 2019-02-26
3.5
None Remote Medium ??? None Partial None
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider.php SSL Provider Name or SSL Provider URL field.
2925 CVE-2018-19995 79 XSS 2019-01-03 2019-01-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php.
2926 CVE-2018-19992 79 XSS 2019-01-03 2019-01-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php.
2927 CVE-2018-19943 79 XSS 2020-10-28 2020-11-13
3.5
None Remote Medium ??? None Partial None
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions. QTS 4.4.2.1270 build 20200410 and later QTS 4.4.1.1261 build 20200330 and later QTS 4.3.6.1263 build 20200330 and later QTS 4.3.4.1282 build 20200408 and later QTS 4.3.3.1252 build 20200409 and later QTS 4.2.6 build 20200421 and later
2928 CVE-2018-19934 79 XSS 2019-03-21 2019-03-25
3.5
None Remote Medium ??? None Partial None
SolarWinds Serv-U FTP Server 15.1.6.25 has reflected cross-site scripting (XSS) in the Web management interface via URL path and HTTP POST parameter.
2929 CVE-2018-19927 79 XSS 2018-12-06 2019-01-02
3.5
None Remote Medium ??? None Partial None
Zenitel Norway IP-StationWeb before 4.2.3.9 allows stored XSS via the Display Name for Station Status or Account Settings, related to the goform/zForm_save_changes sip_nick parameter. The password of alphaadmin for the admin account may be used for authentication in some cases.
2930 CVE-2018-19919 79 XSS 2018-12-06 2018-12-31
3.5
None Remote Medium ??? None Partial None
Pixelimity 1.0 has Persistent XSS via the admin/portfolio.php data[title] parameter, as demonstrated by a crafted onload attribute of an SVG element.
2931 CVE-2018-19918 79 XSS 2018-12-31 2019-02-25
3.5
None Remote Medium ??? None Partial None
CuppaCMS has XSS via an SVG document uploaded to the administrator/#/component/table_manager/view/cu_views URI.
2932 CVE-2018-19915 79 XSS 2018-12-06 2019-02-26
3.5
None Remote Medium ??? None Partial None
DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
2933 CVE-2018-19914 79 XSS 2018-12-06 2019-02-26
3.5
None Remote Medium ??? None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.
2934 CVE-2018-19913 79 XSS 2018-12-06 2018-12-21
3.5
None Remote Medium ??? None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/registrar-accounts.php UserName, Reseller ID, or notes field.
2935 CVE-2018-19906 79 XSS 2018-12-31 2019-02-25
3.5
None Remote Medium ??? None Partial None
Stored XSS exists in razorCMS 3.4.8 via the /#/page description parameter.
2936 CVE-2018-19905 79 XSS 2018-12-31 2019-02-26
3.5
None Remote Medium ??? None Partial None
HTML injection exists in razorCMS 3.4.8 via the /#/page keywords parameter.
2937 CVE-2018-19902 79 XSS 2018-12-31 2019-02-25
3.5
None Remote Medium ??? None Partial None
No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article "keyword" parameter.
2938 CVE-2018-19901 79 XSS 2018-12-31 2019-02-25
3.5
None Remote Medium ??? None Partial None
No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article/index/ "article_title" parameter.
2939 CVE-2018-19892 79 XSS 2018-12-06 2018-12-21
3.5
None Remote Medium ??? None Partial None
DomainMOD through 4.11.01 has XSS via the admin/dw/add-server.php DisplayName, HostName, or UserName field.
2940 CVE-2018-19849 79 XSS 2018-12-04 2018-12-31
3.5
None Remote Medium ??? None Partial None
An issue was discovered in YzmCMS 5.2. XSS exists via the admin/content/search.html searinfo parameter.
2941 CVE-2018-19845 79 XSS 2018-12-31 2019-02-25
3.5
None Remote Medium ??? None Partial None
There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325.
2942 CVE-2018-19844 79 XSS 2018-12-31 2019-02-25
3.5
None Remote Medium ??? None Partial None
FROG CMS 0.9.5 has XSS via the admin/?/snippet/add name parameter, which is mishandled during an edit action, a related issue to CVE-2018-10319.
2943 CVE-2018-19752 79 XSS 2018-11-29 2018-12-21
3.5
None Remote Medium ??? None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes field for the Registrar.
2944 CVE-2018-19751 79 XSS 2018-11-29 2018-12-21
3.5
None Remote Medium ??? None Partial None
DomainMOD through 4.11.01 has XSS via the admin/ssl-fields/add.php notes field for Custom SSL Fields.
2945 CVE-2018-19750 79 XSS 2018-11-29 2018-12-27
3.5
None Remote Medium ??? None Partial None
DomainMOD through 4.11.01 has XSS via the admin/domain-fields/ notes field in an Add Custom Field action for Custom Domain Fields.
2946 CVE-2018-19749 79 XSS 2018-11-29 2018-12-21
3.5
None Remote Medium ??? None Partial None
DomainMOD through 4.11.01 has XSS via the assets/add/account-owner.php Owner name field.
2947 CVE-2018-19658 79 XSS 2020-03-02 2020-04-01
3.5
None Remote Medium ??? None Partial None
The Markdown editor in YXBJ before 8.3.2 on macOS has stored XSS. This behavior may be encountered by some Evernote users; however, it is a vulnerability in YXBJ, not a vulnerability in Evernote.
2948 CVE-2018-19638 59 2019-03-05 2019-05-08
3.3
None Local Medium Not required None Partial Partial
In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files.
2949 CVE-2018-19637 59 2019-03-05 2019-05-08
3.6
None Local Low Not required None Partial Partial
Supportutils, before version 3.1-5.7.1, wrote data to static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection
2950 CVE-2018-19600 79 XSS 2019-01-03 2019-02-25
3.5
None Remote Medium ??? None Partial None
Rhymix CMS 1.9.8.1 allows XSS via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.