CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
251 CVE-2018-10624 388 +Info 2018-08-01 2018-10-15
3.3
None Local Network Low Not required Partial None None
In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information.
252 CVE-2018-10593 89 Sql 2018-05-24 2018-06-26
3.8
None Local Network Medium Single system None Partial Partial
A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corruption.
253 CVE-2018-10586 79 XSS 2018-11-01 2018-12-12
3.5
None Remote Medium Single system None Partial None
NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12.
254 CVE-2018-10580 79 XSS 2018-05-11 2018-06-14
3.5
None Remote Medium Single system None Partial None
The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field.
255 CVE-2018-10570 79 XSS 2018-04-30 2018-06-07
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS in /install/index.php via the ['config']['admin_username'] field.
256 CVE-2018-10554 79 XSS CSRF 2018-04-29 2018-06-05
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter.
257 CVE-2018-10527 79 XSS 2018-04-28 2018-06-05
3.5
None Remote Medium Single system None Partial None
EasyCMS 1.3 is prone to Stored XSS when posting an article; four fields are affected: title, keyword, abstract, and content, as demonstrated by the /admin/index/index.html#listarticle URI.
258 CVE-2018-10430 79 XSS 2018-04-26 2018-06-06
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DiliCMS (aka DiligentCMS) 2.4.0. There is a Stored XSS Vulnerability in the fourth textbox of "System setting->site setting" of admin/index.php.
259 CVE-2018-10422 79 XSS 2018-04-26 2018-05-25
3.5
None Remote Medium Single system None Partial None
An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field.
260 CVE-2018-10391 79 XSS 2018-04-26 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email parameter to the index.php?m=member&v=register URI.
261 CVE-2018-10382 79 XSS 2018-06-01 2018-06-27
3.5
None Remote Medium Single system None Partial None
MODX Revolution 2.6.3 has XSS.
262 CVE-2018-10368 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement.
263 CVE-2018-10367 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section.
264 CVE-2018-10365 79 XSS 2018-05-01 2018-06-05
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
265 CVE-2018-10364 79 XSS 2018-04-30 2018-06-05
3.5
None Remote Medium Single system None Partial None
BigTree before 4.2.22 has XSS in the Users management page via the name or company field.
266 CVE-2018-10328 798 2018-04-24 2018-08-30
3.3
None Local Network Low Not required Partial None None
Momentum Axel 720P 5.1.8 devices have a hardcoded password of streaming for the appagent account, which allows remote attackers to view the RTSP video stream.
267 CVE-2018-10326 79 XSS 2018-05-17 2018-06-19
3.5
None Remote Medium Single system None Partial None
PrinterOn Enterprise 4.1.3 suffers from multiple authenticated stored XSS vulnerabilities via the (1) department field in the printer configuration, (2) description field in the print server configuration, and (3) username field for authentication to print as guest.
268 CVE-2018-10321 79 XSS 2018-04-24 2018-05-16
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings.
269 CVE-2018-10320 79 XSS 2018-04-23 2018-05-16
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/layout/edit layout[name] parameter, aka Edit Layout.
270 CVE-2018-10319 79 XSS 2018-04-23 2018-05-16
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit snippet[name] parameter, aka Edit Snippet.
271 CVE-2018-10318 79 XSS 2018-04-23 2018-05-16
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/page/edit page[keywords] parameter, aka Edit Page Metadata.
272 CVE-2018-10314 79 XSS 2018-05-09 2018-06-13
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the action parameter in the Discover -> Audit Scripts -> List Scripts -> Download section.
273 CVE-2018-10313 79 XSS 2018-04-23 2018-05-23
3.5
None Remote Medium Single system None Partial None
WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.
274 CVE-2018-10310 79 Exec Code XSS 2018-04-25 2018-06-13
3.5
None Remote Medium Single system None Partial None
A persistent cross-site scripting vulnerability has been identified in the web interface of the Catapult UK Cookie Consent plugin before 2.3.10 for WordPress that allows the execution of arbitrary HTML/script code in the context of a victim's browser.
275 CVE-2018-10309 79 XSS 2018-04-23 2018-06-06
3.5
None Remote Medium Single system None Partial None
The Responsive Cookie Consent plugin before 1.8 for WordPress mishandles number fields, leading to XSS.
276 CVE-2018-10298 79 XSS 2018-04-22 2018-05-18
3.5
None Remote Medium Single system None Partial None
Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content.
277 CVE-2018-10297 79 XSS 2018-04-22 2018-05-18
3.5
None Remote Medium Single system None Partial None
Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images.
278 CVE-2018-10268 79 XSS 2018-04-21 2018-05-25
3.5
None Remote Medium Single system None Partial None
An issue was discovered in FastAdmin V1.0.0.20180417_beta. There is XSS via the application\api\controller\User.php avatar parameter.
279 CVE-2018-10259 79 XSS 2018-05-01 2018-06-05
3.5
None Remote Medium Single system None Partial None
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
280 CVE-2018-10250 79 XSS 2018-04-20 2018-05-21
3.5
None Remote Medium Single system None Partial None
iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixin_category action, aka a WeChat Classified Management keyword search.
281 CVE-2018-10234 79 XSS 2018-04-23 2018-05-24
3.5
None Remote Medium Single system None Partial None
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.
282 CVE-2018-10227 79 XSS 2018-04-19 2018-10-30
3.5
None Remote Medium Single system None Partial None
MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter.
283 CVE-2018-10221 79 XSS 2018-04-19 2018-05-21
3.5
None Remote Medium Single system None Partial None
An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS vulnerability that can steal the administrator cookies via the tag[tag] parameter to the index.php?m=tags&f=index&v=add&&_su=wuzhicms URI. After a website editor (whose privilege is lower than the administrator) logs in, he can add a new TAGS with the XSS payload.
284 CVE-2018-10213 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is XSS in invitation mail received from a different user, who can modify the HTML in that mail before sending it.
285 CVE-2018-10209 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is Stored XSS on the file or folder download pop-up via a crafted file or folder name.
286 CVE-2018-10206 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is Stored XSS via the optional message field of a file request.
287 CVE-2018-10165 79 XSS 2018-05-03 2018-06-12
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows.
288 CVE-2018-10164 79 XSS 2018-05-03 2018-06-12
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows.
289 CVE-2018-10121 79 XSS 2018-04-16 2018-05-16
3.5
None Remote Medium Single system None Partial None
plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the title section of an admin/index.php?id=pages&action=edit_page&name=error404 (aka Edit 404 page) action.
290 CVE-2018-10118 79 XSS 2018-04-16 2018-06-09
3.5
None Remote Medium Single system None Partial None
Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.
291 CVE-2018-10110 79 XSS 2018-04-18 2018-05-21
3.5
None Remote Medium Single system None Partial None
D-Link DIR-615 T1 devices allow XSS via the Add User feature.
292 CVE-2018-10109 79 XSS 2018-04-16 2018-05-16
3.5
None Remote Medium Single system None Partial None
Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog.
293 CVE-2018-10096 79 XSS 2018-04-13 2018-05-11
3.5
None Remote Medium Single system None Partial None
joyplus-cms 1.6.0 has XSS via the device_name parameter in a manager/admin_ajax.php?action=save flag=add request.
294 CVE-2018-10078 79 XSS 2018-04-20 2018-05-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via a server description.
295 CVE-2018-10073 79 XSS 2018-04-12 2018-05-14
3.5
None Remote Medium Single system None Partial None
joyplus-cms 1.6.0 has XSS in manager/admin_vod.php via the keyword parameter.
296 CVE-2018-10061 79 XSS 2018-04-12 2018-04-26
3.5
None Remote Medium Single system None Partial None
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
297 CVE-2018-10060 79 XSS 2018-04-12 2018-04-26
3.5
None Remote Medium Single system None Partial None
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
298 CVE-2018-10059 79 XSS 2018-04-12 2018-04-26
3.5
None Remote Medium Single system None Partial None
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
299 CVE-2018-10052 79 XSS 2018-04-11 2018-05-09
3.5
None Remote Medium Single system None Partial None
iScripts SupportDesk v4.3 has XSS via the admin/inteligentsearchresult.php txtinteligentsearch parameter.
300 CVE-2018-10051 79 XSS 2018-04-11 2018-05-09
3.5
None Remote Medium Single system None Partial None
iScripts SupportDesk v4.3 has XSS via the staff/inteligentsearchresult.php txtinteligentsearch parameter.
Total number of vulnerabilities : 3652   Page : 1 2 3 4 5 6 (This Page)7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.