CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
3001 CVE-2018-18824 79 XSS 2019-04-25 2020-07-29
3.5
None Remote Medium ??? None Partial None
WolfCMS v0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_manager/browse/.
3002 CVE-2018-18823 79 XSS 2019-04-25 2020-07-29
3.5
None Remote Medium ??? None Partial None
WolfCMS 0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_manager/browse/.
3003 CVE-2018-18816 79 XSS 2019-03-07 2019-10-09
3.5
None Remote Medium ??? None Partial None
The repository component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS contains a persistent cross site scripting vulnerability. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi- Tenancy versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
3004 CVE-2018-18812 732 2019-01-16 2020-08-24
3.5
None Remote Medium ??? None Partial None
The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability that might theoretically fail to restrict users with read-only access from modifying files stored in the Spotfire Library, only when the Spotfire Library is configured to use external storage. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace versions up to and including 10.0.0, and TIBCO Spotfire Server versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0.
3005 CVE-2018-18807 79 XSS 2018-11-26 2019-10-09
3.5
None Remote Medium ??? None Partial None
The web application of the TIBCO Statistica component of TIBCO Software Inc.'s TIBCO Statistica Server contains vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Statistica Server versions up to and including 13.4.0.
3006 CVE-2018-18745 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Menu.php?lgid=1 during editing.
3007 CVE-2018-18744 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the fifth text box to the admin/SEMCMS_Main.php URI.
3008 CVE-2018-18743 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the second text field to the admin/SEMCMS_Categories.php?pid=1&lgid=1 URI.
3009 CVE-2018-18741 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Download.php?lgid=1 during editing.
3010 CVE-2018-18740 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the first input field to the admin/SEMCMS_Link.php?lgid=1 URI.
3011 CVE-2018-18739 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Products.php?lgid=1 Keywords field.
3012 CVE-2018-18738 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Categories.php?pid=1&lgid=1 category_key parameter.
3013 CVE-2018-18736 79 XSS 2018-10-29 2018-12-07
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in catfish blog 2.0.33, related to "write source code."
3014 CVE-2018-18733 79 XSS 2018-10-29 2018-12-07
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in Catfish CMS 4.8.30, related to "write source code," a similar issue to CVE-2018-13999.
3015 CVE-2018-18726 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in admin/sitelink/editsitelink?id=16 in YUNUCMS 1.1.5.
3016 CVE-2018-18725 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in admin/banner/editbanner?id=20 in YUNUCMS 1.1.5.
3017 CVE-2018-18724 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in index.php/admin/category/editcategory?id=73 in YUNUCMS 1.1.5.
3018 CVE-2018-18723 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in index.php/admin/area/editarea/id/110000 in YUNUCMS 1.1.5.
3019 CVE-2018-18722 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in admin/content/editcontent?id=29&gopage=1 in YUNUCMS 1.1.5.
3020 CVE-2018-18721 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in admin/link/editlink?id=5 in YUNUCMS 1.1.5.
3021 CVE-2018-18720 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in index.php/admin/system/basic in YUNUCMS 1.1.5.
3022 CVE-2018-18717 79 XSS 2018-10-29 2018-12-10
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Eleanor CMS through 2015-03-19. XSS exists via the ajax.php?direct=admin&file=autocomplete&query=[XSS] URI.
3023 CVE-2018-18694 79 XSS 2018-10-29 2018-12-06
3.5
None Remote Medium ??? None Partial None
admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases.
3024 CVE-2018-18564 2018-11-20 2020-08-24
3.3
None Local Network Low Not required None Partial None
An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, and cobas h 232 before 04.00.04 (Serial number above KQ0400000 or KS0400000). Improper access control allows attackers in the adjacent network to change the instrument configuration.
3025 CVE-2018-18562 521 2018-11-20 2019-10-03
3.3
None Local Network Low Not required Partial None None
An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.
3026 CVE-2018-18517 79 XSS 2018-10-24 2018-12-06
3.5
None Remote Medium ??? None Partial None
Citrix NetScaler Gateway 10.5.x before 10.5.69.003, 11.1.x before 11.1.59.004, 12.0.x before 12.0.58.7, and 12.1.x before 12.1.49.1 has XSS.
3027 CVE-2018-18433 79 XSS 2018-10-17 2018-11-29
3.5
None Remote Medium ??? None Partial None
An issue was discovered in DESTOON B2B 7.0. admin/category.inc.php has XSS via the category[catname] parameter to the admin.php URI.
3028 CVE-2018-18431 79 XSS 2018-10-17 2018-11-29
3.5
None Remote Medium ??? None Partial None
An issue was discovered in DESTOON B2B 7.0. XSS exists via certain text boxes to the admin.php?moduleid=2&action=add URI.
3029 CVE-2018-18430 79 XSS 2018-10-17 2018-11-29
3.5
None Remote Medium ??? None Partial None
An issue was discovered in DESTOON B2B 7.0. admin\setting.inc.php has XSS via the first text box to the admin.php URI.
3030 CVE-2018-18419 79 XSS 2018-10-19 2018-12-04
3.5
None Remote Medium ??? None Partial None
Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, as demonstrated by a .jpg filename to the /account URI.
3031 CVE-2018-18417 79 XSS 2018-10-19 2018-12-04
3.5
None Remote Medium ??? None Partial None
In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload sections, as demonstrated by the name parameter to the index.php/admin/client/create URI.
3032 CVE-2018-18416 79 XSS 2018-10-19 2018-12-04
3.5
None Remote Medium ??? None Partial None
LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the site_name parameter to the admin/settings/update URI.
3033 CVE-2018-18381 79 XSS 2018-10-16 2019-09-23
3.5
None Remote Medium ??? None Partial None
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
3034 CVE-2018-18374 79 XSS 2018-10-16 2018-11-27
3.5
None Remote Medium ??? None Partial None
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
3035 CVE-2018-18373 79 XSS 2018-10-17 2019-09-10
3.5
None Remote Medium ??? None Partial None
In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, a Stored XSS vulnerability has been discovered in file upload areas in the Chat and Help Desk sections via the msg parameter in a /wp-admin/admin-ajax.php sb_ajax_add_message action.
3036 CVE-2018-18290 79 XSS 2018-10-14 2018-12-04
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** An issue was discovered in nc-cms through 2017-03-10. index.php?action=edit_html&name=home_content allows XSS via the HTML Source Editor. NOTE: the vendor disputes this because the form requires administrator privileges, and entering JavaScript is supported functionality.
3037 CVE-2018-18276 79 XSS 2019-04-26 2019-04-27
3.5
None Remote Medium ??? None Partial None
XSS exists in the ProFiles 1.5 component for Joomla! via the name or path parameter when creating a new folder in the administrative panel.
3038 CVE-2018-18247 79 XSS 2018-12-17 2020-01-16
3.5
None Remote Medium ??? None Partial None
Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter.
3039 CVE-2018-18245 79 XSS 2018-12-17 2020-04-11
3.5
None Remote Medium ??? None Partial None
Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to NRPE.
3040 CVE-2018-18087 79 XSS 2018-10-09 2018-11-24
3.5
None Remote Medium ??? None Partial None
The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user who has the "Manage portfolio" privilege can inject arbitrary web script or HTML via the Image URL field in the portfolio editor. The vulnerability is triggered by visiting /portfolio/${project_title}.
3041 CVE-2018-18029 79 XSS 2018-10-09 2018-11-23
3.5
None Remote Medium ??? None Partial None
Navigate CMS has Stored XSS via the navigate.php Title field in an edit action.
3042 CVE-2018-18021 20 DoS 2018-10-07 2019-04-03
3.6
None Local Low Not required None Partial Partial
arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.
3043 CVE-2018-17989 79 XSS 2019-04-01 2019-04-02
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page. The injected payload would be executed in a user's browser when "/cgi-bin/New_GUI/Acl.asp" is requested.
3044 CVE-2018-17955 59 2019-03-15 2019-10-09
3.6
None Local Low Not required None Partial Partial
In yast2-multipath before version 4.1.1 a static temporary filename allows local attackers to overwrite files on systems without symlink protection
3045 CVE-2018-17928 287 Bypass 2019-01-31 2019-10-09
3.3
None Local Network Low Not required Partial None None
The product CMS-770 (Software Versions 1.7.1 and prior)is vulnerable that an attacker can read sensitive configuration files by bypassing the user authentication mechanism.
3046 CVE-2018-17926 287 Bypass 2019-01-31 2019-10-09
3.3
None Local Network Low Not required None Partial None
The product M2M ETHERNET (FW Versions 2.22 and prior, ETH-FW Versions 1.01 and prior) is vulnerable in that an attacker can upload a malicious language file by bypassing the user authentication mechanism.
3047 CVE-2018-17906 306 2018-11-19 2020-09-18
3.3
None Local Network Low Not required Partial None None
Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system.
3048 CVE-2018-17886 79 XSS Bypass 2018-10-02 2018-11-16
3.5
None Remote Medium ??? None Partial None
An issue was discovered in JEESNS 1.3. The XSS filter in com.lxinet.jeesns.core.utils.XssHttpServletRequestWrapper.java could be bypassed, as demonstrated by a <svg/onLoad=confirm substring. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-12429.
3049 CVE-2018-17873 732 2018-10-23 2020-08-24
3.3
None Local Network Low Not required Partial None None
An incorrect access control vulnerability in the FTP configuration of WiFiRanger devices with firmware version 7.0.8rc3 and earlier allows an attacker with adjacent network access to read the SSH Private Key and log in to the root account.
3050 CVE-2018-17868 79 XSS 2018-10-01 2018-11-16
3.5
None Remote Medium ??? None Partial None
DASAN H660GW devices have Stored XSS in the Port Forwarding functionality.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.