CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

Columns: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
3301 CVE-2018-11124 79 XSS 2018-07-06 2018-09-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Attributes functionality in Open-AudIT Community edition before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted attribute name of an Attribute.
3302 CVE-2018-11076 +Info 2018-11-26 2020-08-24
3.3
None Local Network Low Not required Partial None None
Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0 and 7.4.1 and Dell EMC Integrated Data Protection Appliance (IDPA) 2.0 are affected by an information exposure vulnerability. Avamar Java management console's SSL/TLS private key may be leaked in the Avamar Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.
3303 CVE-2018-11073 79 Exec Code XSS 2018-09-28 2020-03-27
3.5
None Remote Medium ??? None Partial None
RSA Authentication Manager versions prior to 8.3 P3 contain a stored cross-site scripting vulnerability in the Operations Console. A malicious Operations Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser.
3304 CVE-2018-11059 79 Exec Code XSS 2018-07-24 2019-10-09
3.5
None Remote Medium ??? None Partial None
RSA Archer, versions prior to 6.4.0.1, contain a stored cross-site scripting vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application.
3305 CVE-2018-11050 319 2018-08-01 2019-10-03
3.3
None Local Network Low Not required Partial None None
Dell EMC NetWorker versions between 9.0 and 9.1.1.8 through 9.2.1.3, and the version 18.1.0.1 contain a Clear-Text authentication over network vulnerability in the Rabbit MQ Advanced Message Queuing Protocol (AMQP) component. User credentials are sent unencrypted to the remote AMQP service. An unauthenticated attacker in the same network collision domain could potentially sniff the password from the network and use it to access the component using the privileges of the compromised user.
3306 CVE-2018-10989 1188 Bypass 2018-05-14 2019-10-03
3.5
None Remote Medium ??? Partial None None
Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distributed by some ISPs with a default password of "password" for the admin account that is used over an unencrypted http://192.168.0.1 connection, which might allow remote attackers to bypass intended access restrictions by leveraging access to the local network. NOTE: one or more user's guides distributed by ISPs state "At a minimum, you should set a login password."
3307 CVE-2018-10948 79 XSS 2019-05-30 2019-05-31
3.5
None Remote Medium ??? None Partial None
Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 8.8.0 beta 2 has Persistent XSS via mail addrs.
3308 CVE-2018-10937 79 XSS 2018-09-11 2019-10-09
3.5
None Remote Medium ??? None Partial None
A cross site scripting flaw exists in the tetonic-console component of Openshift Container Platform 3.11. An attacker with the ability to create pods can use this flaw to perform actions on the K8s API as the victim.
3309 CVE-2018-10934 79 XSS 2019-03-27 2019-06-11
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users.
3310 CVE-2018-10932 119 Overflow 2018-08-21 2019-10-09
3.3
None Local Network Low Not required None Partial None
lldptool version 1.0.1 and older can print a raw, unsanitized attacker controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal.
3311 CVE-2018-10896 2018-08-01 2020-10-29
3.6
None Local Low Not required Partial Partial None
The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks.
3312 CVE-2018-10854 79 XSS 2019-11-22 2019-12-04
3.5
None Remote Medium ??? None Partial None
CloudForms versions 5.8 and 5.9 are vulnerable to cross-site scripting. A flaw was found in the CloudForms v2v infrastructure mapping delete feature: a stored cross-site scripting issue due to improper sanitization of user input in the Name field.
3313 CVE-2018-10821 79 XSS 2018-06-14 2020-06-04
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.
3314 CVE-2018-10806 352 XSS CSRF 2018-05-08 2020-08-24
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross Site Scripting Vulnerability via the file[current_name] parameter to the admin/?/plugin/file_manager/rename URI. This can be used in conjunction with CSRF.
3315 CVE-2018-10763 79 XSS 2018-09-14 2018-11-09
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Synametrics SynaMan 4.0 build 1488 via the (1) Main heading or (2) Sub heading fields in the Partial Branding configuration page.
3316 CVE-2018-10752 79 XSS 2018-05-05 2019-03-07
3.5
None Remote Medium ??? None Partial None
The Tagregator plugin 0.6 for WordPress has stored XSS via the title field in an Add New action.
3317 CVE-2018-10726 79 XSS 2018-05-04 2018-06-05
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** A stored XSS vulnerability was found in Datenstrom Yellow 0.7.3 via an "Edit page" action. NOTE: the vendor disputes the relevance of this report because an installation accessible to untrusted users is supposed to have parserSafeMode=1 in system/config/config.ini to prevent XSS.
3318 CVE-2018-10626 345 +Info 2018-08-10 2019-10-09
3.8
None Local Network Medium ??? Partial Partial None
A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected product's update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
3319 CVE-2018-10624 388 +Info 2018-08-01 2019-10-09
3.3
None Local Network Low Not required Partial None None
In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information.
3320 CVE-2018-10593 89 Sql 2018-05-24 2019-10-09
3.8
None Local Network Medium ??? None Partial Partial
A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corruption.
3321 CVE-2018-10586 79 XSS 2018-11-01 2018-12-12
3.5
None Remote Medium ??? None Partial None
NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12.
3322 CVE-2018-10580 79 XSS 2018-05-11 2018-06-14
3.5
None Remote Medium ??? None Partial None
The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field.
3323 CVE-2018-10570 79 XSS 2018-04-30 2018-06-07
3.5
None Remote Medium ??? None Partial None
Frog CMS 0.9.5 has XSS in /install/index.php via the ['config']['admin_username'] field.
3324 CVE-2018-10554 352 XSS CSRF 2018-04-30 2020-08-24
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter.
3325 CVE-2018-10527 79 XSS 2018-04-28 2018-06-05
3.5
None Remote Medium ??? None Partial None
EasyCMS 1.3 is prone to Stored XSS when posting an article; four fields are affected: title, keyword, abstract, and content, as demonstrated by the /admin/index/index.html#listarticle URI.
3326 CVE-2018-10430 79 XSS 2018-04-26 2018-06-06
3.5
None Remote Medium ??? None Partial None
An issue was discovered in DiliCMS (aka DiligentCMS) 2.4.0. There is a Stored XSS Vulnerability in the fourth textbox of "System setting->site setting" of admin/index.php.
3327 CVE-2018-10422 79 XSS 2018-04-26 2018-05-25
3.5
None Remote Medium ??? None Partial None
An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field.
3328 CVE-2018-10391 79 XSS 2018-04-26 2018-05-24
3.5
None Remote Medium ??? None Partial None
An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email parameter to the index.php?m=member&v=register URI.
3329 CVE-2018-10382 79 XSS 2018-06-01 2018-06-27
3.5
None Remote Medium ??? None Partial None
MODX Revolution 2.6.3 has XSS.
3330 CVE-2018-10368 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium ??? None Partial None
An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement.
3331 CVE-2018-10367 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium ??? None Partial None
An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section.
3332 CVE-2018-10365 79 XSS 2018-05-01 2018-06-05
3.5
None Remote Medium ??? None Partial None
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
3333 CVE-2018-10364 79 XSS 2018-04-30 2018-06-05
3.5
None Remote Medium ??? None Partial None
BigTree before 4.2.22 has XSS in the Users management page via the name or company field.
3334 CVE-2018-10328 798 2018-04-24 2018-08-30
3.3
None Local Network Low Not required Partial None None
Momentum Axel 720P 5.1.8 devices have a hardcoded password of streaming for the appagent account, which allows remote attackers to view the RTSP video stream.
3335 CVE-2018-10326 79 XSS 2018-05-17 2018-06-19
3.5
None Remote Medium ??? None Partial None
PrinterOn Enterprise 4.1.3 suffers from multiple authenticated stored XSS vulnerabilities via the (1) department field in the printer configuration, (2) description field in the print server configuration, and (3) username field for authentication to print as guest.
3336 CVE-2018-10321 79 XSS 2018-04-24 2018-05-16
3.5
None Remote Medium ??? None Partial None
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings.
3337 CVE-2018-10320 79 XSS 2018-04-24 2018-05-16
3.5
None Remote Medium ??? None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/layout/edit layout[name] parameter, aka Edit Layout.
3338 CVE-2018-10319 79 XSS 2018-04-24 2018-05-16
3.5
None Remote Medium ??? None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit snippet[name] parameter, aka Edit Snippet.
3339 CVE-2018-10318 79 XSS 2018-04-24 2018-05-16
3.5
None Remote Medium ??? None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/page/edit page[keywords] parameter, aka Edit Page Metadata.
3340 CVE-2018-10314 79 XSS 2018-05-10 2018-06-13
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the action parameter in the Discover -> Audit Scripts -> List Scripts -> Download section.
3341 CVE-2018-10313 79 XSS 2018-04-24 2018-05-23
3.5
None Remote Medium ??? None Partial None
WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.
3342 CVE-2018-10310 79 Exec Code XSS 2018-04-25 2018-06-13
3.5
None Remote Medium ??? None Partial None
A persistent cross-site scripting vulnerability has been identified in the web interface of the Catapult UK Cookie Consent plugin before 2.3.10 for WordPress that allows the execution of arbitrary HTML/script code in the context of a victim's browser.
3343 CVE-2018-10309 79 XSS 2018-04-24 2018-06-06
3.5
None Remote Medium ??? None Partial None
The Responsive Cookie Consent plugin before 1.8 for WordPress mishandles number fields, leading to XSS.
3344 CVE-2018-10298 79 XSS 2018-04-22 2018-05-18
3.5
None Remote Medium ??? None Partial None
Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content.
3345 CVE-2018-10297 79 XSS 2018-04-22 2018-05-18
3.5
None Remote Medium ??? None Partial None
Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images.
3346 CVE-2018-10268 79 XSS 2018-04-22 2018-05-25
3.5
None Remote Medium ??? None Partial None
An issue was discovered in FastAdmin V1.0.0.20180417_beta. There is XSS via the application\api\controller\User.php avatar parameter.
3347 CVE-2018-10259 79 XSS 2018-05-01 2018-06-05
3.5
None Remote Medium ??? None Partial None
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
3348 CVE-2018-10250 79 XSS 2018-04-20 2018-05-21
3.5
None Remote Medium ??? None Partial None
iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixin_category action, aka a WeChat Classified Management keyword search.
3349 CVE-2018-10234 79 XSS 2018-04-23 2018-05-24
3.5
None Remote Medium ??? None Partial None
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.
3350 CVE-2018-10227 79 XSS 2018-04-19 2018-10-30
3.5
None Remote Medium ??? None Partial None
MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter.