CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2018-18927 79 XSS 2018-11-04 2018-12-11
3.5
None Remote Medium Single system None Partial None
An issue was discovered in PublicCMS V4.0. It allows XSS by modifying the page_list "attached" attribute (which typically has 'class="icon-globe icon-large"' in its value), as demonstrated by an 'UPDATE sys_module SET attached = "[XSS]" WHERE id="page_list"' statement.
302 CVE-2018-18919 79 XSS 2018-11-04 2018-12-11
3.5
None Remote Medium Single system None Partial None
The WP Editor.md plugin 10.0.1 for WordPress allows XSS via the comment area.
303 CVE-2018-18882 79 XSS 2019-03-21 2019-04-03
3.5
None Remote Medium Single system None Partial None
A stored cross-site scripting (XSS) issue was discovered in ControlByWeb X-320M-I Web-Enabled Instrumentation-Grade Data Acquisition module 1.05 with firmware revision v1.05. An authenticated user can inject arbitrary script via setup.html in the web interface.
304 CVE-2018-18880 79 XSS 2019-06-18 2019-06-18
3.5
None Remote Medium Single system None Partial None
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script.
305 CVE-2018-18875 79 XSS 2019-06-18 2019-06-18
3.5
None Remote Medium Single system None Partial None
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.
306 CVE-2018-18872 79 XSS 2019-05-13 2019-05-13
3.5
None Remote Medium Single system None Partial None
The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stored XSS via the event_title parameter in a wp-admin/admin.php?page=calendar add action, or the category name during category creation at the wp-admin/admin.php?page=calendar-categories URI.
307 CVE-2018-18841 79 XSS 2018-10-30 2018-12-06
3.5
None Remote Medium Single system None Partial None
XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Class=edit&CF=SeoAndTag tag_indexkey parameter.
308 CVE-2018-18840 79 XSS 2018-10-30 2018-12-06
3.5
None Remote Medium Single system None Partial None
XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Class=edit&CF=SeoAndTag tag_indexmetatit parameter.
309 CVE-2018-18824 79 XSS 2019-04-25 2019-04-26
3.5
None Remote Medium Single system None Partial None
WolfCMS v0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_manager/browse/.
310 CVE-2018-18823 79 XSS 2019-04-25 2019-04-26
3.5
None Remote Medium Single system None Partial None
WolfCMS 0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_manager/browse/.
311 CVE-2018-18807 79 XSS 2018-11-26 2019-01-02
3.5
None Remote Medium Single system None Partial None
The web application of the TIBCO Statistica component of TIBCO Software Inc.'s TIBCO Statistica Server contains vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Statistica Server versions up to and including 13.4.0.
312 CVE-2018-18745 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Menu.php?lgid=1 during editing.
313 CVE-2018-18744 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the fifth text box to the admin/SEMCMS_Main.php URI.
314 CVE-2018-18743 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the second text field to the admin/SEMCMS_Categories.php?pid=1&lgid=1 URI.
315 CVE-2018-18741 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Download.php?lgid=1 during editing.
316 CVE-2018-18740 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the first input field to the admin/SEMCMS_Link.php?lgid=1 URI.
317 CVE-2018-18739 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Products.php?lgid=1 Keywords field.
318 CVE-2018-18738 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Categories.php?pid=1&lgid=1 category_key parameter.
319 CVE-2018-18736 79 XSS 2018-10-29 2018-12-07
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in catfish blog 2.0.33, related to "write source code."
320 CVE-2018-18733 79 XSS 2018-10-29 2018-12-07
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in Catfish CMS 4.8.30, related to "write source code," a similar issue to CVE-2018-13999.
321 CVE-2018-18726 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in admin/sitelink/editsitelink?id=16 in YUNUCMS 1.1.5.
322 CVE-2018-18725 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in admin/banner/editbanner?id=20 in YUNUCMS 1.1.5.
323 CVE-2018-18724 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in index.php/admin/category/editcategory?id=73 in YUNUCMS 1.1.5.
324 CVE-2018-18723 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in index.php/admin/area/editarea/id/110000 in YUNUCMS 1.1.5.
325 CVE-2018-18722 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in admin/content/editcontent?id=29&gopage=1 in YUNUCMS 1.1.5.
326 CVE-2018-18721 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in admin/link/editlink?id=5 in YUNUCMS 1.1.5.
327 CVE-2018-18720 79 XSS 2018-10-29 2018-12-04
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in index.php/admin/system/basic in YUNUCMS 1.1.5.
328 CVE-2018-18717 79 XSS 2018-10-29 2018-12-10
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Eleanor CMS through 2015-03-19. XSS exists via the ajax.php?direct=admin&file=autocomplete&query=[XSS] URI.
329 CVE-2018-18694 79 XSS 2018-10-29 2018-12-06
3.5
None Remote Medium Single system None Partial None
admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases.
330 CVE-2018-18564 284 2018-11-20 2018-12-28
3.3
None Local Network Low Not required None Partial None
An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, and cobas h 232 before 04.00.04 (Serial number above KQ0400000 or KS0400000). Improper access control allows attackers in the adjacent network to change the instrument configuration.
331 CVE-2018-18562 255 2018-11-20 2018-12-28
3.3
None Local Network Low Not required Partial None None
An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.
332 CVE-2018-18517 79 XSS 2018-10-24 2018-12-06
3.5
None Remote Medium Single system None Partial None
Citrix NetScaler Gateway 10.5.x before 10.5.69.003, 11.1.x before 11.1.59.004, 12.0.x before 12.0.58.7, and 12.1.x before 12.1.49.1 has XSS.
333 CVE-2018-18433 79 XSS 2018-10-17 2018-11-29
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DESTOON B2B 7.0. admin/category.inc.php has XSS via the category[catname] parameter to the admin.php URI.
334 CVE-2018-18431 79 XSS 2018-10-17 2018-11-29
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DESTOON B2B 7.0. XSS exists via certain text boxes to the admin.php?moduleid=2&action=add URI.
335 CVE-2018-18430 79 XSS 2018-10-17 2018-11-29
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DESTOON B2B 7.0. admin\setting.inc.php has XSS via the first text box to the admin.php URI.
336 CVE-2018-18419 79 XSS 2018-10-19 2018-12-04
3.5
None Remote Medium Single system None Partial None
Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, as demonstrated by a .jpg filename to the /account URI.
337 CVE-2018-18417 79 XSS 2018-10-19 2018-12-04
3.5
None Remote Medium Single system None Partial None
In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload sections, as demonstrated by the name parameter to the index.php/admin/client/create URI.
338 CVE-2018-18416 79 XSS 2018-10-19 2018-12-04
3.5
None Remote Medium Single system None Partial None
LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the site_name parameter to the admin/settings/update URI.
339 CVE-2018-18381 79 XSS 2018-10-16 2018-11-30
3.5
None Remote Medium Single system None Partial None
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
340 CVE-2018-18374 79 XSS 2018-10-15 2018-11-27
3.5
None Remote Medium Single system None Partial None
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
341 CVE-2018-18373 79 XSS 2018-10-17 2018-11-30
3.5
None Remote Medium Single system None Partial None
In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, a Stored XSS vulnerability has been discovered in file upload areas in the Chat and Help Desk sections via the msg parameter in a /wp-admin/admin-ajax.php sb_ajax_add_message action.
342 CVE-2018-18290 79 XSS 2018-10-14 2018-12-04
3.5
None Remote Medium Single system None Partial None
** DISPUTED ** An issue was discovered in nc-cms through 2017-03-10. index.php?action=edit_html&name=home_content allows XSS via the HTML Source Editor. NOTE: the vendor disputes this because the form requires administrator privileges, and entering JavaScript is supported functionality.
343 CVE-2018-18276 79 XSS 2019-04-26 2019-04-27
3.5
None Remote Medium Single system None Partial None
XSS exists in the ProFiles 1.5 component for Joomla! via the name or path parameter when creating a new folder in the administrative panel.
344 CVE-2018-18247 79 XSS 2018-12-17 2019-01-04
3.5
None Remote Medium Single system None Partial None
Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter.
345 CVE-2018-18245 79 XSS 2018-12-17 2019-01-04
3.5
None Remote Medium Single system None Partial None
Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to NRPE.
346 CVE-2018-18087 79 XSS 2018-10-09 2018-11-23
3.5
None Remote Medium Single system None Partial None
The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user who has the "Manage portfolio" privilege can inject arbitrary web script or HTML via the Image URL field in the portfolio editor. The vulnerability is triggered by visiting /portfolio/${project_title}.
347 CVE-2018-18029 79 XSS 2018-10-09 2018-11-23
3.5
None Remote Medium Single system None Partial None
Navigate CMS has Stored XSS via the navigate.php Title field in an edit action.
348 CVE-2018-18021 20 DoS 2018-10-07 2019-04-02
3.6
None Local Low Not required None Partial Partial
arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.
349 CVE-2018-17989 79 XSS 2019-04-01 2019-04-02
3.5
None Remote Medium Single system None Partial None
A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page. The injected payload would be executed in a user's browser when "/cgi-bin/New_GUI/Acl.asp" is requested.
350 CVE-2018-17886 79 XSS Bypass 2018-10-02 2018-11-16
3.5
None Remote Medium Single system None Partial None
An issue was discovered in JEESNS 1.3. The XSS filter in com.lxinet.jeesns.core.utils.XssHttpServletRequestWrapper.java could be bypassed, as demonstrated by a <svg/onLoad=confirm substring. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-12429.
Total number of vulnerabilities : 4066   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.