CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
3951 CVE-2017-18704 200 +Info 2020-04-24 2020-04-28
3.3
None Local Network Low Not required Partial None None
Certain NETGEAR devices are affected by an attacker's ability to read arbitrary files. This affects D6220 before 1.0.0.32, D6400 before 1.0.0.60, D8500 before 1.0.3.29, R6250 before 1.0.4.16, R6300v2 before 1.0.4.18, R6400 before 1.01.32, R6400v2 before 1.0.2.44, R6700 before 1.0.1.36, R6900 before 1.0.1.34, R7000 before 1.0.9.14, R7000P before 1.3.0.8, R6900P before 1.3.0.8, R7100LG before 1.0.0.34, R7300DST before 1.0.0.56, R7900 before 1.0.1.26, R8000 before 1.0.4.4, R8500 before 1.0.2.106, R8300 before 1.0.2.106, and WNDR3400v3 before 1.0.1.16.
3952 CVE-2017-18695 522 2020-04-07 2020-04-08
3.5
None Remote Medium ??? Partial None None
An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.0) software. Attackers (who control a certain subdomain) can discover a user's credentials, during an email account login, via an EAS autodiscover packet. The Samsung ID is SVE-2016-7654 (January 2017).
3953 CVE-2017-18680 20 2020-04-07 2020-04-08
3.6
None Local Low Not required Partial Partial None
An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) (tablets) software. The lockscreen interface allows Add User actions, leading to an unintended ability to access user data in external storage. The Samsung ID is SVE-2016-7797 (March 2017).
3954 CVE-2017-18642 200 +Info 2020-02-10 2020-02-12
3.3
None Local Network Low Not required Partial None None
Syska Smart Bulb devices through 2017-08-06 receive RGB parameters over cleartext Bluetooth Low Energy (BLE), leading to sniffing, reverse engineering, and replay attacks.
3955 CVE-2017-18601 79 XSS 2019-09-10 2019-09-10
3.5
None Remote Medium ??? None Partial None
The examapp plugin 1.0 for WordPress has XSS via exam input text fields.
3956 CVE-2017-18600 79 XSS 2019-09-10 2019-09-10
3.5
None Remote Medium ??? None Partial None
The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field.
3957 CVE-2017-18481 79 XSS 2019-08-05 2019-08-07
3.5
None Remote Medium ??? None Partial None
cPanel before 62.0.4 allows stored XSS in the WHM Account Suspension List interface (SEC-211).
3958 CVE-2017-18473 79 XSS 2019-08-05 2019-08-07
3.5
None Remote Medium ??? None Partial None
cPanel before 62.0.4 allows self XSS on the webmail Password and Security page (SEC-199).
3959 CVE-2017-18471 79 XSS 2019-08-05 2019-08-07
3.5
None Remote Medium ??? None Partial None
cPanel before 62.0.4 allows self XSS on the paper_lantern password-change screen (SEC-197).
3960 CVE-2017-18458 20 2019-08-02 2019-08-06
3.6
None Local Low Not required None Partial Partial
cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).
3961 CVE-2017-18454 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface (SEC-262).
3962 CVE-2017-18437 74 Exec Code 2019-08-02 2019-08-09
3.6
None Local Low Not required Partial Partial None
cPanel before 64.0.21 allows a Webmail account to execute code via forwarders (SEC-240).
3963 CVE-2017-18420 79 XSS 2019-08-02 2019-08-05
3.5
None Remote Medium ??? None Partial None
cPanel before 66.0.2 allows stored XSS during WHM cPAddons processing (SEC-269).
3964 CVE-2017-18419 79 XSS 2019-08-02 2019-08-05
3.5
None Remote Medium ??? None Partial None
cPanel before 66.0.2 allows stored XSS during WHM cPAddons uninstallation (SEC-266).
3965 CVE-2017-18418 79 XSS 2019-08-02 2019-08-05
3.5
None Remote Medium ??? None Partial None
cPanel before 66.0.2 allows stored XSS during WHM cPAddons file operations (SEC-265).
3966 CVE-2017-18417 79 XSS 2019-08-02 2019-08-05
3.5
None Remote Medium ??? None Partial None
cPanel before 66.0.2 allows stored XSS during WHM cPAddons installation (SEC-263).
3967 CVE-2017-18416 284 2019-08-02 2019-08-12
3.6
None Local Low Not required None Partial Partial
cPanel before 67.9999.103 allows arbitrary file-overwrite operations during a Roundcube SQLite schema update (SEC-303).
3968 CVE-2017-18408 79 XSS 2019-08-02 2019-08-12
3.5
None Remote Medium ??? None Partial None
cPanel before 67.9999.103 allows stored XSS in WHM MySQL Password Change interfaces (SEC-282).
3969 CVE-2017-18402 79 XSS 2019-08-02 2019-08-13
3.5
None Remote Medium ??? None Partial None
cPanel before 68.0.15 allows stored XSS during a cpaddons moderated upgrade (SEC-336).
3970 CVE-2017-18286 79 XSS 2018-06-05 2018-07-31
3.5
None Remote Medium ??? None Partial None
nZEDb v0.7.3.3 has XSS in the 404 error page.
3971 CVE-2017-18285 732 2018-06-04 2019-10-03
3.6
None Local Low Not required Partial Partial None
The Gentoo app-backup/burp package before 2.1.32 has incorrect group ownership of the /etc/burp directory, which might allow local users to obtain read and write access to arbitrary files by leveraging access to a certain account for a burp-server.conf change.
3972 CVE-2017-18284 732 2018-06-04 2019-10-03
3.6
None Local Low Not required None Partial Partial
The Gentoo app-backup/burp package before 2.1.32 sets the ownership of the PID file directory to the burp account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL.
3973 CVE-2017-18270 DoS 2018-05-18 2020-08-14
3.6
None Local Low Not required None Partial Partial
In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.
3974 CVE-2017-18259 79 XSS 2018-04-11 2018-05-16
3.5
None Remote Medium ??? None Partial None
Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in versions through 7.0.0.
3975 CVE-2017-18248 20 2018-03-26 2018-07-13
3.5
None Remote Medium ??? None None Partial
The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification.
3976 CVE-2017-18228 79 XSS 2018-03-12 2018-04-09
3.5
None Remote Medium ??? None Partial None
Remedy Mid Tier in BMC Remedy AR System 9.1 allows XSS via the ATTKey parameter in an arsys/servlet/AttachServlet request.
3977 CVE-2017-18177 79 XSS 2018-02-12 2018-03-05
3.5
None Remote Medium ??? None Partial None
Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.
3978 CVE-2017-18176 79 XSS 2018-02-12 2018-03-05
3.5
None Remote Medium ??? None Partial None
Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.
3979 CVE-2017-18175 79 XSS 2018-02-12 2018-03-05
3.5
None Remote Medium ??? None Partial None
Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.
3980 CVE-2017-18102 79 XSS 2018-04-17 2019-10-08
3.5
None Remote Medium ??? None Partial None
The wiki markup component of atlassian-renderer from version 8.0.0 before version 8.0.22 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in nested wiki markup.
3981 CVE-2017-18097 79 XSS 2018-04-06 2018-05-09
3.5
None Remote Medium ??? None Partial None
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.
3982 CVE-2017-18094 79 XSS 2018-03-22 2018-04-18
3.5
None Remote Medium ??? None Partial None
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository.
3983 CVE-2017-18093 79 XSS 2018-02-19 2018-03-12
3.5
None Remote Medium ??? None Partial None
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository.
3984 CVE-2017-18092 79 XSS 2018-02-19 2018-03-12
3.5
None Remote Medium ??? None Partial None
The print snippet resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of a comment on the snippet.
3985 CVE-2017-18091 79 XSS 2018-02-16 2018-03-06
3.5
None Remote Medium ??? None Partial None
The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup.
3986 CVE-2017-18089 79 XSS 2018-02-16 2018-03-06
3.5
None Remote Medium ??? None Partial None
The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review.
3987 CVE-2017-18084 79 XSS 2018-02-02 2019-04-26
3.5
None Remote Medium ??? None Partial None
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.
3988 CVE-2017-18083 79 XSS 2018-02-02 2018-02-15
3.5
None Remote Medium ??? None Partial None
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
3989 CVE-2017-18082 79 XSS 2018-02-02 2018-02-13
3.5
None Remote Medium ??? None Partial None
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
3990 CVE-2017-18041 79 XSS 2018-02-02 2019-04-30
3.5
None Remote Medium ??? None Partial None
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
3991 CVE-2017-18040 79 XSS 2018-02-02 2018-10-17
3.5
None Remote Medium ??? None Partial None
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
3992 CVE-2017-18034 79 XSS 2018-02-02 2020-11-25
3.5
None Remote Medium ??? None Partial None
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.
3993 CVE-2017-18019 20 2018-01-04 2018-01-19
3.6
None Local Low Not required Partial None Partial
In K7 Total Security before 15.1.0.305, user-controlled input to the K7Sentry device is not sufficiently sanitized: the user-controlled input can be used to compare an arbitrary memory address with a fixed value, which in turn can be used to read the contents of arbitrary memory. Similarly, the product crashes upon a \\.\K7Sentry DeviceIoControl call with an invalid kernel pointer.
3994 CVE-2017-18004 79 XSS 2017-12-31 2018-01-11
3.5
None Remote Medium ??? None Partial None
Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps/default/mapAndPoint.
3995 CVE-2017-17995 79 XSS 2017-12-30 2018-01-09
3.5
None Remote Medium ??? None Partial None
Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request.
3996 CVE-2017-17994 79 XSS 2017-12-30 2018-01-09
3.5
None Remote Medium ??? None Partial None
Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request.
3997 CVE-2017-17993 79 XSS 2017-12-30 2018-01-09
3.5
None Remote Medium ??? None Partial None
Biometric Shift Employee Management System has XSS via the amount parameter in an index.php?user=addition_deduction request.
3998 CVE-2017-17991 79 XSS 2017-12-30 2018-01-09
3.5
None Remote Medium ??? None Partial None
Biometric Shift Employee Management System has XSS via the expense_name parameter in an index.php?user=expenses request.
3999 CVE-2017-17989 79 XSS 2017-12-30 2018-01-09
3.5
None Remote Medium ??? None Partial None
Biometric Shift Employee Management System has XSS via the index.php holiday_name parameter in an edit_holiday action.
4000 CVE-2017-17988 79 XSS 2017-12-30 2018-01-09
3.5
None Remote Medium ??? None Partial None
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_add.php event_title parameter.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.