CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
4051 CVE-2017-16789 79 XSS 2017-12-11 2018-03-16
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Integration Matters nJAMS 3 before 3.2.0 Hotfix 7, as used in TIBCO BusinessWorks Process Monitor through 3.0.1.3 and other products, allows remote authenticated administrators to inject arbitrary web script or HTML via the users management panel of the web interface.
4052 CVE-2017-16781 79 XSS 2017-11-10 2017-11-27
3.5
None Remote Medium ??? None Partial None
The installer in MyBB before 1.8.13 has XSS.
4053 CVE-2017-16774 79 XSS 2019-04-01 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
4054 CVE-2017-16768 79 XSS 2017-12-27 2018-01-10
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter.
4055 CVE-2017-16767 79 XSS 2018-02-27 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
4056 CVE-2017-16758 79 XSS 2017-11-09 2017-12-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in admin/partials/uif-access-token-display.php in the Ultimate Instagram Feed plugin before 1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "access_token" parameter.
4057 CVE-2017-16710 79 XSS 2018-07-11 2018-09-05
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
4058 CVE-2017-16636 79 +Priv XSS Bypass 2017-11-06 2017-11-29
3.5
None Remote Medium ??? None Partial None
In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the new page, new category, and edit post function body message context. Remote attackers are able to bypass the basic editor validation to trigger cross site scripting. The XSS is persistent and the request method to inject via editor is GET. To save the editor context, the followup POST method request must be processed to perform the attack via the application side. The basic validation of the editor does not allow injecting script codes and blocks the context. Attackers can inject the code by using an editor tag that is not recognized by the basic validation. Thus allows a restricted user account to inject malicious script code to perform a persistent attack against higher privilege web-application user accounts.
4059 CVE-2017-16635 79 Exec Code XSS 2017-11-06 2017-11-29
3.5
None Remote Medium ??? None Partial None
In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create.
4060 CVE-2017-16568 79 XSS 2017-11-10 2017-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a radio URL.
4061 CVE-2017-16567 79 XSS 2017-11-10 2017-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a "favorite."
4062 CVE-2017-16564 79 XSS 2017-11-06 2017-11-27
3.5
None Remote Medium ??? None Partial None
Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148).
4063 CVE-2017-16230 79 XSS 2017-10-30 2017-11-17
3.5
None Remote Medium ??? None Partial None
In admin/write-post.php in Typecho through 1.1, one can log in to the background page, write a new article, and add payload in the article content, resulting in XSS via index.php/action/contents-post-edit.
4064 CVE-2017-15948 79 XSS 2017-10-28 2019-11-18
3.5
None Remote Medium ??? None Partial None
Perch Content Management System 3.0.3 allows unrestricted file upload (with resultant XSS) via the Asset Title field in conjunction with the Select File field. This is exploitable with a Limited Admin account.
4065 CVE-2017-15947 79 XSS 2017-10-28 2020-09-16
3.5
None Remote Medium ??? None Partial None
Simple ASC Content Management System v1.2 has XSS in the location field in the sign function, related to guestbook.asp, formgb.asp, and msggb.asp.
4066 CVE-2017-15936 79 XSS 2017-10-27 2017-11-14
3.5
None Remote Medium ??? None Partial None
In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed.
4067 CVE-2017-15934 79 XSS 2017-10-27 2017-11-14
3.5
None Remote Medium ??? None Partial None
Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter.
4068 CVE-2017-15911 79 Exec Code XSS Bypass CSRF 2017-10-26 2017-11-17
3.5
None Remote Medium ??? None Partial None
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.
4069 CVE-2017-15892 79 XSS 2017-12-28 2019-10-09
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.
4070 CVE-2017-15890 79 XSS 2017-12-15 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.
4071 CVE-2017-15888 79 XSS 2017-10-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter.
4072 CVE-2017-15881 79 XSS 2017-10-24 2019-12-09
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.
4073 CVE-2017-15872 79 XSS 2017-10-24 2017-10-31
3.5
None Remote Medium ??? None Partial None
phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field.
4074 CVE-2017-15835 835 DoS 2018-12-07 2019-10-03
3.3
None Local Network Low Not required None None Partial
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service.
4075 CVE-2017-15811 79 XSS 2017-10-23 2017-11-14
3.5
None Remote Medium ??? None Partial None
The Pootle Button plugin before 1.2.0 for WordPress has XSS via the assets_url parameter in assets/dialog.php, exploitable via wp-admin/admin-ajax.php.
4076 CVE-2017-15728 79 XSS 2017-10-22 2017-10-24
3.5
None Remote Medium ??? None Partial None
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via metaDescription or metaKeywords.
4077 CVE-2017-15727 79 XSS 2017-10-22 2019-03-14
3.5
None Remote Medium ??? None Partial None
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.
4078 CVE-2017-15703 502 DoS 2018-01-25 2018-02-12
3.5
None Remote Medium ??? None None Partial
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
4079 CVE-2017-15640 79 XSS 2018-04-21 2018-05-24
3.5
None Remote Medium ??? None Partial None
app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter.
4080 CVE-2017-15538 79 +Priv XSS 2017-10-17 2018-06-19
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.
4081 CVE-2017-15515 79 XSS 2019-03-04 2019-03-07
3.5
None Remote Medium ??? None Partial None
NetApp SnapCenter Server prior to 4.0 is susceptible to cross site scripting vulnerability that could allow a privileged user to inject arbitrary scripts into the custom secondary policy label field.
4082 CVE-2017-15360 79 XSS 2017-10-15 2017-11-01
3.5
None Remote Medium ??? None Partial None
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all group names created, related to incorrect error handling for an HTML encoded script.
4083 CVE-2017-15322 20 2017-12-22 2018-01-09
3.3
None Local Network Low Not required None None Partial
Some Huawei smartphones with software of BGO-L03C158B003CUSTC158D001 and BGO-L03C331B009CUSTC331D001 have a DoS vulnerability due to insufficient input validation. An attacker could exploit this vulnerability by sending specially crafted NFC messages to the target device. Successful exploit could make a service crash.
4084 CVE-2017-15312 79 XSS 2017-12-22 2018-01-04
3.5
None Remote Medium ??? None Partial None
Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) vulnerability in the dashboard module. A remote authenticated attacker could exploit this vulnerability to inject malicious scripts in the affected device.
4085 CVE-2017-15284 79 Exec Code XSS 2017-10-12 2020-08-03
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
4086 CVE-2017-15279 79 XSS 2017-10-12 2017-10-25
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs.
4087 CVE-2017-15278 79 Exec Code XSS 2017-10-12 2017-10-26
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
4088 CVE-2017-15273 79 XSS 2017-10-31 2017-11-13
3.5
None Remote Medium ??? None Partial None
Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as titles in internal artefacts.
4089 CVE-2017-15219 79 XSS 2017-10-10 2017-10-25
3.5
None Remote Medium ??? None Partial None
The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Scripting (XSS) affecting a vanity-urls Title field, a containers Description field, and a templates Description field.
4090 CVE-2017-15214 79 +Priv XSS 2017-10-11 2017-10-27
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (including unauthenticated users), via the name, title, or id parameter to plugins/dokuwiki/lib/plugins/changelinks/syntax.php.
4091 CVE-2017-15213 79 +Priv XSS 2017-10-11 2017-10-27
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field to themes/CleanFS/templates/common.editallusers.tpl.
4092 CVE-2017-15188 79 XSS 2017-10-11 2021-02-23
3.5
None Remote Medium ??? None Partial None
A persistent (stored) XSS vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the hosts array parameter to module/admin_device/index.php.
4093 CVE-2017-15125 79 XSS 2018-07-27 2019-10-09
3.5
None Remote Medium ??? None Partial None
A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.
4094 CVE-2017-15113 532 2018-07-27 2019-10-09
3.5
None Remote Medium ??? Partial None None
ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues.
4095 CVE-2017-15111 59 2018-01-20 2019-08-06
3.6
None Local Low Not required None Partial Partial
keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link.
4096 CVE-2017-15093 20 2018-01-23 2019-10-09
3.5
None Remote Medium ??? None Partial None
When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration.
4097 CVE-2017-15051 79 XSS 2017-11-27 2017-12-07
3.5
None Remote Medium ??? None Partial None
Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first authenticated to the application. For the first one, the attacker has to simply inject XSS code within the URL field of a shared item. For the second one however, the attacker must prepare a payload within its profile, and then ask an administrator to modify its profile. From there, whenever the administrator accesses the log, it can be XSS'ed.
4098 CVE-2017-15039 79 XSS 2017-11-06 2017-11-22
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 via a data: URL in the redirectUrl parameter to app/index.php/meetings/default/createMeeting.
4099 CVE-2017-15008 79 XSS 2017-10-04 2017-10-12
3.5
None Remote Medium ??? None Partial None
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all sensor titles, related to incorrect error handling for a %00 in the SRC attribute of an IMG element.
4100 CVE-2017-14985 79 XSS 2017-10-03 2021-02-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the url parameter to module/module_frame/index.php.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.