CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
401 CVE-2018-10593 89 Sql 2018-05-24 2018-06-26
3.8
None Local Network Medium Single system None Partial Partial
A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corruption.
402 CVE-2018-10586 79 XSS 2018-11-01 2018-12-12
3.5
None Remote Medium Single system None Partial None
NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12.
403 CVE-2018-10580 79 XSS 2018-05-11 2018-06-14
3.5
None Remote Medium Single system None Partial None
The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field.
404 CVE-2018-10570 79 XSS 2018-04-30 2018-06-07
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS in /install/index.php via the ['config']['admin_username'] field.
405 CVE-2018-10554 79 XSS CSRF 2018-04-29 2018-06-05
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter.
406 CVE-2018-10527 79 XSS 2018-04-28 2018-06-05
3.5
None Remote Medium Single system None Partial None
EasyCMS 1.3 is prone to Stored XSS when posting an article; four fields are affected: title, keyword, abstract, and content, as demonstrated by the /admin/index/index.html#listarticle URI.
407 CVE-2018-10430 79 XSS 2018-04-26 2018-06-06
3.5
None Remote Medium Single system None Partial None
An issue was discovered in DiliCMS (aka DiligentCMS) 2.4.0. There is a Stored XSS Vulnerability in the fourth textbox of "System setting->site setting" of admin/index.php.
408 CVE-2018-10422 79 XSS 2018-04-26 2018-05-25
3.5
None Remote Medium Single system None Partial None
An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field.
409 CVE-2018-10391 79 XSS 2018-04-26 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email parameter to the index.php?m=member&v=register URI.
410 CVE-2018-10382 79 XSS 2018-06-01 2018-06-27
3.5
None Remote Medium Single system None Partial None
MODX Revolution 2.6.3 has XSS.
411 CVE-2018-10368 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement.
412 CVE-2018-10367 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section.
413 CVE-2018-10365 79 XSS 2018-05-01 2018-06-05
3.5
None Remote Medium Single system None Partial None
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
414 CVE-2018-10364 79 XSS 2018-04-30 2018-06-05
3.5
None Remote Medium Single system None Partial None
BigTree before 4.2.22 has XSS in the Users management page via the name or company field.
415 CVE-2018-10328 798 2018-04-24 2018-08-30
3.3
None Local Network Low Not required Partial None None
Momentum Axel 720P 5.1.8 devices have a hardcoded password of streaming for the appagent account, which allows remote attackers to view the RTSP video stream.
416 CVE-2018-10326 79 XSS 2018-05-17 2018-06-19
3.5
None Remote Medium Single system None Partial None
PrinterOn Enterprise 4.1.3 suffers from multiple authenticated stored XSS vulnerabilities via the (1) department field in the printer configuration, (2) description field in the print server configuration, and (3) username field for authentication to print as guest.
417 CVE-2018-10321 79 XSS 2018-04-24 2018-05-16
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings.
418 CVE-2018-10320 79 XSS 2018-04-23 2018-05-16
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/layout/edit layout[name] parameter, aka Edit Layout.
419 CVE-2018-10319 79 XSS 2018-04-23 2018-05-16
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit snippet[name] parameter, aka Edit Snippet.
420 CVE-2018-10318 79 XSS 2018-04-23 2018-05-16
3.5
None Remote Medium Single system None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/page/edit page[keywords] parameter, aka Edit Page Metadata.
421 CVE-2018-10314 79 XSS 2018-05-09 2018-06-13
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the action parameter in the Discover -> Audit Scripts -> List Scripts -> Download section.
422 CVE-2018-10313 79 XSS 2018-04-23 2018-05-23
3.5
None Remote Medium Single system None Partial None
WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.
423 CVE-2018-10310 79 Exec Code XSS 2018-04-25 2018-06-13
3.5
None Remote Medium Single system None Partial None
A persistent cross-site scripting vulnerability has been identified in the web interface of the Catapult UK Cookie Consent plugin before 2.3.10 for WordPress that allows the execution of arbitrary HTML/script code in the context of a victim's browser.
424 CVE-2018-10309 79 XSS 2018-04-23 2018-06-06
3.5
None Remote Medium Single system None Partial None
The Responsive Cookie Consent plugin before 1.8 for WordPress mishandles number fields, leading to XSS.
425 CVE-2018-10298 79 XSS 2018-04-22 2018-05-18
3.5
None Remote Medium Single system None Partial None
Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content.
426 CVE-2018-10297 79 XSS 2018-04-22 2018-05-18
3.5
None Remote Medium Single system None Partial None
Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images.
427 CVE-2018-10268 79 XSS 2018-04-21 2018-05-25
3.5
None Remote Medium Single system None Partial None
An issue was discovered in FastAdmin V1.0.0.20180417_beta. There is XSS via the application\api\controller\User.php avatar parameter.
428 CVE-2018-10259 79 XSS 2018-05-01 2018-06-05
3.5
None Remote Medium Single system None Partial None
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
429 CVE-2018-10250 79 XSS 2018-04-20 2018-05-21
3.5
None Remote Medium Single system None Partial None
iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixin_category action, aka a WeChat Classified Management keyword search.
430 CVE-2018-10234 79 XSS 2018-04-23 2018-05-24
3.5
None Remote Medium Single system None Partial None
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.
431 CVE-2018-10227 79 XSS 2018-04-19 2018-10-30
3.5
None Remote Medium Single system None Partial None
MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter.
432 CVE-2018-10221 79 XSS 2018-04-19 2018-05-21
3.5
None Remote Medium Single system None Partial None
An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS vulnerability that can steal the administrator cookies via the tag[tag] parameter to the index.php?m=tags&f=index&v=add&&_su=wuzhicms URI. After a website editor (whose privilege is lower than the administrator) logs in, he can add a new TAGS with the XSS payload.
433 CVE-2018-10213 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is XSS in invitation mail received from a different user, who can modify the HTML in that mail before sending it.
434 CVE-2018-10209 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is Stored XSS on the file or folder download pop-up via a crafted file or folder name.
435 CVE-2018-10206 79 XSS 2018-04-25 2018-05-24
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is Stored XSS via the optional message field of a file request.
436 CVE-2018-10165 79 XSS 2018-05-03 2018-06-12
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows.
437 CVE-2018-10164 79 XSS 2018-05-03 2018-06-12
3.5
None Remote Medium Single system None Partial None
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows.
438 CVE-2018-10121 79 XSS 2018-04-16 2018-05-16
3.5
None Remote Medium Single system None Partial None
plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the title section of an admin/index.php?id=pages&action=edit_page&name=error404 (aka Edit 404 page) action.
439 CVE-2018-10118 79 XSS 2018-04-16 2018-06-09
3.5
None Remote Medium Single system None Partial None
Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.
440 CVE-2018-10110 79 XSS 2018-04-18 2018-05-21
3.5
None Remote Medium Single system None Partial None
D-Link DIR-615 T1 devices allow XSS via the Add User feature.
441 CVE-2018-10109 79 XSS 2018-04-16 2018-05-16
3.5
None Remote Medium Single system None Partial None
Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog.
442 CVE-2018-10096 79 XSS 2018-04-13 2018-05-11
3.5
None Remote Medium Single system None Partial None
joyplus-cms 1.6.0 has XSS via the device_name parameter in a manager/admin_ajax.php?action=save flag=add request.
443 CVE-2018-10078 79 XSS 2018-04-20 2018-05-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via a server description.
444 CVE-2018-10073 79 XSS 2018-04-12 2018-05-14
3.5
None Remote Medium Single system None Partial None
joyplus-cms 1.6.0 has XSS in manager/admin_vod.php via the keyword parameter.
445 CVE-2018-10061 79 XSS 2018-04-12 2018-04-26
3.5
None Remote Medium Single system None Partial None
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
446 CVE-2018-10060 79 XSS 2018-04-12 2018-04-26
3.5
None Remote Medium Single system None Partial None
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
447 CVE-2018-10059 79 XSS 2018-04-12 2018-04-26
3.5
None Remote Medium Single system None Partial None
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
448 CVE-2018-10052 79 XSS 2018-04-11 2018-05-09
3.5
None Remote Medium Single system None Partial None
iScripts SupportDesk v4.3 has XSS via the admin/inteligentsearchresult.php txtinteligentsearch parameter.
449 CVE-2018-10051 79 XSS 2018-04-11 2018-05-09
3.5
None Remote Medium Single system None Partial None
iScripts SupportDesk v4.3 has XSS via the staff/inteligentsearchresult.php txtinteligentsearch parameter.
450 CVE-2018-10049 79 XSS 2018-04-11 2018-05-09
3.5
None Remote Medium Single system None Partial None
iScripts eSwap v2.4 has XSS via the "registration_settings.php" txtDate parameter in the Admin Panel.
Total number of vulnerabilities : 3882   Page : 1 2 3 4 5 6 7 8 9 (This Page)10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.