CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | CVSS Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2018-1000177 | 79 | | XSS | 2018-05-08 | 2018-06-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions. |
| 2 | CVE-2018-1000172 | 79 | | XSS | 2018-04-30 | 2018-06-07 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Imagely NextGEN Gallery version 2.2.30 and earlier contains a Cross Site Scripting (XSS) vulnerability in Image Alt & Title Text. This attack appears to be exploitable via a victim viewing the image in the administrator page. This vulnerability appears to have been fixed in 2.2.45. |
| 3 | CVE-2018-1000170 | 79 | | XSS | 2018-04-16 | 2018-05-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
| 4 | CVE-2018-1000161 | 22 | | Dir. Trav. | 2018-04-18 | 2018-05-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | nmap version 6.49BETA6 through 7.60, up to and including SVN revision 37147 contains a Directory Traversal vulnerability in NSE script http-fetch that can result in file overwrite as the user is running it. This attack appears to be exploitable via a victim that runs NSE script http-fetch against a malicious web site. This vulnerability appears to have been fixed in 7.7. |
| 5 | CVE-2018-1000113 | 79 | | XSS | 2018-03-13 | 2018-04-04 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript. |
| 6 | CVE-2018-1000095 | 79 | | XSS | 2018-03-12 | 2018-04-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3. |
| 7 | CVE-2018-1000087 | 79 | | XSS | 2018-03-13 | 2018-04-10 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | WolfCMS version 0.8.3.1 contains a Reflected Cross Site Scripting vulnerability in the "Create New File" and "Create New Directory" input boxes of the 'files' tab that can result in session hijacking, spreading worms, or controlling the browser remotely. This attack appears to be exploitable via an attacker executing JavaScript in the "Create New File" and "Create New Directory" input boxes of the 'files' tab. |
| 8 | CVE-2018-1000084 | 79 | | XSS | 2018-03-13 | 2018-04-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | WolfCMS version 0.8.3.1 contains a Stored Cross-Site Scripting vulnerability in Layout Name (from the Layout tab) that can result in a low-privilege user stealing the cookie of the admin user and compromising the admin account. This attack appears to be exploitable by entering JavaScript code into Layout Name. |
| 9 | CVE-2018-1000062 | 79 | | XSS | 2018-02-09 | 2018-03-05 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml', that can result in an attacker executing arbitrary script in an unsuspecting user's browser. This attack appears to be exploitable via a crafted SVG file. |
| 10 | CVE-2018-11581 | 79 | | XSS | 2018-06-01 | 2018-06-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability on Brother HL-L2340D and HL-L2380DW series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html. |
| 11 | CVE-2018-11208 | 79 | | XSS | 2018-05-16 | 2018-06-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | ** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the "copyright information office" field. NOTE: the vendor indicates that the product was not intended to block this type of XSS by a user with the admin privilege. |
| 12 | CVE-2018-10989 | 255 | | Bypass | 2018-05-14 | 2018-06-19 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distributed by some ISPs with a default password of "password" for the admin account that is used over an unencrypted http://192.168.0.1 connection, which might allow remote attackers to bypass intended access restrictions by leveraging access to the local network. NOTE: one or more user's guides distributed by ISPs state "At a minimum, you should set a login password." |
| 13 | CVE-2018-10806 | 79 | | XSS CSRF | 2018-05-08 | 2018-06-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross Site Scripting Vulnerability via the file[current_name] parameter to the admin/?/plugin/file_manager/rename URI. This can be used in conjunction with CSRF. |
| 14 | CVE-2018-10752 | 79 | | XSS | 2018-05-04 | 2018-06-07 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The Tagregator plugin 0.6 for WordPress has stored XSS via the title field in an Add New action. |
| 15 | CVE-2018-10726 | 79 | | XSS | 2018-05-04 | 2018-06-05 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | ** DISPUTED ** A stored XSS vulnerability was found in Datenstrom Yellow 0.7.3 via an "Edit page" action. NOTE: the vendor disputes the relevance of this report because an installation accessible to untrusted users is supposed to have parserSafeMode=1 in system/config/config.ini to prevent XSS. |
| 16 | CVE-2018-10680 | 79 | | XSS | 2018-05-02 | 2018-06-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | ** DISPUTED ** Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is "just a functional bug." |
| 17 | CVE-2018-10580 | 79 | | XSS | 2018-05-11 | 2018-06-14 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field. |
| 18 | CVE-2018-10570 | 79 | | XSS | 2018-04-30 | 2018-06-07 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Frog CMS 0.9.5 has XSS in /install/index.php via the ['config']['admin_username'] field. |
| 19 | CVE-2018-10554 | 79 | | XSS CSRF | 2018-04-29 | 2018-06-05 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter. |
| 20 | CVE-2018-10527 | 79 | | XSS | 2018-04-28 | 2018-06-05 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | EasyCMS 1.3 is prone to Stored XSS when posting an article; four fields are affected: title, keyword, abstract, and content, as demonstrated by the /admin/index/index.html#listarticle URI. |
| 21 | CVE-2018-10430 | 79 | | XSS | 2018-04-26 | 2018-06-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in DiliCMS (aka DiligentCMS) 2.4.0. There is a Stored XSS Vulnerability in the fourth textbox of "System setting->site setting" of admin/index.php. |
| 22 | CVE-2018-10422 | 79 | | XSS | 2018-04-26 | 2018-05-25 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field. |
| 23 | CVE-2018-10391 | 79 | | XSS | 2018-04-26 | 2018-05-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email parameter to the index.php?m=member&v=register URI. |
| 24 | CVE-2018-10368 | 79 | | XSS | 2018-04-25 | 2018-05-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement. |
| 25 | CVE-2018-10367 | 79 | | XSS | 2018-04-25 | 2018-05-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section. |
| 26 | CVE-2018-10365 | 79 | | XSS | 2018-05-01 | 2018-06-05 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized. |
| 27 | CVE-2018-10364 | 79 | | XSS | 2018-04-30 | 2018-06-05 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | BigTree before 4.2.22 has XSS in the Users management page via the name or company field. |
| 28 | CVE-2018-10328 | 798 | | | 2018-04-24 | 2018-06-04 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | Momentum Axel 720P 5.1.8 devices have a hardcoded password of streaming for the appagent account, which allows remote attackers to view the RTSP video stream. |
| 29 | CVE-2018-10326 | 79 | | XSS | 2018-05-17 | 2018-06-19 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | PrinterOn Enterprise 4.1.3 suffers from multiple authenticated stored XSS vulnerabilities via the (1) department field in the printer configuration, (2) description field in the print server configuration, and (3) username field for authentication to print as guest. |
| 30 | CVE-2018-10321 | 79 | | XSS | 2018-04-24 | 2018-05-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings. |
| 31 | CVE-2018-10320 | 79 | | XSS | 2018-04-23 | 2018-05-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Frog CMS 0.9.5 has XSS via the admin/?/layout/edit layout[name] parameter, aka Edit Layout. |
| 32 | CVE-2018-10319 | 79 | | XSS | 2018-04-23 | 2018-05-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit snippet[name] parameter, aka Edit Snippet. |
| 33 | CVE-2018-10318 | 79 | | XSS | 2018-04-23 | 2018-05-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Frog CMS 0.9.5 has XSS via the admin/?/page/edit page[keywords] parameter, aka Edit Page Metadata. |
| 34 | CVE-2018-10314 | 79 | | XSS | 2018-05-09 | 2018-06-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the action parameter in the Discover -> Audit Scripts -> List Scripts -> Download section. |
| 35 | CVE-2018-10313 | 79 | | XSS | 2018-04-23 | 2018-05-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI. |
| 36 | CVE-2018-10310 | 79 | | Exec Code XSS | 2018-04-25 | 2018-06-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A persistent cross-site scripting vulnerability has been identified in the web interface of the Catapult UK Cookie Consent plugin before 2.3.10 for WordPress that allows the execution of arbitrary HTML/script code in the context of a victim's browser. |
| 37 | CVE-2018-10309 | 79 | | XSS | 2018-04-23 | 2018-06-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The Responsive Cookie Consent plugin before 1.8 for WordPress mishandles number fields, leading to XSS. |
| 38 | CVE-2018-10298 | 79 | | XSS | 2018-04-22 | 2018-05-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content. |
| 39 | CVE-2018-10297 | 79 | | XSS | 2018-04-22 | 2018-05-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images. |
| 40 | CVE-2018-10268 | 79 | | XSS | 2018-04-21 | 2018-05-25 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in FastAdmin V1.0.0.20180417_beta. There is XSS via the application\api\controller\User.php avatar parameter. |
| 41 | CVE-2018-10259 | 79 | | XSS | 2018-05-01 | 2018-06-05 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user. |
| 42 | CVE-2018-10250 | 79 | | XSS | 2018-04-20 | 2018-05-21 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixin_category action, aka a WeChat Classified Management keyword search. |
| 43 | CVE-2018-10234 | 79 | | XSS | 2018-04-23 | 2018-05-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page. |
| 44 | CVE-2018-10227 | 79 | | XSS | 2018-04-19 | 2018-05-21 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter. |
| 45 | CVE-2018-10221 | 79 | | XSS | 2018-04-19 | 2018-05-21 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS vulnerability that can steal the administrator cookies via the tag[tag] parameter to the index.php?m=tags&f=index&v=add&&_su=wuzhicms URI. After a website editor (whose privilege is lower than the administrator) logs in, he can add a new TAGS with the XSS payload. |
| 46 | CVE-2018-10213 | 79 | | XSS | 2018-04-25 | 2018-05-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is XSS in invitation mail received from a different user, who can modify the HTML in that mail before sending it. |
| 47 | CVE-2018-10209 | 79 | | XSS | 2018-04-25 | 2018-05-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is Stored XSS on the file or folder download pop-up via a crafted file or folder name. |
| 48 | CVE-2018-10206 | 79 | | XSS | 2018-04-25 | 2018-05-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is Stored XSS via the optional message field of a file request. |
| 49 | CVE-2018-10165 | 79 | | XSS | 2018-05-03 | 2018-06-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows. |
| 50 | CVE-2018-10164 | 79 | | XSS | 2018-05-03 | 2018-06-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows. |
Total number of vulnerabilities: 3203 (page 1 of 65)