CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
(Each row is followed by the vulnerability description on the next line.)
1 | CVE-2018-1000113 | 79 | | XSS | 2018-03-13 | 2018-04-04 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript
2 | CVE-2018-1000095 | 79 | | XSS | 2018-03-12 | 2018-04-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3.
3 | CVE-2018-1000087 | 79 | | XSS | 2018-03-13 | 2018-04-10 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
WolfCMS version 0.8.3.1 contains a Reflected Cross Site Scripting vulnerability in the "Create New File" and "Create New Directory" input boxes of the 'files' tab that can result in session hijacking, spreading worms, or remote control of the browser. This attack appears to be exploitable by an attacker entering JavaScript into the "Create New File" and "Create New Directory" input boxes of the 'files' tab.
4 | CVE-2018-1000084 | 79 | | XSS | 2018-03-13 | 2018-04-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
WolfCMS version 0.8.3.1 contains a Stored Cross-Site Scripting vulnerability in Layout Name (from the Layout tab) that can result in a low-privilege user stealing the cookie of the admin user and compromising the admin account. This attack appears to be exploitable by entering JavaScript code into Layout Name.
5 | CVE-2018-1000062 | 79 | | XSS | 2018-02-09 | 2018-03-05 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting vulnerability on file upload through SVG in uploadFileAction(), 'svg' => 'image/svg+xml', that can result in an attacker executing arbitrary script in an unsuspecting user's browser. This attack appears to be exploitable via a crafted SVG file.
6 | CVE-2018-10061 | 79 | | XSS | 2018-04-12 | 2018-04-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
7 | CVE-2018-10060 | 79 | | XSS | 2018-04-12 | 2018-04-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
8 | CVE-2018-10059 | 79 | | XSS | 2018-04-12 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
9 | CVE-2018-10033 | 79 | | XSS | 2018-04-11 | 2018-04-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
CMS Made Simple (aka CMSMS) 2.2.7 has Stored XSS in admin/siteprefs.php via the metadata parameter.
10 | CVE-2018-10032 | 79 | | XSS | 2018-04-11 | 2018-04-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter.
11 | CVE-2018-10029 | 79 | | XSS | 2018-04-11 | 2018-04-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799.
12 | CVE-2018-9925 | 79 | | XSS | 2018-04-10 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request.
13 | CVE-2018-9123 | 79 | | XSS | 2018-03-29 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
In Crea8social 2018.2, there is Stored Cross-Site Scripting via a User Profile.
14 | CVE-2018-9122 | 79 | | XSS | 2018-03-29 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
In Crea8social 2018.2, there is Reflected Cross-Site Scripting via the term parameter to the /search URI.
15 | CVE-2018-9121 | 79 | | XSS | 2018-03-29 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
In Crea8social 2018.2, there is Stored Cross-Site Scripting via a post comment.
16 | CVE-2018-9120 | 79 | | XSS | 2018-03-29 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
In Crea8social 2018.2, there is Stored Cross-Site Scripting via a post.
17 | CVE-2018-9020 | 79 | | XSS | 2018-03-25 | 2018-04-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The Events Manager plugin before 5.8.1.2 for WordPress allows XSS via the events-manager.js mapTitle parameter in the Google Maps miniature.
18 | CVE-2018-9017 | 79 | | XSS | 2018-03-25 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
dsmall v20180320 allows XSS via the member search box at the public/index.php/home/membersnsfriend/findlist.html URI.
19 | CVE-2018-9015 | 79 | | XSS | 2018-03-25 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
dsmall v20180320 allows XSS via the public/index.php/home/predeposit/index.html pdr_sn parameter (aka the CMS search box).
20 | CVE-2018-8978 | 79 | | XSS | 2018-03-25 | 2018-04-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Open-AudIT Professional 2.1 has XSS via a crafted src attribute of an IMG element within a URI.
21 | CVE-2018-8957 | 79 | | XSS | 2018-03-23 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
CoverCMS v1.1.6 has XSS via the fourth input box to index.php, related to admina/mconfigs.inc.php.
22 | CVE-2018-8942 | 79 | | XSS | 2018-03-22 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Xiuno BBS 4.0.0 has XSS in the adminpage sitename parameter.
23 | CVE-2018-8903 | 79 | | XSS | 2018-03-22 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Open-AudIT Professional 2.1 allows XSS via the Name or Description field on the Credentials screen.
24 | CVE-2018-8832 | 79 | | XSS | 2018-03-20 | 2018-04-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
enhavo 0.4.0 has XSS via a user-group that contains executable JavaScript code in the user-group name. The XSS attack launches when a victim visits the admin user group page.
25 | CVE-2018-8815 | 79 | | XSS | 2018-03-20 | 2018-04-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image.
26 | CVE-2018-8767 | 79 | | XSS | 2018-03-18 | 2018-04-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
joyplus-cms 1.6.0 has XSS in manager/admin_ajax.php?action=save&tab={pre}vod_type via the t_name parameter.
27 | CVE-2018-8737 | 79 | | XSS | 2018-03-17 | 2018-04-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Bookme Control Panel 2.0 Application is vulnerable to stored XSS within the Customers "Book Me" function. Within the Name and Note (aka custName and custNote) sections of the Customers screen, the application does not sanitize user-supplied input and renders injected JavaScript code to the user's browser.
28 | CVE-2018-8732 | 79 | | XSS | 2018-03-19 | 2018-04-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross-site scripting (XSS) vulnerability in WampServer 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the virtual_del parameter.
29 | CVE-2018-8720 | 79 | | XSS | 2018-03-15 | 2018-04-10 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
ServiceNow ITSM 2016-06-02 has XSS via the First Name or Last Name field of My Profile (aka navpage.do), or the Search bar of My Portal (aka search_results.do).
30 | CVE-2018-8078 | 79 | | XSS | 2018-03-13 | 2018-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adver/edit.html.
31 | CVE-2018-8070 | 79 | | XSS | 2018-03-12 | 2018-03-30 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
QCMS version 3.0 has XSS via the title parameter to the /guest/index.html URI.
32 | CVE-2018-8069 | 79 | | XSS | 2018-03-12 | 2018-03-30 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
QCMS version 3.0 has XSS via the webname parameter to the /backend/system.html URI.
33 | CVE-2018-8058 | 79 | | XSS | 2018-03-11 | 2018-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
CMS Made Simple (CMSMS) 2.2.6 has XSS in admin/moduleinterface.php via the pagedata parameter.
34 | CVE-2018-7893 | 79 | | XSS | 2018-03-11 | 2018-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
CMS Made Simple (CMSMS) 2.2.6 has stored XSS in admin/moduleinterface.php via the metadata parameter.
35 | CVE-2018-7724 | 79 | | XSS CSRF | 2018-03-06 | 2018-03-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
36 | CVE-2018-7723 | 79 | | XSS CSRF | 2018-03-06 | 2018-03-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.
37 | CVE-2018-7722 | 79 | | XSS CSRF | 2018-03-06 | 2018-03-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.
38 | CVE-2018-7678 | 79 | | XSS | 2018-03-14 | 2018-04-10 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
A cross site scripting vulnerability exists in the Administration Console in NetIQ Access Manager (NAM) 4.3 and 4.4.
39 | CVE-2018-7675 | 200 | | +Info | 2018-03-07 | 2018-03-29 | 3.5 | None | Remote | Medium | Single system | Partial | None | None
In NetIQ Sentinel before 8.1.x, a Sentinel user is logged into the Sentinel Web Interface. After performing some tasks within Sentinel the user does not log out but goes idle for a period of time. This in turn causes the interface to time out so that it requires the user to re-authenticate. If another user is passing by and decides to log in, their credentials are accepted. While the user does not inherit any of the other user's privileges, they are able to view the previous screen. In this case it is possible that the user can see another user's events or configuration information for whatever view is currently showing.
40 | CVE-2018-7650 | 79 | | XSS | 2018-03-06 | 2018-03-27 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
PHP Scripts Mall Hot Scripts Clone:Script Classified Version 3.1 Application is vulnerable to stored XSS within the "Add New" function for a Management User. Within the "Add New" section, the application does not sanitize user supplied input to the name parameter, and renders injected JavaScript code to the user's browser. This is different from CVE-2018-6878.
41 | CVE-2018-7547 | 79 | | XSS | 2018-02-27 | 2018-03-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the /admin.php?s=/admin/config/groupsave.html URI.
42 | CVE-2018-7469 | 79 | | XSS | 2018-02-28 | 2018-03-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
PHP Scripts Mall Entrepreneur Job Portal Script 2.0.9 has XSS via the p_name (aka Edit Category Name) field to admin/categories_industry.php (aka Categories - Industry Type).
43 | CVE-2018-7447 | 79 | | XSS | 2018-02-23 | 2018-03-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
mojoPortal through 2.6.0.0 is prone to multiple persistent cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. The 'Title' and 'Subtitle' fields of the 'Blog' page are vulnerable.
44 | CVE-2018-7303 | 79 | | XSS | 2018-02-21 | 2018-03-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
The Calendar component in Tiki 17.1 allows HTML injection.
45 | CVE-2018-7302 | 79 | | XSS | 2018-02-21 | 2018-03-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS.
46 | CVE-2018-7290 | 79 | | XSS | 2018-03-09 | 2018-03-27 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1.
47 | CVE-2018-7261 | 79 | | XSS | 2018-02-21 | 2018-03-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
There are multiple Persistent XSS vulnerabilities in Radiant CMS 1.1.4. They affect Personal Preferences (Name and Username) and Configuration (Site Title, Dev Site Domain, Page Parts, and Page Fields).
48 | CVE-2018-7260 | 79 | | XSS | 2018-02-21 | 2018-03-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
49 | CVE-2018-7205 | 79 | | Exec Code XSS | 2018-02-20 | 2018-03-19 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
** DISPUTED ** Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout.
50 | CVE-2018-7188 | 79 | | +Priv XSS | 2018-02-16 | 2018-03-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
An XSS vulnerability (via an SVG image) in Tiki before 18 allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with a malicious SVG image, related to lib/filegals/filegallib.php.
Total number of vulnerabilities: 3017 (page 1 of 61)