CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
5101 CVE-2017-15890 79 XSS 2017-12-15 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.
5102 CVE-2017-15888 79 XSS 2017-10-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter.
5103 CVE-2017-15881 79 XSS 2017-10-24 2019-12-09
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.
5104 CVE-2017-15872 79 XSS 2017-10-24 2017-10-31
3.5
None Remote Medium ??? None Partial None
phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field.
5105 CVE-2017-15835 835 DoS 2018-12-07 2019-10-03
3.3
None Local Network Low Not required None None Partial
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service.
5106 CVE-2017-15811 79 XSS 2017-10-23 2017-11-14
3.5
None Remote Medium ??? None Partial None
The Pootle Button plugin before 1.2.0 for WordPress has XSS via the assets_url parameter in assets/dialog.php, exploitable via wp-admin/admin-ajax.php.
5107 CVE-2017-15728 79 XSS 2017-10-22 2017-10-24
3.5
None Remote Medium ??? None Partial None
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via metaDescription or metaKeywords.
5108 CVE-2017-15727 79 XSS 2017-10-22 2019-03-14
3.5
None Remote Medium ??? None Partial None
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.
5109 CVE-2017-15703 502 DoS 2018-01-25 2018-02-12
3.5
None Remote Medium ??? None None Partial
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
5110 CVE-2017-15640 79 XSS 2018-04-21 2018-05-24
3.5
None Remote Medium ??? None Partial None
app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter.
5111 CVE-2017-15538 79 +Priv XSS 2017-10-17 2018-06-19
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.
5112 CVE-2017-15515 79 XSS 2019-03-04 2019-03-07
3.5
None Remote Medium ??? None Partial None
NetApp SnapCenter Server prior to 4.0 is susceptible to cross site scripting vulnerability that could allow a privileged user to inject arbitrary scripts into the custom secondary policy label field.
5113 CVE-2017-15360 79 XSS 2017-10-15 2017-11-01
3.5
None Remote Medium ??? None Partial None
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all group names created, related to incorrect error handling for an HTML encoded script.
5114 CVE-2017-15322 20 2017-12-22 2018-01-09
3.3
None Local Network Low Not required None None Partial
Some Huawei smartphones with software of BGO-L03C158B003CUSTC158D001 and BGO-L03C331B009CUSTC331D001 have a DoS vulnerability due to insufficient input validation. An attacker could exploit this vulnerability by sending specially crafted NFC messages to the target device. Successful exploit could make a service crash.
5115 CVE-2017-15312 79 XSS 2017-12-22 2018-01-04
3.5
None Remote Medium ??? None Partial None
Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) vulnerability in the dashboard module. A remote authenticated attacker could exploit this vulnerability to inject malicious scripts in the affected device.
5116 CVE-2017-15284 79 Exec Code XSS 2017-10-12 2020-08-03
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
5117 CVE-2017-15279 79 XSS 2017-10-12 2017-10-25
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs.
5118 CVE-2017-15278 79 Exec Code XSS 2017-10-12 2017-10-26
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
5119 CVE-2017-15273 79 XSS 2017-10-31 2017-11-13
3.5
None Remote Medium ??? None Partial None
Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as titles in internal artefacts.
5120 CVE-2017-15219 79 XSS 2017-10-10 2017-10-25
3.5
None Remote Medium ??? None Partial None
The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Scripting (XSS) affecting a vanity-urls Title field, a containers Description field, and a templates Description field.
5121 CVE-2017-15214 79 +Priv XSS 2017-10-11 2017-10-27
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (including unauthenticated users), via the name, title, or id parameter to plugins/dokuwiki/lib/plugins/changelinks/syntax.php.
5122 CVE-2017-15213 79 +Priv XSS 2017-10-11 2017-10-27
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field to themes/CleanFS/templates/common.editallusers.tpl.
5123 CVE-2017-15188 79 XSS 2017-10-11 2021-02-23
3.5
None Remote Medium ??? None Partial None
A persistent (stored) XSS vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the hosts array parameter to module/admin_device/index.php.
5124 CVE-2017-15125 79 XSS 2018-07-27 2019-10-09
3.5
None Remote Medium ??? None Partial None
A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.
5125 CVE-2017-15113 532 2018-07-27 2019-10-09
3.5
None Remote Medium ??? Partial None None
ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues.
5126 CVE-2017-15111 59 2018-01-20 2019-08-06
3.6
None Local Low Not required None Partial Partial
keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link.
5127 CVE-2017-15093 20 2018-01-23 2019-10-09
3.5
None Remote Medium ??? None Partial None
When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration.
5128 CVE-2017-15051 79 XSS 2017-11-27 2017-12-07
3.5
None Remote Medium ??? None Partial None
Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first authenticated to the application. For the first one, the attacker has to simply inject XSS code within the URL field of a shared item. For the second one however, the attacker must prepare a payload within its profile, and then ask an administrator to modify its profile. From there, whenever the administrator accesses the log, it can be XSS'ed.
5129 CVE-2017-15039 79 XSS 2017-11-06 2017-11-22
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 via a data: URL in the redirectUrl parameter to app/index.php/meetings/default/createMeeting.
5130 CVE-2017-15008 79 XSS 2017-10-04 2017-10-12
3.5
None Remote Medium ??? None Partial None
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all sensor titles, related to incorrect error handling for a %00 in the SRC attribute of an IMG element.
5131 CVE-2017-14985 79 XSS 2017-10-03 2021-02-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the url parameter to module/module_frame/index.php.
5132 CVE-2017-14984 79 XSS 2017-10-03 2021-02-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the bp_name parameter to /module/admin_bp/add_services.php.
5133 CVE-2017-14983 79 XSS 2017-10-03 2021-02-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the object parameter to module/admin_conf/index.php.
5134 CVE-2017-14981 79 XSS 2017-10-03 2017-10-11
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website.
5135 CVE-2017-14973 79 XSS 2017-10-09 2017-10-27
3.5
None Remote Medium ??? None Partial None
IDenticard Two-Reader Controller Configuration Manager 1.18.8 (396) is vulnerable to Stored Cross-Site Scripting (XSS) via the notes field in /~user_handler?file=logged_in.shtm (aka the edit user page).
5136 CVE-2017-14956 352 CSRF 2017-10-18 2019-05-13
3.5
None Remote Medium ??? Partial None None
AlienVault USM v5.4.2 and earlier offers authenticated users the functionality of exporting generated reports via the "/ossim/report/wizard_email.php" script. Besides offering an export via a local download, the script also offers the possibility to send out any report via email to a given address (either in PDF or XLS format). Since there is no anti-CSRF token protecting this functionality, it is vulnerable to Cross-Site Request Forgery attacks.
5137 CVE-2017-14953 311 2017-12-01 2019-10-03
3.3
None Local Network Low Not required None Partial None
** DISPUTED ** HikVision Wi-Fi IP cameras, when used in a wired configuration, allow physically proximate attackers to trigger association with an arbitrary access point by leveraging a default SSID with no WiFi encryption or authentication. NOTE: Vendor states that this is not a vulnerability, but more an increase to the attack surface of the product.
5138 CVE-2017-14923 79 XSS 2017-09-30 2017-10-05
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability via IMG element at "Leadname" of CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
5139 CVE-2017-14922 79 XSS 2017-09-30 2017-10-05
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability via IMG element at "History" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
5140 CVE-2017-14921 79 XSS 2017-09-30 2017-10-05
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability via IMG element at "Filename" of Filemanager in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
5141 CVE-2017-14771 20 2017-10-03 2017-10-11
3.6
None Local Low Not required None Partial Partial
Skybox Manager Client Application prior to 8.5.501 is prone to an arbitrary file upload vulnerability due to insufficient input validation of user-supplied files path when uploading files via the application. During a debugger-pause state, a local authenticated attacker can upload an arbitrary file and overwrite existing files within the scope of the affected application.
5142 CVE-2017-14753 79 XSS 2017-09-27 2021-02-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the filter parameter to module/module_filters/index.php.
5143 CVE-2017-14752 79 Exec Code XSS 2017-10-31 2017-11-13
3.5
None Remote Medium ??? None Partial None
Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as their first name, last name, or display name in the profile fields that can cause issues such as escalation of privileges or unknown execution of malicious code when replying to messages in Mahara.
5144 CVE-2017-14748 362 DoS 2017-09-26 2017-10-06
3.5
None Remote Medium ??? None None Partial
Race condition in Blizzard Overwatch 1.15.0.2 allows remote authenticated users to cause a denial of service (season bans and SR losses for other users) by leaving a competitive match at a specific time during the initial loading of that match.
5145 CVE-2017-14740 79 XSS 2018-04-26 2018-05-25
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in GeniXCMS 1.1.0 allows remote authenticated users to inject arbitrary web script or HTML via the Menu ID when adding a menu.
5146 CVE-2017-14717 79 XSS 2017-09-22 2017-10-06
3.5
None Remote Medium ??? None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
5147 CVE-2017-14716 79 XSS 2017-09-22 2017-09-28
3.5
None Remote Medium ??? None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Title parameter.
5148 CVE-2017-14715 79 XSS 2017-09-22 2017-09-28
3.5
None Remote Medium ??? None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Alerts Title parameter.
5149 CVE-2017-14714 79 XSS 2017-09-22 2017-09-28
3.5
None Remote Medium ??? None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Subject parameter.
5150 CVE-2017-14713 79 XSS 2017-09-22 2017-09-28
3.5
None Remote Medium ??? None Partial None
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Description parameter.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.