CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5701 | CVE-2016-10776 | 79 | | XSS | 2019-08-06 | 2019-08-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174). |
| 5702 | CVE-2016-10774 | 79 | | XSS | 2019-08-05 | 2019-08-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172). |
| 5703 | CVE-2016-10767 | 79 | | XSS | 2019-08-05 | 2019-08-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface (SEC-159). |
| 5704 | CVE-2016-10763 | 79 | | XSS | 2019-07-18 | 2019-07-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body. |
| 5705 | CVE-2016-10761 | 74 | | Bypass | 2019-06-29 | 2019-07-08 | 3.3 | None | Local Network | Low | Not required | None | Partial | None | Logitech Unifying devices before 2016-02-26 allow keystroke injection, bypassing encryption, aka MouseJack. |
| 5706 | CVE-2016-10737 | 79 | | XSS | 2019-01-16 | 2019-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter. |
| 5707 | CVE-2016-10716 | 79 | | XSS | 2018-03-16 | 2018-04-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Mail.ru Calendar plugin before 2.5.0.61 for Atlassian Jira has XSS via the Name field in a Create Calender action, related to a MailRuCalendar.jspa#period/month URI. |
| 5708 | CVE-2016-10715 | 79 | | XSS | 2018-03-16 | 2018-04-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Artezio Kanban Board plugin 1.4 revision 1914 for Atlassian Jira has XSS via the Board Name in a Create New Board action, related to an artezioboard/mainPage.jspa?kanbanId=7#/kanban-view URI. |
| 5709 | CVE-2016-10537 | 79 | | XSS | 2018-05-31 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON. There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and earlier, if a user is able to supply input. This is due to the regex that's replacing things to miss the conversion of things such as `<` to `&lt;`. |
| 5710 | CVE-2016-10376 | 310 | | | 2017-05-28 | 2017-11-06 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions. |
| 5711 | CVE-2016-10223 | 284 | | Exec Code | 2017-02-14 | 2017-02-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
| 5712 | CVE-2016-10112 | 79 | | XSS | 2017-01-04 | 2017-01-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. |
| 5713 | CVE-2016-9989 | 79 | | XSS | 2017-07-05 | 2017-07-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120555. |
| 5714 | CVE-2016-9988 | 79 | | XSS | 2017-07-05 | 2017-07-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120554. |
| 5715 | CVE-2016-9987 | 79 | | XSS | 2017-07-05 | 2017-07-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120553. |
| 5716 | CVE-2016-9986 | 79 | | XSS | 2017-07-05 | 2017-07-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120552. |
| 5717 | CVE-2016-9983 | 200 | | +Info | 2017-06-22 | 2017-06-26 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authenticated user with special privileges to view files that they should not have access to. IBM X-Force ID: 120275. |
| 5718 | CVE-2016-9980 | 79 | | XSS | 2017-04-20 | 2017-04-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120256. |
| 5719 | CVE-2016-9979 | 79 | | XSS | 2017-04-20 | 2017-04-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120255. |
| 5720 | CVE-2016-9973 | 79 | | XSS | 2017-06-13 | 2017-06-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120209. |
| 5721 | CVE-2016-9891 | 79 | | XSS | 2016-12-29 | 2017-01-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the upfiletitle or media_title parameter (aka the media title). |
| 5722 | CVE-2016-9757 | 79 | | XSS | 2016-12-20 | 2016-12-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose 6.4.12 UI by another authenticated user, the script is run in that user's browser context. |
| 5723 | CVE-2016-9747 | 79 | | XSS | 2017-06-22 | 2017-06-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM RELM 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
| 5724 | CVE-2016-9746 | 79 | | XSS | 2017-07-05 | 2017-07-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119821. |
| 5725 | CVE-2016-9737 | 79 | | XSS | 2017-03-27 | 2017-03-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM TRIRIGA 3.3, 3.4, and 3.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1996200. |
| 5726 | CVE-2016-9733 | 79 | | XSS | 2017-07-05 | 2017-07-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119762. |
| 5727 | CVE-2016-9732 | 79 | | XSS | 2017-08-29 | 2017-09-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Curam Social Program Management 6.0, 6.1, 6.2 and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119761. |
| 5728 | CVE-2016-9731 | 79 | | XSS | 2017-02-01 | 2018-05-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
| 5729 | CVE-2016-9719 | 20 | | | 2017-07-31 | 2017-08-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM InfoSphere Master Data Management Server 10.1, 11.0, 11.3, 11.4, 11.5, and 11.6 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 119733. |
| 5730 | CVE-2016-9718 | 79 | | XSS | 2017-07-31 | 2017-08-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM InfoSphere Master Data Management Server 10.1, 11.0, 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119732. |
| 5731 | CVE-2016-9715 | 79 | | XSS | 2017-07-31 | 2017-08-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM InfoSphere Master Data Management Server 11.0, 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119728. |
| 5732 | CVE-2016-9701 | 79 | | XSS | 2017-07-05 | 2017-07-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Team Concert 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119529. |
| 5733 | CVE-2016-9696 | 79 | | Exec Code XSS | 2017-03-20 | 2017-03-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM Reference #: 1999960. |
| 5734 | CVE-2016-9694 | 79 | | XSS | 2017-03-20 | 2017-03-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1999960. |
| 5735 | CVE-2016-9681 | 79 | | XSS | 2016-12-25 | 2016-12-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name. |
| 5736 | CVE-2016-9637 | 264 | | +Priv | 2017-02-17 | 2018-02-08 | 3.7 | None | Local | High | Not required | Partial | Partial | Partial | The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access. |
| 5737 | CVE-2016-9595 | 59 | | | 2018-07-27 | 2019-10-09 | 3.6 | None | Local | Low | Not required | None | Partial | Partial | A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. |
| 5738 | CVE-2016-9494 | 20 | | DoS | 2018-07-13 | 2019-10-09 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, are potentially vulnerable to improper input validation. The device's advanced status web page that is linked to from the basic status web page does not appear to properly parse malformed GET requests. This may lead to a denial of service. |
| 5739 | CVE-2016-9472 | 79 | | XSS | 2017-03-28 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser, and possibly other parameters. It has to be noted that the window for such attack vectors to be possible is extremely narrow and it is very unlikely that such an attack could be actually effective. |
| 5740 | CVE-2016-9465 | 79 | | XSS | 2017-03-28 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack. |
| 5741 | CVE-2016-9457 | 79 | | XSS | 2017-03-28 | 2017-03-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Revive Adserver before 3.2.3 suffers from Reflected XSS. `www/admin/stats.php` is vulnerable to reflected XSS attacks via multiple parameters that are not properly sanitised or escaped when displayed, such as setPerPage, pageId, bannerid, period_start, period_end, and possibly others. |
| 5742 | CVE-2016-9454 | 79 | | XSS | 2017-03-28 | 2017-03-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The banner image URL for external banners wasn't properly escaped when displayed in most of the banner related pages. |
| 5743 | CVE-2016-9316 | 79 | | XSS | 2017-02-21 | 2017-07-25 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least privileges to inject arbitrary HTML/JavaScript code into web pages. This was resolved in Version 6.5 CP 1737. |
| 5744 | CVE-2016-9271 | 79 | | XSS | 2019-11-26 | 2019-12-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cloudera Manager 5.7.x before 5.7.6, 5.8.x before 5.8.4, and 5.9.x before 5.9.1 allows XSS in the help search feature. |
| 5745 | CVE-2016-9261 | 79 | | XSS | 2017-02-28 | 2021-08-31 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Tenable Log Correlation Engine (aka LCE) before 4.8.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| 5746 | CVE-2016-9260 | 79 | | XSS | 2017-01-31 | 2017-02-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to handling of .nessus files. |
| 5747 | CVE-2016-9259 | 79 | | XSS | 2017-02-28 | 2017-03-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| 5748 | CVE-2016-9221 | 399 | | DoS | 2017-01-26 | 2017-01-27 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | A Denial of Service Vulnerability in 802.11 ingress connection authentication handling for the Cisco Mobility Express 2800 and 3800 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause authentication to fail. Affected Products: This vulnerability affects Cisco Mobility Express 2800 Series and 3800 Series Access Points when configured in local mode in 40 MHz. More Information: CSCvb33575. Known Affected Releases: 8.2(121.12) 8.4(1.82). Known Fixed Releases: 8.2(131.2) 8.2(131.3) 8.2(131.4) 8.2(141.0) 8.3(104.53) 8.3(104.54) 8.4(1.80) 8.4(1.85). |
| 5749 | CVE-2016-9220 | 399 | | DoS | 2017-01-26 | 2017-01-27 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | A Denial of Service Vulnerability in 802.11 ingress packet processing of the Cisco Mobility Express 2800 and 3800 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause the connection table to be full of invalid connections and be unable to process new incoming requests. More Information: CSCvb66659. Known Affected Releases: 8.2(130.0). Known Fixed Releases: 8.2(131.10) 8.2(131.6) 8.2(141.0) 8.3(104.56) 8.4(1.88) 8.4(1.91). |
| 5750 | CVE-2016-9130 | 79 | | XSS | 2017-03-28 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The website name wasn't properly escaped when displayed in the campaign-zone.php script. |