CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
6101 | CVE-2016-0261 | 79 | | XSS | 2018-03-12 | 2018-04-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management 6.0.0 before SP2 EP29, 6.0.4 before 6.0.4.6 iFix3, 6.0.5 before 6.0.5.9 iFix2, 6.1.0 before 6.1.0.1 iFix1, and 6.1.1 before 6.1.1.1 iFix1; and IBM Care Management 6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 110604.
6102 | CVE-2016-0253 | 79 | | XSS | 2018-03-09 | 2018-03-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial Transaction Manager (FTM) for Corporate Payment Services (CPS) for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 110562.
6103 | CVE-2016-0227 | 79 | | XSS | 2016-03-03 | 2016-12-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in the document-list control implementation in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.2, and 8.5.5 and 8.5.6 through 8.5.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
6104 | CVE-2016-0221 | 79 | | XSS | 2016-07-03 | 2017-09-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in IBM Cognos TM1, as used in IBM Cognos Business Intelligence 10.2 before IF20, 10.2.1 before IF17, 10.2.1.1 before IF16, 10.2.2 before IF12, and 10.1.1 before IF19, allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
6105 | CVE-2016-0218 | 79 | | XSS | 2017-02-01 | 2017-04-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
6106 | CVE-2016-0217 | 79 | | XSS | 2017-02-01 | 2019-09-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
6107 | CVE-2016-0207 | 20 | | | 2018-01-16 | 2018-02-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
IBM Algorithmics One-Algo Risk Application (ARA) 4.9.1 through 5.1.0 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors. IBM X-Force ID: 109399.
6108 | CVE-2016-0011 | 79 | | XSS Bypass | 2016-01-13 | 2018-10-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Microsoft SharePoint Server 2013 SP1 and SharePoint Foundation 2013 SP1 allow remote authenticated users to bypass intended Access Control Policy restrictions and conduct cross-site scripting (XSS) attacks by modifying a webpart, aka "Microsoft SharePoint Security Feature Bypass," a different vulnerability than CVE-2015-6117.
6109 | CVE-2015-20019 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Content text slider on post WordPress plugin before 6.9 does not sanitise and escape the Title and Message/Content settings, which could lead to Cross-Site Scripting issues.
6110 | CVE-2015-9537 | 79 | | XSS | 2019-11-26 | 2020-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XSS issues involving thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, and wmYpos, and template.
6111 | CVE-2015-9469 | 79 | | XSS | 2019-10-10 | 2019-10-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The content-grabber plugin 1.0 for WordPress has XSS via obj_field_name or obj_field_id.
6112 | CVE-2015-9439 | 79 | | XSS CSRF | 2019-09-26 | 2019-09-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The addthis plugin before 5.0.13 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=addthis_social_widget pubid parameter.
6113 | CVE-2015-9438 | 79 | | XSS | 2019-09-26 | 2019-09-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dw_show_widget id_base, widget_number, or instance parameter.
6114 | CVE-2015-9436 | 79 | | XSS | 2019-09-26 | 2019-09-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=term_tree prefix or widget_id parameter.
6115 | CVE-2015-9426 | 79 | | XSS CSRF | 2019-09-26 | 2019-09-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter.
6116 | CVE-2015-9423 | 79 | | XSS | 2019-09-26 | 2019-09-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters.
6117 | CVE-2015-9410 | 79 | | XSS | 2019-09-26 | 2020-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.
6118 | CVE-2015-9401 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/tools.php edit_style id XSS.
6119 | CVE-2015-9397 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS.
6120 | CVE-2015-9393 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_desc parameter.
6121 | CVE-2015-9392 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_name parameter.
6122 | CVE-2015-9389 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz name.
6123 | CVE-2015-9354 | 79 | | XSS | 2019-08-28 | 2019-08-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The gigpress plugin before 2.3.11 for WordPress has XSS.
6124 | CVE-2015-9267 | 269 | | | 2018-10-01 | 2021-03-15 | 3.6 | None | Local | Low | Not required | None | Partial | Partial
Nullsoft Scriptable Install System (NSIS) before 2.49 uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which either a plugin or the uninstaller can be replaced by a Trojan horse program.
6125 | CVE-2015-9260 | 79 | | XSS | 2018-07-05 | 2020-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
An issue was discovered in BEdita before 3.7.0. A cross-site scripting (XSS) attack occurs via a crafted pages/showObjects URI, as demonstrated by appending a payload to a pages/showObjects/2/0/0/leafs URI.
6126 | CVE-2015-9248 | 79 | | XSS | 2018-01-12 | 2018-01-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
An issue was discovered in Skybox Platform before 7.5.201. Stored cross-site scripting vulnerabilities exist in the title, Comments, or Description field to /skyboxview/webskybox/tickets in Change Manager.
6127 | CVE-2015-9247 | 79 | | XSS | 2018-01-12 | 2018-01-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
An issue was discovered in Skybox Platform before 7.5.401. Reflected cross-site scripting vulnerabilities exist in /skyboxview/webservice/services/VersionRepositoryWebService via a soapenv:Body element, or in the status parameter to login.html.
6128 | CVE-2015-9230 | 79 | | XSS | 2017-09-12 | 2020-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
In the admin/db-backup-security/db-backup-security.php page in the BulletProof Security plugin before .52.5 for WordPress, XSS is possible for remote authenticated administrators via the DBTablePrefix parameter.
6129 | CVE-2015-9229 | 79 | | XSS | 2017-09-12 | 2020-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
In the nggallery-manage-gallery page in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress, XSS is possible for remote authenticated administrators via the images[1][alttext] parameter.
6130 | CVE-2015-9105 | 79 | | XSS | 2017-06-30 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos.
6131 | CVE-2015-9104 | 79 | | XSS | 2017-06-30 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5.1 before 5.1-2550 and 5.4 before 5.4-2857 allow remote authenticated attackers to inject arbitrary web script or HTML via the album title.
6132 | CVE-2015-9103 | 79 | | XSS | 2017-06-30 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments.
6133 | CVE-2015-9102 | 79 | | XSS | 2017-06-30 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.
6134 | CVE-2015-8987 | 284 | | | 2017-03-14 | 2017-03-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Man-in-the-middle (MitM) attack vulnerability in non-Mac OS agents in McAfee (now Intel Security) Agent (MA) 4.8.0 patch 2 and earlier allows attackers to make a McAfee Agent talk with another, possibly rogue, ePO server via McAfee Agent migration to another ePO server.
6135 | CVE-2015-8956 | 476 | | DoS +Info | 2016-10-10 | 2018-01-05 | 3.6 | None | Local | Low | Not required | Partial | None | Partial
The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.
6136 | CVE-2015-8801 | 254 | | Bypass | 2016-06-30 | 2017-09-01 | 3.3 | None | Local | Medium | Not required | Partial | Partial | None
Race condition in the client in Symantec Endpoint Protection (SEP) 12.1 before RU6 MP5 allows local users to bypass intended restrictions on USB file transfer by conducting filesystem operations before the SEP device manager recognizes a new USB device.
6137 | CVE-2015-8759 | 79 | | XSS | 2016-01-08 | 2016-01-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link field.
6138 | CVE-2015-8758 | 79 | | XSS | 2016-01-08 | 2016-01-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in unspecified frontend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors.
6139 | CVE-2015-8756 | 79 | | XSS | 2016-01-08 | 2016-01-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in the search result view in the Indexed Search (indexed_search) component in TYPO3 6.2.x before 6.2.16 allows remote authenticated editors to inject arbitrary web script or HTML via unspecified vectors.
6140 | CVE-2015-8755 | 79 | | XSS | 2016-01-08 | 2016-01-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allow remote authenticated editors to inject arbitrary web script or HTML via unknown vectors.
6141 | CVE-2015-8743 | 125 | | | 2016-12-29 | 2020-10-29 | 3.6 | None | Local | Low | Not required | Partial | Partial | None
QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes.
6142 | CVE-2015-8698 | | | DoS | 2016-06-29 | 2021-04-12 | 3.6 | None | Local | Low | Not required | Partial | None | Partial
CA Release Automation (formerly LISA Release Automation) 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and 6.1.0 before 6.1.0-1026 allows remote attackers to read arbitrary files or cause a denial of service via a request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
6143 | CVE-2015-8687 | 79 | | XSS | 2017-03-23 | 2017-03-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in the Management Console in Alcatel-Lucent Motive Home Device Manager (HDM) before 4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceTypeID parameter to DeviceType/getDeviceType.do; the (2) policyActionClass or (3) policyActionName parameter to PolicyAction/findPolicyActions.do; the deviceID parameter to (4) SingleDeviceMgmt/getDevice.do or (5) device/editDevice.do; the operation parameter to (6) ajax.do or (7) xmlHttp.do; or the (8) policyAction, (9) policyClass, or (10) policyName parameter to policy/findPolicies.do.
6144 | CVE-2015-8666 | 787 | | Overflow | 2017-04-11 | 2020-10-13 | 3.3 | None | Local | Medium | Not required | None | Partial | Partial
Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.
6145 | CVE-2015-8603 | 79 | | XSS | 2016-01-12 | 2018-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the serendipity[entry_id] parameter in an "edit" admin action to serendipity_admin.php.
6146 | CVE-2015-8602 | 200 | | Bypass +Info | 2015-12-17 | 2015-12-18 | 3.5 | None | Remote | Medium | ??? | Partial | None | None
The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node.
6147 | CVE-2015-8504 | 369 | | DoS | 2017-04-11 | 2020-09-09 | 3.5 | None | Remote | Medium | ??? | None | None | Partial
Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.
6148 | CVE-2015-8481 | 200 | | +Info | 2016-01-08 | 2016-01-13 | 3.5 | None | Remote | Medium | ??? | Partial | None | None
Atlassian JIRA Software 7.0.3, JIRA Core 7.0.3, and the bundled JIRA Service Desk 3.0.3 installer attaches the wrong image to e-mail notifications when a user views an issue with inline wiki markup referencing an image attachment, which might allow remote attackers to obtain sensitive information by updating a different issue that includes wiki markup for an external image reference.
6149 | CVE-2015-8375 | 79 | | XSS | 2017-09-25 | 2017-10-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in PHP-Fusion 9.
6150 | CVE-2015-8326 | 59 | | | 2017-06-07 | 2017-06-14 | 3.6 | None | Local | Low | Not required | None | Partial | Partial
The IPTables-Parse module before 1.6 for Perl allows local users to write to arbitrary files owned by the current user.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.