
Security Vulnerabilities (CVSS score between 3 and 3.99)

#    | CVE ID         | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access        | Access Complexity | Authentication | Conf.   | Integ.  | Avail.
-----|----------------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|---------------|-------------------|----------------|---------|---------|--------
2951 | CVE-2019-20639 | 79     |               | XSS                   | 2020-04-15   | 2020-04-17  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
2952 | CVE-2019-20626 | 294    |               |                       | 2020-03-23   | 2021-09-14  | 3.3   | None                | Local Network | Low               | Not required   | None    | Partial | None
     The remote keyless system on Honda HR-V 2017 vehicles sends the same RF signal for each door-open request, which might allow a replay attack.
2953 | CVE-2019-20609 | 200    |               | +Info                 | 2020-03-24   | 2021-07-21  | 3.3   | None                | Local Network | Low               | Not required   | Partial | None    | None
     An issue was discovered on Samsung mobile devices with P(9.0) software. Attackers can use Smartwatch to view Secure Folder notification content. The Samsung ID is SVE-2019-13899 (April 2019).
2954 | CVE-2019-20600 | 416    |               |                       | 2020-03-24   | 2020-03-26  | 3.6   | None                | Local         | Low               | Not required   | Partial | Partial | None
     An issue was discovered on Samsung mobile devices with O(8.0) and P(9.0) (Exynos8890 chipsets) software. A use-after-free occurs in the MALI GPU driver. The Samsung ID is SVE-2019-13921-1 (May 2019).
2955 | CVE-2019-20546 | 20     |               |                       | 2020-03-24   | 2021-07-21  | 3.3   | None                | Local Network | Low               | Not required   | None    | None    | Partial
     An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom Wi-Fi chipsets) software. A denial-of-service attack can leverage a shared interface between Broadcom Bluetooth and Broadcom Wi-Fi. The Samsung ID is SVE-2019-15350 (November 2019).
2956 | CVE-2019-20531 | 125    |               |                       | 2020-03-24   | 2020-03-27  | 3.6   | None                | Local         | Low               | Not required   | Partial | None    | Partial
     An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software. The Wi-Fi kernel drivers have an out-of-bounds Read. The Samsung IDs are SVE-2019-15692, SVE-2019-15693 (December 2019).
2957 | CVE-2019-20497 | 79     |               | XSS                   | 2020-03-17   | 2020-03-19  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533).
2958 | CVE-2019-20483 | 79     |               | XSS                   | 2021-01-05   | 2021-01-08  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Viki Vera 4.9.1.26180. An attacker could set a user's last name to an XSS Payload, and read another user's cookie and use that to login to the application.
2959 | CVE-2019-20443 | 79     |               | XSS                   | 2020-01-28   | 2020-11-10  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI.
2960 | CVE-2019-20442 | 79     |               | XSS                   | 2020-01-28   | 2020-11-10  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI.
2961 | CVE-2019-20441 | 79     |               | XSS                   | 2020-01-28   | 2020-11-10  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the 'implement phase' of the API Publisher.
2962 | CVE-2019-20440 | 79     |               | XSS                   | 2020-01-28   | 2020-11-10  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the update API documentation feature of the API Publisher.
2963 | CVE-2019-20439 | 79     |               | XSS                   | 2020-01-28   | 2020-10-29  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in defining a scope in the "manage the API" page of the API Publisher.
2964 | CVE-2019-20438 | 79     |               | XSS                   | 2020-01-28   | 2020-11-10  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the inline API documentation editor page of the API Publisher.
2965 | CVE-2019-20435 | 79     |               | XSS                   | 2020-01-28   | 2020-10-29  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful docName request parameter.
2966 | CVE-2019-20434 | 79     |               | XSS                   | 2020-01-28   | 2020-10-29  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console.
2967 | CVE-2019-20416 | 79     |               | XSS                   | 2020-06-30   | 2020-07-07  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.
2968 | CVE-2019-20414 | 79     |               | XSS                   | 2020-06-29   | 2020-07-07  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
2969 | CVE-2019-20204 | 79     |               | XSS                   | 2020-01-02   | 2020-01-16  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element.
2970 | CVE-2019-20182 | 79     |               | XSS                   | 2020-01-09   | 2020-01-14  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     The FooGallery plugin 1.8.12 for WordPress allows XSS via the post_title parameter.
2971 | CVE-2019-20181 | 79     |               | XSS                   | 2020-01-09   | 2020-01-14  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter.
2972 | CVE-2019-20139 | 79     |               | XSS                   | 2019-12-30   | 2020-01-03  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user.
2973 | CVE-2019-20008 | 79     |               | XSS                   | 2019-12-26   | 2020-01-02  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     In Archery before 1.3, inserting an XSS payload into a project name (either by creating a new project or editing an existing one) will result in stored XSS on the vulnerability-scan scheduling page.
2974 | CVE-2019-19991 | 79     |               | XSS                   | 2020-02-26   | 2020-02-27  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Reflected Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /vam/vam_anagraphic.php, /vam/vam_vamuser.php, /common/vamp_main.php, and /wiz/change_password.php.
2975 | CVE-2019-19990 | 79     |               | XSS                   | 2020-02-26   | 2020-02-27  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Stored Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /monitor/s_headmodel.php and /vam/vam_user.php.
2976 | CVE-2019-19983 | 200    |               | +Info                 | 2019-12-26   | 2020-08-24  | 3.5   | None                | Remote        | Medium            | ???            | Partial | None    | None
     In the WordPress plugin, Fast Velocity Minify before 2.7.7, the full web root path to the running WordPress application can be discovered. In order to exploit this vulnerability, FVM Debug Mode needs to be enabled and an admin-ajax request needs to call the fastvelocity_min_files action.
2977 | CVE-2019-19968 | 79     |               | XSS                   | 2020-02-04   | 2020-02-05  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     PandoraFMS 742 suffers from multiple XSS vulnerabilities, affecting the Agent Management, Report Builder, and Graph Builder components. An authenticated user can inject dangerous content into a data store that is later read and included in dynamic content.
2978 | CVE-2019-19941 | 79     |               | XSS                   | 2020-03-16   | 2021-02-03  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     Missing hostname validation in Swisscom Centro Grande before 6.16.12 allows a remote attacker to inject its local IP address as a domain entry in the DNS service of the router via crafted hostnames in DHCP requests, causing XSS.
2979 | CVE-2019-19927 | 125    |               |                       | 2019-12-31   | 2020-05-14  | 3.6   | None                | Local         | Low               | Not required   | Partial | None    | Partial
     In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on kernel.ubuntu.com), mounting a crafted f2fs filesystem image and performing some operations can lead to slab-out-of-bounds read access in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c. This is related to the vmwgfx or ttm module.
2980 | CVE-2019-19913 | 79     |               | XSS                   | 2020-03-30   | 2020-04-14  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     In Intland codeBeamer ALM 9.5 and earlier, there is stored XSS via the Trackers Title parameter.
2981 | CVE-2019-19912 | 79     |               | XSS                   | 2020-03-30   | 2020-03-31  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     In Intland codeBeamer ALM 9.5 and earlier, a cross-site scripting (XSS) vulnerability in the Upload Flash File feature allows authenticated remote attackers to inject arbitrary scripts via an active script embedded in an SWF file.
2982 | CVE-2019-19903 | 79     |               | XSS                   | 2019-12-19   | 2019-12-27  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer file types" permission.
2983 | CVE-2019-19901 | 79     |               | XSS                   | 2019-12-19   | 2019-12-27  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when configuring a layout, aka XSS. This issue is mitigated by the fact that the attacker would be required to have the permission to create custom blocks, which is typically an administrative task.
2984 | CVE-2019-19900 | 79     |               | XSS                   | 2019-12-19   | 2019-12-27  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer content types" permission.
2985 | CVE-2019-19858 | 79     |               | XSS                   | 2020-01-15   | 2020-01-17  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/add_user/UID allows stored XSS via the author parameter.
2986 | CVE-2019-19856 | 79     |               | XSS                   | 2020-01-15   | 2020-01-17  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. The User Type on the admin/list_user page allows stored XSS via the type parameter.
2987 | CVE-2019-19855 | 79     |               | XSS                   | 2020-01-15   | 2020-01-17  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/list_user allows stored XSS via the auth_type parameter.
2988 | CVE-2019-19852 | 79     |               | XSS                   | 2020-03-16   | 2020-03-19  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4.
2989 | CVE-2019-19851 | 79     |               | XSS                   | 2020-03-16   | 2020-03-20  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20.
2990 | CVE-2019-19829 | 79     |               | XSS                   | 2019-12-18   | 2019-12-23  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     A cross-site scripting (XSS) vulnerability exists in SolarWinds Serv-U FTP Server 15.1.7 in the email parameter, a different vulnerability than CVE-2018-19934 and CVE-2019-13182.
2991 | CVE-2019-19783 | 20     |               |                       | 2019-12-16   | 2021-07-21  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.
2992 | CVE-2019-19773 | 79     |               | XSS                   | 2020-03-06   | 2020-03-09  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     Various Lexmark products have stored XSS in the embedded web server used in older generation Lexmark devices. Affected products are available in http://support.lexmark.com/index?page=content&id=TE935&locale=en&userlocale=EN_US.
2993 | CVE-2019-19772 | 79     |               | XSS                   | 2020-03-06   | 2020-03-09  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     Various Lexmark products have reflected XSS in the embedded web server used in older generation Lexmark devices. Affected products are available in http://support.lexmark.com/index?page=content&id=TE935&locale=en&userlocale=EN_US.
2994 | CVE-2019-19757 | 79     |               | Exec Code XSS         | 2020-02-14   | 2020-02-24  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not executed on LXCA itself.
2995 | CVE-2019-19756 | 532    |               |                       | 2020-03-13   | 2021-11-02  | 3.6   | None                | Local         | Low               | Not required   | Partial | Partial | None
     An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA.
2996 | CVE-2019-19742 | 79     |               | XSS                   | 2019-12-18   | 2021-04-23  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     On D-Link DIR-615 devices, the User Account Configuration page is vulnerable to blind XSS via the name field.
2997 | CVE-2019-19693 | 200    |               | Exec Code +Info       | 2019-12-20   | 2021-07-21  | 3.6   | None                | Local         | Low               | Not required   | Partial | None    | Partial
     The Trend Micro Security 2020 consumer family of products contains a vulnerability that could allow a local attacker to disclose sensitive information or to create a denial-of-service condition on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
2998 | CVE-2019-19687 | 522    |               | +Info                 | 2019-12-09   | 2019-12-20  | 3.5   | None                | Remote        | Medium            | ???            | Partial | None    | None
     OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)
2999 | CVE-2019-19682 | 79     |               | XSS                   | 2019-12-09   | 2019-12-10  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id] Admin/Blog/BlogPostEdit/[id]. NOTE: the vendor reportedly considers this a "feature" because the affected components are an HTML content editor.
3000 | CVE-2019-19679 | 79     |               | XSS                   | 2019-12-09   | 2019-12-11  | 3.5   | None                | Remote        | Medium            | ???            | None    | Partial | None
     In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.