CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
3001 CVE-2019-19542 79 XSS 2019-12-26 2019-12-30
3.5
None Remote Medium ??? None Partial None
The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Good For field on the new listing submit page.
3002 CVE-2019-19541 79 XSS 2019-12-26 2020-01-02
3.5
None Remote Medium ??? None Partial None
The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Best Day/Night field on the new listing submit page.
3003 CVE-2019-19514 79 XSS 2020-05-05 2020-05-07
3.5
None Remote Medium ??? None Partial None
Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic repeater settings via an SSID.
3004 CVE-2019-19500 79 XSS 2020-04-15 2020-04-17
3.5
None Remote Medium ??? None Partial None
Matrix42 Workspace Management 9.1.2.2765 and below allows stored XSS via unfiltered description parameters, as demonstrated by the comment field of a special order for individual software.
3005 CVE-2019-19497 79 XSS 2019-12-17 2019-12-20
3.5
None Remote Medium ??? None Partial None
MDaemon Email Server 17.5.1 allows XSS via the filename of an attachment to an email message.
3006 CVE-2019-19496 79 XSS 2019-12-02 2019-12-11
3.5
None Remote Medium ??? None Partial None
Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document.
3007 CVE-2019-19461 79 XSS 2020-03-16 2020-03-19
3.5
None Remote Medium ??? None Partial None
Post-authentication Stored XSS in Team Password Manager through 7.93.204 allows attackers to steal other users' credentials by creating a shared password with HTML code as the title.
3008 CVE-2019-19457 79 XSS 2019-12-03 2019-12-11
3.5
None Remote Medium ??? None Partial None
SALTO ProAccess SPACE 5.4.3.0 allows XSS.
3009 CVE-2019-19441 200 +Info 2020-01-03 2021-07-21
3.3
None Local Network Low Not required Partial None None
HUAWEI P30 smart phones with versions earlier than 10.0.0.166(C00E66R1P11) have an information leak vulnerability. An attacker could send specific command in the local area network (LAN) to exploit this vulnerability. Successful exploitation may cause information leak.
3010 CVE-2019-19390 79 XSS 2020-04-15 2020-04-22
3.5
None Remote Medium ??? None Partial None
The Search parameter of the Software Catalogue section of Matrix42 Workspace Management 9.1.2.2765 and below accepts unfiltered parameters that lead to multiple reflected XSS issues.
3011 CVE-2019-19389 74 Http R.Spl. 2019-12-26 2020-08-24
3.5
None Remote Medium ??? None Partial None
JetBrains Ktor framework before version 1.2.6 was vulnerable to HTTP Response Splitting.
3012 CVE-2019-19311 79 XSS 2020-01-03 2020-01-09
3.5
None Remote Medium ??? None Partial None
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields.
3013 CVE-2019-19306 79 XSS 2019-11-26 2020-10-29
3.5
None Remote Medium ??? None Partial None
The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName.
3014 CVE-2019-19294 79 Exec Code XSS 2020-03-10 2021-04-22
3.5
None Remote Medium ??? None Partial None
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains multiple stored Cross-site Scripting (XSS) vulnerabilities in several input fields. This could allow an authenticated remote attacker to inject malicious JavaScript code into the CCS web application that is later executed in the browser context of any other user who views the relevant CCS web content.
3015 CVE-2019-19291 313 2020-03-10 2021-04-22
3.5
None Remote Medium ??? Partial None None
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0). The FTP services of the SiVMS/SiNVR Video Server and the Control Center Server (CCS) maintain log files that store login credentials in cleartext. In configurations where the FTP service is enabled, authenticated remote attackers could extract login credentials of other users of the service.
3016 CVE-2019-19285 79 XSS 2020-12-14 2021-10-29
3.5
None Remote Medium ??? None Partial None
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow injections that could lead to XSS attacks if unsuspecting users are tricked into accessing a malicious link.
3017 CVE-2019-19284 79 XSS 2020-12-14 2020-12-15
3.5
None Remote Medium ??? None Partial None
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.
3018 CVE-2019-19266 79 XSS 2020-01-06 2020-01-08
3.5
None Remote Medium ??? None Partial None
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects.
3019 CVE-2019-19222 79 XSS 2020-03-04 2020-03-05
3.5
None Remote Medium ??? None Partial None
A Stored XSS issue in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an authenticated attacker to inject arbitrary JavaScript code into the info.html administration page by sending a crafted Forms/wireless_autonetwork_1 POST request.
3020 CVE-2019-19210 79 XSS 2020-03-16 2020-03-18
3.5
None Remote Medium ??? None Partial None
Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.
3021 CVE-2019-19206 79 XSS 2019-11-26 2019-12-10
3.5
None Remote Medium ??? None Partial None
Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture.
3022 CVE-2019-19198 79 XSS 2019-12-12 2020-03-19
3.5
None Remote Medium ??? None Partial None
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.
3023 CVE-2019-19196 120 DoS Overflow 2020-02-12 2020-02-25
3.3
None Local Network Low Not required None None Partial
The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices accepts a pairing request with a key size greater than 16 bytes, allowing an attacker in radio range to cause a buffer overflow and denial of service (crash) via crafted packets.
3024 CVE-2019-19192 20 2020-02-12 2020-02-26
3.3
None Local Network Low Not required None None Partial
The Bluetooth Low Energy implementation on STMicroelectronics BLE Stack through 1.3.1 for STM32WB5x devices does not properly handle consecutive Attribute Protocol (ATT) requests on reception, allowing attackers in radio range to cause an event deadlock or crash via crafted packets.
3025 CVE-2019-19150 532 2019-12-23 2019-12-30
3.5
None Remote Medium ??? Partial None None
On versions 15.0.0-15.0.1.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, the BIG-IP APM system logs the client-session-id when a per-session policy is attached to the virtual server with debug logging enabled.
3026 CVE-2019-19110 79 XSS 2020-06-15 2020-06-15
3.5
None Remote Medium ??? None Partial None
The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases s parameter.
3027 CVE-2019-19100 2020-04-29 2021-09-14
3.6
None Local Low Not required None Partial Partial
A privilege escalation vulnerability in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.4SP, <. 4.6.3SP, < 4.7.2 and < 4.8.1 allow authenticated users to delete arbitrary files via an exposed interface.
3028 CVE-2019-19096 522 2020-04-02 2020-04-03
3.6
None Local Low Not required Partial Partial None
The Redis data structure component used in ABB eSOMS versions 6.0 to 6.0.2 stores credentials in clear text. If an attacker has file system access, this can potentially compromise the credentials' confidentiality.
3029 CVE-2019-19095 79 XSS 2020-04-02 2020-04-03
3.5
None Remote Medium ??? None Partial None
Lack of adequate input/output validation for ABB eSOMS versions 4.0 to 6.0.2 might allow an attacker to attack such as stored cross-site scripting by storing malicious content in the database.
3030 CVE-2019-19092 306 2020-04-02 2020-04-03
3.5
None Remote Medium ??? Partial None None
ABB eSOMS versions 4.0 to 6.0.3 use ASP.NET Viewstate without Message Authentication Code (MAC). Alterations to Viewstate might thus not be noticed.
3031 CVE-2019-19090 311 2020-04-02 2020-04-03
3.5
None Remote Medium ??? Partial None None
For ABB eSOMS versions 4.0 to 6.0.2, the Secure Flag is not set in the HTTP response header. Unencrypted connections might access the cookie information, thus making it susceptible to eavesdropping.
3032 CVE-2019-19085 79 XSS 2019-11-18 2019-11-20
3.5
None Remote Medium ??? None Partial None
A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML.
3033 CVE-2019-19002 79 XSS 2020-04-02 2020-04-03
3.5
None Remote Medium ??? None Partial None
For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browser not supporting Content Security Policy, this might increase the risk of Cross Site Scripting.
3034 CVE-2019-18994 20 DoS 2019-12-18 2019-12-31
3.5
None Remote Medium ??? None None Partial
Due to a lack of file length check, the HMIStudio component of ABB PB610 Panel Builder 600 versions 2.8.0.424 and earlier crashes when trying to load an empty *.JPR application file. An attacker with access to the file system might be able to cause application malfunction such as denial of service.
3035 CVE-2019-18993 79 XSS 2019-12-03 2019-12-16
3.5
None Remote Medium ??? None Partial None
OpenWrt 18.06.4 allows XSS via the "New port forward" Name field to the cgi-bin/luci/admin/network/firewall/forwards URI (this can occur, for example, on a TP-Link Archer C7 device).
3036 CVE-2019-18992 79 XSS 2019-12-03 2019-12-16
3.5
None Remote Medium ??? None Partial None
OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device).
3037 CVE-2019-18946 384 2021-02-26 2021-03-01
3.8
None Local Network Medium ??? Partial Partial None
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation.
3038 CVE-2019-18845 269 +Priv 2019-11-09 2020-03-18
3.6
None Local Low Not required Partial Partial None
The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB before 1.1 allow local users (including low integrity processes) to read and write to arbitrary memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, by mapping \Device\PhysicalMemory into the calling process via ZwOpenSection and ZwMapViewOfSection.
3039 CVE-2019-18831 798 2019-12-16 2020-08-24
3.5
None Remote Medium ??? Partial None None
Barco ClickShare Button R9861500D01 devices before 1.9.0 allow Information Exposure. The encrypted ClickShare Button firmware contains the private key of a test device-certificate.
3040 CVE-2019-18791 79 XSS 2020-02-13 2020-02-20
3.5
None Remote Medium ??? None Partial None
Lexmark printer MS812 and multiple older generation Lexmark devices have a stored XSS vulnerability in the embedded web server. The vulnerability can be exploited to expose session credentials and other information via the users web browser.
3041 CVE-2019-18664 79 XSS 2019-11-02 2019-11-04
3.5
None Remote Medium ??? None Partial None
The Log module in SECUDOS DOMOS before 5.6 allows XSS.
3042 CVE-2019-18649 79 XSS 2019-11-14 2019-11-14
3.5
None Remote Medium ??? None Partial None
When logged in as an admin user, the Title input field (under Reports) within Untangle NG firewall 14.2.0 is vulnerable to stored XSS.
3043 CVE-2019-18648 79 XSS 2019-11-14 2019-11-14
3.5
None Remote Medium ??? None Partial None
When logged in as an admin user, the Untangle NG firewall 14.2.0 is vulnerable to reflected XSS at multiple places and specific user input fields.
3044 CVE-2019-18636 79 XSS 2019-11-01 2019-11-04
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in Jitbit .NET Forum (aka ASP.NET forum) 8.3.8 allows remote attackers to inject arbitrary web script or HTML via the gravatar URL parameter.
3045 CVE-2019-18618 2020-07-22 2020-07-30
3.6
None Local Low Not required Partial Partial None
Incorrect access control in the firmware of Synaptics VFS75xx family fingerprint sensors that include external flash (all versions prior to 2019-11-15) allows a local administrator or physical attacker to compromise the confidentiality of sensor data via injection of an unverified partition table.
3046 CVE-2019-18615 522 2019-12-19 2021-07-21
3.5
None Remote Medium ??? Partial None None
In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user passwords in plain text for certain API calls, potentially leading to user password exposure. This only affects CVP environments where: 1. Devices have enable mode passwords which are different from the user's login password, OR 2. There are configlet builders that use the Device class and specify username and password explicitly Application logs are not accessible or visible from the CVP GUI. Application logs can only be read by authorized users with privileged access to the VM hosting the CVP application.
3047 CVE-2019-18588 79 XSS 2020-01-10 2020-01-22
3.5
None Remote Medium ??? None Partial None
Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject javascript code and affect other authenticated users' sessions.
3048 CVE-2019-18574 79 Exec Code XSS 2019-12-03 2019-12-10
3.5
None Remote Medium ??? None Partial None
RSA Authentication Manager software versions prior to 8.4 P8 contain a stored cross-site scripting vulnerability in the Security Console. A malicious Security Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface which could then be included in a report. When other Security Console administrators open the affected report, the injected scripts could potentially be executed in their browser.
3049 CVE-2019-18571 79 Exec Code XSS 2019-12-18 2020-08-31
3.5
None Remote Medium ??? None Partial None
The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a reflected cross-site scripting vulnerability in the My Access Live module [MAL]. An authenticated malicious local user could potentially exploit this vulnerability by sending crafted URL with scripts. When victim users access the module through their browsers, the malicious code gets injected and executed by the web browser in the context of the vulnerable web application.
3050 CVE-2019-18567 125 DoS 2020-02-03 2021-11-03
3.3
None Local Medium Not required Partial None Partial
Bromium client version 4.0.3.2060 and prior to 4.1.7 Update 1 has an out of bound read results in race condition causing Kernel memory leaks or denial of service.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.