CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3051 | CVE-2019-18273 | 79 | | XSS | 2020-01-15 | 2020-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced. |
| 3052 | CVE-2019-18267 | 79 | | Exec Code XSS CSRF | 2019-12-18 | 2020-01-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary Javascript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site scripting vulnerability that may allow session hijacking, disclosure of sensitive data, cross-site request forgery (CSRF) attacks, and remote code execution. |
| 3053 | CVE-2019-18263 | 326 | | | 2019-12-20 | 2020-01-10 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | An issue was found in Philips Veradius Unity, Pulsera, and Endura Dual WAN Router, Veradius Unity (718132) with wireless option (shipped between 2016-August 2018), Veradius Unity (718132) with ViewForum option (shipped between 2016-August 2018), Pulsera (718095) and Endura (718075) with wireless option (shipped between 26-June-2017 through 07-August 2018), Pulsera (718095) and Endura (718075) with ViewForum option (shipped between 26-June-2017 through 07-August 2018). The router software uses an encryption scheme that is not strong enough for the level of protection required. |
| 3054 | CVE-2019-18252 | 287 | | | 2020-06-29 | 2021-04-06 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure. |
| 3055 | CVE-2019-18248 | 319 | | | 2020-06-29 | 2021-04-06 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | BIOTRONIK CardioMessenger II, The affected products transmit credentials in clear-text prior to switching to an encrypted communication channel. An attacker can disclose the product’s client credentials for connecting to the BIOTRONIK Remote Communication infrastructure. |
| 3056 | CVE-2019-18246 | 287 | | | 2020-06-29 | 2021-04-06 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | BIOTRONIK CardioMessenger II, The affected products do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure. |
| 3057 | CVE-2019-18241 | 326 | | | 2019-11-26 | 2019-12-18 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all versions, and IntelliBridge EC80 Hub all versions, the SSH server running on the affected products is configured to allow weak ciphers. This could enable an unauthorized attacker with access to the network to capture and replay the session and gain unauthorized access to the EC40/80 hub. |
| 3058 | CVE-2019-18223 | 79 | | XSS | 2020-04-27 | 2021-08-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | ZOOM International Call Recording 6.3.1 suffers from multiple authenticated stored XSS vulnerabilities via the phoneNumber field in the (1) User Edit or (2) User Add form, (3) name field in the Role Add form, (4) name or number field in the Edit Group form, (5) tagKey or tagValue field in the Recording Rules Configuration, or (6) txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config. |
| 3059 | CVE-2019-18210 | 79 | | XSS | 2020-02-11 | 2020-02-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug." |
| 3060 | CVE-2019-18207 | 79 | | XSS | 2019-10-30 | 2019-11-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In Zucchetti InfoBusiness before and including 4.4.1, an authenticated user can inject client-side code due to improper validation of the Title field in the InfoBusiness Web Component. The payload will be triggered every time a user browses the reports page. |
| 3061 | CVE-2019-17674 | 79 | | XSS | 2019-10-17 | 2020-01-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. |
| 3062 | CVE-2019-17667 | 79 | | XSS | 2019-10-17 | 2020-01-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field. |
| 3063 | CVE-2019-17651 | 79 | | XSS | 2020-01-28 | 2020-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule. |
| 3064 | CVE-2019-17630 | 79 | | XSS | 2019-10-16 | 2019-10-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen. |
| 3065 | CVE-2019-17629 | 79 | | XSS | 2019-10-16 | 2019-10-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen. |
| 3066 | CVE-2019-17627 | 287 | | | 2019-10-16 | 2019-10-18 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | The Yale Bluetooth Key application for mobile devices allows unauthorized unlock actions by sniffing Bluetooth Low Energy (BLE) traffic during one authorized unlock action, and then calculating the authentication key via simple computations on the hex digits of a valid authentication request. This affects the Yale ZEN-R lock and unspecified other locks. |
| 3067 | CVE-2019-17578 | 79 | | XSS | 2019-10-16 | 2019-10-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field. |
| 3068 | CVE-2019-17577 | 79 | | XSS | 2019-10-16 | 2019-10-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field. |
| 3069 | CVE-2019-17576 | 79 | | XSS | 2019-10-16 | 2019-10-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field. |
| 3070 | CVE-2019-17557 | 79 | | Exec Code XSS | 2020-05-04 | 2020-05-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | It was found that the Apache Syncope EndUser UI login page prior to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string. |
| 3071 | CVE-2019-17524 | 79 | | XSS | 2019-11-13 | 2019-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows remote attackers to inject arbitrary web script via the "Connected Clients" field to /wlanAccess.asp. An intranet host can use a crafted hostname to exploit this. |
| 3072 | CVE-2019-17523 | 79 | | XSS | 2019-11-13 | 2019-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows remote attackers to inject arbitrary web script via the FileName parameter to /FTPDiag.asp. |
| 3073 | CVE-2019-17522 | 79 | | XSS | 2019-10-12 | 2019-10-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored XSS vulnerability was discovered in Hotaru CMS v1.7.2 via the admin_index.php?page=settings SITE NAME field (aka SITE_NAME), a related issue to CVE-2011-4709.1. |
| 3074 | CVE-2019-17434 | 79 | | XSS | 2019-10-10 | 2019-10-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. |
| 3075 | CVE-2019-17433 | 79 | | XSS | 2019-10-10 | 2019-10-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen. |
| 3076 | CVE-2019-17417 | 79 | | XSS | 2019-10-10 | 2019-10-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p=/Single/index/mcode/1 and Pboot/?contact/ URIs. |
| 3077 | CVE-2019-17356 | 326 | | | 2019-10-15 | 2021-07-21 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network. |
| 3078 | CVE-2019-17338 | 79 | | XSS | 2020-01-28 | 2020-02-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The user interface component of TIBCO Software Inc.'s TIBCO Patterns - Search contains multiple vulnerabilities that theoretically allow authenticated users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Patterns - Search: versions 5.4.0 and below. |
| 3079 | CVE-2019-17333 | 79 | | XSS | 2020-02-19 | 2020-02-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Web server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.1.fixS and below, versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, and 5.9.7. |
| 3080 | CVE-2019-17331 | 79 | | XSS | 2019-11-12 | 2019-11-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Data Exchange Web Interface component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions up to and including 3.20.13, version 4.1.0. |
| 3081 | CVE-2019-17276 | 79 | | XSS | 2020-03-24 | 2020-03-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | OnCommand System Manager versions 9.3 prior to 9.3P18 and 9.4 prior to 9.4P2 are susceptible to a cross site scripting vulnerability that could allow an authenticated attacker to inject arbitrary scripts into the SNMP Community Names label field. |
| 3082 | CVE-2019-17273 | 20 | | DoS | 2020-01-30 | 2021-07-21 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | E-Series SANtricity OS Controller Software version 11.60.0 is susceptible to a vulnerability which allows an attacker to cause a Denial of Service (DoS) in IPv6 environments. |
| 3083 | CVE-2019-17226 | 79 | | XSS | 2019-10-06 | 2019-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Module Manager > Search Term field. |
| 3084 | CVE-2019-17225 | 79 | | XSS | 2019-10-06 | 2019-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue. |
| 3085 | CVE-2019-17207 | 79 | | XSS | 2019-10-18 | 2019-10-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker (aka Broken Link Checker) plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the wp-admin/tools.php?page=view-broken-links s_filter parameter in a search action. |
| 3086 | CVE-2019-17204 | 79 | | XSS | 2019-10-05 | 2019-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | TeamPass 2.1.27.36 allows Stored XSS by setting a crafted Knowledge Base label and adding any available item. |
| 3087 | CVE-2019-17203 | 79 | | XSS | 2019-10-05 | 2019-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a crafted password for an item in any folder. |
| 3088 | CVE-2019-17189 | 79 | | XSS | 2019-10-22 | 2019-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | totemodata 3.0.0_b936 has XSS via a folder name. |
| 3089 | CVE-2019-17121 | 79 | | XSS | 2019-10-04 | 2019-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values. |
| 3090 | CVE-2019-17098 | 798 | | | 2020-09-30 | 2020-10-08 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior versions on Android. August Connect Firmware version 2.2.12 and prior versions. |
| 3091 | CVE-2019-17074 | 79 | | XSS | 2019-10-01 | 2019-10-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in XunRuiCMS 4.3.1. There is a stored XSS in the module_category area. |
| 3092 | CVE-2019-17045 | 79 | | XSS | 2019-09-30 | 2019-10-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Ilch 2.1.22 allows stored XSS via the title, text, or email id to the Jobs Tab. |
| 3093 | CVE-2019-16962 | 74 | | | 2021-01-06 | 2021-07-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report. |
| 3094 | CVE-2019-16961 | 79 | | XSS | 2021-01-15 | 2021-01-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name. |
| 3095 | CVE-2019-16960 | 79 | | XSS | 2021-01-04 | 2021-01-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. |
| 3096 | CVE-2019-16958 | 79 | | XSS | 2020-12-01 | 2020-12-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows attacker to inject arbitrary web script or HTML via Location Name. |
| 3097 | CVE-2019-16957 | 79 | | XSS | 2020-12-18 | 2020-12-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account. |
| 3098 | CVE-2019-16956 | 79 | | XSS | 2021-01-04 | 2021-01-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket. |
| 3099 | CVE-2019-16955 | 79 | | XSS | 2020-12-18 | 2020-12-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request. |
| 3100 | CVE-2019-16924 | 319 | | | 2019-09-27 | 2019-10-04 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock. |