CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.

3101 | CVE-2019-17074 | 79 | | XSS | 2019-10-01 | 2019-10-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    An issue was discovered in XunRuiCMS 4.3.1. There is a stored XSS in the module_category area.
3102 | CVE-2019-17045 | 79 | | XSS | 2019-09-30 | 2019-10-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Ilch 2.1.22 allows stored XSS via the title, text, or email id to the Jobs Tab.
3103 | CVE-2019-16962 | 74 | | | 2021-01-06 | 2021-07-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report.
3104 | CVE-2019-16961 | 79 | | XSS | 2021-01-15 | 2021-01-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name.
3105 | CVE-2019-16960 | 79 | | XSS | 2021-01-04 | 2021-01-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field.
3106 | CVE-2019-16958 | 79 | | XSS | 2020-12-01 | 2020-12-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows an attacker to inject arbitrary web script or HTML via Location Name.
3107 | CVE-2019-16957 | 79 | | XSS | 2020-12-18 | 2020-12-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account.
3108 | CVE-2019-16956 | 79 | | XSS | 2021-01-04 | 2021-01-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket.
3109 | CVE-2019-16955 | 79 | | XSS | 2020-12-18 | 2020-12-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.
3110 | CVE-2019-16924 | 319 | | | 2019-09-27 | 2019-10-04 | 3.3 | None | Local Network | Low | Not required | Partial | None | None
    The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock.
3111 | CVE-2019-16904 | 79 | | XSS | 2019-09-26 | 2019-09-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.)
3112 | CVE-2019-16890 | 79 | | XSS | 2019-09-25 | 2019-09-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments.
3113 | CVE-2019-16878 | 79 | | XSS | 2019-11-07 | 2019-11-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Portainer before 1.22.1 has XSS (issue 2 of 2).
3114 | CVE-2019-16873 | 79 | | XSS | 2019-11-07 | 2019-11-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Portainer before 1.22.1 has XSS (issue 1 of 2).
3115 | CVE-2019-16781 | 79 | | Exec Code XSS | 2019-12-26 | 2020-01-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.
3116 | CVE-2019-16780 | 79 | | Exec Code XSS | 2019-12-26 | 2020-01-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
3117 | CVE-2019-16769 | 79 | | XSS | 2019-12-05 | 2020-01-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
3118 | CVE-2019-16704 | 79 | | XSS | 2019-09-23 | 2019-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS.
3119 | CVE-2019-16688 | 79 | | XSS | 2019-09-27 | 2019-09-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)
3120 | CVE-2019-16687 | 79 | | XSS | 2019-09-27 | 2019-09-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
3121 | CVE-2019-16686 | 79 | | XSS | 2019-09-27 | 2019-09-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.
3122 | CVE-2019-16685 | 79 | | XSS | 2019-09-27 | 2019-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.
3123 | CVE-2019-16684 | 79 | | XSS | 2019-09-30 | 2019-10-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    An issue was discovered in the image-manager in Xoops 2.5.10. When any image with a JavaScript payload as its name is hovered over in the list or in the Edit page, the payload executes.
3124 | CVE-2019-16683 | 79 | | XSS | 2019-09-30 | 2019-10-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes.
3125 | CVE-2019-16664 | 79 | | XSS | 2019-09-21 | 2019-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    An issue was discovered in ThinkSAAS 2.91. There is XSS via the index.php?app=group&ac=create&ts=do groupname parameter.
3126 | CVE-2019-16661 | 79 | | XSS | 2019-09-21 | 2019-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Ogma CMS 0.5 has XSS via creation of a new blog.
3127 | CVE-2019-16643 | 79 | | XSS | 2019-09-20 | 2019-09-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    An issue was discovered in ZrLog 2.1.1. There is a Stored XSS vulnerability in the article_edit area.
3128 | CVE-2019-16564 | 79 | | XSS | 2019-12-17 | 2019-12-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affect view content such as job display name or pipeline stage names.
3129 | CVE-2019-16563 | 79 | | XSS | 2019-12-17 | 2019-12-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.
3130 | CVE-2019-16562 | 79 | | XSS | 2019-12-17 | 2021-09-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.
3131 | CVE-2019-16524 | 79 | | XSS | 2019-09-26 | 2019-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    The easy-fancybox plugin before 1.8.18 for WordPress (aka Easy FancyBox) is susceptible to Stored XSS in the Settings Menu inc/class-easyfancybox.php due to improper encoding of arbitrarily submitted settings parameters. This occurs because there is no inline styles output filter.
3132 | CVE-2019-16523 | 79 | | XSS | 2019-10-16 | 2019-10-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map) provided by the plugin.
3133 | CVE-2019-16522 | 79 | | XSS | 2019-10-16 | 2019-10-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message. This affects Font Color, Background Color, and the Disable Cookie text. An attacker with high privileges can attack other users.
3134 | CVE-2019-16520 | 79 | | XSS | 2019-10-16 | 2019-10-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper encoding of the SEO-specific description for posts provided by the plugin via unsafe placeholder replacement.
3135 | CVE-2019-16518 | 668 | | | 2019-09-23 | 2019-09-23 | 3.3 | None | Local Network | Low | Not required | None | Partial | None
    An issue was discovered on Swell Kit Mod devices that use the Vandy Vape platform. An attacker may be able to trigger an unintended temperature in the victim's mouth and throat via Bluetooth Low Energy (BLE) packets that specify large power or voltage values.
3136 | CVE-2019-16512 | 79 | | XSS | 2020-01-23 | 2020-01-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier.
3137 | CVE-2019-16417 | 79 | | XSS | 2019-10-08 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    HRworks FLOW 3.36.9 allows XSS via the purpose of a travel-expense report.
3138 | CVE-2019-16416 | 79 | | XSS | 2019-10-08 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    HRworks 3.36.9 allows XSS via the purpose of a travel-expense report.
3139 | CVE-2019-16401 | | | +Info | 2019-11-06 | 2020-08-24 | 3.3 | None | Local Network | Low | Not required | Partial | None | None
    Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G955USQU5CRG3, Baseband Vendor: Qualcomm Snapdragon 835, Baseband: G955USQU5CRG3), Samsung Galaxy S3 (Android version: 4.3, Build Number: JSS15J.I9300XXUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: I9300XXUGNA8), and Samsung Galaxy Note 2 (Android version: 4.3, Build Number: JSS15J.I9300XUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: N7100DDUFND1) devices allow injection of AT+CIMI and AT+CGSN over Bluetooth, leaking sensitive information such as IMSI, IMEI, call status, call setup stage, internet service status, signal strength, current roaming status, battery level, and call held status.
3140 | CVE-2019-16400 | | | DoS | 2019-11-06 | 2020-08-24 | 3.3 | None | Local Network | Low | Not required | None | None | Partial
    Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G955USQU5CRG3, Baseband Vendor: Qualcomm Snapdragon 835, Baseband: G955USQU5CRG3), Samsung Galaxy S3 (Android version: 4.3, Build Number: JSS15J.I9300XXUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: I9300XXUGNA8), and Samsung Galaxy Note 2 (Android version: 4.3, Build Number: JSS15J.I9300XUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: N7100DDUFND1) devices allow attackers to send AT commands over Bluetooth, resulting in several Denial of Service (DoS) attacks.
3141 | CVE-2019-16375 | 79 | | Exec Code XSS | 2020-03-19 | 2020-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.
3142 | CVE-2019-16336 | 120 | | DoS | 2020-02-12 | 2020-04-13 | 3.3 | None | Local Network | Low | Not required | None | None | Partial
    The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE component 3.61 and earlier processes data channel frames with a payload length larger than the configured link layer maximum RX payload size, which allows attackers (in radio range) to cause a denial of service (crash) via a crafted BLE Link Layer frame.
3143 | CVE-2019-16334 | 79 | | XSS | 2019-09-15 | 2019-09-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636.
3144 | CVE-2019-16333 | 79 | | XSS | 2019-09-15 | 2019-09-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.
3145 | CVE-2019-16330 | 79 | | XSS | 2019-10-17 | 2019-10-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    In NCH Express Accounts Accounting v7.02, persistent cross site scripting (XSS) exists in Invoices/Sales Orders/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Sales Orders/Items/Customers/Quotes fields parameter to inject arbitrary JavaScript.
3146 | CVE-2019-16310 | 79 | | XSS | 2019-09-14 | 2019-09-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    NIUSHOP V1.11 has XSS via the index.php?s=/admin URI.
3147 | CVE-2019-16289 | 79 | | XSS | 2019-09-13 | 2019-09-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter.
3148 | CVE-2019-16282 | 79 | | XSS | 2019-10-14 | 2019-10-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    In NCH Express Invoice v7.12, persistent cross site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Items/Customers fields parameter to inject arbitrary JavaScript.
3149 | CVE-2019-16275 | 346 | | DoS | 2019-09-12 | 2020-08-24 | 3.3 | None | Local Network | Low | Not required | None | None | Partial
    hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range.
3150 | CVE-2019-16268 | 74 | | | 2021-02-03 | 2021-07-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.