CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
3151 CVE-2019-15614 79 XSS 2020-02-04 2020-02-12
3.5
None Remote Medium ??? None Partial None
Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files.
3152 CVE-2019-15612 384 2020-02-04 2020-03-24
3.2
None Local Low ??? Partial Partial None
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
3153 CVE-2019-15607 79 XSS 2020-01-28 2020-01-29
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability is present within node-red (version: <= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc.
3154 CVE-2019-15587 79 XSS 2019-10-22 2020-09-17
3.5
None Remote Medium ??? None Partial None
In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
3155 CVE-2019-15508 532 2019-08-23 2021-07-21
3.5
None Remote Medium ??? Partial None None
In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7.
3156 CVE-2019-15507 532 2019-08-23 2021-07-21
3.5
None Remote Medium ??? Partial None None
In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8.
3157 CVE-2019-15480 79 XSS 2019-08-23 2019-08-26
3.5
None Remote Medium ??? None Partial None
Domoticz 4.10717 has XSS via item.Name.
3158 CVE-2019-15317 79 XSS 2019-08-22 2019-08-26
3.5
None Remote Medium ??? None Partial None
The give plugin before 2.4.7 for WordPress has XSS via a donor name.
3159 CVE-2019-15314 79 Exec Code XSS 2019-08-22 2019-08-28
3.5
None Remote Medium ??? None Partial None
tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI.
3160 CVE-2019-15281 79 Exec Code XSS 2019-10-16 2019-10-22
3.5
None Remote Medium ??? None Partial None
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The attacker must have valid administrator credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a troubleshooting file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
3161 CVE-2019-15280 79 Exec Code XSS 2019-10-16 2019-10-22
3.5
None Remote Medium ??? None Partial None
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious code in certain sections of the interface that are visible to other users. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. An attacker would need valid administrator credentials to exploit this vulnerability.
3162 CVE-2019-15270 79 Exec Code XSS 2019-10-16 2019-10-22
3.5
None Remote Medium ??? None Partial None
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
3163 CVE-2019-15269 79 Exec Code XSS 2019-10-16 2019-10-22
3.5
None Remote Medium ??? None Partial None
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
3164 CVE-2019-15268 79 Exec Code XSS 2019-10-16 2019-10-22
3.5
None Remote Medium ??? None Partial None
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
3165 CVE-2019-15253 79 Exec Code XSS 2020-02-05 2020-05-12
3.5
None Remote Medium ??? None Partial None
A vulnerability in the web-based management interface of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs administrator credentials. This vulnerability affects Cisco DNA Center Software releases earlier than 1.3.0.6 and 1.3.1.4.
3166 CVE-2019-15230 79 XSS 2019-08-28 2019-08-30
3.5
None Remote Medium ??? None Partial None
LibreNMS v1.54 has XSS in the Create User, Inventory, Add Device, Notifications, Alert Rule, Create Maintenance, and Alert Template sections of the admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account.
3167 CVE-2019-15228 79 XSS 2019-08-20 2019-08-26
3.5
None Remote Medium ??? None Partial None
FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
3168 CVE-2019-15127 79 XSS 2019-08-21 2019-08-23
3.5
None Remote Medium ??? None Partial None
REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
3169 CVE-2019-15108 79 XSS 2019-08-16 2019-10-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component.
3170 CVE-2019-15081 79 XSS 2019-08-15 2019-09-02
3.5
None Remote Medium ??? None Partial None
OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.
3171 CVE-2019-15031 200 +Info 2019-09-13 2021-07-21
3.6
None Local Low Not required Partial None Partial
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c.
3172 CVE-2019-15030 862 2019-09-13 2020-08-24
3.6
None Local Low Not required Partial None Partial
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.
3173 CVE-2019-15007 79 XSS 2019-12-11 2019-12-12
3.5
None Remote Medium ??? None Partial None
The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.
3174 CVE-2019-14987 79 XSS 2019-08-13 2019-08-15
3.5
None Remote Medium ??? None Partial None
Adive Framework through 2.0.7 is affected by XSS in the Create New Table and Create New Navigation Link functions.
3175 CVE-2019-14948 79 XSS 2019-08-12 2019-08-21
3.5
None Remote Medium ??? None Partial None
The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure.
3176 CVE-2019-14947 79 XSS 2019-08-12 2019-08-14
3.5
None Remote Medium ??? None Partial None
The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.
3177 CVE-2019-14946 79 XSS 2019-08-12 2019-08-14
3.5
None Remote Medium ??? None Partial None
The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.
3178 CVE-2019-14945 79 XSS 2019-08-12 2019-08-14
3.5
None Remote Medium ??? None Partial None
The ultimate-member plugin before 2.0.54 for WordPress has XSS.
3179 CVE-2019-14928 79 XSS 2019-10-28 2019-10-30
3.5
None Remote Medium ??? None Partial None
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A number of stored cross-site script (XSS) vulnerabilities allow an attacker to inject malicious code directly into the application. An example input variable vulnerable to stored XSS is SerialInitialModemString in the index.php page.
3180 CVE-2019-14918 79 Exec Code XSS 2020-01-09 2020-01-21
3.5
None Remote Medium ??? None Partial None
XSS in the DHCP lease-status table in Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an attacker to inject arbitrary HTML/JavaScript code to achieve client-side code execution via crafted DHCP request packets to etc_ro/web/internet/dhcpcliinfo.asp.
3181 CVE-2019-14913 79 XSS 2019-09-20 2019-09-23
3.5
None Remote Medium ??? None Partial None
An issue was discovered in PRiSE adAS 1.7.0. Log data are not properly escaped, leading to persistent XSS in the administration panel.
3182 CVE-2019-14861 276 2019-12-10 2021-05-29
3.5
None Remote Medium ??? None None Partial
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS. If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer.
3183 CVE-2019-14851 617 DoS 2021-03-18 2021-03-25
3.5
None Remote Medium ??? None None Partial
A denial of service vulnerability was discovered in nbdkit. A client issuing a certain sequence of commands could possibly trigger an assertion failure, causing nbdkit to exit. This issue only affected nbdkit versions 1.12.7, 1.14.1, and 1.15.1.
3184 CVE-2019-14849 79 XSS 2019-12-12 2019-12-17
3.5
None Remote Medium ??? None Partial None
A vulnerability was found in 3scale before version 2.6: it did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
3185 CVE-2019-14824 732 2019-11-08 2020-12-04
3.5
None Remote Medium ??? Partial None None
A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.
3186 CVE-2019-14822 862 2019-11-25 2020-08-27
3.6
None Local Low Not required Partial Partial None
A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user.
3187 CVE-2019-14805 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium ??? None Partial None
studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the System Name field under Sets during set editing.
3188 CVE-2019-14804 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium ??? None Partial None
studio/polyglot.php?page=etemplates in UNA 10.0.0-RC1 allows XSS via the System Name field under Emails during template editing.
3189 CVE-2019-14797 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium ??? None Partial None
The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS.
3190 CVE-2019-14796 79 XSS 2019-08-09 2019-08-20
3.5
None Remote Medium ??? None Partial None
The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin 2.0 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=update_options show_products_page_limit parameter.
3191 CVE-2019-14795 79 XSS 2019-08-15 2019-08-21
3.5
None Remote Medium ??? None Partial None
The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter.
3192 CVE-2019-14792 79 XSS 2019-08-09 2019-08-14
3.5
None Remote Medium ??? None Partial None
The WP Google Maps plugin before 7.11.35 for WordPress allows XSS via the wp-admin/ rectangle_name or rectangle_opacity parameter.
3193 CVE-2019-14787 79 XSS 2019-08-09 2019-08-22
3.5
None Remote Medium ??? None Partial None
The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.
3194 CVE-2019-14785 79 XSS 2019-08-09 2019-08-15
3.5
None Remote Medium ??? None Partial None
The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter.
3195 CVE-2019-14748 79 XSS 2019-08-07 2019-08-14
3.5
None Remote Medium ??? None Partial None
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
3196 CVE-2019-14731 79 XSS 2019-08-07 2019-08-15
3.5
None Remote Medium ??? None Partial None
An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vulnerability that leads to the capture of other people's cookies via the Rich Text Box.
3197 CVE-2019-14680 352 CSRF 2019-08-08 2019-08-21
3.5
None Remote Medium ??? None Partial None
The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.
3198 CVE-2019-14672 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field. The JavaScript code is executed upon an error condition during a visit to the account show page.
3199 CVE-2019-14670 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill creation.
3200 CVE-2019-14669 79 Exec Code XSS 2019-08-05 2020-12-16
3.5
None Remote Medium ??? None Partial None
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the asset account name. The JavaScript code is executed during a visit to the audit account statistics page.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.