CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
3301 CVE-2019-12203 384 2019-09-25 2019-09-27
3.7
None Local High Not required Partial Partial Partial
SilverStripe through 4.3.3 allows session fixation in the "change password" form.
3302 CVE-2019-12195 79 XSS 2019-05-24 2019-05-29
3.5
None Remote Medium ??? None Partial None
TP-Link TL-WR840N v5 00000005 devices allow XSS via the network name. The attacker must log into the router by breaking the password and going to the admin login page by THC-HYDRA to get the network name. With an XSS payload, the network name changed automatically and the internet connection was disconnected. All the users become disconnected from the internet.
3303 CVE-2019-12190 79 XSS 2019-05-21 2019-05-21
3.5
None Remote Medium ??? None Partial None
XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.747 via the testacc/fileManager2.php fm_current_dir or filename parameter.
3304 CVE-2019-12186 79 XSS 2019-12-31 2020-01-08
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Sylius products. Missing input sanitization in sylius/sylius 1.0.x through 1.0.18, 1.1.x through 1.1.17, 1.2.x through 1.2.16, 1.3.x through 1.3.11, and 1.4.x through 1.4.3 and sylius/grid 1.0.x through 1.0.18, 1.1.x through 1.1.18, 1.2.x through 1.2.17, 1.3.x through 1.3.12, 1.4.x through 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the "string" field type. The contents are an object, with malicious code returned by the __toString() method of that object.
3305 CVE-2019-12184 79 XSS 2019-05-19 2019-05-20
3.5
None Remote Medium ??? None Partial None
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
3306 CVE-2019-12136 79 XSS 2019-05-16 2019-05-16
3.5
None Remote Medium ??? None Partial None
There is XSS in BoostIO Boostnote 0.11.15 via a label named mermaid, as demonstrated by a crafted SRC attribute of an IFRAME element.
3307 CVE-2019-11878 190 Overflow 2019-05-10 2019-05-13
3.3
None Local Network Low Not required None None Partial
An issue was discovered on XiongMai Besder IP20H1 V4.02.R12.00035520.12012.047500.00200 cameras. An attacker on the same local network as the camera can craft a message with a size field larger than 0x80000000 and send it to the camera, related to an integer overflow or use of a negative number. This then crashes the camera for about 120 seconds.
3308 CVE-2019-11871 79 XSS 2019-05-10 2019-06-17
3.5
None Remote Medium ??? None Partial None
The Custom Field Suite plugin before 2.5.15 for WordPress has XSS for editors or admins.
3309 CVE-2019-11828 79 XSS 2019-06-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
3310 CVE-2019-11827 79 XSS 2019-06-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.
3311 CVE-2019-11825 79 XSS 2019-06-30 2021-05-12
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
3312 CVE-2019-11656 79 XSS 2019-10-04 2019-10-08
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability in Micro Focus ArcSight Logger, affects versions prior to Logger 6.7.1 HotFix 6.7.1.8262.0. This vulnerability could allow Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
3313 CVE-2019-11649 79 Exec Code XSS 2019-06-19 2021-05-12
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting vulnerability in Micro Focus Fortify Software Security Center Server, versions 17.2, 18.1, 18.2, has been identified in Micro Focus Software Security Center. The vulnerability could be exploited to execute JavaScript code in user’s browser. The vulnerability could be exploited to execute JavaScript code in user’s browser.
3314 CVE-2019-11548 79 XSS 2019-09-09 2019-09-10
3.5
None Remote Medium ??? None Partial None
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint.
3315 CVE-2019-11546 362 2019-09-09 2019-09-10
3.5
None Remote Medium ??? None Partial None
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has a Race Condition which could allow users to approve a merge request multiple times and potentially reach the approval count required to merge.
3316 CVE-2019-11522 79 XSS 2019-08-20 2019-08-23
3.5
None Remote Medium ??? None Partial None
OX App Suite 7.10.0 to 7.10.2 allows XSS.
3317 CVE-2019-11513 79 XSS 2019-04-25 2019-04-27
3.5
None Remote Medium ??? None Partial None
The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.
3318 CVE-2019-11504 79 XSS 2019-04-24 2019-05-06
3.5
None Remote Medium ??? None Partial None
Zotonic before version 0.47 has mod_admin XSS.
3319 CVE-2019-11429 79 XSS 2019-05-13 2019-05-15
3.5
None Remote Medium ??? None Partial None
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen.
3320 CVE-2019-11370 79 XSS 2019-06-03 2019-06-04
3.5
None Remote Medium ??? None Partial None
Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" field.
3321 CVE-2019-11368 79 XSS 2019-06-03 2019-06-05
3.5
None Remote Medium ??? None Partial None
Stored XSS was discovered in AUO Solar Data Recorder before 1.3.0 via the protect/config.htm addr parameter.
3322 CVE-2019-11360 119 Exec Code Overflow 2019-07-12 2021-07-21
3.5
None Remote Medium ??? None None Partial
A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
3323 CVE-2019-11318 79 XSS 2020-01-27 2020-01-28
3.5
None Remote Medium ??? None Partial None
Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS.
3324 CVE-2019-11293 532 2019-12-06 2019-12-12
3.5
None Remote Medium ??? Partial None None
Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters.
3325 CVE-2019-11291 79 XSS 2019-11-22 2020-02-19
3.5
None Remote Medium ??? None Partial None
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
3326 CVE-2019-11281 79 XSS 2019-10-16 2021-07-19
3.5
None Remote Medium ??? None Partial None
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
3327 CVE-2019-11250 532 2019-08-29 2020-10-16
3.5
None Remote Medium ??? Partial None None
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
3328 CVE-2019-11230 59 2019-07-18 2019-07-24
3.6
None Local Low Not required None Partial Partial
In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\Update.log file with a symlink. The next time the product attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename a critical product file (e.g., AvastSvc.exe), causing the product to fail to start on the next system restart.
3329 CVE-2019-11226 79 XSS 2019-06-05 2019-06-05
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.
3330 CVE-2019-11212 79 XSS 2019-10-09 2019-10-10
3.5
None Remote Medium ??? None Partial None
The MDM server component of TIBCO Software Inc's TIBCO MDM contains multiple vulnerabilities that theoretically allow an authenticated user with specific roles to perform cross-site scripting (XSS) attacks. This issue affects TIBCO Software Inc.'s TIBCO MDM version 9.0.1 and prior versions; version 9.1.0.
3331 CVE-2019-11199 79 XSS 2019-07-29 2019-08-05
3.5
None Remote Medium ??? None Partial None
Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and would display the content within the uploaded file with a user-requested MIME type.
3332 CVE-2019-11173 384 DoS 2019-11-14 2021-07-21
3.6
None Local Low Not required Partial None Partial
Insufficient session validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via local access.
3333 CVE-2019-11155 276 DoS 2019-11-14 2021-07-21
3.6
None Local Low Not required Partial None Partial
Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.
3334 CVE-2019-11154 269 DoS 2019-11-14 2021-07-21
3.6
None Local Low Not required Partial None Partial
Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.
3335 CVE-2019-11092 522 2019-06-13 2020-08-24
3.6
None Local Low Not required Partial Partial None
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
3336 CVE-2019-11025 79 XSS 2019-04-08 2019-04-16
3.5
None Remote Medium ??? None Partial None
In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
3337 CVE-2019-11017 79 XSS 2019-04-18 2021-04-23
3.5
None Remote Medium ??? None Partial None
On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vulnerabilities were found in the Web Configuration: /spap.htm, /smap.htm, and /cgi-bin/smap, as demonstrated by the cgi-bin/smap RC parameter.
3338 CVE-2019-10988 2019-09-04 2020-10-02
3.6
None Local Low Not required Partial Partial None
In Philips HDI 4000 Ultrasound Systems, all versions running on old, unsupported operating systems such as Windows 2000, the HDI 4000 Ultrasound System is built on an old operating system that is no longer supported. Thus, any unmitigated vulnerability in the old operating system could be exploited to affect this product.
3339 CVE-2019-10975 125 2019-07-02 2019-10-09
3.3
None Local Medium Not required Partial None Partial
An out-of-bounds read vulnerability has been identified in Fuji Electric Alpha7 PC Loader Versions 1.1 and prior, which may crash the system.
3340 CVE-2019-10974 787 2019-07-26 2021-10-28
3.6
None Local Low Not required None Partial Partial
NREL EnergyPlus, Versions 8.6.0 and possibly prior versions, The application fails to prevent an exception handler from being overwritten with arbitrary code.
3341 CVE-2019-10957 79 Exec Code XSS 2020-01-17 2020-02-10
3.5
None Remote Medium ??? None Partial None
Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to event configuration to store malicious code on the server, which could later be triggered by a legitimate user resulting in code execution within the user’s browser.
3342 CVE-2019-10909 79 XSS 2019-05-16 2021-04-20
3.5
None Remote Medium ??? None Partial None
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
3343 CVE-2019-10893 79 XSS 2019-04-18 2019-05-02
3.5
None Remote Medium ??? None Partial None
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute.
3344 CVE-2019-10756 79 XSS 2019-10-08 2019-10-17
3.5
None Remote Medium ??? None Partial None
It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.
3345 CVE-2019-10715 79 XSS 2019-10-21 2019-10-21
3.5
None Remote Medium ??? None Partial None
There is Stored XSS in Verodin Director 3.5.3.0 and earlier via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages.
3346 CVE-2019-10689 287 +Info 2019-06-24 2019-06-27
3.3
None Local Network Low Not required Partial None None
VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information.
3347 CVE-2019-10634 79 XSS 2019-04-09 2019-04-09
3.5
None Remote Medium ??? None Partial None
An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields.
3348 CVE-2019-10625 125 2020-04-16 2020-04-21
3.6
None Local Low Not required Partial None Partial
Out of bound access in diag services when DCI command buffer reallocation is not done properly with required capacity in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCS605, Rennell, SC8180X, SDM429W, SDM710, SDX55, SM7150, SM8150
3349 CVE-2019-10623 190 Overflow 2020-04-16 2020-08-24
3.6
None Local Low Not required Partial None Partial
Possible integer overflow can happen in host driver while processing user controlled string due to improper validation on data received. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in QCN7605, QCS605, Rennell, SC8180X, SDA845, SDM710, SDX24, SDX55, SM7150, SM8150, SM8250, SXR2130
3350 CVE-2019-10622 125 2020-04-16 2020-04-22
3.6
None Local Low Not required Partial None Partial
Out of bound memory access can happen while parsing ADSP message due to lack of check of size of payload received from userspace in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8096AU, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCN7605, QCS605, SC8180X, SDM710, SDX24, SDX55, SM8150, SM8250, SXR2130
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.