CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
3351 CVE-2019-10715 79 XSS 2019-10-21 2019-10-21
3.5
None Remote Medium ??? None Partial None
There is Stored XSS in Verodin Director 3.5.3.0 and earlier via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages.
3352 CVE-2019-10689 287 +Info 2019-06-24 2019-06-27
3.3
None Local Network Low Not required Partial None None
VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information.
3353 CVE-2019-10634 79 XSS 2019-04-09 2019-04-09
3.5
None Remote Medium ??? None Partial None
An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields.
3354 CVE-2019-10625 125 2020-04-16 2020-04-21
3.6
None Local Low Not required Partial None Partial
Out of bound access in diag services when DCI command buffer reallocation is not done properly with required capacity in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCS605, Rennell, SC8180X, SDM429W, SDM710, SDX55, SM7150, SM8150
3355 CVE-2019-10623 190 Overflow 2020-04-16 2020-08-24
3.6
None Local Low Not required Partial None Partial
Possible integer overflow can happen in host driver while processing user controlled string due to improper validation on data received. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in QCN7605, QCS605, Rennell, SC8180X, SDA845, SDM710, SDX24, SDX55, SM7150, SM8150, SM8250, SXR2130
3356 CVE-2019-10622 125 2020-04-16 2020-04-22
3.6
None Local Low Not required Partial None Partial
Out of bound memory access can happen while parsing ADSP message due to lack of check of size of payload received from userspace in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8096AU, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCN7605, QCS605, SC8180X, SDM710, SDX24, SDX55, SM8150, SM8250, SXR2130
3357 CVE-2019-10574 125 2020-04-16 2021-04-30
3.6
None Local Low Not required Partial None Partial
Lack of boundary checks for data offsets received from HLOS can lead to out-of-bound read in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCM2150, QCS605, QM215, Rennell, SC7180, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130
3358 CVE-2019-10432 79 XSS 2019-10-01 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.
3359 CVE-2019-10414 312 2019-09-25 2019-10-09
3.5
None Remote Medium ??? Partial None None
Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
3360 CVE-2019-10410 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.
3361 CVE-2019-10406 79 XSS 2019-09-25 2019-09-25
3.5
None Remote Medium ??? None Partial None
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
3362 CVE-2019-10404 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.
3363 CVE-2019-10403 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.
3364 CVE-2019-10402 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.
3365 CVE-2019-10401 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).
3366 CVE-2019-10396 79 XSS 2019-09-12 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins Dashboard View Plugin 2.11 and earlier did not escape build descriptions, resulting in a cross-site scripting vulnerability exploitable by users able to change build descriptions.
3367 CVE-2019-10395 79 XSS 2019-09-12 2019-10-09
3.5
None Remote Medium ??? None Partial None
Jenkins Build Environment Plugin 1.6 and earlier did not escape variables shown on its views, resulting in a cross-site scripting vulnerability in Jenkins 2.145, 2.138.1, or older, exploitable by users able to change various job/build properties.
3368 CVE-2019-10383 79 XSS 2019-08-28 2019-09-20
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
3369 CVE-2019-10374 79 XSS 2019-08-07 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.
3370 CVE-2019-10373 79 XSS 2019-08-07 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
3371 CVE-2019-10360 79 XSS 2019-07-31 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
3372 CVE-2019-10349 79 XSS 2019-07-11 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
3373 CVE-2019-10335 79 XSS 2019-06-11 2019-06-13
3.5
None Remote Medium ??? None Partial None
A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages.
3374 CVE-2019-10325 79 XSS 2019-05-31 2019-06-03
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attacker with Job/Configure permission to inject arbitrary JavaScript in build overview pages.
3375 CVE-2019-10300 352 CSRF 2019-04-18 2019-05-06
3.5
None Remote Medium ??? Partial None None
A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
3376 CVE-2019-10261 79 XSS 2019-04-03 2019-05-06
3.5
None Remote Medium ??? None Partial None
CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action.
3377 CVE-2019-10209 125 2019-10-29 2020-10-01
3.5
None Remote Medium ??? Partial None None
Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan.
3378 CVE-2019-10180 79 XSS 2020-03-31 2020-04-02
3.5
None Remote Medium ??? None Partial None
A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
3379 CVE-2019-10155 354 2019-06-12 2020-09-30
3.5
None Remote Medium ??? None None Partial
The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29.
3380 CVE-2019-10131 193 2019-04-30 2021-10-28
3.6
None Local Low Not required Partial None Partial
An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
3381 CVE-2019-10111 79 XSS 2019-05-15 2019-05-16
3.5
None Remote Medium ??? None Partial None
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page.
3382 CVE-2019-10107 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section.
3383 CVE-2019-10106 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.
3384 CVE-2019-10105 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.
3385 CVE-2019-10067 79 XSS 2019-05-22 2020-09-23
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.
3386 CVE-2019-10066 79 XSS 2019-05-22 2019-05-22
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS.
3387 CVE-2019-10047 79 Exec Code XSS 2019-05-31 2019-06-03
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by levering the file upload and file preview features of the application. An authenticated attacker can upload an HTML file containing JavaScript code and afterwards a file preview URL can be used to access the uploaded file. If a malicious user shares an uploaded HTML file containing JavaScript code with another user of the application, and tricks an authenticated victim into accessing a URL that results in the HTML code being interpreted by the web browser, then the included JavaScript code is executed under the context of the victim user session.
3388 CVE-2019-10027 79 XSS 2019-03-25 2019-03-26
3.5
None Remote Medium ??? None Partial None
PHPCMS 9.6.x through 9.6.3 has XSS via the mailbox (aka E-mail) field on the personal information screen.
3389 CVE-2019-10017 79 XSS 2019-03-24 2019-07-18
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.
3390 CVE-2019-9957 79 Exec Code XSS CSRF 2019-06-24 2019-06-27
3.5
None Remote Medium ??? None Partial None
Stored XSS within Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The XSS payload is stored by creating a new user account, and setting the username to an XSS payload. The stored payload can then be triggered by accessing the "Set Security Levels" or "View User/Group Relationships" page. If the attacker does not currently have permission to create a new user, another vulnerability such as CSRF must be exploited first.
3391 CVE-2019-9919 79 XSS 2019-03-29 2019-10-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to craft messages in a way that JavaScript gets executed on the side of the receiving user when the message is opened, aka XSS.
3392 CVE-2019-9862 311 2019-03-27 2020-08-24
3.3
None Local Network Low Not required Partial None None
An issue was discovered on ABUS Secvest wireless alarm system FUAA50000 3.01.01 in conjunction with Secvest remote control FUBE50014 or FUBE50015. Because "encrypted signal transmission" is missing, an attacker is able to eavesdrop sensitive data as cleartext (for instance, the current rolling code state).
3393 CVE-2019-9758 79 XSS 2019-10-29 2019-11-01
3.5
None Remote Medium ??? None Partial None
An issue was discovered in LabKey Server 19.1.0. The display name of a user is vulnerable to stored XSS that can execute on administrators from security/permissions.view, security/addUsers.view, or wiki/Administration/page.view in the admin panel, leading to privilege escalation.
3394 CVE-2019-9751 79 XSS 2019-03-13 2019-03-15
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm.
3395 CVE-2019-9709 79 XSS 2019-05-07 2019-05-07
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection's SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user.
3396 CVE-2019-9701 79 XSS Bypass 2019-06-19 2019-07-03
3.5
None Remote Medium ??? None Partial None
DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site scripting (XSS) vulnerability, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
3397 CVE-2019-9698 2019-05-08 2020-08-24
3.6
None Local Low Not required None Partial Partial
Symantec AV Engine, prior to 13.0.9r17, may be susceptible to an arbitrary file deletion issue, which is a type of vulnerability that could allow an attacker to delete files on the resident system without elevated privileges.
3398 CVE-2019-9661 79 XSS 2019-03-11 2019-03-11
3.5
None Remote Medium ??? None Partial None
Stored XSS exists in YzmCMS 5.2 via the admin/system_manage/user_config_edit.html "value" parameter,
3399 CVE-2019-9660 79 XSS 2019-03-11 2019-03-11
3.5
None Remote Medium ??? None Partial None
Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html "catname" parameter.
3400 CVE-2019-9606 79 XSS 2019-03-06 2019-03-07
3.5
None Remote Medium ??? None Partial None
PHP Scripts Mall Personal Video Collection Script 4.0.4 has Stored XSS via the "Update profile" feature.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.