CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

Columns: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Access Complexity | Authentication | Conf. | Integ. | Avail. (CVSS v2 metrics). Each entry below gives the identification fields on one line, the score and metrics on the next, and the description after that; empty columns are omitted.
3401  CVE-2019-9698  Published 2019-05-08  Updated 2020-08-24
CVSS 3.6  Gained access: None  Access: Local  Complexity: Low  Authentication: Not required  Conf: None  Integ: Partial  Avail: Partial
Symantec AV Engine, prior to 13.0.9r17, may be susceptible to an arbitrary file deletion issue, a type of vulnerability that could allow an attacker to delete files on the resident system without elevated privileges.
3402  CVE-2019-9661  CWE-79  XSS  Published 2019-03-11  Updated 2019-03-11
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
Stored XSS exists in YzmCMS 5.2 via the admin/system_manage/user_config_edit.html "value" parameter.
3403  CVE-2019-9660  CWE-79  XSS  Published 2019-03-11  Updated 2019-03-11
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html "catname" parameter.
3404  CVE-2019-9606  CWE-79  XSS  Published 2019-03-06  Updated 2019-03-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
PHP Scripts Mall Personal Video Collection Script 4.0.4 has Stored XSS via the "Update profile" feature.
3405  CVE-2019-9605  CWE-79  XSS  Published 2019-03-29  Updated 2019-04-01
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting (XSS) via the err value in a .ico picture upload.
3406  CVE-2019-9570  CWE-79  XSS  Published 2019-03-05  Updated 2019-03-05
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
An issue was discovered in YzmCMS 5.2.0. It has XSS via the bottom text field to the admin/system_manage/save.html URI, related to the site_code parameter.
3407  CVE-2019-9556  CWE-79  XSS  Published 2019-12-31  Updated 2020-01-08
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
FiberHome an5506-04-f RP2669 devices have XSS.
3408  CVE-2019-9551  CWE-79  XSS  Published 2019-03-04  Updated 2019-03-04
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
An issue was discovered in DOYO (aka doyocms) 2.3 through 2015-05-06. It has admin.php XSS.
3409  CVE-2019-9550  CWE-79  XSS  Published 2019-03-03  Updated 2019-03-04
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
DhCms through 2017-09-18 has admin.php?r=admin/Index/index XSS.
3410  CVE-2019-9509  CWE-79  Exec Code XSS  Published 2020-03-30  Updated 2020-10-19
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying it to users in a web page, which could allow a remote attacker authenticated with a user account to execute arbitrary code.
3411  CVE-2019-9508  CWE-79  XSS  Published 2020-03-30  Updated 2021-10-26
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to stored XSS. A remote attacker authenticated with an administrator account could store a maliciously named file within the web application that would execute each time a user browsed to the page.
3412  CVE-2019-9482  CWE-200  +Info  Published 2019-03-01  Updated 2021-07-21
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: Partial  Integ: None  Avail: None
In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting. The issue affects instances with restrictive sighting settings (event only / sighting reported only).
3413  CVE-2019-9078  CWE-79  XSS  Published 2019-02-24  Updated 2019-02-25
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT.
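The zzcms entry above fails because its keyword filter only matches one letter case; the same design choice (filtering input for bad words instead of encoding output for its context) is behind most of the stored and reflected XSS entries on this page, whether the value is a form field, a file name or a header. The following is an added example and is not code from zzcms or from any product listed here; the blacklist words, the render_answer template fragment and the two payloads are assumptions chosen for illustration. It contrasts a case-sensitive strip filter, a case-insensitive one and HTML output encoding, and shows that only the last holds up.

```python
import html
import re

# Assumed keyword blacklist, standing in for a filter of the kind the zzcms
# entry describes (inc/stopsqlin.php); not the real filter's word list.
BLOCKED_WORDS = ("script", "javascript:", "onerror")


def case_sensitive_filter(value: str) -> str:
    """Strips each blacklisted word exactly as written: 'sCrIpT' is untouched."""
    for word in BLOCKED_WORDS:
        value = value.replace(word, "")
    return value


def case_insensitive_filter(value: str) -> str:
    """Same blacklist matched case-insensitively: 'sCrIpT' now goes, but a
    single pass lets 'scrSCRIPTipt' collapse into 'script' after the strip."""
    for word in BLOCKED_WORDS:
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value


def encode_for_html_text(value: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context: no character
    that can open a tag or close a quoted attribute survives, whatever its case."""
    return html.escape(value, quote=True)


def render_answer(user_value: str) -> str:
    """Assumed page fragment that embeds the user-supplied value verbatim."""
    return f'<div class="answer">{user_value}</div>'


def has_script_tag(page: str) -> bool:
    """Detection used by the demo: a raw <script ...> start tag in any letter case."""
    return re.search(r"<\s*script\b", page, re.IGNORECASE) is not None


# Constructed payloads: the mixed-case one is the bypass the zzcms entry names;
# the nested one defeats a single-pass strip even when the strip ignores case.
MIXED_CASE = "<sCrIpT>alert(1)</sCrIpT>"
NESTED = "<scrSCRIPTipt>alert(1)</scrscriptipt>"


def compare_filters(payload: str) -> dict:
    """Per defence, does a script start tag still reach the rendered page?"""
    return {
        "case_sensitive_filter": has_script_tag(render_answer(case_sensitive_filter(payload))),
        "case_insensitive_filter": has_script_tag(render_answer(case_insensitive_filter(payload))),
        "encode_for_html_text": has_script_tag(render_answer(encode_for_html_text(payload))),
    }


if __name__ == "__main__":
    for name, payload in (("mixed case", MIXED_CASE), ("nested", NESTED)):
        print(name, compare_filters(payload))
```

A blacklist is only as complete as its author's list of tricks, while encoding is exhaustive for the one context it targets; a value that lands inside a JavaScript string or a URL attribute needs the encoder for that context rather than html.escape.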
3414  CVE-2019-9066  CWE-79  XSS  Published 2019-02-23  Updated 2019-02-25
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
PHP Scripts Mall PHP Appointment Booking Script 3.0.3 allows HTML injection in a user profile.
3415  CVE-2019-8987  CWE-79  +Priv XSS  Published 2019-03-26  Updated 2019-10-09
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site scripting vulnerability that theoretically allows an authenticated user to gain access to all the capabilities of the web interface available to more privileged users. Affected releases are TIBCO Software Inc.'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0.
3416  CVE-2019-8935  CWE-79  XSS  Published 2019-02-19  Updated 2019-02-19
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter.
3417  CVE-2019-8921  CWE-345  Published 2021-11-29  Updated 2021-12-03
CVSS 3.3  Gained access: None  Access: Local Network  Complexity: Low  Authentication: Not required  Conf: Partial  Integ: None  Avail: None
An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the same.
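The BlueZ entry above comes down to the SDP server trusting the continuation state (CSTATE) echoed by the client instead of the one it issued itself. The model below is an added example, not BlueZ code: its flat byte-string "heap", the two-byte "bytes already sent" encoding of the continuation state, the MTU constant, the sample attribute list and the SdpSession class are all assumptions chosen to show the trust problem and one way to close it (the server keeps its own record of every continuation token it issued, consumes each on use, and bounds-checks the offset regardless).

```python
import os
import struct

MTU = 32   # assumed: attribute bytes that fit in one response PDU

# Constructed sample data: a 70-byte attribute list followed, in the same flat
# "heap", by unrelated bytes that an over-read would expose to the client.
SAMPLE_ATTRS = bytes(range(70))
NEIGHBOUR = b"UNRELATED-HEAP-DATA"


class CachedResponse:
    """Model of the server-side cache holding a response too large for one PDU."""

    def __init__(self, attr_list: bytes, neighbour: bytes):
        self.heap = attr_list + neighbour   # the buffer, then whatever follows it in memory
        self.size = len(attr_list)          # the buffer's real length


def encode_offset(offset: int) -> bytes:
    """Assumed wire form of the continuation state: big-endian 'bytes already sent'."""
    return struct.pack(">H", offset)


def vulnerable_service_attr_req(cache: CachedResponse, client_cstate: bytes):
    """Vulnerable pattern: the offset is taken from the client's echoed cstate and
    used as-is, so a forged offset reads past the cached buffer into its neighbour."""
    offset = struct.unpack(">H", client_cstate)[0] if client_cstate else 0
    end = offset + MTU
    chunk = cache.heap[offset:end]         # no check that offset < cache.size
    next_cstate = encode_offset(end) if end < cache.size else b""
    return chunk, next_cstate


class SdpSession:
    """Hardened pattern: the client only echoes an opaque token; the offset it
    stands for is stored here, removed on use (no replay) and bounds-checked."""

    def __init__(self, cache: CachedResponse):
        self.cache = cache
        self.pending = {}   # token issued by this server -> offset of the next chunk

    def service_attr_req(self, client_cstate: bytes):
        if client_cstate == b"":
            offset = 0
        else:
            offset = self.pending.pop(client_cstate, None)   # one use only
            if offset is None:
                raise ValueError("continuation state was not issued by this server")
        if offset >= self.cache.size:                        # defence in depth
            raise ValueError("continuation offset lies beyond the cached response")
        end = min(offset + MTU, self.cache.size)
        chunk = self.cache.heap[offset:end]
        if end < self.cache.size:
            token = os.urandom(8)
            self.pending[token] = end
            return chunk, token
        return chunk, b""


def fetch_all(session: SdpSession) -> bytes:
    """Honest client: echoes each token back until the server signals completion."""
    out, cstate = b"", b""
    while True:
        chunk, cstate = session.service_attr_req(cstate)
        out += chunk
        if not cstate:
            return out


if __name__ == "__main__":
    cache = CachedResponse(SAMPLE_ATTRS, NEIGHBOUR)
    leaked, _ = vulnerable_service_attr_req(cache, encode_offset(len(SAMPLE_ATTRS)))
    print("vulnerable server returned:", leaked)
    print("hardened server, honest client ok:", fetch_all(SdpSession(cache)) == SAMPLE_ATTRS)
```

The general rule the example illustrates: anything a peer hands back as "state" is input, and the server either reconstructs the state from its own records or validates every field of the echoed copy before using it as an index.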
3418  CVE-2019-8458  Exec Code +Priv  Published 2019-06-20  Updated 2020-10-22
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: None  Avail: Partial
Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, which under certain circumstances may cause the client to terminate.
3419  CVE-2019-8455  CWE-59  +Priv  Published 2019-04-17  Updated 2020-10-22
CVSS 3.6  Gained access: None  Access: Local  Complexity: Low  Authentication: Not required  Conf: Partial  Integ: Partial  Avail: None
A hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file.
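The ZoneAlarm entry above is a privileged component changing the permissions of a path that a local user has replaced with a hard link to some other file. The example below is added here and is not Check Point code; it reproduces the mechanism on POSIX (os.link and mode bits) rather than on Windows, and the file names, the temp-directory setup and the 0o666 target mode are assumptions. It contrasts a path-based chmod with a routine that opens the file first, checks that it is a regular file with exactly one link and the expected owner, and only then changes the mode through the descriptor.

```python
import os
import shutil
import stat
import tempfile

WORLD_READ_WRITE = 0o666   # assumed mode the hypothetical service applies to its log


def vulnerable_make_log_readable(path: str) -> None:
    """Path-based chmod. A hard link is the same inode as its target, so if an
    attacker planted a link at `path`, this changes the mode of their target."""
    os.chmod(path, WORLD_READ_WRITE)


def safe_make_log_readable(path: str, expected_uid: int) -> None:
    """Open, inspect the inode, then chmod through the descriptor. Refuses anything
    that is not a regular file with a single link owned by the expected user;
    O_NOFOLLOW additionally stops the symlink variant of the same attack."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("log path is not a regular file")
        if st.st_nlink != 1:
            raise PermissionError("log file has other hard links; refusing to chmod")
        if st.st_uid != expected_uid:
            raise PermissionError("log file is not owned by the expected user")
        os.fchmod(fd, WORLD_READ_WRITE)
    finally:
        os.close(fd)


def mode_of(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def run_demo() -> dict:
    """Constructed scenario in a temp dir: a 0600 'victim' file, an attacker's hard
    link to it planted at the log path, and a genuine log file for comparison."""
    d = tempfile.mkdtemp(prefix="hardlink-demo-")
    try:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w") as f:
            f.write("secret=1\n")
        os.chmod(victim, 0o600)

        planted = os.path.join(d, "product.log")
        os.link(victim, planted)            # the attacker's hard link at the log path

        genuine = os.path.join(d, "genuine.log")
        open(genuine, "w").close()
        os.chmod(genuine, 0o600)

        vulnerable_make_log_readable(planted)
        after_vulnerable = mode_of(victim)  # the victim file is now world-writable
        os.chmod(victim, 0o600)             # reset before the hardened run

        refused = False
        try:
            safe_make_log_readable(planted, os.getuid())
        except PermissionError:
            refused = True
        after_safe = mode_of(victim)

        safe_make_log_readable(genuine, os.getuid())   # the normal case still works
        genuine_mode = mode_of(genuine)

        return {
            "after_vulnerable": after_vulnerable,
            "hardened_refused": refused,
            "after_safe": after_safe,
            "genuine_mode": genuine_mode,
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value if isinstance(value, bool) else oct(value))
```

The link-count check is what catches a hard link, since O_NOFOLLOW only refuses symlinks; on a service that must tolerate legitimately linked logs, the alternative is to create the log itself with O_CREAT | O_EXCL in a directory the attacker cannot write to, so there is no pre-existing path to replace.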
3420  CVE-2019-8450  CWE-79  XSS  Published 2019-09-11  Updated 2019-09-11
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field.
3421  CVE-2019-8444  CWE-79  XSS  Published 2019-08-23  Updated 2019-09-16
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.
3422  CVE-2019-8440  CWE-79  XSS  Published 2019-03-07  Updated 2019-03-08
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the third textbox (aka site logo) of "System setting->site setting" of admin/index.php, aka site_logo.
3423  CVE-2019-8439  CWE-79  XSS  Published 2019-03-07  Updated 2019-03-08
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the second textbox of "System setting->site setting" of admin/index.php, aka site_domain.
3424  CVE-2019-8438  CWE-79  XSS  Published 2019-03-07  Updated 2019-03-08
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the first textbox of "System setting->site setting" of admin/index.php, aka site_name.
3425  CVE-2019-8436  CWE-79  XSS  Published 2019-02-18  Updated 2019-02-19
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
imcat 4.5 has Stored XSS via the root/run/adm.php fm[instop][note] parameter.
3426  CVE-2019-8435  CWE-79  XSS  Published 2019-02-18  Updated 2019-02-20
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header.
3427  CVE-2019-8289  CWE-79  XSS  Published 2019-10-01  Updated 2019-10-04
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
Online Store v1.0 has stored XSS in admin/user_view.php via the adidas_member_email variable.
3428  CVE-2019-8288  CWE-79  XSS  Published 2019-10-01  Updated 2019-10-04
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
Online Store v1.0 has stored XSS in user_view.php, where the adidas_member_user variable is not sanitized.
3429  CVE-2019-8279  CWE-79  XSS  Published 2019-03-02  Updated 2019-03-04
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
Multiple stored XSS in Vanilla Forums before 2.5 allow remote attackers to inject arbitrary JavaScript code into any message on the forum.
3430  CVE-2019-8228  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into the transactional email page when creating a new email template or editing an existing email template.
3431  CVE-2019-8227  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-08
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML.
3432  CVE-2019-8157  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-06
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate a downloadable link and cause an invocation of error handling that accesses user input without sanitization.
3433  CVE-2019-8152  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious javascript in the cache of the admin dashboard.
3434  CVE-2019-8148  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder.
3435  CVE-2019-8147  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-06
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via customer attribute label.
3436  CVE-2019-8146  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-06
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores.
3437  CVE-2019-8145  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-06
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.
3438  CVE-2019-8142  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-06
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via title of an order when configuring sales payment methods for a store.
3439  CVE-2019-8139  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product.
3440  CVE-2019-8138  CWE-79  Exec Code XSS  Published 2019-11-06  Updated 2019-11-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event.
3441  CVE-2019-8132  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious payload in the template Name field for Email template in the "Design Configuration" dashboard.
3442  CVE-2019-8131  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the code field of an inventory source.
3443  CVE-2019-8129  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation.
3444  CVE-2019-8128  CWE-79  XSS  Published 2019-11-06  Updated 2019-11-06
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of the main website.
3445  CVE-2019-8120  CWE-79  XSS  Published 2019-11-05  Updated 2019-11-06
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating a section of a POST request related to the customer's email address.
3446  CVE-2019-8117  CWE-79  XSS  Published 2019-11-05  Updated 2019-11-06
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via product view id specification.
3447  CVE-2019-8115  CWE-79  XSS  Published 2019-11-05  Updated 2019-11-06
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image during simple product creation.
3448  CVE-2019-8092  CWE-79  XSS  Published 2019-11-05  Updated 2019-11-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview.
3449  CVE-2019-7945  CWE-79  XSS  Published 2019-08-02  Updated 2019-08-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbols can inject malicious javascript.
3450  CVE-2019-7944  CWE-79  XSS  Published 2019-08-02  Updated 2019-08-07
CVSS 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious javascript.