CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
3451 CVE-2019-7908 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify product information.
3452 CVE-2019-7897 79 XSS 2019-08-02 2019-08-09
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to customer configurations to inject malicious javascript.
3453 CVE-2019-7887 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium ??? None Partial None
A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.
3454 CVE-2019-7882 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.
3455 CVE-2019-7881 79 XSS Bypass 2019-08-02 2019-08-07
3.5
None Remote Medium ??? None Partial None
A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).
3456 CVE-2019-7880 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious javascript.
3457 CVE-2019-7875 79 XSS 2019-08-02 2019-08-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to newsletter templates.
3458 CVE-2019-7869 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups.
3459 CVE-2019-7868 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules.
3460 CVE-2019-7867 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status.
3461 CVE-2019-7866 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product information via the TinyMCE editor.
3462 CVE-2019-7863 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories.
3463 CVE-2019-7862 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
3464 CVE-2019-7853 79 XSS 2019-08-02 2019-08-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the tax notifications configuration in the Magento admin panel.
3465 CVE-2019-7671 79 Exec Code XSS 2019-06-05 2020-02-10
3.5
None Remote Medium ??? None Partial None
Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session in context of an affected site.
3466 CVE-2019-7655 79 XSS 2020-01-29 2020-09-30
3.5
None Remote Medium ??? None Partial None
Wowza Streaming Engine 4.8.0 and earlier suffers from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5.
3467 CVE-2019-7646 79 XSS 2019-03-26 2019-03-27
3.5
None Remote Medium ??? None Partial None
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vulnerable to Stored/Persistent XSS for the "Package Name" field via the add_package module parameter.
3468 CVE-2019-7634 79 XSS 2020-04-29 2020-05-06
3.5
None Remote Medium ??? None Partial None
SUAP V2 allows XSS during the update of user information.
3469 CVE-2019-7621 79 XSS 2019-12-18 2020-02-10
3.5
None Remote Medium ??? None Partial None
Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim’s browser.
3470 CVE-2019-7618 22 Dir. Trav. 2019-10-01 2020-10-16
3.5
None Remote Medium ??? Partial None None
A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user.
3471 CVE-2019-7553 79 XSS 2019-06-06 2019-06-09
3.5
None Remote Medium ??? None Partial None
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field.
3472 CVE-2019-7552 79 XSS 2019-06-06 2020-04-21
3.5
None Remote Medium ??? None Partial None
An issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2. Stored XSS was found in the My Profile Section. This is due to lack of sanitization in the Edit Name section.
3473 CVE-2019-7547 79 XSS 2019-02-06 2019-02-07
3.5
None Remote Medium ??? None Partial None
An issue was discovered in SIDU 6.0. Because the database name is not strictly filtered, the attacker can insert a name containing an XSS Payload, leading to stored XSS.
3474 CVE-2019-7545 79 XSS 2019-02-06 2019-02-08
3.5
None Remote Medium ??? None Partial None
In DbNinja 3.2.7, the Add Host function of the Manage Hosts pages has a Stored Cross-site Scripting (XSS) vulnerability in the User Name field.
3475 CVE-2019-7544 79 XSS 2019-02-06 2019-02-07
3.5
None Remote Medium ??? None Partial None
An issue was discovered in MyWebSQL 3.7. The Add User function of the User Manager pages has a Stored Cross-site Scripting (XSS) vulnerability in the User Name Field.
3476 CVE-2019-7432 79 XSS 2019-03-21 2020-08-24
3.5
None Remote Medium ??? None Partial None
PHP Scripts Mall Rental Bike Script 2.0.3 has HTML injection via the STREET field in the Profile Edit section.
3477 CVE-2019-7411 79 XSS 2019-05-13 2019-05-14
3.5
None Remote Medium ??? None Partial None
Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL).
3478 CVE-2019-7356 79 XSS 2020-11-04 2020-11-10
3.5
None Remote Medium ??? None Partial None
Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.
3479 CVE-2019-7345 79 Exec Code XSS 2019-02-04 2019-02-05
3.5
None Remote Medium ??? None Partial None
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'options' (options.php) does no input validation for the WEB_TITLE, HOME_URL, HOME_CONTENT, or WEB_CONSOLE_BANNER value, allowing an attacker to execute HTML or JavaScript code. This relates to functions.php.
3480 CVE-2019-7337 79 XSS 2019-02-04 2019-02-05
3.5
None Remote Medium ??? None Partial None
Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 as the view 'events' (events.php) insecurely displays the limit parameter value, without applying any proper output filtration. This issue exists because of the function sortHeader() in functions.php, which insecurely returns the value of the limit query string parameter without applying any filtration.
3481 CVE-2019-7223 79 XSS 2019-03-21 2019-03-25
3.5
None Remote Medium ??? None Partial None
InvoicePlane 1.5 has stored XSS via the index.php/invoices/ajax/save invoice_password parameter, aka the "PDF password" field to the "Create Invoice" option. The XSS payload is rendered at an index.php/invoices/view/## URI. NOTE: this is different from CVE-2018-12255.
3482 CVE-2019-7197 79 XSS 2019-12-04 2019-12-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability has been reported to affect multiple versions of QTS. If exploited, this vulnerability may allow an attacker to inject and execute scripts on the administrator console. To fix this vulnerability, QNAP recommend updating QTS to the latest version.
3483 CVE-2019-7185 79 XSS 2019-12-05 2020-02-10
3.5
None Remote Medium ??? None Partial None
This cross-site scripting (XSS) vulnerability in Music Station allows remote attackers to inject and execute scripts on the administrator’s management console. To fix this vulnerability, QNAP recommend updating Music Station to their latest versions.
3484 CVE-2019-7184 79 XSS 2019-12-05 2020-02-10
3.5
None Remote Medium ??? None Partial None
This cross-site scripting (XSS) vulnerability in Video Station allows remote attackers to inject and execute scripts on the administrator’s management console. To fix this vulnerability, QNAP recommend updating Video Station to their latest versions.
3485 CVE-2019-7173 79 Exec Code XSS 2019-01-29 2019-01-29
3.5
None Remote Medium ??? None Partial None
A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4.
3486 CVE-2019-7171 79 Exec Code XSS 2019-01-29 2019-01-29
3.5
None Remote Medium ??? None Partial None
A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/blocks/blocks/edit/8.
3487 CVE-2019-7170 79 Exec Code XSS 2019-01-29 2019-01-29
3.5
None Remote Medium ??? None Partial None
A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/taxonomy/vocabularies.
3488 CVE-2019-7169 79 Exec Code XSS 2019-01-29 2019-01-29
3.5
None Remote Medium ??? None Partial None
A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/menus/menus/edit/3.
3489 CVE-2019-7168 79 Exec Code XSS 2019-01-29 2019-01-29
3.5
None Remote Medium ??? None Partial None
A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Blog field to /admin/nodes/nodes/add/blog.
3490 CVE-2019-6990 79 Exec Code XSS 2019-01-28 2019-01-29
3.5
None Remote Medium ??? None Partial None
A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the index.php?view=zones&action=zoneImage&mid=1 URI.
3491 CVE-2019-6835 79 XSS 2019-09-17 2019-10-09
3.5
None Remote Medium ??? None Partial None
A Cross-Site Scripting (XSS) CWE-79 vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow an attacker to inject client-side script when a user visits a web page.
3492 CVE-2019-6699 79 XSS 2020-03-13 2020-03-18
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in Fortinet FortiADC 5.3.3 and earlier may allow an attacker to execute a stored Cross Site Scripting (XSS) via a field in the traffic group interface.
3493 CVE-2019-6679 59 2019-12-23 2020-01-02
3.6
None Local Low Not required None Partial Partial
On BIG-IP versions 15.0.0-15.0.1, 14.1.0.2-14.1.2.2, 14.0.0.5-14.0.1, 13.1.1.5-13.1.3.1, 12.1.4.1-12.1.5, 11.6.4-11.6.5, and 11.5.9-11.5.10, the access controls implemented by scp.whitelist and scp.blacklist are not properly enforced for paths that are symlinks. This allows authenticated users with SCP access to overwrite certain configuration files that would otherwise be restricted.
3494 CVE-2019-6654 20 2019-09-25 2019-09-26
3.3
None Local Network Low Not required None Partial None
On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on an adjacent system to force BIG-IP into processing packets with spoofed source addresses.
3495 CVE-2019-6653 79 XSS 2019-09-25 2019-10-09
3.5
None Remote Medium ??? None Partial None
There is a Stored Cross Site Scripting vulnerability in the undisclosed page of a BIG-IQ 6.0.0-6.1.0 or 5.2.0-5.4.0 system. The attack can be stored by users granted the Device Manager and Administrator roles.
3496 CVE-2019-6639 79 XSS 2019-07-03 2019-07-09
3.5
None Remote Medium ??? None Partial None
On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. This is a control plane issue only and is not accessible from the data plane. The attack requires a malicious resource administrator to store the XSS.
3497 CVE-2019-6635 Bypass 2019-07-03 2020-08-24
3.6
None Local Low Not required None Partial Partial
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, when the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass Appliance mode restrictions.
3498 CVE-2019-6633 Bypass 2019-07-03 2020-08-24
3.6
None Local Low Not required Partial Partial None
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, when the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions.
3499 CVE-2019-6591 79 XSS 2019-02-05 2019-02-06
3.5
None Remote Medium ??? None Partial None
On BIG-IP APM 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.3 and 12.1.0 to 12.1.3.7, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system.
3500 CVE-2019-6577 79 XSS 2019-05-14 2019-05-22
3.5
None Remote Medium ??? None Partial None
A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15.1 Update 1), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15.1 Update 1), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Professional (All versions < V15.1 Update 1), SIMATIC WinCC (TIA Portal) (All versions < V15.1 Update 1), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The integrated web server could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify particular parts of the device configuration via SNMP. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires system privileges and user interaction. An attacker could use the vulnerability to compromise confidentiality and the integrity of the affected system. At the stage of publishing this security advisory no public exploitation is known.