CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
3851 CVE-2018-1000513 79 Exec Code XSS 2018-06-26 2018-08-21
3.5
None Remote Medium ??? None Partial None
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x.
3852 CVE-2018-1000508 79 XSS 2018-06-26 2018-08-20
3.5
None Remote Medium ??? None Partial None
WP ULike version 2.8.1, 3.1 contains a Cross Site Scripting (XSS) vulnerability in Settings screen that can result in allows unauthorised users to do almost anything an admin can. This attack appear to be exploitable via Admin must visit logs page. This vulnerability appears to have been fixed in 3.2.
3853 CVE-2018-1000415 79 XSS 2019-01-09 2019-01-30
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, RebuildAction/ValidatingStringParameterValue.jelly that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms.
3854 CVE-2018-1000413 79 XSS 2019-01-09 2019-01-15
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.
3855 CVE-2018-1000219 79 XSS 2018-08-20 2018-10-12
3.5
None Remote Medium ??? None Partial None
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'scan' parameter in line #41 of interface/fax/fax_view.php that can result in The vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.. This attack appear to be exploitable via The victim must visit on a specially crafted URL..
3856 CVE-2018-1000218 79 XSS 2018-08-20 2018-10-12
3.5
None Remote Medium ??? None Partial None
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'file' parameter in line #43 of interface/fax/fax_view.php that can result in The vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.. This attack appear to be exploitable via The victim must visit on a specially crafted URL..
3857 CVE-2018-1000202 79 XSS 2018-06-05 2018-07-18
3.5
None Remote Medium ??? None Partial None
A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
3858 CVE-2018-1000177 79 XSS 2018-05-08 2018-06-13
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.
3859 CVE-2018-1000172 79 XSS 2018-04-30 2018-06-07
3.5
None Remote Medium ??? None Partial None
Imagely NextGEN Gallery version 2.2.30 and earlier contains a Cross Site Scripting (XSS) vulnerability in Image Alt & Title Text. This attack appears to be exploitable via a victim viewing the image in the administrator page. This vulnerability appears to have been fixed in 2.2.45.
3860 CVE-2018-1000170 79 XSS 2018-04-16 2019-05-08
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.
3861 CVE-2018-1000161 22 Dir. Trav. 2018-04-18 2018-05-24
3.5
None Remote Medium ??? None Partial None
nmap version 6.49BETA6 through 7.60, up to and including SVN revision 37147 contains a Directory Traversal vulnerability in NSE script http-fetch that can result in file overwrite as the user is running it. This attack appears to be exploitable via a victim that runs NSE script http-fetch against a malicious web site. This vulnerability appears to have been fixed in 7.7.
3862 CVE-2018-1000113 79 XSS 2018-03-13 2018-04-04
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript
3863 CVE-2018-1000095 79 XSS 2018-03-13 2019-11-06
3.5
None Remote Medium ??? None Partial None
oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3.
3864 CVE-2018-1000087 79 XSS 2018-03-13 2018-04-10
3.5
None Remote Medium ??? None Partial None
WolfCMS version version 0.8.3.1 contains a Reflected Cross Site Scripting vulnerability in "Create New File" and "Create New Directory" input box from 'files' Tab that can result in Session Hijacking, Spread Worms,Control the browser remotely. . This attack appear to be exploitable via Attacker can execute the JavaScript into the "Create New File" and "Create New Directory" input box from 'files'.
3865 CVE-2018-1000084 79 XSS 2018-03-13 2018-04-06
3.5
None Remote Medium ??? None Partial None
WOlfCMS WolfCMS version version 0.8.3.1 contains a Stored Cross-Site Scripting vulnerability in Layout Name (from Layout tab) that can result in low privilege user can steal the cookie of admin user and compromise the admin account. This attack appear to be exploitable via Need to enter the Javascript code into Layout Name .
3866 CVE-2018-1000062 79 XSS 2018-02-09 2018-03-05
3.5
None Remote Medium ??? None Partial None
WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser. This attack appear to be exploitable via Crafted SVG File.
3867 CVE-2018-1000030 787 Overflow Mem. Corr. 2018-02-08 2020-08-24
3.3
None Local Medium Not required Partial None Partial
Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.
3868 CVE-2018-21229 2020-04-24 2020-05-01
3.3
None Local Network Low Not required Partial None None
Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects R7500v2 before 1.0.3.20, R7800 before 1.0.2.38, WN3000RPv3 before 1.0.2.50, WNDR4300v2 before 1.0.0.50, and WNDR4500v3 before 1.0.0.50.
3869 CVE-2018-21209 79 XSS 2020-04-28 2020-05-04
3.5
None Remote Medium ??? None Partial None
Certain NETGEAR devices are affected by reflected XSS. This affects JNR1010v2 before 1.1.0.46, JR6150 before 1.0.1.10, JWNR2010v5 before 1.1.0.46, PR2000 before 1.0.0.20, R6050 before 1.0.1.10, R6220 before 1.1.0.60, WNDR3700v5 before 1.1.0.50, WNR1000v4 before 1.1.0.46, WNR2020 before 1.1.0.46, and WNR2050 before 1.1.0.46.
3870 CVE-2018-21167 79 XSS 2020-04-27 2020-05-05
3.5
None Remote Medium ??? None Partial None
Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.57, DM200 before 1.0.0.50, EX2700 before 1.0.1.32, EX6100v2 before 1.0.1.70, EX6150v2 before 1.0.1.70, EX6200v2 before 1.0.1.62, EX6400 before 1.0.1.78, EX7300 before 1.0.1.78, EX8000 before 1.0.0.114, R6100 before 1.0.1.22, R7500 before 1.0.0.122, R7800 before 1.0.2.42, R8900 before 1.0.3.10, R9000 before 1.0.3.10, WN2000RPTv3 before 1.0.1.26, WN3000RPv3 before 1.0.2.66, WN3100RPv2 before 1.0.0.42, WNDR3700v4 before 1.0.2.96, WNDR4300 before 1.0.2.98, WNDR4300v2 before 1.0.0.54, WNDR4500v3 before 1.0.0.54, and WNR2000v5 before 1.0.0.64.
3871 CVE-2018-21143 200 +Info 2020-04-21 2020-04-27
3.3
None Local Network Low Not required Partial None None
NETGEAR GS810EMX devices before 1.0.0.5 are affected by disclosure of sensitive information.
3872 CVE-2018-21140 20 2020-04-21 2020-04-23
3.3
None Local Network Low Not required None Partial None
Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects D3600 before 1.0.0.76 and D6000 before 1.0.0.76.
3873 CVE-2018-21129 200 +Info 2020-04-22 2020-04-27
3.3
None Local Network Low Not required Partial None None
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects WAC505 before 5.0.0.17 and WAC510 before 5.0.0.17.
3874 CVE-2018-21122 20 DoS 2020-04-22 2020-04-24
3.3
None Local Network Low Not required None None Partial
Certain NETGEAR devices are affected by denial of service. This affects GS110EMX before 1.0.0.9, GS810EMX before 1.0.0.5, XS512EM before 1.0.0.6, and XS724EM before 1.0.0.6.
3875 CVE-2018-21092 20 2020-04-08 2020-04-09
3.3
None Local Network Low Not required None Partial None
An issue was discovered on Samsung mobile devices with M(6.x) and N(7.x) software. A crafted AT command may be sent by the DeviceTest application via an NFC tag. The Samsung ID is SVE-2017-10885 (January 2018).
3876 CVE-2018-21014 79 XSS 2019-09-09 2019-09-10
3.5
None Remote Medium ??? None Partial None
The buddyboss-media plugin through 3.2.3 for WordPress has stored XSS.
3877 CVE-2018-20986 79 XSS 2019-08-22 2019-08-27
3.5
None Remote Medium ??? None Partial None
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors.
3878 CVE-2018-20958 200 +Info 2019-08-07 2019-08-15
3.3
None Local Network Low Not required Partial None None
The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 2018-06-12 relies on Key1 and SerialNo for unlock operations; however, these are derived from the MAC address, which is broadcasted by the device.
3879 CVE-2018-20935 79 XSS 2019-08-01 2019-08-07
3.5
None Remote Medium ??? None Partial None
cPanel before 70.0.23 allows stored XSS in via a WHM "Reset a DNS Zone" action (SEC-412).
3880 CVE-2018-20933 79 XSS 2019-08-01 2019-08-07
3.5
None Remote Medium ??? None Partial None
cPanel before 70.0.23 has Stored XSS via an WHM Edit DNS Zone action (SEC-410).
3881 CVE-2018-20916 79 XSS 2019-08-01 2019-08-01
3.5
None Remote Medium ??? None Partial None
cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-370).
3882 CVE-2018-20915 79 XSS 2019-08-01 2019-08-01
3.5
None Remote Medium ??? None Partial None
cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-369).
3883 CVE-2018-20913 200 +Info 2019-08-01 2019-08-02
3.5
None Remote Medium ??? Partial None None
cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364).
3884 CVE-2018-20909 732 2019-08-01 2020-08-24
3.6
None Local Low Not required Partial Partial None
cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338).
3885 CVE-2018-20897 20 2019-08-01 2019-08-08
3.3
None Local Medium Not required None Partial Partial
cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).
3886 CVE-2018-20896 94 2019-08-01 2019-08-07
3.3
None Local Medium Not required None Partial Partial
cPanel before 71.9980.37 allows code injection in the WHM cPAddons interface (SEC-394).
3887 CVE-2018-20889 200 +Info 2019-08-01 2019-08-07
3.6
None Local Low Not required Partial Partial None
cPanel before 74.0.0 allows certain file-read operations via password file caching (SEC-425).
3888 CVE-2018-20884 79 XSS 2019-08-01 2019-08-01
3.5
None Remote Medium ??? None Partial None
cPanel before 74.0.0 allows stored XSS in the WHM File Restoration interface (SEC-367).
3889 CVE-2018-20881 79 XSS 2019-08-01 2019-08-01
3.5
None Remote Medium ??? None Partial None
cPanel before 74.0.8 allows self stored XSS on the Security Questions login page (SEC-446).
3890 CVE-2018-20878 79 XSS 2019-08-01 2019-08-01
3.5
None Remote Medium ??? None Partial None
cPanel before 74.0.8 allows stored XSS in WHM "File and Directory Restoration" interface (SEC-441).
3891 CVE-2018-20877 79 XSS 2019-08-01 2019-08-01
3.5
None Remote Medium ??? None Partial None
cPanel before 74.0.8 allows self XSS in WHM Style Upload interface (SEC-437).
3892 CVE-2018-20876 79 XSS 2019-08-01 2019-08-01
3.5
None Remote Medium ??? None Partial None
cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface (SEC-434).
3893 CVE-2018-20875 79 XSS 2019-08-01 2019-08-01
3.5
None Remote Medium ??? None Partial None
cPanel before 74.0.8 allows self XSS in the WHM Security Questions interface (SEC-433).
3894 CVE-2018-20874 79 XSS 2019-08-01 2019-08-06
3.5
None Remote Medium ??? None Partial None
cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428).
3895 CVE-2018-20838 79 XSS 2019-05-13 2019-05-14
3.5
None Remote Medium ??? None Partial None
ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS.
3896 CVE-2018-20837 79 XSS 2019-05-09 2019-05-10
3.5
None Remote Medium ??? None Partial None
include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS.
3897 CVE-2018-20827 79 XSS 2019-08-09 2019-08-13
3.5
None Remote Medium ??? None Partial None
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.
3898 CVE-2018-20777 79 XSS 2019-02-11 2019-02-11
3.5
None Remote Medium ??? None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit/1 Body field.
3899 CVE-2018-20774 79 XSS 2019-02-11 2019-02-11
3.5
None Remote Medium ??? None Partial None
Frog CMS 0.9.5 has XSS via the admin/?/layout/edit/1 Body field.
3900 CVE-2018-20758 79 XSS 2019-02-06 2019-10-23
3.5
None Remote Medium ??? None Partial None
MODX Revolution through v2.7.0-pl allows XSS via User Settings such as Description.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.