CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

Each entry is listed as: index, CVE ID, CWE ID, vulnerability type(s), publish date, update date; then the CVSS (v2) base score with gained access level, access vector, access complexity, authentication, and confidentiality/integrity/availability impact (C/I/A); then the summary. The "# of Exploits" column is empty for every entry on this page and is omitted; "???" is reproduced as shown on the source page.

3901  CVE-2018-20737  CWE-79  XSS  published 2019-03-21, updated 2019-03-25
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.

3902  CVE-2018-20736  CWE-79  XSS  published 2019-03-21, updated 2019-03-25
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. A DOM-based XSS exists in the store part of the product.

3903  CVE-2018-20726  CWE-79  XSS  published 2019-01-16, updated 2020-03-01
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.

3904  CVE-2018-20725  CWE-79  XSS  published 2019-01-16, updated 2020-03-01
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.

3905  CVE-2018-20724  CWE-79  XSS  published 2019-01-16, updated 2020-03-01
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.

3906  CVE-2018-20723  CWE-79  XSS  published 2019-01-16, updated 2020-03-01
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.

3907  CVE-2018-20703  CWE-79  XSS  published 2019-01-13, updated 2019-01-16
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.

3908  CVE-2018-20682  CWE-79  XSS  published 2019-01-09, updated 2019-01-23
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka "Admin ids" input in the Facebook section).

3909  CVE-2018-20681  CWE-200  +Info  published 2019-01-09, updated 2019-01-30
      CVSS 3.6 | gained access: None | access: Local | complexity: Low | auth: Not required | C/I/A: Partial/Partial/None
      mate-screensaver before 1.20.2 in MATE Desktop Environment allows physically proximate attackers to view screen content and possibly control applications. By unplugging and re-plugging or power-cycling external output devices (such as additionally attached graphical outputs via HDMI, VGA, DVI, etc.) the content of a screensaver-locked session can be revealed. In some scenarios, the attacker can execute applications, such as by clicking with a mouse.

3910  CVE-2018-20680  CWE-79  XSS  published 2019-01-09, updated 2019-01-11
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field.

3911  CVE-2018-20663  CWE-79  XSS  published 2019-01-03, updated 2019-01-15
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      The Reporting Addon (aka Reports Addon) through 2019-01-02 for CUBA Platform through 6.10.x has Persistent XSS via the "Reports > Reports" name field.

3912  CVE-2018-20645  CWE-79  XSS  published 2019-03-21, updated 2020-08-24
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      PHP Scripts Mall Basic B2B Script 2.0.9 has HTML injection via the First Name or Last Name field.

3913  CVE-2018-20640  CWE-79  XSS  published 2019-03-21, updated 2019-03-26
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has stored Cross-Site Scripting (XSS) via the Full Name field.

3914  CVE-2018-20636  CWE-79  XSS  published 2019-03-21, updated 2020-08-24
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has HTML injection via the First Name field.

3915  CVE-2018-20632  CWE-79  XSS  published 2019-03-21, updated 2019-03-21
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      PHP Scripts Mall Advance B2B Script 2.1.4 has stored Cross-Site Scripting (XSS) via the FIRST NAME or LAST NAME field.

3916  CVE-2018-20627  CWE-79  XSS  published 2019-03-21, updated 2020-08-24
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      PHP Scripts Mall Consumer Reviews Script 4.0.3 has HTML injection via the search box.

3917  CVE-2018-20601  CWE-79  XSS  published 2018-12-30, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      UCMS 1.4.7 has XSS via the description parameter in an index.php list_editpost action.

3918  CVE-2018-20597  CWE-79  XSS  published 2018-12-30, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      UCMS 1.4.7 has XSS via the dir parameter in an index.php sadmin_fileedit action.

3919  CVE-2018-20590  CWE-79  XSS  published 2018-12-30, updated 2020-05-08
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/users.php user ID.

3920  CVE-2018-20589  CWE-79  XSS  published 2018-12-30, updated 2019-01-09
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/add_pictures.php article ID.

3921  CVE-2018-20579  CWE-787  Overflow  published 2018-12-28, updated 2020-08-24
      CVSS 3.6 | gained access: None | access: Local | complexity: Low | auth: Not required | C/I/A: None/Partial/Partial
      Contiki-NG before 4.2 has a stack-based buffer overflow in the push function in os/lib/json/jsonparse.c that allows an out-of-bounds write of an '{' or '[' character.

3922  CVE-2018-20565  CWE-79  XSS  published 2018-12-28, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?rec=update has XSS via the nav_name parameter.

3923  CVE-2018-20564  CWE-79  XSS  published 2018-12-28, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product_category.php?rec=update has XSS via the cat_name parameter.

3924  CVE-2018-20563  CWE-79  XSS  published 2018-12-28, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in DouCo DouPHP 1.5 20181221. admin/mobile.php?rec=system&act=update has XSS via the mobile_name parameter.

3925  CVE-2018-20562  CWE-79  XSS  published 2018-12-28, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article_category.php?rec=update has XSS via the cat_name parameter.

3926  CVE-2018-20561  CWE-79  XSS  published 2018-12-28, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article.php?rec=update has XSS via the title parameter.

3927  CVE-2018-20560  CWE-79  XSS  published 2018-12-28, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in DouCo DouPHP 1.5 20181221. admin/show.php?rec=update has XSS via the show_name parameter.

3928  CVE-2018-20559  CWE-79  XSS  published 2018-12-28, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product.php?rec=update has XSS via the name parameter.

3929  CVE-2018-20558  CWE-79  XSS  published 2018-12-28, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in DouCo DouPHP 1.5 20181221. admin/system.php?rec=update has XSS via the site_name parameter.

3930  CVE-2018-20557  CWE-79  XSS  published 2018-12-28, updated 2019-01-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in DouCo DouPHP 1.5 20181221. admin/page.php?rec=edit has XSS via the page_name parameter.

3931  CVE-2018-20530  CWE-79  XSS  published 2018-12-28, updated 2019-01-03
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a Profile field such as Company Address, a related issue to CVE-2018-15896.

3932  CVE-2018-20496  CWE-79  XSS  published 2019-12-30, updated 2020-01-07
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.

3933  CVE-2018-20491  CWE-79  XSS  published 2019-12-30, updated 2020-01-08
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.

3934  CVE-2018-20490  CWE-79  XSS  published 2019-12-30, updated 2020-01-08
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.

3935  CVE-2018-20448  CWE-79  XSS  published 2018-12-25, updated 2019-03-04
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      Frog CMS 0.9.5 has XSS via the Database name field to the /install/index.php URI.

3936  CVE-2018-20418  CWE-79  XSS  published 2018-12-24, updated 2019-03-16
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.

3937  CVE-2018-20373  CWE-79  XSS  published 2018-12-23, updated 2019-01-14
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      Tenda ADSL modem routers 1.0.1 allow XSS via the hostname of a DHCP client.

3938  CVE-2018-20372  CWE-79  XSS  published 2018-12-23, updated 2019-01-11
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      TP-Link TD-W8961ND devices allow XSS via the hostname of a DHCP client.

3939  CVE-2018-20370  CWE-79  XSS  published 2018-12-23, updated 2019-01-09
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      SZ NetChat before 7.9 has XSS in the MyName input field of the Options module. Attackers are able to inject commands to compromise the enabled HTTP server web frontend.

3940  CVE-2018-20368  CWE-79  XSS  published 2018-12-23, updated 2019-01-15
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the wp-admin/admin-ajax.php Name input field of the MSPanel.Settings value on Callback.

3941  CVE-2018-20345  (no CWE listed)  (no type listed)  published 2018-12-21, updated 2020-08-24
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: Partial/None/None
      Incorrect access control in StackStorm API (st2api) in StackStorm before 2.9.2 and 2.10.x before 2.10.1 allows an attacker (who has a StackStorm account and is authenticated against the StackStorm API) to retrieve datastore items for other users by utilizing the /v1/keys "?scope=all" and "?user=<username>" query filter parameters. Enterprise editions with RBAC enabled are not affected.

3942  CVE-2018-20328  CWE-79  XSS  published 2018-12-21, updated 2019-01-07
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      Chamilo LMS version 1.11.8 contains XSS in main/social/group_view.php in the social groups tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.

3943  CVE-2018-20327  CWE-79  XSS  published 2018-12-21, updated 2019-01-07
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin/gradebook_list.tpl in the gradebook dependencies tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.

3944  CVE-2018-20306  CWE-79  XSS  published 2018-12-20, updated 2019-01-08
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      A stored cross-site scripting (XSS) vulnerability in the web administration user interface of Pulse Secure Virtual Traffic Manager may allow a remote authenticated attacker to inject web script or HTML via a crafted website and steal sensitive data and credentials. Affected releases are Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1.

3945  CVE-2018-20244  CWE-79  XSS  published 2019-02-27, updated 2019-04-12
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.

3946  CVE-2018-20241  CWE-79  XSS  published 2019-02-20, updated 2019-02-26
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.

3947  CVE-2018-20240  CWE-79  XSS  published 2019-02-20, updated 2019-02-26
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.

3948  CVE-2018-20239  CWE-79  XSS  published 2019-04-30, updated 2019-05-29
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.

3949  CVE-2018-20232  CWE-79  XSS  published 2019-02-13, updated 2019-02-27
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/Partial/None
      The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.

3950  CVE-2018-20217  CWE-617  (no type listed)  published 2018-12-26, updated 2021-10-18
      CVSS 3.5 | gained access: None | access: Remote | complexity: Medium | auth: ??? | C/I/A: None/None/Partial
      A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
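Several entries above share one root cause: a value that only looks like a hostname or a label (the DHCP client hostname in CVE-2018-20373 and CVE-2018-20372, the Website Hostname field in Cacti CVE-2018-20726 and CVE-2018-20724, free-text labels such as the Graph Vertical Label in CVE-2018-20725) is written into an admin page without escaping. The following is an added example, not code from any of those products: a syntactic hostname check plus context-aware HTML escaping, written in Python so it runs stand-alone. The function names, the table layout and the sample values are assumptions for illustration.

```python
import html
import re

# One DNS label per RFC 952/1123: 1-63 chars, letters/digits/hyphen,
# and the label may neither start nor end with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """True if `name` is a syntactically valid DNS hostname (RFC 952/1123).

    A DHCP client can send anything in option 12, including HTML. Anything that
    fails this check is not a hostname and should never be shown verbatim.
    """
    if not name or len(name) > 253:
        return False
    if name.endswith("."):          # tolerate a trailing root dot
        name = name[:-1]
    return all(_LABEL.match(label) for label in name.split("."))


def render_text_field(value: str) -> str:
    """Escape a free-text field (a label, a colour name) for an HTML text node or
    a double-quoted attribute. This is the fix for fields where validation cannot
    apply because the field legitimately accepts arbitrary characters."""
    return html.escape(value, quote=True)


def render_client_row_vulnerable(hostname: str, ip: str) -> str:
    """Mirrors the bug class (illustrative only): attacker-controlled input is
    concatenated straight into markup, so <script> in a hostname runs in the
    admin's browser when the client list is viewed."""
    return f"<tr><td>{hostname}</td><td>{ip}</td></tr>"


def render_client_row(hostname: str, ip: str) -> str:
    """Hardened version: reject non-hostnames, and escape on output anyway so a
    future change to the validator cannot silently reintroduce the injection."""
    shown = hostname if is_valid_hostname(hostname) else "(invalid hostname)"
    return f"<tr><td>{render_text_field(shown)}</td><td>{render_text_field(ip)}</td></tr>"


if __name__ == "__main__":
    # Constructed sample: what a hostile LAN client might advertise via DHCP.
    evil = '<script>alert(document.cookie)</script>'
    print(render_client_row_vulnerable(evil, "192.168.1.50"))
    print(render_client_row(evil, "192.168.1.50"))
    print(render_client_row("laptop-01.lan", "192.168.1.51"))
    print(render_text_field('"><img src=x onerror=alert(1)>'))
```

Validation is a useful second layer for the DHCP case because a legitimate hostname never contains markup, but it is not a substitute for escaping: a strict RFC 1123 check will also reject real-world names with underscores, and the free-text fields in the Cacti entries cannot be validated this way at all. Output encoding for the exact HTML context is the fix that covers every entry above.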
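CVE-2018-20345 (entry 3941) is not an XSS but a missing authorization check on query filters: an authenticated user could ask the datastore endpoint for "?scope=all&user=<username>" and receive another user's items. The following is an added example, not StackStorm's code, showing the check that class of bug needs: the caller's identity, not the request parameter, decides whose user-scoped items are visible, and only an administrator may widen the filter. The data model, the Caller/KeyValueItem types, the admin flag and the sample items are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Caller:
    username: str
    is_admin: bool = False


@dataclass
class KeyValueItem:
    name: str
    scope: str            # "system" or "user"
    owner: Optional[str]  # username for user-scoped items, None for system scope


# Constructed sample datastore (illustrative, not real data).
SAMPLE_ITEMS: List[KeyValueItem] = [
    KeyValueItem("slack_token", "user", "alice"),
    KeyValueItem("aws_secret", "user", "bob"),
    KeyValueItem("region", "system", None),
]


def authorize_user_filter(caller: Caller, scope: str, requested_user: Optional[str]) -> Optional[str]:
    """Resolve which user's items the caller may see for the given scope.

    Returns the effective username filter (None for system scope). Raises
    PermissionError when a non-admin tries to read another user's items, which
    is the case the vulnerable endpoint failed to check.
    """
    if scope == "system":
        return None
    if scope not in ("user", "all"):
        raise ValueError(f"unknown scope: {scope}")
    target = requested_user or caller.username
    if target != caller.username and not caller.is_admin:
        raise PermissionError(f"{caller.username} may not read items of {target}")
    return target


def list_keys(caller: Caller, scope: str = "user", user: Optional[str] = None,
              items: List[KeyValueItem] = SAMPLE_ITEMS) -> List[str]:
    """Return the names of datastore items visible to `caller` under `scope`."""
    target = authorize_user_filter(caller, scope, user)
    visible = []
    for item in items:
        if item.scope == "system":
            if scope in ("system", "all"):
                visible.append(item.name)
        elif item.scope == "user" and item.owner == target:
            if scope in ("user", "all"):
                visible.append(item.name)
    return visible


if __name__ == "__main__":
    alice = Caller("alice")
    print(list_keys(alice, scope="all"))             # alice's items plus system items
    try:
        list_keys(alice, scope="all", user="bob")    # the abuse pattern from the advisory
    except PermissionError as e:
        print("denied:", e)
    print(list_keys(Caller("root", is_admin=True), scope="all", user="bob"))
```

The point worth keeping from this example is where the decision is made: the `user` parameter is treated as a request to *narrow* the view, and it is compared against the authenticated identity before any data is read. Checking it after filtering, or trusting it when scope is "all", is exactly the gap the advisory describes; the note that RBAC-enabled editions were unaffected is consistent with an authorization layer doing this comparison.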
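CVE-2018-20579 (entry 3921) describes a push of '{' or '[' onto a fixed-size nesting stack in a streaming JSON parser without checking that the stack has room, so deeply nested input writes past the array. The following is an added example, not Contiki-NG's code: a minimal nesting scanner with the same fixed-capacity design, written in Python (where an unchecked write would raise rather than corrupt memory) to show the bound that was missing and the parser state needed to apply it correctly. The function name, the default depth limit and the sample inputs are assumptions.

```python
class NestingError(ValueError):
    """Raised for bracket nesting the fixed-size stack cannot represent, or for
    mismatched/unterminated brackets."""


def scan_nesting(data: str, max_depth: int = 8) -> int:
    """Return the maximum bracket nesting depth of a JSON text.

    `max_depth` plays the role of the C array size: every push is checked
    against it *before* the write, which is the check the vulnerable parser
    lacked. String literals are skipped (with escape handling) so that
    brackets inside strings neither count toward depth nor unbalance it.
    """
    stack = []          # stands in for a fixed char array of size max_depth
    deepest = 0
    in_string = False
    escaped = False
    closer_for = {"}": "{", "]": "["}

    for ch in data:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            if len(stack) >= max_depth:          # bounds check before the push
                raise NestingError(f"nesting deeper than {max_depth}")
            stack.append(ch)
            deepest = max(deepest, len(stack))
        elif ch in "}]":
            if not stack or stack.pop() != closer_for[ch]:
                raise NestingError("mismatched closing bracket")

    if in_string or stack:
        raise NestingError("unterminated string or bracket")
    return deepest


if __name__ == "__main__":
    # Constructed inputs: a normal document, and the kind of input that triggers
    # the overflow class (nesting deeper than the stack can hold).
    print(scan_nesting('{"sensor": [1, 2, {"unit": "[{not brackets}]"}]}'))
    try:
        scan_nesting("[" * 64 + "]" * 64)
    except NestingError as e:
        print("rejected:", e)
```

Two details matter for embedded parsers like the one in the advisory: the check must happen before the write (checking depth after the push is already too late), and the scanner must track string state, otherwise a '[' inside a string value can be used to inflate the depth count or to make a well-formed document appear unbalanced.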