CVEdetails.com
Security Vulnerabilities (CVSS score between 3 and 3.99)

Each entry below has three lines. Line 1: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date. Line 2: Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. Line 3: description. A dash marks a column the listing leaves empty; "???" is the listing's own value for an unknown authentication requirement.

3951 | CVE-2018-20161 | - | - | - | 2018-12-15 | 2020-08-24
  Score 3.3 | Gained Access Level: None | Access: Local Network | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: None/None/Partial
  A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the Wi-Fi network. (Access to live video from the app also becomes unavailable.)

3952 | CVE-2018-20153 | 79 | - | XSS | 2018-12-14 | 2019-03-04
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.

3953 | CVE-2018-20149 | 79 | - | XSS Bypass | 2018-12-14 | 2019-03-04
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

3954 | CVE-2018-20138 | 79 | - | XSS | 2018-12-13 | 2020-04-22
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  PHP Scripts Mall Entrepreneur B2B Script 3.0.6 allows Stored XSS via Account Settings fields such as FirstName and LastName, a similar issue to CVE-2018-14541.

3955 | CVE-2018-20137 | 79 | - | XSS | 2018-12-13 | 2019-01-03
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI.

3956 | CVE-2018-20136 | 79 | - | XSS | 2018-12-13 | 2019-01-03
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI.

3957 | CVE-2018-20017 | 79 | - | XSS | 2018-12-10 | 2018-12-28
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  SEMCMS 3.5 has XSS via the first text box to the SEMCMS_Main.php URI.

3958 | CVE-2018-20012 | 79 | - | XSS | 2018-12-10 | 2018-12-31
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=member&c=register&m=index URI.

3959 | CVE-2018-20011 | 79 | - | XSS | 2018-12-10 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field.

3960 | CVE-2018-20010 | 79 | - | XSS | 2018-12-10 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php username field.

3961 | CVE-2018-20009 | 79 | - | XSS | 2018-12-10 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider.php SSL Provider Name or SSL Provider URL field.

3962 | CVE-2018-19995 | 79 | - | XSS | 2019-01-03 | 2019-01-07
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php.

3963 | CVE-2018-19992 | 79 | - | XSS | 2019-01-03 | 2019-01-07
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php.

3964 | CVE-2018-19943 | 79 | - | XSS | 2020-10-28 | 2020-11-13
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions: QTS 4.4.2.1270 build 20200410 and later; QTS 4.4.1.1261 build 20200330 and later; QTS 4.3.6.1263 build 20200330 and later; QTS 4.3.4.1282 build 20200408 and later; QTS 4.3.3.1252 build 20200409 and later; QTS 4.2.6 build 20200421 and later.

3965 | CVE-2018-19934 | 79 | - | XSS | 2019-03-21 | 2019-03-25
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  SolarWinds Serv-U FTP Server 15.1.6.25 has reflected cross-site scripting (XSS) in the Web management interface via URL path and HTTP POST parameter.

3966 | CVE-2018-19927 | 79 | - | XSS | 2018-12-06 | 2019-01-02
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  Zenitel Norway IP-StationWeb before 4.2.3.9 allows stored XSS via the Display Name for Station Status or Account Settings, related to the goform/zForm_save_changes sip_nick parameter. The password of alphaadmin for the admin account may be used for authentication in some cases.

3967 | CVE-2018-19919 | 79 | - | XSS | 2018-12-06 | 2018-12-31
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  Pixelimity 1.0 has Persistent XSS via the admin/portfolio.php data[title] parameter, as demonstrated by a crafted onload attribute of an SVG element.

3968 | CVE-2018-19918 | 79 | - | XSS | 2018-12-31 | 2019-02-25
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  CuppaCMS has XSS via an SVG document uploaded to the administrator/#/component/table_manager/view/cu_views URI.

3969 | CVE-2018-19915 | 79 | - | XSS | 2018-12-06 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.

3970 | CVE-2018-19914 | 79 | - | XSS | 2018-12-06 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.

3971 | CVE-2018-19913 | 79 | - | XSS | 2018-12-06 | 2018-12-21
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD through 4.11.01 has XSS via the assets/add/registrar-accounts.php UserName, Reseller ID, or notes field.

3972 | CVE-2018-19906 | 79 | - | XSS | 2018-12-31 | 2019-02-25
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  Stored XSS exists in razorCMS 3.4.8 via the /#/page description parameter.

3973 | CVE-2018-19905 | 79 | - | XSS | 2018-12-31 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  HTML injection exists in razorCMS 3.4.8 via the /#/page keywords parameter.

3974 | CVE-2018-19902 | 79 | - | XSS | 2018-12-31 | 2019-02-25
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article "keyword" parameter.

3975 | CVE-2018-19901 | 79 | - | XSS | 2018-12-31 | 2019-02-25
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article/index/ "article_title" parameter.

3976 | CVE-2018-19892 | 79 | - | XSS | 2018-12-06 | 2018-12-21
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD through 4.11.01 has XSS via the admin/dw/add-server.php DisplayName, HostName, or UserName field.

3977 | CVE-2018-19849 | 79 | - | XSS | 2018-12-04 | 2018-12-31
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  An issue was discovered in YzmCMS 5.2. XSS exists via the admin/content/search.html searinfo parameter.

3978 | CVE-2018-19845 | 79 | - | XSS | 2018-12-31 | 2019-02-25
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325.

3979 | CVE-2018-19844 | 79 | - | XSS | 2018-12-31 | 2019-02-25
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  FROG CMS 0.9.5 has XSS via the admin/?/snippet/add name parameter, which is mishandled during an edit action, a related issue to CVE-2018-10319.

3980 | CVE-2018-19752 | 79 | - | XSS | 2018-11-29 | 2018-12-21
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes field for the Registrar.

3981 | CVE-2018-19751 | 79 | - | XSS | 2018-11-29 | 2018-12-21
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD through 4.11.01 has XSS via the admin/ssl-fields/add.php notes field for Custom SSL Fields.

3982 | CVE-2018-19750 | 79 | - | XSS | 2018-11-29 | 2018-12-27
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD through 4.11.01 has XSS via the admin/domain-fields/ notes field in an Add Custom Field action for Custom Domain Fields.

3983 | CVE-2018-19749 | 79 | - | XSS | 2018-11-29 | 2018-12-21
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  DomainMOD through 4.11.01 has XSS via the assets/add/account-owner.php Owner name field.

3984 | CVE-2018-19658 | 79 | - | XSS | 2020-03-02 | 2021-09-08
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  The Markdown editor in YXBJ before 8.3.2 on macOS has stored XSS. This behavior may be encountered by some Evernote users; however, it is a vulnerability in YXBJ, not a vulnerability in Evernote.

3985 | CVE-2018-19638 | 59 | - | - | 2019-03-05 | 2019-05-08
  Score 3.3 | Gained Access Level: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf./Integ./Avail.: None/Partial/Partial
  In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files.

3986 | CVE-2018-19637 | 59 | - | - | 2019-03-05 | 2019-05-08
  Score 3.6 | Gained Access Level: None | Access: Local | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: None/Partial/Partial
  Supportutils, before version 3.1-5.7.1, wrote data to the static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection.

3987 | CVE-2018-19600 | 79 | - | XSS | 2019-01-03 | 2019-02-25
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  Rhymix CMS 1.9.8.1 allows XSS via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload.

3988 | CVE-2018-19599 | 79 | - | XSS | 2020-03-02 | 2020-06-24
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a discontinued product.

3989 | CVE-2018-19598 | 79 | - | XSS | 2018-12-19 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  Statamic 2.10.3 allows XSS via First Name or Last Name to the /users URI in an 'Add new user' request.

3990 | CVE-2018-19597 | 79 | - | XSS | 2018-12-19 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798.

3991 | CVE-2018-19596 | 79 | - | XSS | 2018-12-19 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  Zurmo 3.2.4 allows HTML Injection via an admin's use of HTML in the report section, a related issue to CVE-2018-19506.

3992 | CVE-2018-19579 | 79 | - | XSS | 2019-07-10 | 2019-07-11
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1.

3993 | CVE-2018-19574 | 79 | - | XSS | 2019-07-10 | 2019-07-16
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page.

3994 | CVE-2018-19573 | 79 | - | XSS | 2019-07-10 | 2019-07-16
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  GitLab CE/EE, versions 10.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via Mermaid.

3995 | CVE-2018-19570 | 79 | - | XSS | 2019-07-10 | 2019-07-16
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags.

3996 | CVE-2018-19554 | 79 | - | XSS | 2018-11-26 | 2019-03-06
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  An issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp.

3997 | CVE-2018-19508 | 79 | - | XSS | 2018-12-19 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  CMSimple 4.7.5 has XSS via an admin's upload of an SVG file at a ?userfiles&subdir=userfiles/images/flags/ URI.

3998 | CVE-2018-19507 | 79 | - | XSS | 2018-12-19 | 2019-02-25
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  CMSimple 4.7.5 has XSS via an admin's use of a ?file=config&action=array URI.

3999 | CVE-2018-19506 | 79 | - | XSS | 2018-12-19 | 2019-02-26
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  Zurmo 3.2.4 has XSS via an admin's use of the name parameter in the reports section, aka the app/index.php/reports/default/details?id=1 URI.

4000 | CVE-2018-19464 | 79 | - | XSS | 2018-11-22 | 2020-01-17
  Score 3.5 | Gained Access Level: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf./Integ./Avail.: None/Partial/None
  Discuz! X3.4 allows XSS via admin.php because admincp/admincp_setting.php and template\default\common\footer.htm mishandle the statcode field from third-party stats code.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.