CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
4151 CVE-2018-16623 79 XSS 2019-05-13 2019-05-13
3.5
None Remote Medium ??? None Partial None
Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown.
4152 CVE-2018-16622 79 XSS 2018-09-06 2018-11-02
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in /api/content/addOne in DoraCMS v2.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) discription or (2) comments field, related to users/userAddContent.
4153 CVE-2018-16607 79 XSS 2018-09-19 2018-11-07
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Orgs Page in Open-AudIT Professional edition in 2.2.7 allows remote attackers to inject arbitrary web script via the Orgs name field.
4154 CVE-2018-16605 79 XSS 2018-09-12 2021-04-23
3.5
None Remote Medium ??? None Partial None
D-Link DIR-600M devices allow XSS via the Hostname and Username fields in the Dynamic DNS Configuration page.
4155 CVE-2018-16595 119 Overflow 2019-06-19 2019-06-24
3.3
None Local Network Low Not required None None Partial
The Photo Sharing Plus component on Sony Bravia TV through 8.587 devices has a Buffer Overflow.
4156 CVE-2018-16555 79 XSS 2018-12-13 2019-10-09
3.5
None Remote Medium ??? None Partial None
A vulnerability has been identified in SCALANCE S602 (All versions < V4.0.1.1), SCALANCE S612 (All versions < V4.0.1.1), SCALANCE S623 (All versions < V4.0.1.1), SCALANCE S627-2M (All versions < V4.0.1.1). The integrated web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known.
4157 CVE-2018-16551 79 XSS 2018-09-05 2019-10-15
3.5
None Remote Medium ??? None Partial None
LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit.
4158 CVE-2018-16484 79 Exec Code XSS 2019-02-01 2019-10-09
3.5
None Remote Medium ??? None Partial None
A XSS vulnerability was found in module m-server <1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names.
4159 CVE-2018-16468 79 XSS 2018-10-30 2019-10-09
3.5
None Remote Medium ??? None Partial None
In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
4160 CVE-2018-16464 287 2018-10-30 2019-10-09
3.5
None Remote Medium ??? Partial None None
A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password.
4161 CVE-2018-16463 384 2018-10-30 2019-10-09
3.6
None Remote High ??? Partial Partial None
A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares.
4162 CVE-2018-16379 79 XSS 2018-09-03 2019-09-23
3.5
None Remote Medium ??? None Partial None
Ogma CMS 0.4 Beta has XSS via the "Footer Text footer" field on the "Theme/Theme Options" screen.
4163 CVE-2018-16374 79 XSS 2018-09-03 2018-10-24
3.5
None Remote Medium ??? None Partial None
Frog CMS 0.9.5 has stored XSS via /admin/?/plugin/comment/settings.
4164 CVE-2018-16363 79 XSS 2018-09-07 2018-11-06
3.5
None Remote Medium ??? None Partial None
The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php.
4165 CVE-2018-16358 79 XSS 2018-09-02 2018-10-24
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS payload with the file extension .ahtml.
4166 CVE-2018-16348 79 XSS 2018-09-02 2018-10-25
3.5
None Remote Medium ??? None Partial None
SeaCMS V6.61 has XSS via the admin_video.php v_content parameter, related to the site name.
4167 CVE-2018-16346 79 XSS 2018-09-02 2018-11-09
3.5
None Remote Medium ??? None Partial None
ChemCMS 1.0.6 has XSS via the "setting -> website information" field.
4168 CVE-2018-16342 79 XSS 2018-09-02 2018-10-25
3.5
None Remote Medium ??? None Partial None
ShowDoc v1.8.0 has XSS via a new page.
4169 CVE-2018-16327 79 XSS 2018-09-01 2018-11-09
3.5
None Remote Medium ??? None Partial None
There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration.
4170 CVE-2018-16316 79 XSS 2018-09-01 2018-11-09
3.5
None Remote Medium ??? None Partial None
A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field.
4171 CVE-2018-16277 79 XSS 2018-09-28 2018-11-15
3.5
None Remote Medium ??? None Partial None
The Image Import function in XWiki through 10.7 has XSS.
4172 CVE-2018-16271 269 2020-01-22 2020-01-30
3.3
None Local Network Low Not required None Partial None
The wemail_consumer_service (from the built-in application wemail) in Samsung Galaxy Gear series allows an unprivileged process to manipulate a user's mailbox, due to improper D-Bus security policy configurations. An arbitrary email can also be sent from the mailbox via the paired smartphone. This affects Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.
4173 CVE-2018-16268 269 2020-01-22 2020-02-03
3.3
None Local Network Low Not required None Partial None
The SoundServer/FocusServer system services in Tizen allow an unprivileged process to perform media-related system actions, due to improper D-Bus security policy configurations. Such actions include playing an arbitrary sound file or DTMF tones. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.
4174 CVE-2018-16265 269 2020-01-22 2020-02-03
3.3
None Local Network Low Not required None Partial None
The bt/bt_core system service in Tizen allows an unprivileged process to create a system user interface and control the Bluetooth pairing process, due to improper D-Bus security policy configurations. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.
4175 CVE-2018-16264 200 +Info 2020-01-22 2020-02-03
3.3
None Local Network Low Not required Partial None None
The BlueZ system service in Tizen allows an unprivileged process to partially control Bluetooth or acquire sensitive information, due to improper D-Bus security policy configurations. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.
4176 CVE-2018-16250 79 XSS 2019-06-20 2019-06-21
3.5
None Remote Medium ??? None Partial None
The "utilisateur" menu in Creatiwity wityCMS 0.6.2 modifies the presence of XSS at two input points for user information, with the "first name" and "last name" parameters.
4177 CVE-2018-16249 79 XSS 2019-06-20 2019-06-21
3.5
None Remote Medium ??? None Partial None
In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name.
4178 CVE-2018-16247 79 XSS 2019-06-20 2019-06-20
3.5
None Remote Medium ??? None Partial None
YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html title parameter.
4179 CVE-2018-16243 79 XSS 2020-12-15 2020-12-17
3.5
None Remote Medium ??? None Partial None
SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen.
4180 CVE-2018-16219 287 2019-04-25 2019-04-26
3.3
None Local Network Low Not required None Partial None
A missing password verification in the web interface in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an remote attacker (in the same network as the device) to change the admin password without authentication via a POST request.
4181 CVE-2018-16205 79 XSS 2019-01-09 2019-01-16
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal.
4182 CVE-2018-16204 79 XSS 2019-01-09 2019-10-03
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Google XML Sitemaps Version 4.0.9 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
4183 CVE-2018-16197 Bypass 2019-01-09 2019-10-03
3.3
None Local Network Low Not required Partial None None
Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows an attacker on the same network segment to bypass access restriction to access the information and files stored on the affected device.
4184 CVE-2018-16193 79 XSS 2019-01-09 2019-01-17
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
4185 CVE-2018-16192 200 +Info 2019-01-09 2019-01-17
3.3
None Local Network Low Not required Partial None None
Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allow an attacker on the same network segment to obtain information registered on the device via unspecified vectors.
4186 CVE-2018-16164 79 XSS 2019-01-09 2019-01-16
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
4187 CVE-2018-16138 79 XSS 2019-05-13 2019-05-15
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the administration page in IPBRICK OS 6.3. There are multiple XSS vulnerabilities.
4188 CVE-2018-15917 79 XSS 2018-09-05 2018-10-25
3.5
None Remote Medium ??? None Partial None
Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.
4189 CVE-2018-15903 79 XSS 2018-10-08 2018-11-26
3.5
None Remote Medium ??? None Partial None
The Discuss v1.2.1 module in Claromentis 8.2.2 is vulnerable to stored Cross Site Scripting (XSS). An authenticated attacker will be able to place malicious JavaScript in the discussion forum, which is present in the login landing page. A low privilege user can use this to steal the session cookies from high privilege accounts and hijack these, enabling them to hijack the elevated session and perform actions in their security context.
4190 CVE-2018-15896 79 XSS 2018-08-28 2018-10-31
3.5
None Remote Medium ??? None Partial None
PHP Scripts Mall Website Seller Script 2.0.5 has XSS via Personal Address or Company Name.
4191 CVE-2018-15891 79 XSS 2019-06-20 2019-12-10
3.5
None Remote Medium ??? None Partial None
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.
4192 CVE-2018-15880 79 XSS 2018-08-29 2018-11-02
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Joomla! before 3.8.12. Inadequate output filtering on the user profile page could lead to a stored XSS attack.
4193 CVE-2018-15843 79 XSS 2018-08-25 2018-10-17
3.5
None Remote Medium ??? None Partial None
GetSimple CMS 3.3.14 has XSS via the admin/edit.php "Add New Page" field.
4194 CVE-2018-15842 79 XSS 2018-08-25 2018-10-17
3.5
None Remote Medium ??? None Partial None
WolfCMS 0.8.3.1 has XSS via the /?/admin/page/add slug parameter.
4195 CVE-2018-15800 200 +Info 2018-12-10 2019-10-09
3.5
None Remote Medium ??? Partial None None
Cloud Foundry Bits Service, versions prior to 2.18.0, includes an information disclosure vulnerability. A remote malicious user may execute a timing attack to brute-force the signing key, allowing them complete read and write access to the the Bits Service storage.
4196 CVE-2018-15772 400 2018-11-13 2019-02-04
3.6
None Local Low Not required Partial None Partial
Dell EMC RecoverPoint versions prior to 5.1.2.1 and RecoverPoint for VMs versions prior to 5.2.0.2 contain an uncontrolled resource consumption vulnerability. A malicious boxmgmt user may potentially be able to consume large amount of CPU bandwidth to make the system slow or to determine the existence of any system file via Boxmgmt CLI.
4197 CVE-2018-15713 79 XSS 2018-11-14 2018-12-06
3.5
None Remote Medium ??? None Partial None
Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php.
4198 CVE-2018-15707 79 XSS 2018-10-31 2018-12-12
3.5
None Remote Medium ??? None Partial None
Advantech WebAccess 8.3.1 and 8.3.2 are vulnerable to cross-site scripting in the Bwmainleft.asp page. An attacker could leverage this vulnerability to disclose credentials amongst other things.
4199 CVE-2018-15701 20 DoS 2018-10-01 2018-11-27
3.3
None Local Network Low Not required None None Partial
The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to a denial of service when an unauthenticated LAN user sends a crafted HTTP header containing an unexpected Cookie field.
4200 CVE-2018-15693 863 Bypass 2018-11-16 2019-10-03
3.5
None Remote Medium ??? None Partial None
Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass via insecure direct object reference.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.