CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
4551 CVE-2018-6867 79 XSS 2018-02-23 2018-03-01
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) exists in PHP Scripts Mall Alibaba Clone Script 1.0.2 via a profile parameter.
4552 CVE-2018-6866 79 XSS 2018-02-23 2018-03-01
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) exists in PHP Scripts Mall Learning and Examination Management System Script 2.3.1 via a crafted message.
4553 CVE-2018-6864 79 XSS 2018-02-12 2018-02-26
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) exists in PHP Scripts Mall Multi religion Responsive Matrimonial 4.7.2 via a user profile update parameter.
4554 CVE-2018-6862 79 XSS 2018-02-12 2018-02-26
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) exists in PHP Scripts Mall Bitcoin MLM Software 1.0.2 via a profile field.
4555 CVE-2018-6861 79 XSS 2018-02-12 2020-03-11
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) exists in PHP Scripts Mall Lawyer Search Script 1.0.2 via a profile update parameter.
4556 CVE-2018-6858 79 XSS 2018-02-12 2020-03-11
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) exists in PHP Scripts Mall Facebook Clone Script.
4557 CVE-2018-6844 79 XSS 2018-02-08 2018-02-26
3.5
None Remote Medium ??? None Partial None
MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen.
4558 CVE-2018-6842 79 XSS 2018-03-19 2018-04-12
3.5
None Remote Medium ??? None Partial None
Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page.
4559 CVE-2018-6796 79 XSS 2018-02-07 2018-02-26
3.5
None Remote Medium ??? None Partial None
PHP Scripts Mall Multilanguage Real Estate MLM Script 3.0 has Stored XSS via every profile input field.
4560 CVE-2018-6795 79 XSS 2018-02-07 2018-03-01
3.5
None Remote Medium ??? None Partial None
PHP Scripts Mall Naukri Clone Script 3.0.3 has Stored XSS via every profile input field.
4561 CVE-2018-6693 367 2018-09-18 2019-10-09
3.3
None Local Medium Not required None Partial Partial
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escalation to delete arbitrary files.
4562 CVE-2018-6690 346 Exec Code 2018-09-18 2019-10-09
3.6
None Local Low Not required Partial Partial None
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
4563 CVE-2018-6681 79 XSS 2018-07-17 2019-10-09
3.5
None Remote Medium ??? None Partial None
Abuse of Functionality vulnerability in the web interface in McAfee Network Security Management (NSM) 9.1.7.11 and earlier allows authenticated users to allow arbitrary HTML code to be reflected in the response web page via appliance web interface.
4564 CVE-2018-6659 79 XSS 2018-04-02 2019-10-09
3.5
None Remote Medium ??? None Partial None
Reflected Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows remote authenticated users to exploit an XSS issue via not sanitizing the user input.
4565 CVE-2018-6655 79 XSS 2018-02-07 2018-02-26
3.5
None Remote Medium ??? None Partial None
PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS via an arbitrary profile field.
4566 CVE-2018-6622 2018-08-17 2019-10-03
3.6
None Local Low Not required None Partial Partial
An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware while S3 sleep and can clear TPM 2.0. It allows local users to overwrite static PCRs of TPM and neutralize the security features of it, such as seal/unseal and remote attestation.
4567 CVE-2018-6550 79 XSS 2018-02-02 2018-02-14
3.5
None Remote Medium ??? None Partial None
Monstra CMS through 3.0.4 has XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php.
4568 CVE-2018-6518 79 XSS 2018-04-26 2018-05-25
3.5
None Remote Medium ??? None Partial None
Composr CMS 10.0.13 has XSS via the site_name parameter in a page=admin-setupwizard&type=step3 request to /adminzone/index.php.
4569 CVE-2018-6511 79 XSS 2018-05-08 2019-10-09
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.
4570 CVE-2018-6510 79 XSS 2018-05-08 2019-10-09
3.5
None Remote Medium ??? None Partial None
A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.
4571 CVE-2018-6506 79 XSS 2018-02-12 2018-03-06
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting (XSS) exists in the Add Forum feature in the Administrative Panel in miniBB 3.2.2 via crafted use of an onload attribute of an SVG element in the supertitle field.
4572 CVE-2018-6495 79 XSS 2018-05-23 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-Site Scripting (XSS) in Micro Focus Universal CMDB, version 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.0, CMS, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1 and Micro Focus UCMDB Browser, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1. This vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS).
4573 CVE-2018-6447 79 XSS 2020-09-25 2021-08-23
3.5
None Remote Medium ??? None Partial None
A Reflective XSS Vulnerability in HTTP Management Interface in Brocade Fabric OS versions before Brocade Fabric OS v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0_CBN3, v7.4.2g could allow authenticated attackers with access to the web interface to hijack a user’s session and take over the account.
4574 CVE-2018-6313 79 XSS 2018-01-25 2018-02-08
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) in WBCE CMS 1.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the Modify Page screen, a different issue than CVE-2017-2118.
4575 CVE-2018-6227 79 XSS 2018-03-15 2018-04-04
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject client-side scripts into vulnerable systems.
4576 CVE-2018-6226 79 XSS 2018-03-15 2018-04-04
3.5
None Remote Medium ??? None Partial None
Reflected cross-site scripting (XSS) vulnerabilities in two Trend Micro Email Encryption Gateway 5.5 configuration files could allow an attacker to inject client-side scripts into vulnerable systems.
4577 CVE-2018-6198 59 2018-01-25 2019-10-03
3.3
None Local Medium Not required None Partial Partial
w3m through 0.5.3 does not properly handle temporary files when the ~/.w3m directory is unwritable, which allows a local attacker to craft a symlink attack to overwrite arbitrary files.
4578 CVE-2018-6194 79 XSS 2018-01-30 2018-02-14
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in admin/partials/wp-splashing-admin-sidebar.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search parameter to wp-admin/upload.php.
4579 CVE-2018-6190 79 XSS 2018-01-24 2018-02-09
3.5
None Remote Medium ??? None Partial None
Netis WF2419 V3.2.41381 devices allow XSS via the Description field on the MAC Filtering page.
4580 CVE-2018-6013 79 XSS 2018-01-23 2018-02-07
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter. This issue exists in core/admin/ajax/developer/extensions/file-browser.php.
4581 CVE-2018-5967 79 XSS 2018-01-25 2018-02-12
3.5
None Remote Medium ??? None Partial None
Netis WF2419 V2.2.36123 devices allow XSS via the Description parameter on the Bandwidth Control Rule Settings page.
4582 CVE-2018-5965 79 XSS 2018-01-25 2018-02-07
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_errors parameter.
4583 CVE-2018-5964 79 XSS 2018-01-25 2018-02-07
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via the m1_messages parameter.
4584 CVE-2018-5963 79 XSS 2018-01-25 2018-02-07
3.5
None Remote Medium ??? None Partial None
CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the title parameter.
4585 CVE-2018-5871 338 2018-09-20 2019-10-03
3.3
None Local Network Low Not required None Partial None
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests (for privacy reasons) is not done properly due to a flawed RNG which produces repeating output much earlier than expected.
4586 CVE-2018-5797 798 2018-02-05 2019-10-03
3.3
None Local Network Low Not required Partial None None
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is an Smint_encrypt Hardcoded AES Key that can be used for packet decryption (obtaining cleartext credentials) by an attacker who has access to a wired port.
4587 CVE-2018-5754 79 XSS 2018-06-16 2018-08-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard.
4588 CVE-2018-5745 327 2019-10-09 2019-11-06
3.5
None Remote Medium ??? None None Partial
"managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745.
4589 CVE-2018-5736 2019-01-16 2019-10-03
3.5
None Remote Medium ??? None None Partial
An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession. This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test. Affects BIND 9.12.0 and 9.12.1.
4590 CVE-2018-5691 79 XSS 2018-01-14 2019-03-04
3.5
None Remote Medium ??? None Partial None
SonicWall Global Management System (GMS) 8.1 has XSS via the `newName` and `Name` values of the `/sgms/TreeControl` module.
4591 CVE-2018-5690 79 XSS 2018-01-14 2018-01-31
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb parameter (aka the page limit number).
4592 CVE-2018-5689 79 XSS 2018-01-14 2018-01-31
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the malicious user's email.
4593 CVE-2018-5687 79 XSS 2018-01-14 2018-02-02
3.5
None Remote Medium ??? None Partial None
NewsBee allows XSS via the Company Name field in the Settings under admin/admin.php.
4594 CVE-2018-5681 79 XSS 2018-01-13 2018-01-31
3.5
None Remote Medium ??? None Partial None
PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages > Edit page" screen.
4595 CVE-2018-5672 79 XSS 2018-01-13 2019-03-05
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.
4596 CVE-2018-5671 79 XSS 2018-01-13 2019-03-05
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.
4597 CVE-2018-5670 79 XSS 2018-01-13 2019-03-05
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.
4598 CVE-2018-5668 79 XSS 2018-01-13 2018-01-23
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_title parameter.
4599 CVE-2018-5667 79 XSS 2018-01-13 2018-01-23
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_pattern parameter.
4600 CVE-2018-5666 79 XSS 2018-01-13 2019-03-05
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php bg_color parameter.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.