Security Vulnerabilities (CVSS score between 3 and 3.99)
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4601 | CVE-2018-5670 | 79 | | XSS | 2018-01-13 | 2019-03-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter. |
| 4602 | CVE-2018-5668 | 79 | | XSS | 2018-01-13 | 2018-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_title parameter. |
| 4603 | CVE-2018-5667 | 79 | | XSS | 2018-01-13 | 2018-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_pattern parameter. |
| 4604 | CVE-2018-5666 | 79 | | XSS | 2018-01-13 | 2019-03-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php bg_color parameter. |
| 4605 | CVE-2018-5665 | 79 | | XSS | 2018-01-13 | 2019-03-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php logo_height parameter. |
| 4606 | CVE-2018-5664 | 79 | | XSS | 2018-01-13 | 2019-03-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php social_icon_1 parameter. |
| 4607 | CVE-2018-5663 | 79 | | XSS | 2018-01-13 | 2019-03-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php button_text_link parameter. |
| 4608 | CVE-2018-5662 | 79 | | XSS | 2018-01-13 | 2019-03-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php counter_title parameter. |
| 4609 | CVE-2018-5661 | 79 | | XSS | 2018-01-13 | 2019-03-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php logo_width parameter. |
| 4610 | CVE-2018-5660 | 79 | | XSS | 2018-01-13 | 2019-03-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php coming-soon_sub_title parameter. |
| 4611 | CVE-2018-5659 | 79 | | XSS | 2018-01-13 | 2019-03-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php coming-soon_title parameter. |
| 4612 | CVE-2018-5657 | 79 | | XSS | 2018-01-13 | 2019-03-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php counter_title_icon parameter. |
| 4613 | CVE-2018-5652 | 79 | | XSS | 2018-01-13 | 2018-01-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_end parameter. |
| 4614 | CVE-2018-5651 | 79 | | XSS | 2018-01-13 | 2018-01-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_start parameter. |
| 4615 | CVE-2018-5528 | 20 | | | 2018-06-27 | 2018-08-31 | 3.5 | None | Remote | Medium | ??? | None | None | Partial | Under certain conditions, TMM may restart and produce a core file while processing APM data on BIG-IP 13.0.1 or 13.1.0.4-13.1.0.7. |
| 4616 | CVE-2018-5520 | 863 | | | 2018-05-02 | 2020-08-24 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | On an F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.2.1-11.6.3.1 system configured in Appliance mode, the TMOS Shell (tmsh) may allow an administrative user to use the dig utility to gain unauthorized access to file system resources. |
| 4617 | CVE-2018-5498 | 20 | | DoS | 2019-02-01 | 2019-02-05 | 3.5 | None | Remote | Medium | ??? | None | None | Partial | Clustered Data ONTAP versions 9.0 through 9.4 are susceptible to a vulnerability which allows remote authenticated attackers to cause a Denial of Service (DoS) in NFS and SMB environments. Exploitation of this vulnerability will allow a remote authenticated attacker to cause a Denial of Service (DoS) on affected versions of clustered Data ONTAP configured for multiprotocol access. |
| 4618 | CVE-2018-5449 | 476 | | DoS | 2018-03-05 | 2019-10-09 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | A NULL Pointer Dereference issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. The application does not check for a NULL value, allowing for an attacker to perform a denial of service attack. |
| 4619 | CVE-2018-5438 | 613 | | | 2018-03-20 | 2018-04-20 | 3.3 | None | Local | Medium | Not required | Partial | Partial | None | Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information. |
| 4620 | CVE-2018-5432 | 79 | | XSS | 2018-06-13 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The TIBCO Administrator server component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains multiple vulnerabilities wherein a malicious user could theoretically perform cross-site scripting (XSS) attacks by way of manipulating artifacts prior to uploading them. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions up to and including 5.10.0, and TIBCO Administrator - Enterprise Edition for z/Linux: versions up to and including 5.9.1. |
| 4621 | CVE-2018-5431 | 79 | | XSS | 2018-04-17 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The domain designer component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability which may allow, in the context of a non-default permissions configuration, persisted cross-site scripting (XSS) attacks. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2. |
| 4622 | CVE-2018-5411 | 79 | | XSS | 2018-12-13 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user. An attacker might include Javascript that could execute on an authenticated user's system that could lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable. |
| 4623 | CVE-2018-5405 | 79 | | Exec Code XSS | 2019-06-03 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. An authenticated user with 'user console only' rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator. |
| 4624 | CVE-2018-5369 | 79 | | XSS | 2018-01-12 | 2018-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The SrbTransLatin plugin 1.46 for WordPress has XSS via an srbtranslatoptions action to wp-admin/options-general.php with a lang_identificator parameter. |
| 4625 | CVE-2018-5367 | 79 | | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][post] parameter to wp-admin/options.php. |
| 4626 | CVE-2018-5366 | 79 | | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[more_languages] parameter to wp-admin/options.php. |
| 4627 | CVE-2018-5365 | 79 | | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[selector_wp_list_pages][show_selector] parameter to wp-admin/options.php. |
| 4628 | CVE-2018-5364 | 79 | | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[browser_redirect][redirect_by_language] parameter to wp-admin/options.php. |
| 4629 | CVE-2018-5363 | 79 | | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[enabled_languages][en] or wpglobus_option[enabled_languages][fr] (or any other language) parameter to wp-admin/options.php. |
| 4630 | CVE-2018-5362 | 79 | | XSS | 2018-01-12 | 2018-01-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][page] parameter to wp-admin/options.php. |
| 4631 | CVE-2018-5331 | 79 | | XSS | 2018-01-10 | 2018-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Discuz! DiscuzX X3.4 has XSS via the view parameter to include/space/space_poll.php, as demonstrated by a mod=space do=poll request to home.php. |
| 4632 | CVE-2018-5312 | 79 | | XSS | 2018-01-09 | 2018-01-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The tabs-responsive plugin 1.8.0 for WordPress has XSS via the post_title parameter to wp-admin/post.php. |
| 4633 | CVE-2018-5311 | 79 | | XSS | 2018-01-09 | 2018-01-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Easy Custom Auto Excerpt plugin 2.4.6 for WordPress has XSS via the tonjoo_ecae_options[custom_css] parameter to the wp-admin/admin.php?page=tonjoo_excerpt URI. |
| 4634 | CVE-2018-5303 | 79 | | XSS | 2018-05-11 | 2018-06-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An issue was discovered on the Impinj Speedway Connect R420 RFID Reader before 2.2.2. The license key parameter of the web application is vulnerable to Cross Site Scripting; this vulnerability allows an attacker to send malicious code to another user. |
| 4635 | CVE-2018-5284 | 79 | | XSS | 2018-01-08 | 2018-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The ImageInject plugin 1.15 for WordPress has XSS via the flickr_appid parameter to wp-admin/options-general.php. |
| 4636 | CVE-2018-5281 | 79 | | XSS | 2018-01-08 | 2018-10-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices has XSS via the CFS Custom Category and Cloud AV DB Exclusion Settings screens. |
| 4637 | CVE-2018-5280 | 79 | | XSS | 2018-01-08 | 2018-10-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SonicWall SonicOS on Network Security Appliance (NSA) 2016 Q4 devices has XSS via the Configure SSO screens. |
| 4638 | CVE-2018-5263 | 79 | | XSS | 2018-01-08 | 2018-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The StackIdeas EasyDiscuss (aka com_easydiscuss) extension before 4.0.21 for Joomla! allows XSS. |
| 4639 | CVE-2018-5236 | 362 | | | 2018-06-20 | 2018-08-11 | 3.5 | None | Remote | Medium | ??? | None | None | Partial | Symantec Endpoint Protection prior to 14 RU1 MP1 or 12.1 RU6 MP10 may be susceptible to a race condition (or race hazard). This type of issue occurs in software where the output is dependent on the sequence or timing of other uncontrollable events. |
| 4640 | CVE-2018-5229 | 79 | | XSS | 2018-07-16 | 2018-09-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names. |
| 4641 | CVE-2018-5227 | 79 | | XSS | 2018-04-10 | 2018-05-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link. |
| 4642 | CVE-2018-5216 | 79 | | XSS | 2018-01-04 | 2018-01-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Radiant CMS 1.1.4 has XSS via crafted Markdown input in the part_body_content parameter to an admin/pages/*/edit resource. |
| 4643 | CVE-2018-5215 | 79 | | XSS | 2018-01-04 | 2018-01-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Fork CMS 5.0.7 has XSS in /private/en/pages/edit via the title parameter. |
| 4644 | CVE-2018-5214 | 79 | | XSS | 2018-01-04 | 2018-01-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The "Add Link to Facebook" plugin through 2.3 for WordPress has XSS via the al2fb_facebook_id parameter to wp-admin/profile.php. |
| 4645 | CVE-2018-5213 | 79 | | XSS | 2018-01-04 | 2018-01-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload (aka Downloadable File) parameter in an edit action to wp-admin/post.php. |
| 4646 | CVE-2018-5212 | 79 | | XSS | 2018-01-04 | 2018-01-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload_thumbnail (aka File Thumbnail) parameter in an edit action to wp-admin/post.php. |
| 4647 | CVE-2018-5078 | 79 | | XSS | 2018-01-03 | 2018-01-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Online Ticket Booking has XSS via the admin/eventlist.php cast parameter. |
| 4648 | CVE-2018-5077 | 79 | | XSS | 2018-01-03 | 2018-01-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Online Ticket Booking has XSS via the admin/movieedit.php moviename parameter. |
| 4649 | CVE-2018-5076 | 79 | | XSS | 2018-01-03 | 2018-01-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Online Ticket Booking has XSS via the admin/newsedit.php newstitle parameter. |
| 4650 | CVE-2018-5075 | 79 | | XSS | 2018-01-03 | 2018-01-12 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Online Ticket Booking has XSS via the admin/snacks_edit.php snacks_name parameter. |
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.