Search
Total
2662 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-9154 | 1 Jasper Project | 1 Jasper | 2019-08-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is a reachable abort in the function jpc_dec_process_sot in libjasper/jpc/jpc_dec.c of JasPer 2.0.14 that will lead to a remote denial of service attack by triggering an unexpected jas_alloc2 return value, a different vulnerability than CVE-2017-13745. | |||||
| CVE-2017-18388 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 7.2 HIGH | 7.8 HIGH |
| cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315). | |||||
| CVE-2016-10771 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 5.5 MEDIUM | 8.1 HIGH |
| cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165). | |||||
| CVE-2016-10787 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 5.5 MEDIUM | 8.1 HIGH |
| The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187). | |||||
| CVE-2016-10788 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 9.0 HIGH | 8.8 HIGH |
| cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188). | |||||
| CVE-2016-10789 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 6.5 MEDIUM | 8.8 HIGH |
| cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191). | |||||
| CVE-2016-10804 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 8.7 HIGH | 8.1 HIGH |
| The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58). | |||||
| CVE-2016-10805 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 6.5 MEDIUM | 8.8 HIGH |
| cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109). | |||||
| CVE-2017-18433 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 9.0 HIGH | 8.8 HIGH |
| cPanel before 64.0.21 allows code execution by webmail and demo accounts via a store_filter API call (SEC-236). | |||||
| CVE-2017-18434 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 7.2 HIGH | 7.8 HIGH |
| cPanel before 64.0.21 allows code execution in the context of the root account via a SET_VHOST_LANG_PACKAGE multilang adminbin call (SEC-237). | |||||
| CVE-2016-2098 | 2 Debian, Rubyonrails | 3 Debian Linux, Rails, Ruby On Rails | 2019-08-08 | 7.5 HIGH | 7.3 HIGH |
| Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. | |||||
| CVE-2017-18460 | 1 Cpanel | 1 Cpanel | 2019-08-07 | 7.2 HIGH | 7.8 HIGH |
| cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221). | |||||
| CVE-2017-18459 | 1 Cpanel | 1 Cpanel | 2019-08-07 | 7.2 HIGH | 7.8 HIGH |
| cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220). | |||||
| CVE-2019-7885 | 1 Magento | 1 Magento | 2019-08-07 | 6.5 MEDIUM | 8.8 HIGH |
| Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search. | |||||
| CVE-2016-10823 | 1 Cpanel | 1 Cpanel | 2019-08-07 | 9.0 HIGH | 8.8 HIGH |
| cPanel before 55.9999.141 allows arbitrary code execution in the context of the root account because of MakeText interpolation (SEC-89). | |||||
| CVE-2018-20895 | 1 Cpanel | 1 Cpanel | 2019-08-07 | 6.5 MEDIUM | 7.2 HIGH |
| In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393). | |||||
| CVE-2017-18463 | 1 Cpanel | 1 Cpanel | 2019-08-06 | 7.2 HIGH | 7.8 HIGH |
| cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225). | |||||
| CVE-2018-14598 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2019-08-06 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). | |||||
| CVE-2018-19788 | 3 Canonical, Debian, Polkit Project | 3 Ubuntu Linux, Debian Linux, Polkit | 2019-08-06 | 9.0 HIGH | 8.8 HIGH |
| A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command. | |||||
| CVE-2016-10850 | 1 Cpanel | 1 Cpanel | 2019-08-06 | 9.0 HIGH | 8.8 HIGH |
| cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost (SEC-83). | |||||
| CVE-2016-10816 | 1 Cpanel | 1 Cpanel | 2019-08-06 | 6.5 MEDIUM | 8.8 HIGH |
| cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121). | |||||
| CVE-2018-20857 | 1 Zendesk | 1 Samlr | 2019-08-01 | 5.0 MEDIUM | 7.5 HIGH |
| Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as a name_id node with user@example.com followed by <!---->. and then the attacker's domain name. | |||||
| CVE-2018-14732 | 1 Webpack.js | 1 Webpack-dev-server | 2019-08-01 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin. | |||||
| CVE-2017-17831 | 1 Git Large File Storage Project | 1 Git Large File Storage | 2019-08-01 | 6.8 MEDIUM | 8.8 HIGH |
| GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a "url =" line in a .lfsconfig file within a repository. | |||||
| CVE-2018-20869 | 1 Cpanel | 1 Cpanel | 2019-07-31 | 7.2 HIGH | 7.8 HIGH |
| cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465). | |||||
| CVE-2018-1000156 | 4 Canonical, Debian, Gnu and 1 more | 9 Ubuntu Linux, Debian Linux, Patch and 6 more | 2019-07-30 | 6.8 MEDIUM | 7.8 HIGH |
| GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time. | |||||
| CVE-2016-1408 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2019-07-29 | 6.5 MEDIUM | 8.8 HIGH |
| Cisco Prime Infrastructure 1.2 through 3.1 and Evolved Programmable Network Manager (EPNM) 1.2 and 2.0 allow remote authenticated users to execute arbitrary commands or upload files via a crafted HTTP request, aka Bug ID CSCuz01488. | |||||
| CVE-2016-1442 | 1 Cisco | 1 Prime Infrastructure | 2019-07-29 | 9.0 HIGH | 8.8 HIGH |
| The administrative web interface in Cisco Prime Infrastructure (PI) before 3.1.1 allows remote authenticated users to execute arbitrary commands via crafted field values, aka Bug ID CSCuy96280. | |||||
| CVE-2016-1359 | 1 Cisco | 1 Prime Infrastructure | 2019-07-29 | 6.5 MEDIUM | 8.8 HIGH |
| Cisco Prime Infrastructure 3.0 allows remote authenticated users to execute arbitrary code via a crafted HTTP request that is mishandled during viewing of a log file, aka Bug ID CSCuw81494. | |||||
| CVE-2013-0267 | 1 Apache | 1 Vcl | 2019-07-29 | 6.5 MEDIUM | 8.8 HIGH |
| The Privileges portion of the web GUI and the XMLRPC API in Apache VCL 2.3.x before 2.3.2, 2.2.x before 2.2.2 and 2.1 allow remote authenticated users with nodeAdmin, manageGroup, resourceGrant, or userGrant permissions to gain privileges, cause a denial of service, or conduct cross-site scripting (XSS) attacks by leveraging improper data validation. | |||||
| CVE-2019-11696 | 1 Mozilla | 1 Firefox | 2019-07-28 | 6.8 MEDIUM | 7.8 HIGH |
| Files with the .JNLP extension used for "Java web start" applications are not treated as executable content for download prompts even though they can be executed if Java is installed on the local system. This could allow users to mistakenly launch an executable binary locally. This vulnerability affects Firefox < 67. | |||||
| CVE-2019-13097 | 1 Cat Runner\ | 1 Decorate Home Project | 2019-07-26 | 5.0 MEDIUM | 7.5 HIGH |
| The application API of Cat Runner Decorate Home version 2.8.0 for Android does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. Attackers can manipulate users' score parameters exchanged between client and server. | |||||
| CVE-2019-5285 | 1 Huawei | 28 S12700, S12700 Firmware, S1700 and 25 more | 2019-07-26 | 7.8 HIGH | 7.5 HIGH |
| Some Huawei S series switches have a DoS vulnerability. An unauthenticated remote attacker can send crafted packets to the affected device to exploit this vulnerability. Due to insufficient verification of the packets, successful exploitation may cause the device reboot and denial of service (DoS) condition. (Vulnerability ID: HWPSIRT-2019-03109) | |||||
| CVE-2019-14211 | 2 Foxitsoftware, Microsoft | 2 Phantompdf, Windows | 2019-07-25 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Foxit PhantomPDF before 8.3.11. The application could crash due to the lack of proper validation of the existence of an object prior to performing operations on that object when executing JavaScript. | |||||
| CVE-2019-1010251 | 1 Oisf | 1 Suricata | 2019-07-23 | 5.0 MEDIUM | 7.5 HIGH |
| Open Information Security Foundation Suricata prior to version 4.1.2 is affected by: Denial of Service - DNS detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed network packet. The component is: app-layer-detect-proto.c, decode.c, decode-teredo.c and decode-ipv6.c (https://github.com/OISF/suricata/pull/3590/commits/11f3659f64a4e42e90cb3c09fcef66894205aefe, https://github.com/OISF/suricata/pull/3590/commits/8357ef3f8ffc7d99ef6571350724160de356158b). The attack vector is: An attacker can trigger the vulnerability by sending a specifically crafted network request. The fixed version is: 4.1.2. | |||||
| CVE-2018-18541 | 2 Debian, Teeworlds | 2 Debian Linux, Teeworlds | 2019-07-23 | 5.0 MEDIUM | 7.5 HIGH |
| In Teeworlds before 0.6.5, connection packets could be forged. There was no challenge-response involved in the connection build up. A remote attacker could send connection packets from a spoofed IP address and occupy all server slots, or even use them for a reflection attack using map download packets. | |||||
| CVE-2018-20743 | 2 Debian, Mumble | 2 Debian Linux, Mumble | 2019-07-23 | 5.0 MEDIUM | 7.5 HIGH |
| murmur in Mumble through 1.2.19 before 2018-08-31 mishandles multiple concurrent requests that are persisted in the database, which allows remote attackers to cause a denial of service (daemon hang or crash) via a message flood. | |||||
| CVE-2019-7843 | 3 Adobe, Linux, Microsoft | 3 Campaign, Linux Kernel, Windows | 2019-07-22 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Insufficient input validation vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user. | |||||
| CVE-2018-8779 | 3 Canonical, Debian, Ruby-lang | 3 Ubuntu Linux, Debian Linux, Ruby | 2019-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket. | |||||
| CVE-2018-19629 | 1 Hyland | 1 Perceptive Content Server | 2019-07-19 | 5.0 MEDIUM | 7.5 HIGH |
| A Denial of Service vulnerability in the ImageNow Server service in Hyland Perceptive Content Server before 7.1.5 allows an attacker to crash the service via a TCP connection. | |||||
| CVE-2019-1113 | 1 Microsoft | 10 .net Framework, Visual Studio 2017, Windows 10 and 7 more | 2019-07-19 | 6.8 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code Execution Vulnerability'. | |||||
| CVE-2017-7189 | 1 Php | 1 Php | 2019-07-17 | 5.0 MEDIUM | 7.5 HIGH |
| main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input. | |||||
| CVE-2019-12841 | 1 Jetbrains | 1 Teamcity | 2019-07-09 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect handling of user input in ZIP extraction was detected in JetBrains TeamCity. The issue was fixed in TeamCity 2018.2.2. | |||||
| CVE-2018-14733 | 1 Odoo | 1 Odoo | 2019-07-09 | 5.0 MEDIUM | 7.5 HIGH |
| The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances. | |||||
| CVE-2018-20809 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Policy Secure | 2019-07-03 | 5.0 MEDIUM | 7.5 HIGH |
| A crafted message can cause the web server to crash with Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R5 and Pulse Policy Secure 5.4RX before 5.4R5. This is not applicable to PCS 8.1RX. | |||||
| CVE-2018-6121 | 1 Google | 1 Chrome | 2019-07-01 | 6.8 MEDIUM | 8.8 HIGH |
| Insufficient validation of input in Blink in Google Chrome prior to 66.0.3359.170 allowed a remote attacker to perform privilege escalation via a crafted HTML page. | |||||
| CVE-2018-6176 | 1 Google | 1 Chrome | 2019-06-28 | 4.6 MEDIUM | 7.8 HIGH |
| Insufficient file type enforcement in Extensions API in Google Chrome prior to 68.0.3440.75 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted Chrome Extension. | |||||
| CVE-2018-6161 | 1 Google | 1 Chrome | 2019-06-28 | 6.8 MEDIUM | 8.8 HIGH |
| Insufficient policy enforcement in Blink in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||||
| CVE-2018-6138 | 1 Google | 1 Chrome | 2019-06-28 | 5.8 MEDIUM | 8.1 HIGH |
| Insufficient policy enforcement in Extensions API in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. | |||||
| CVE-2016-0363 | 3 Ibm, Novell, Redhat | 13 Java Sdk, Suse Linux Enterprise Module For Legacy Software, Suse Linux Enterprise Server and 10 more | 2019-06-24 | 6.8 MEDIUM | 8.1 HIGH |
| The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) uses the invoke method of the java.lang.reflect.Method class in an AccessController doPrivileged block, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to a Proxy object instance implementing the java.lang.reflect.InvocationHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3009. | |||||