Total: 46623 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8822 | 1 Digi | 4 Transport Wr21, Transport Wr21 Firmware, Transport Wr44 and 1 more | 2020-02-11 | 3.5 LOW | 4.8 MEDIUM |
| Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices allow stored XSS in the web application. | |||||
| CVE-2012-2204 | 1 Ibm | 1 Infosphere Guardium | 2020-02-11 | 4.9 MEDIUM | 5.5 MEDIUM |
| InfoSphere Guardium aix_ktap module: DoS | |||||
| CVE-2020-8788 | 1 Synaptivemedical | 1 Clearcanvas | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Synaptive Medical ClearCanvas ImageServer 3.0 Alpha allows XSS (and HTML injection) via the Default.aspx UserName parameter. NOTE: the issues/227 reference does not imply that the affected product can be downloaded from GitHub. It was simply a convenient location for a public bug report. | |||||
| CVE-2013-5113 | 1 Logmein | 1 Lastpass | 2020-02-11 | 1.9 LOW | 6.8 MEDIUM |
| LastPass prior to 2.5.1 has an insecure PIN implementation. | |||||
| CVE-2010-4658 | 1 Status | 1 Statusnet | 2020-02-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| statusnet through 2010 allows attackers to spoof syslog messages via newline injection attacks. | |||||
| CVE-2014-6413 | 1 Watchguard | 1 Fireware Xtm | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists in WatchGuard XTM 11.8.3 via the poll_name parameter in the firewall/policy script. | |||||
| CVE-2019-15616 | 1 Nextcloud | 1 Nextcloud Server | 2020-02-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long. | |||||
| CVE-2013-2675 | 1 Brother | 2 Mfc-9970cdw, Mfc-9970cdw Firmware | 2020-02-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Brother MFC-9970CDW 1.10 devices with Firmware L contain a Frameable response (Clickjacking) vulnerability which could allow remote attackers to obtain sensitive information. | |||||
| CVE-2012-6340 | 1 Netgear | 4 Wgr614v7, Wgr614v7 Firmware, Wgr614v9 and 1 more | 2020-02-11 | 2.1 LOW | 4.6 MEDIUM |
| An Authentication vulnerability exists in NETGEAR WGR614 v7 and v9 due to a hardcoded credential used for serial programming, a related issue to CVE-2006-1002. | |||||
| CVE-2014-10399 | 1 Keplerproject | 1 Cgilua | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875. | |||||
| CVE-2012-6666 | 1 Vbseo | 1 Vbseo | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| vBSeo before 3.6.0PL2 allows XSS via the member.php u parameter. | |||||
| CVE-2019-19670 | 1 Maxum | 1 Rumpus Ftp | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| A HTTP Response Splitting vulnerability was identified in the Web Settings Component of Web File Manager in Rumpus FTP Server 8.2.9.1. A successful exploit can result in stored XSS, website defacement, etc. via ExtraHTTPHeader to RAPR/WebSettingsGeneralSet.html. | |||||
| CVE-2014-10400 | 1 Keplerproject | 1 Cgilua | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875. | |||||
| CVE-2019-15611 | 1 Nextcloud | 1 Nextcloud | 2020-02-11 | 4.0 MEDIUM | 4.9 MEDIUM |
| Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications. | |||||
| CVE-2013-1353 | 1 Orangehrm | 1 Orangehrm | 2020-02-11 | 3.5 LOW | 5.4 MEDIUM |
| Orange HRM 2.7.1 allows XSS via the vacancy name. | |||||
| CVE-2019-19661 | 1 Maxum | 1 Rumpus Ftp | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cookie based reflected XSS exists in the Web File Manager of Rumpus FTP Server 8.2.9.1, related to RumpusLoginUserName and snp. | |||||
| CVE-2019-19667 | 1 Maxum | 1 Rumpus Ftp | 2020-02-11 | 5.8 MEDIUM | 5.4 MEDIUM |
| A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html. | |||||
| CVE-2019-19666 | 1 Maxum | 1 Rumpus Ftp | 2020-02-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html. | |||||
| CVE-2020-1768 | 1 Otrs | 1 Otrs | 2020-02-11 | 5.5 MEDIUM | 5.4 MEDIUM |
| The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. | |||||
| CVE-2019-19669 | 1 Maxum | 1 Rumpus Ftp | 2020-02-11 | 5.8 MEDIUM | 6.5 MEDIUM |
| A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1. This could allow an attacker to delete, create, and update the upload forms via RAPR/TriggerServerFunction.html. | |||||
| CVE-2019-19668 | 1 Maxum | 1 Rumpus Ftp | 2020-02-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html. | |||||
| CVE-2020-8122 | 1 Nextcloud | 1 Nextcloud Server | 2020-02-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing check in Nextcloud Server 14.0.3 could give recipient the possibility to extend the expiration date of a share they received. | |||||
| CVE-2014-8271 | 1 Tianocore | 1 Edk2 | 2020-02-11 | 4.6 MEDIUM | 6.8 MEDIUM |
| Buffer overflow in the Reclaim function in Tianocore EDK2 before SVN 16280 allows physically proximate attackers to gain privileges via a long variable name. | |||||
| CVE-2019-19660 | 1 Maxum | 1 Rumpus | 2020-02-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF vulnerability exists in the Web File Manager's Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html. | |||||
| CVE-2019-19665 | 1 Maxum | 1 Rumpus | 2020-02-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server FTP settings at RAPR/FTPSettingsSet.html. | |||||
| CVE-2020-3120 | 1 Cisco | 143 Asr 9000v, Asr 9001, Asr 9006 and 140 more | 2020-02-11 | 6.1 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the Cisco Discovery Protocol implementation for Cisco FXOS Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to a missing check when the affected software processes Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to exhaust system memory, causing the device to reload. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). | |||||
| CVE-2013-1422 | 1 Webcalendar Project | 1 Webcalendar | 2020-02-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| webcalendar before 1.2.7 shows the reason for a failed login (e.g., "no such user"). | |||||
| CVE-2020-8115 | 1 Revive-adserver | 1 Revive Adserver | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim. | |||||
| CVE-2014-5278 | 1 Docker | 1 Docker | 2020-02-11 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists in Docker before 1.2 via container names, which may collide with and override container IDs. | |||||
| CVE-2020-5231 | 1 Apereo | 1 Opencast | 2020-02-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration. | |||||
| CVE-2019-5531 | 1 Vmware | 3 Esxi, Vcenter Server, Vsphere Esxi | 2020-02-10 | 5.8 MEDIUM | 5.4 MEDIUM |
| VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out. | |||||
| CVE-2019-6833 | 1 Schneider-electric | 49 Hmig2u, Hmig3u, Hmig3ufc and 46 more | 2020-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CWE-754 – Improper Check for Unusual or Exceptional Conditions vulnerability exists in Magelis HMI Panels (all versions of - HMIGTO, HMISTO, XBTGH, HMIGTU, HMIGTUX, HMISCU, HMISTU, XBTGT, XBTGT, HMIGXO, HMIGXU), which could cause a temporary freeze of the HMI when a high rate of frames is received. When the attack stops, the buffered commands are processed by the HMI panel. | |||||
| CVE-2019-7184 | 1 Qnap | 2 Qts, Video Station | 2020-02-10 | 3.5 LOW | 4.8 MEDIUM |
| This cross-site scripting (XSS) vulnerability in Video Station allows remote attackers to inject and execute scripts on the administrator’s management console. To fix this vulnerability, QNAP recommend updating Video Station to their latest versions. | |||||
| CVE-2019-7185 | 1 Qnap | 2 Music Station, Qts | 2020-02-10 | 3.5 LOW | 4.8 MEDIUM |
| This cross-site scripting (XSS) vulnerability in Music Station allows remote attackers to inject and execute scripts on the administrator’s management console. To fix this vulnerability, QNAP recommend updating Music Station to their latest versions. | |||||
| CVE-2019-7621 | 1 Elastic | 1 Kibana | 2020-02-10 | 3.5 LOW | 5.4 MEDIUM |
| Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim’s browser. | |||||
| CVE-2019-7671 | 1 Primasystems | 1 Flexair | 2020-02-10 | 3.5 LOW | 5.4 MEDIUM |
| Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session in context of an affected site. | |||||
| CVE-2019-3797 | 1 Pivotal Software | 1 Spring Data Java Persistence Api | 2020-02-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly. | |||||
| CVE-2019-1578 | 1 Paloaltonetworks | 1 Minemeld | 2020-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Palo Alto Networks MineMeld version 0.9.60 and earlier may allow a remote attacker able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI could execute arbitrary JavaScript code in the admin’s browser. | |||||
| CVE-2019-16925 | 1 Flower Project | 1 Flower | 2020-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren’t user facing configuration options. They are internal backend config options and person having rights to change them already has full access. | |||||
| CVE-2019-16926 | 1 Flower Project | 1 Flower | 2020-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** Flower 0.9.3 has XSS via a crafted worker name. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren’t user facing configuration options. They are internal backend config options and person having rights to change them already has full access. | |||||
| CVE-2019-14607 | 1 Intel | 756 Core I3-1000g1, Core I3-1000g1 Firmware, Core I3-1000g4 and 753 more | 2020-02-10 | 4.6 MEDIUM | 5.3 MEDIUM |
| Improper conditions check in multiple Intel® Processors may allow an authenticated user to potentially enable partial escalation of privilege, denial of service and/or information disclosure via local access. | |||||
| CVE-2019-14979 | 1 Woocommerce | 1 Paypal Checkout Payment Gateway | 2020-02-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| ** DISPUTED ** cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state. | |||||
| CVE-2019-1002101 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift Container Platform | 2020-02-10 | 5.8 MEDIUM | 5.5 MEDIUM |
| The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0. | |||||
| CVE-2019-10695 | 1 Puppet | 1 Continuous Delivery | 2020-02-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s username and password were exposed in the job’s Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the puppetlabs/cd4pe module. | |||||
| CVE-2019-10955 | 1 Rockwellautomation | 11 Compactlogix 5370 L1, Compactlogix 5370 L1 Firmware, Compactlogix 5370 L2 and 8 more | 2020-02-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| In Rockwell Automation MicroLogix 1400 Controllers Series A, All Versions Series B, v15.002 and earlier, MicroLogix 1100 Controllers v14.00 and earlier, CompactLogix 5370 L1 controllers v30.014 and earlier, CompactLogix 5370 L2 controllers v30.014 and earlier, CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers) v30.014 and earlier, an open redirect vulnerability could allow a remote unauthenticated attacker to input a malicious link to redirect users to a malicious site that could run or download arbitrary malware on the user’s machine. | |||||
| CVE-2019-10957 | 1 Geutebrueck | 22 G-cam Ebc-2110, G-cam Ebc-2110 Firmware, G-cam Ebc-2111 and 19 more | 2020-02-10 | 3.5 LOW | 4.8 MEDIUM |
| Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to event configuration to store malicious code on the server, which could later be triggered by a legitimate user resulting in code execution within the user’s browser. | |||||
| CVE-2019-12455 | 1 Linux | 1 Linux Kernel | 2020-02-10 | 4.9 MEDIUM | 5.5 MEDIUM |
| ** DISPUTED ** An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c in the Linux kernel through 5.1.5. There is an unchecked kstrndup of derived_name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This id is disputed as not being an issue because “The memory allocation that was not checked is part of a code that only runs at boot time, before user processes are started. Therefore, there is no possibility for an unprivileged user to control it, and no denial of service.”. | |||||
| CVE-2018-7827 | 1 Schneider-electric | 118 D6220, D6220 Firmware, D6220l and 115 more | 2020-02-10 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera which a remote attacker can execute arbitrary HTML and script code in a user’s browser session. | |||||
| CVE-2019-0316 | 1 Sap | 1 Netweaver Process Integration | 2020-02-10 | 3.5 LOW | 4.8 MEDIUM |
| SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim’s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability. | |||||
| CVE-2019-0380 | 1 Sap | 1 Landscape Management | 2020-02-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| Under certain conditions, SAP Landscape Management enterprise edition, before version 3.0, allows custom secure parameters’ default values to be part of the application logs leading to Information Disclosure. | |||||
