Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2011-1474 | 1 Linux | 1 Linux Kernel | 2020-01-10 | 4.9 MEDIUM | 5.5 MEDIUM | A locally exploitable DOS vulnerability was found in pax-linux versions 2.6.32.33-test79.patch, 2.6.38-test3.patch, and 2.6.37.4-test14.patch. A bad bounds check in arch_get_unmapped_area_topdown triggered by programs doing an mmap after a MAP_GROWSDOWN mmap will create an infinite loop condition without releasing the VM semaphore, eventually leading to a system crash. |
| CVE-2017-7320 | 1 Modx | 1 Modx Revolution | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM | setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value. |
| CVE-2019-6025 | 1 Sixapart | 1 Movable Type | 2020-01-10 | 5.8 MEDIUM | 6.1 MEDIUM | Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Advanced 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type Advanced 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type Advanced 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Premium 1.24 and earlier (Movable Type Premium), and Movable Type Premium (Advanced Edition) 1.24 and earlier (Movable Type Premium) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL. |
| CVE-2014-1454 | 1 Pearson | 1 Esis Enterprise Student Information System | 2020-01-10 | 3.5 LOW | 4.8 MEDIUM | Pearson eSIS (Enterprise Student Information System) message board has stored XSS due to improper validation of user input. |
| CVE-2014-8674 | 1 Soplanning | 1 Soplanning | 2020-01-10 | 3.5 LOW | 5.4 MEDIUM | Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) before 1.33 via the document.cookie in nb_mois and mb_ligness and the debug GET parameter to export.php, which allows malicious users to execute arbitrary code. |
| CVE-2019-5989 | 1 Anglers-net | 1 Cgi An-anlyzer | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM | DOM-based cross-site scripting vulnerability in Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allows remote attackers to inject arbitrary web script or HTML via the Analysis Object Page. |
| CVE-2014-0183 | 1 Redhat | 1 Subscription Asset Manager | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM | Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to XSS via HTML in the system name when registering. |
| CVE-2011-3585 | 2 Redhat, Samba | 2 Enterprise Linux, Samba | 2020-01-10 | 1.9 LOW | 4.7 MEDIUM | Multiple race conditions in the (1) mount.cifs and (2) umount.cifs programs in Samba 3.6 allow local users to cause a denial of service (mounting outage) via a SIGKILL signal during a time window when the /etc/mtab~ file exists. |
| CVE-2019-17667 | 1 Comtechtel | 2 H8 Heights Remote Gateway, H8 Heights Remote Gateway Firmware | 2020-01-10 | 3.5 LOW | 5.4 MEDIUM | Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field. |
| CVE-2020-6166 | 1 Webfactoryltd | 1 Minimal Coming Soon & Maintenance Mode | 2020-01-10 | 5.5 MEDIUM | 5.4 MEDIUM | A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes. |
| CVE-2016-6588 | 1 Symantec | 1 It Management Suite | 2020-01-10 | 3.5 LOW | 5.4 MEDIUM | A Cross-Site Scripting (XSS) vulnerability exists in the ITMS workflow process manager console in Symantec IT Management Suite 8.0. |
| CVE-2014-0104 | 1 Clusterlabs | 1 Fence-agents | 2020-01-10 | 4.3 MEDIUM | 5.9 MEDIUM | fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script, which can potentially allow man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates. |
| CVE-2014-0161 | 1 Ovirt-engine-sdk-python Project | 1 Ovirt-engine-sdk-python | 2020-01-10 | 4.3 MEDIUM | 5.9 MEDIUM | ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate. |
| CVE-2014-5118 | 3 Fedoraproject, Redhat, Trusted Boot Project | 3 Fedora, Enterprise Linux, Trusted Boot | 2020-01-10 | 2.1 LOW | 5.5 MEDIUM | Trusted Boot (tboot) before 1.8.2 has a 'loader.c' Security Bypass Vulnerability. |
| CVE-2013-4764 | 1 Samsung | 4 Galaxy S3, Galaxy S3 Firmware, Galaxy S4 and 1 more | 2020-01-10 | 2.1 LOW | 4.3 MEDIUM | Samsung Galaxy S3/S4 exposes an unprotected component allowing an unprivileged app to send arbitrary SMS texts to arbitrary destinations without permission. |
| CVE-2013-4763 | 1 Samsung | 4 Galaxy S3, Galaxy S3 Firmware, Galaxy S4 and 1 more | 2020-01-10 | 2.1 LOW | 4.6 MEDIUM | Samsung Galaxy S3/S4 exposes an unprotected component allowing arbitrary SMS text messages without requesting permission. |
| CVE-2019-5844 | 1 Google | 1 Chrome | 2020-01-10 | 4.3 MEDIUM | 6.5 MEDIUM | Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2019-5845 | 1 Google | 1 Chrome | 2020-01-10 | 4.3 MEDIUM | 6.5 MEDIUM | Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2019-5846 | 1 Google | 1 Chrome | 2020-01-10 | 4.3 MEDIUM | 6.5 MEDIUM | Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2019-18263 | 1 Philips | 6 Endura, Endura Firmware, Pulsera and 3 more | 2020-01-10 | 3.3 LOW | 6.5 MEDIUM | An issue was found in Philips Veradius Unity, Pulsera, and Endura Dual WAN Router, Veradius Unity (718132) with wireless option (shipped between 2016-August 2018), Veradius Unity (718132) with ViewForum option (shipped between 2016-August 2018), Pulsera (718095) and Endura (718075) with wireless option (shipped between 26-June-2017 through 07-August 2018), Pulsera (718095) and Endura (718075) with ViewForum option (shipped between 26-June-2017 through 07-August 2018). The router software uses an encryption scheme that is not strong enough for the level of protection required. |
| CVE-2018-0576 | 1 Wp-events-plugin | 1 Events Manager | 2020-01-10 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting vulnerability in Events Manager plugin prior to version 5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-20077 | 1 Typesettercms | 1 Typesetter | 2020-01-09 | 4.3 MEDIUM | 4.3 MEDIUM | The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can log out the user using this vulnerability. |
| CVE-2018-20507 | 1 Gitlab | 1 Gitlab | 2020-01-09 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. |
| CVE-2014-4553 | 1 Spreadshirt-rss-3d-cube-flash-gallery Project | 1 Spreadshirt-rss-3d-cube-flash-gallery | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site Scripting (XSS) in the spreadshirt-rss-3d-cube-flash-gallery plugin 2014 for WordPress allows remote attackers to execute arbitrary web script or HTML via unspecified parameters. |
| CVE-2013-3931 | 1 Jomres | 1 Jomres | 2020-01-09 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to inject arbitrary web script or HTML via the property_name parameter, related to editing property details. |
| CVE-2013-0737 | 1 Boltwire | 1 Boltwire | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in BoltWire 3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the fieldnames parameter. |
| CVE-2013-1642 | 1 Quixplorer Project | 1 Quixplorer | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in QuiXplorer before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) dir, (2) item, (3) order, (4) searchitem, (5) selitems[], or (6) srt parameter to index.php or (7) the QUERY_STRING to index.php. |
| CVE-2019-16717 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | OX App Suite through 7.10.2 has XSS. |
| CVE-2012-5476 | 2 Debian, Openstack | 2 Debian Linux, Horizon | 2020-01-09 | 2.1 LOW | 5.5 MEDIUM | Within the RHOS Essex Preview (2012.2) of the OpenStack dashboard package, the file /etc/quantum/quantum.conf is world readable, which exposes the admin password and token value. |
| CVE-2019-19311 | 1 Gitlab | 1 Gitlab | 2020-01-09 | 3.5 LOW | 5.4 MEDIUM | GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields. |
| CVE-2019-9471 | 1 Google | 1 Android | 2020-01-09 | 4.6 MEDIUM | 6.7 MEDIUM | In set_outbound_iatu of abc-pcie.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-144168326 |
| CVE-2019-9470 | 1 Google | 1 Android | 2020-01-09 | 4.6 MEDIUM | 6.7 MEDIUM | In dma_sblk_start of abc-pcie.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-144167528 |
| CVE-2013-7351 | 1 Shaarli Project | 1 Shaarli | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks. |
| CVE-2019-15603 | 1 Seeftl Project | 1 Seeftl | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | The seefl package v0.1.1 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability via a malicious filename rendered in a directory listing. |
| CVE-2019-14863 | 2 Angularjs, Redhat | 3 Angular.js, Decision Manager, Process Automation | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. |
| CVE-2019-10227 | 1 It-novum | 1 Openitcockpit | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component. |
| CVE-2020-5842 | 1 Codologic | 1 Codoforum | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | Codoforum 4.8.3 allows XSS in the user registration page: via the username field to the index.php?u=/user/register URI. The payload is, for example, executed on the admin/index.php?page=users/manage page. |
| CVE-2018-1253 | 1 Emc | 1 Rsa Authentication Manager | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | RSA Authentication Manager Operation Console, versions 8.3 P1 and earlier, contains a stored cross-site scripting vulnerability. A malicious Operations Console administrator could potentially exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser. |
| CVE-2013-7062 | 1 Plone | 1 Plone | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method. |
| CVE-2013-6242 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 6.22.3 before 6.22.3-rev5 and 6.22.4 before 6.22.4-rev12 allows remote attackers to inject arbitrary web script or HTML via the subject of an email. NOTE: the vulnerabilities related to the body of the email and the publication name were SPLIT from this CVE ID because they affect different sets of versions. |
| CVE-2013-7485 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev26 and 7.4.x before 7.4.0-rev16 allows remote attackers to inject arbitrary web script or HTML via the publication name, which is not properly handled in an error message. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects different sets of versions. |
| CVE-2013-7486 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev27 and 7.4.x before 7.4.0-rev20 allows remote attackers to inject arbitrary web script or HTML via the body of an email. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects different sets of versions. |
| CVE-2015-8313 | 2 Debian, Gnu | 2 Debian Linux, Gnutls | 2020-01-09 | 4.3 MEDIUM | 5.9 MEDIUM | GnuTLS incorrectly validates the first byte of padding in CBC modes. |
| CVE-2019-14854 | 1 Redhat | 1 Openshift Container Platform | 2020-01-09 | 4.0 MEDIUM | 6.5 MEDIUM | OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user. |
| CVE-2019-20005 | 1 Ezxml Project | 1 Ezxml | 2020-01-09 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing a crafted XML file, performs incorrect memory handling, leading to a heap-based buffer over-read while running strchr() starting with a pointer after a '\0' character (where the processing of a string was finished). |
| CVE-2019-9554 | 1 Craftcms | 1 Craft Cms | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI. |
| CVE-2019-20336 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2020-01-09 | 4.3 MEDIUM | 6.1 MEDIUM | In PHP Scripts Mall advanced-real-estate-script 4.0.9, the search-results.php searchtext parameter is vulnerable to XSS. |
| CVE-2017-16778 | 1 Fermax | 2 Outdoor Panel, Outdoor Panel Firmware | 2020-01-08 | 2.1 LOW | 4.6 MEDIUM | An access control weakness in the DTMF tone receiver of Fermax Outdoor Panel allows physical attackers to inject a Dual-Tone-Multi-Frequency (DTMF) tone to invoke an access grant that would allow physical access to a restricted floor/level. By design, only a residential unit owner may allow such an access grant. However, due to incorrect access control, an attacker could inject it via the speaker unit to perform an access grant to gain unauthorized access, as demonstrated by a loud DTMF tone representing '1' and a long '#' (697 Hz and 1209 Hz, followed by 941 Hz and 1477 Hz). |
| CVE-2019-20016 | 1 Symonics | 1 Libmysofa | 2020-01-08 | 4.3 MEDIUM | 6.5 MEDIUM | libmysofa before 2019-11-24 does not properly restrict recursive function calls, as demonstrated by reports of stack consumption in readOHDRHeaderMessageDatatype in dataobject.c and directblockRead in fractalhead.c. NOTE: a download of v0.9 after 2019-12-06 should fully remediate this issue. |
| CVE-2020-5305 | 1 Codologic | 1 Codoforum | 2020-01-08 | 3.5 LOW | 4.8 MEDIUM | Codoforum 4.8.3 allows XSS in the admin dashboard via the name field of a new user, i.e., on the Manage Users screen. |
