Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20056 | 1 Nothings | 1 Stb Image.h | 2020-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has an assertion failure in stbi__shiftsigned. | |||||
| CVE-2019-15983 | 1 Cisco | 1 Data Center Network Manager | 2020-01-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the SOAP API of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. To exploit this vulnerability, an attacker would need administrative privileges on the DCNM application. The vulnerability exists because the SOAP API improperly handles XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by inserting malicious XML content in an API request. A successful exploit could allow the attacker to read arbitrary files from the affected device. Note: The severity of this vulnerability is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. | |||||
| CVE-2019-20058 | 1 Boltcms | 1 Bolt | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use in production. This is related to CVE-2018-12040. | |||||
| CVE-2017-14165 | 1 Graphicsmagick | 1 Graphicsmagick | 2020-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has an issue where memory allocation is excessive because it depends only on a length field in a header. This may lead to remote denial of service in the MagickMalloc function in magick/memory.c. | |||||
| CVE-2017-14314 | 2 Debian, Graphicsmagick | 2 Debian Linux, Graphicsmagick | 2020-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Off-by-one error in the DrawImage function in magick/render.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (DrawDashPolygon heap-based buffer over-read and application crash) via a crafted file. | |||||
| CVE-2017-16353 | 2 Debian, Graphicsmagick | 2 Debian Linux, Graphicsmagick | 2020-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked. | |||||
| CVE-2019-20225 | 1 Mybb | 1 Mybb | 2020-01-08 | 5.8 MEDIUM | 6.1 MEDIUM |
| MyBB before 1.8.22 allows an open redirect on login. | |||||
| CVE-2014-4544 | 1 Podcast Channels Project | 1 Podcast Channels | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Podcast Channels plugin 0.20 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the Filename parameter to getid3/demos/demo.write.php. | |||||
| CVE-2014-4539 | 1 Movies Project | 1 Movies | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php. | |||||
| CVE-2014-4548 | 1 Ruven-toolkit Project | 1 Ruven-toolkit | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in tinymce/popup.php in the Ruven Toolkit plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the popup parameter. | |||||
| CVE-2019-20000 | 1 Bullguard | 1 Premium Protection | 2020-01-08 | 5.8 MEDIUM | 5.9 MEDIUM |
| The malware scan function in BullGuard Premium Protection 20.0.371.8 has a TOCTOU issue that enables a symbolic link attack, allowing privileged files to be deleted. | |||||
| CVE-2019-12186 | 1 Sylius | 2 Grid, Sylius | 2020-01-08 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Sylius products. Missing input sanitization in sylius/sylius 1.0.x through 1.0.18, 1.1.x through 1.1.17, 1.2.x through 1.2.16, 1.3.x through 1.3.11, and 1.4.x through 1.4.3 and sylius/grid 1.0.x through 1.0.18, 1.1.x through 1.1.18, 1.2.x through 1.2.17, 1.3.x through 1.3.12, 1.4.x through 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the "string" field type. The contents are an object, with malicious code returned by the __toString() method of that object. | |||||
| CVE-2019-9556 | 1 Fiberhomegroup | 2 An5506-04-f, An5506-04-f Firmware | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| FiberHome an5506-04-f RP2669 devices have XSS. | |||||
| CVE-2019-6034 | 1 Appleple | 1 A-blog Cms | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| a-blog cms versions prior to Ver.2.10.23 (Ver.2.10.x), Ver.2.9.26 (Ver.2.9.x), and Ver.2.8.64 (Ver.2.8.x) allows arbitrary scripts to be executed in the context of the application due to unspecified vectors. | |||||
| CVE-2013-4868 | 1 Karotz | 1 Api | 2020-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Karotz API 12.07.19.00: Session Token Information Disclosure | |||||
| CVE-2020-5843 | 1 Codologic | 1 Codoforum | 2020-01-08 | 3.5 LOW | 4.8 MEDIUM |
| Codoforum 4.8.3 allows XSS in the admin dashboard via a category to the Manage Users screen. | |||||
| CVE-2020-5512 | 1 Gilacms | 1 Gila Cms | 2020-01-08 | 6.8 MEDIUM | 6.8 MEDIUM |
| Gila CMS 1.11.8 allows /admin/media?path=../ Path Traversal. | |||||
| CVE-2020-5513 | 1 Gilacms | 1 Gila Cms | 2020-01-08 | 6.8 MEDIUM | 6.8 MEDIUM |
| Gila CMS 1.11.8 allows /cm/delete?t=../ Directory Traversal. | |||||
| CVE-2013-0196 | 1 Redhat | 2 Enterprise Linux, Openshift | 2020-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF issue was found in OpenShift Enterprise 1.2. The web console is using 'Basic authentication' and the REST API has no CSRF attack protection mechanism. This can allow an attacker to obtain the credential and the Authorization: header when requesting the REST API via web browser. | |||||
| CVE-2016-2774 | 3 Canonical, Debian, Isc | 3 Ubuntu Linux, Debian Linux, Dhcp | 2020-01-08 | 7.1 HIGH | 5.9 MEDIUM |
| ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before 4.3.4 does not restrict the number of concurrent TCP sessions, which allows remote attackers to cause a denial of service (INSIST assertion failure or request-processing outage) by establishing many sessions. | |||||
| CVE-2019-15584 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| A denial of service exists in gitlab <v12.3.2, <v12.2.6, and <v12.1.10 that would let an attacker bypass input validation in markdown fields and take down the affected page. | |||||
| CVE-2013-5571 | 1 Hmailserver | 1 Hmailserver | 2020-01-08 | 2.6 LOW | 5.9 MEDIUM |
| HMailServer 5.3.x and prior: Memory Corruption which could cause DOS | |||||
| CVE-2018-20489 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2018-20497 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 4.0 MEDIUM | 5.0 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF. | |||||
| CVE-2013-7071 | 1 Fibranet | 1 Monitorix | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the handle_request function in lib/HTTPServer.pm in Monitorix before 3.4.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | |||||
| CVE-2020-5393 | 1 Appspace | 1 On-prem | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Appspace On-Prem through 7.1.3, an adversary can steal a session token via XSS. | |||||
| CVE-2013-3936 | 1 Opsview | 2 Opsview, Opsview Core | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Opsview before 4.4.1 and Opsview Core before 20130522 allow remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2019-19265 | 1 Icewarp | 1 Mail Server | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 1 of 2) in notes for contacts. | |||||
| CVE-2019-19266 | 1 Icewarp | 1 Mail Server | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects. | |||||
| CVE-2019-19310 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure. | |||||
| CVE-2018-20488 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure. | |||||
| CVE-2019-19722 | 1 Dovecot | 1 Dovecot | 2020-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. | |||||
| CVE-2018-20490 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | |||||
| CVE-2018-20491 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | |||||
| CVE-2018-20498 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2018-20501 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2019-16780 | 1 Wordpress | 1 Wordpress | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled. | |||||
| CVE-2019-16781 | 1 Wordpress | 1 Wordpress | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS. | |||||
| CVE-2019-17672 | 1 Wordpress | 1 Wordpress | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. | |||||
| CVE-2019-17674 | 1 Wordpress | 1 Wordpress | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. | |||||
| CVE-2013-5637 | 1 Pqigroup | 2 Air Card, Air Card Firmware | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| PQI AirCard has persistent XSS | |||||
| CVE-2013-5638 | 1 Transcend-info | 2 Wifisd, Wifisd Firmware | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| Transcend WiFiSD 1.8 has persistent XSS | |||||
| CVE-2013-5658 | 1 Aultware | 1 Pwstore | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| AultWare pwStore 2010.8.30.0 has XSS | |||||
| CVE-2018-20496 | 1 Gitlab | 1 Gitlab | 2020-01-07 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | |||||
| CVE-2018-20495 | 1 Gitlab | 1 Gitlab | 2020-01-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure. | |||||
| CVE-2014-4558 | 1 Cybercompany | 1 Swipehq-payment-gateway-woocommerce | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter. | |||||
| CVE-2018-20493 | 1 Gitlab | 1 Gitlab | 2020-01-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2019-19736 | 1 Mfscripts | 1 Yetishare | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scripting. | |||||
| CVE-2015-6671 | 1 Edx | 1 Edx-platform | 2020-01-07 | 4.3 MEDIUM | 5.9 MEDIUM |
| Open edX edx-platform before 2015-08-25 requires use of the database for storage of SAML SSO secrets, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging access to a database backup. | |||||
| CVE-2015-6960 | 1 Edx | 1 Edx-platform | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| edx-platform before 2015-09-17 allows XSS via a team name. | |||||
