Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15948 | 1 Edgeofmyseat | 1 Perch | 2019-11-18 | 3.5 LOW | 4.8 MEDIUM |
| Perch Content Management System 3.0.3 allows unrestricted file upload (with resultant XSS) via the Asset Title field in conjunction with the Select File field. This is exploitable with a Limited Admin account. | |||||
| CVE-2013-4106 | 1 Cryptocat Project | 1 Cryptocat | 2019-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability exists in Conversation Overview Nickname in Cryptocat before 2.0.22. | |||||
| CVE-2013-3516 | 1 Netgear | 4 Wnr3500l, Wnr3500l Firmware, Wnr3500u and 1 more | 2019-11-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| NETGEAR WNR3500U and WNR3500L routers uses form tokens abased solely on router's current date and time, which allows attackers to guess the CSRF tokens. | |||||
| CVE-2019-13555 | 1 Mitsubishielectric | 20 L02\/06\/26cpu, L02\/06\/26cpu-cm, L02\/06\/26cpu-cm Firmware and 17 more | 2019-11-18 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU: serial number 21081 and prior, Q04/06/13/26UDPVCPU: serial number 21081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 21081 and prior, MELSEC-L Series L02/06/26CPU, L26CPU-BT: serial number 21101 and prior, L02/06/26CPU-P, L26CPU-PBT: serial number 21101 and prior, and L02/06/26CPU-CM, L26CPU-BT-CM: serial number 21101 and prior, a remote attacker can cause the FTP service to enter a denial-of-service condition dependent on the timing at which a remote attacker connects to the FTP server on the above CPU modules. | |||||
| CVE-2019-3003 | 1 Oracle | 1 Mysql | 2019-11-18 | 4.0 MEDIUM | 4.9 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2019-18196 | 2 Microsoft, Teamviewer | 2 Windows, Teamviewer | 2019-11-18 | 6.9 MEDIUM | 6.7 MEDIUM |
| A DLL side loading vulnerability in the Windows Service in TeamViewer versions up to 11.0.133222 (fixed in 11.0.214397), 12.0.181268 (fixed in 12.0.214399), 13.2.36215 (fixed in 13.2.36216), and 14.6.4835 (fixed in 14.7.1965) on Windows could allow an attacker to perform code execution on a target system via a service restart where the DLL was previously installed with administrative privileges. Exploitation requires that an attacker be able to create a new file in the TeamViewer application directory; directory permissions restrict that by default. | |||||
| CVE-2019-2950 | 1 Oracle | 1 Mysql | 2019-11-18 | 4.0 MEDIUM | 4.9 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2019-2948 | 1 Oracle | 1 Mysql | 2019-11-18 | 4.0 MEDIUM | 4.9 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2011-1136 | 2 Debian, Tesseract Project | 2 Debian Linux, Tesseract | 2019-11-18 | 6.3 MEDIUM | 4.7 MEDIUM |
| In tesseract 2.03 and 2.04, an attacker can rewrite an arbitrary user file by guessing the PID and creating a link to the user's file. | |||||
| CVE-2010-4653 | 2 Debian, Freedesktop | 2 Debian Linux, Poppler | 2019-11-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| An integer overflow condition in poppler before 0.16.3 can occur when parsing CharCodes for fonts. | |||||
| CVE-2012-1158 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2019-11-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| Moodle before 2.2.2 has a course information leak in gradebook where users are able to see hidden grade items in export | |||||
| CVE-2012-1157 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2019-11-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default | |||||
| CVE-2013-4275 | 1 Zen Project | 1 Zen | 2019-11-18 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the zen_breadcrumb function in template.php in the Zen theme 6.x-1.x, 7.x-3.x before 7.x-3.2, and 7.x-5.x before 7.x-5.4 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via the breadcrumb separator field. | |||||
| CVE-2019-17515 | 1 Cleantalk | 1 Spam Protection\, Antispam\, Firewall | 2019-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CleanTalk cleantalk-spam-protect plugin before 5.127.4 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the from or till parameter. The component is: inc/cleantalk-users.php and inc/cleantalk-comments.php. The attack vector is: When the Administrator is logged in, a reflected XSS may execute upon a click on a malicious URL. | |||||
| CVE-2019-17550 | 1 Adenion | 1 Blog2social | 2019-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Blog2Social plugin before 5.9.0 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the b2s_id parameter. The component is: views/b2s/post.calendar.php. The attack vector is: When the Administrator is logged in, a reflected XSS may execute upon a click on a malicious URL. | |||||
| CVE-2012-1169 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2019-11-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| Moodle before 2.2.2 has Personal information disclosure, when administrative setting users name display is set to first name only full names are shown in page breadcrumbs. | |||||
| CVE-2013-3097 | 1 Actiontec | 2 Mi424wr-gen3i, Mi424wr-gen3i Firmware | 2019-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unspecified Cross-site scripting (XSS) vulnerability in the Verizon FIOS Actiontec MI424WR-GEN3I router. | |||||
| CVE-2019-18923 | 1 Go-camo Project | 1 Go-camo | 2019-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient content type validation of proxied resources in go-camo before 2.1.1 allows a remote attacker to serve arbitrary content from go-camo's origin. | |||||
| CVE-2013-4109 | 1 Cryptocat Project | 1 Cryptocat | 2019-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| An unspecified cross-site scripting (XSS) vulnerability exists in Cryptocat Message Handling 1.1.165. | |||||
| CVE-2019-18957 | 1 Microstrategy | 1 Microstrategy Library | 2019-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has reflected XSS. | |||||
| CVE-2012-5193 | 1 Bitweaver | 1 Bitweaver | 2019-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 2.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) stats/index.php or (2) newsletters/edition.php or the (3) username parameter to users/remind_password.php, (4) days parameter to stats/index.php, (5) login parameter to users/register.php, or (6) highlight parameter. | |||||
| CVE-2019-0390 | 1 Sap | 1 Diagnostics Agent | 2019-11-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Under certain conditions SAP Data Hub (corrected in DH_Foundation version 2) allows an attacker to access information which would otherwise be restricted. Connection details that are maintained in Connection Manager are visible to users. | |||||
| CVE-2019-3662 | 1 Mcafee | 1 Advanced Threat Defense | 2019-11-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to gain unintended access to files on the system via carefully constructed HTTP requests. | |||||
| CVE-2019-0385 | 1 Sap | 1 Enable Now | 2019-11-15 | 3.5 LOW | 6.5 MEDIUM |
| SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2019-0382 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-11-15 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Business Intelligence Platform (Web Intelligence-Publication related pages); corrected in version 4.2. Privileges are required in order to exploit this vulnerability. | |||||
| CVE-2013-3517 | 1 Netgear | 4 Wnr3500l, Wnr3500l Firmware, Wnr3500u and 1 more | 2019-11-15 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in NETGEAR WNR3500U and WNR3500L. | |||||
| CVE-2019-0393 | 1 Sap | 1 Quality Management | 2019-11-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| An SQL Injection vulnerability in SAP Quality Management (corrected in S4CORE versions 1.0, 1.01, 1.02, 1.03) allows an attacker to carry out targeted database queries that can read individual fields of historical inspection results. | |||||
| CVE-2019-16950 | 1 Enghouse | 1 Web Chat | 2019-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. The QueueName parameter of a GET request allows for insertion of user-supplied JavaScript. | |||||
| CVE-2019-16949 | 1 Enghouse | 1 Web Chat | 2019-11-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. A user is allowed to send an archive of their chat log to an email address specified at the beginning of the chat (where the user enters in their name and e-mail address). This POST request can be modified to change the message as well as the end recipient of the message. The e-mail address will have the same domain name and user as the product allotted. This can be used in phishing campaigns against users on the same domain. | |||||
| CVE-2019-2196 | 1 Google | 1 Android | 2019-11-15 | 4.9 MEDIUM | 5.5 MEDIUM |
| In Download Provider, there is possible SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-135269143 | |||||
| CVE-2016-10704 | 1 Magento | 1 Magento | 2019-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have XSS via e-mail templates that are mishandled during a preview, aka APPSEC-1503. | |||||
| CVE-2019-2198 | 1 Google | 1 Android | 2019-11-15 | 4.9 MEDIUM | 5.5 MEDIUM |
| In Download Provider, there is a possible SQL injection vulnerability. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-135270103 | |||||
| CVE-2012-4385 | 2 Debian, Trilexnet | 2 Debian Linux, Letodms | 2019-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| letodms 3.3.6 has CSRF via change password | |||||
| CVE-2011-0544 | 2 Debian, Phpbb | 2 Debian Linux, Phpbb | 2019-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB tag. | |||||
| CVE-2019-5246 | 1 Huawei | 2 Elle-al00b, Elle-al00b Firmware | 2019-11-15 | 4.6 MEDIUM | 6.2 MEDIUM |
| Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain parameters sufficiently, an attacker should connect to the phone and gain high privilege to launch the attack. Successful exploit could cause DOS or malicious code execution. | |||||
| CVE-2010-3359 | 2 Debian, Gargoyle Project | 2 Debian Linux, Gargoyle | 2019-11-15 | 4.4 MEDIUM | 4.8 MEDIUM |
| If LD_LIBRARY_PATH is undefined in gargoyle-free before 2009-08-25, the variable will point to the current directory. This can allow a local user to trick another user into running gargoyle in a directory with a cracked libgarglk.so and gain access to the user's account. | |||||
| CVE-2019-17523 | 1 Technicolor | 2 Tc7300.b0, Tc7300.b0 Firmware | 2019-11-15 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows remote attackers to inject arbitrary web script via the FileName parameter to /FTPDiag.asp. | |||||
| CVE-2019-17524 | 1 Technicolor | 2 Tc7300.b0, Tc7300.b0 Firmware | 2019-11-15 | 3.5 LOW | 5.4 MEDIUM |
| An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows remote attackers to inject arbitrary web script via the "Connected Clients" field to /wlanAccess.asp. An intranet host can use a crafted hostname to exploit this. | |||||
| CVE-2014-8167 | 1 Redhat | 3 Enterprise Virtualization, Vdsclient, Virtual Desktop Server Manager | 2019-11-15 | 4.3 MEDIUM | 5.9 MEDIUM |
| vdsm and vdsclient does not validate certficate hostname from another vdsm which could facilitate a man-in-the-middle attack | |||||
| CVE-2010-4532 | 2 Debian, Offlineimap | 2 Debian Linux, Offlineimap | 2019-11-15 | 4.3 MEDIUM | 5.9 MEDIUM |
| offlineimap before 6.3.2 does not check for SSL server certificate validation when "ssl = yes" option is specified which can allow man-in-the-middle attacks. | |||||
| CVE-2012-1159 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2019-11-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Moodle before 2.2.2: Overview report allows users to see hidden courses | |||||
| CVE-2012-1161 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2019-11-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results | |||||
| CVE-2019-2209 | 1 Google | 1 Android | 2019-11-15 | 4.9 MEDIUM | 5.5 MEDIUM |
| In BTA_DmPinReply of bta_dm_api.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-139287605 | |||||
| CVE-2010-4177 | 2 Fedoraproject, Oracle | 2 Fedora, Mysql-gui-tools | 2019-11-15 | 2.1 LOW | 5.5 MEDIUM |
| mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes. | |||||
| CVE-2019-14980 | 1 Imagemagick | 1 Imagemagick | 2019-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file. | |||||
| CVE-2019-15141 | 1 Imagemagick | 1 Imagemagick | 2019-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597. | |||||
| CVE-2011-1803 | 1 Google | 1 Blink | 2019-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue exists in third_party/WebKit/Source/WebCore/svg/animation/SVGSMILElement.h in WebKit in Google Chrome before Blink M11 and M12 when trying to access a removed smil element. | |||||
| CVE-2019-5229 | 1 Huawei | 2 P30, P30 Firmware | 2019-11-15 | 4.6 MEDIUM | 6.2 MEDIUM |
| P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1) have an insufficient verification vulnerability. The system does not verify certain parameters sufficiently, an attacker should connect to the phone and gain high privilege to launch the attack, successful exploit could cause malicious code execution. | |||||
| CVE-2019-5230 | 1 Huawei | 6 Mate Rs, Mate Rs Firmware, P20 and 3 more | 2019-11-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform a properly validation of certain input models, an attacker could trick the user to install a malicious application then craft a malformed model, successful exploit could allow the attacker to get and tamper certain output data information. | |||||
| CVE-2019-5231 | 1 Huawei | 2 P30, P30 Firmware | 2019-11-15 | 2.1 LOW | 4.6 MEDIUM |
| P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package. | |||||