Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12707 | 1 Cisco | 3 Unified Communications Manager, Unified Communications Manager Im And Presence Service, Unity Connection | 2019-10-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based interface of multiple Cisco Unified Communications products could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2019-17452 | 1 Axiosys | 1 Bento4 | 2019-10-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListInspector::Action in Core/Ap4Descriptor.h, related to AP4_IodsAtom::InspectFields in Core/Ap4IodsAtom.cpp, as demonstrated by mp4dump. | |||||
| CVE-2019-17417 | 1 Pbootcms | 1 Pbootcms | 2019-10-11 | 3.5 LOW | 4.8 MEDIUM |
| PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p=/Single/index/mcode/1 and Pboot/?contact/ URIs. | |||||
| CVE-2019-17131 | 1 Vbulletin | 1 Vbulletin | 2019-10-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| vBulletin before 5.5.4 allows clickjacking. | |||||
| CVE-2019-1363 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2019-10-11 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system, aka 'Windows GDI Information Disclosure Vulnerability'. | |||||
| CVE-2019-1328 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Foundation | 2019-10-11 | 3.5 LOW | 5.4 MEDIUM |
| A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Spoofing Vulnerability'. | |||||
| CVE-2019-1329 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Foundation | 2019-10-11 | 3.5 LOW | 5.4 MEDIUM |
| An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1330. | |||||
| CVE-2019-17454 | 1 Axiosys | 1 Bento4 | 2019-10-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Bento4 1.5.1.0 has a NULL pointer dereference in AP4_Descriptor::GetTag in Core/Ap4Descriptor.h, related to AP4_StsdAtom::GetSampleDescription in Core/Ap4StsdAtom.cpp, as demonstrated by mp4info. | |||||
| CVE-2019-17453 | 1 Axiosys | 1 Bento4 | 2019-10-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListWriter::Action in Core/Ap4Descriptor.h, related to AP4_IodsAtom::WriteFields in Core/Ap4IodsAtom.cpp, as demonstrated by mp4encrypt or mp4compact. | |||||
| CVE-2015-9459 | 1 Seo Searchterms Tagging 2 Project | 1 Seo Searchterms Tagging 2 | 2019-10-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The searchterms-tagging-2 plugin through 1.535 for WordPress has XSS via the wp-admin/options-general.php count parameter. | |||||
| CVE-2015-9468 | 1 K-78 | 1 Broken Link Manager | 2019-10-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The broken-link-manager plugin 0.4.5 for WordPress has XSS via the page parameter in a delURL action. | |||||
| CVE-2019-17491 | 1 Jnoj | 1 Jiangnan Online Judge | 2019-10-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[description] parameter to web/admin/problem/create or web/polygon/problem/update. | |||||
| CVE-2019-17489 | 1 Jnoj | 1 Jiangnan Online Judge | 2019-10-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[title] parameter to web/polygon/problem/create or web/polygon/problem/update or web/admin/problem/create. | |||||
| CVE-2019-17493 | 1 Jnoj | 1 Jiangnan Online Judge | 2019-10-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[sample_input] parameter to web/admin/problem/create or web/polygon/problem/update. | |||||
| CVE-2019-17239 | 1 Wpfactory | 1 Download Plugins And Themes From Dashboard | 2019-10-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| includes/settings/class-alg-download-plugins-settings.php in the download-plugins-dashboard plugin through 1.5.0 for WordPress has multiple unauthenticated stored XSS issues. | |||||
| CVE-2019-0370 | 1 Sap | 1 Financial Consolidation | 2019-10-11 | 6.4 MEDIUM | 6.5 MEDIUM |
| Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection. | |||||
| CVE-2015-9453 | 1 K-78 | 1 Broken Link Manager | 2019-10-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The broken-link-manager plugin before 0.6.0 for WordPress has XSS via the HTTP Referer or User-Agent header to a URL that does not exist. | |||||
| CVE-2015-9456 | 1 Orbisius | 1 Child Theme Creator | 2019-10-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| The orbisius-child-theme-creator plugin before 1.2.8 for WordPress has incorrect access control for file modification via the wp-admin/admin-ajax.php?action=orbisius_ctc_theme_editor_ajax&sub_cmd=save_file theme_1, theme_1_file, or theme_1_file_contents parameter. | |||||
| CVE-2019-17130 | 1 Vbulletin | 1 Vbulletin | 2019-10-10 | 6.4 MEDIUM | 6.5 MEDIUM |
| vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories. | |||||
| CVE-2019-17071 | 1 Realbigplugins | 1 Client Dash | 2019-10-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The client-dash (aka Client Dash) plugin 2.1.4 for WordPress allows XSS. | |||||
| CVE-2019-0369 | 1 Sap | 1 Financial Consolidation | 2019-10-10 | 3.5 LOW | 5.4 MEDIUM |
| SAP Financial Consolidation, before versions 10.0 and 10.1, does not sufficiently encode user-controlled inputs, which allows an attacker to execute scripts by uploading files containing malicious scripts, leading to reflected cross site scripting vulnerability. | |||||
| CVE-2019-17433 | 1 Laravel-admin | 1 Laravel-admin | 2019-10-10 | 3.5 LOW | 4.8 MEDIUM |
| z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen. | |||||
| CVE-2019-12701 | 1 Cisco | 2 Firepower Management Center, Vdb Fingerprint Database | 2019-10-10 | 5.0 MEDIUM | 5.8 MEDIUM |
| A vulnerability in the file and malware inspection feature of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass the file and malware inspection policies on an affected system. The vulnerability exists because the affected software insufficiently validates incoming traffic. An attacker could exploit this vulnerability by sending a crafted HTTP request through an affected device. A successful exploit could allow the attacker to bypass the file and malware inspection policies and send malicious traffic through the affected device. | |||||
| CVE-2019-11651 | 1 Microfocus | 2 Enterprise Developer, Enterprise Server | 2019-10-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS on Micro Focus Enterprise Developer and Enterprise Server, all versions prior to version 3.0 Patch Update 20, version 4.0 Patch Update 12, and version 5.0 Patch Update 2. The vulnerability could be exploited to redirect a user to a malicious page or forge certain types of web requests. | |||||
| CVE-2019-17434 | 1 Lavalite | 1 Lavalite | 2019-10-10 | 3.5 LOW | 5.4 MEDIUM |
| LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. | |||||
| CVE-2019-0374 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-10-10 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the chart title resulting in reflected Cross-Site Scripting | |||||
| CVE-2019-0375 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-10-10 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows execution of scripts in the export dialog box of the report name resulting in reflected Cross-Site Scripting. | |||||
| CVE-2019-0376 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-10-10 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs and allows an attacker to save malicious scripts in the publication name, which can be executed later by the victim, resulting in Stored Cross-Site Scripting. | |||||
| CVE-2019-0377 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-10-10 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before versions 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the input controls, resulting in Stored Cross-Site Scripting. | |||||
| CVE-2019-0378 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-10-10 | 3.5 LOW | 5.4 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), before version 4.2, does not sufficiently encode user-controlled inputs and allows an attacker to store malicious scripts in the file name of the background image resulting in Stored Cross-Site Scripting. | |||||
| CVE-2019-12691 | 1 Cisco | 1 Firepower Management Center | 2019-10-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to perform a directory traversal attack on an affected device. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass Cisco FMC Software security restrictions and gain access to the underlying filesystem of the affected device. | |||||
| CVE-2019-12694 | 1 Cisco | 1 Firepower Threat Defense | 2019-10-10 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the command line interface (CLI) of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker with administrative privileges to execute commands on the underlying operating system with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by executing a specific CLI command that includes crafted arguments. A successful exploit could allow the attacker to execute commands on the underlying OS with root privileges. | |||||
| CVE-2019-17257 | 1 Irfanview | 1 Irfanview | 2019-10-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| IrfanView 4.53 allows a Exception Handler Chain to be Corrupted starting at EXR!ReadEXR+0x000000000002af80. | |||||
| CVE-2019-0367 | 1 Sap | 1 Netweaver Process Integration | 2019-10-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check. | |||||
| CVE-2019-17106 | 1 Centreon | 1 Centreon Web | 2019-10-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components. | |||||
| CVE-2019-13628 | 1 Wolfssl | 1 Wolfssl | 2019-10-10 | 1.2 LOW | 4.7 MEDIUM |
| wolfSSL and wolfCrypt 4.0.0 and earlier (when configured without --enable-fpecc, --enable-sp, or --enable-sp-math) contain a timing side channel in ECDSA signature generation. This allows a local attacker, able to precisely measure the duration of signature operations, to infer information about the nonces used and potentially mount a lattice attack to recover the private key used. The issue occurs because ecc.c scalar multiplication might leak the bit length. | |||||
| CVE-2019-11212 | 1 Tibco | 1 Master Data Management | 2019-10-10 | 3.5 LOW | 5.4 MEDIUM |
| The MDM server component of TIBCO Software Inc's TIBCO MDM contains multiple vulnerabilities that theoretically allow an authenticated user with specific roles to perform cross-site scripting (XSS) attacks. This issue affects TIBCO Software Inc.'s TIBCO MDM version 9.0.1 and prior versions; version 9.1.0. | |||||
| CVE-2019-9919 | 1 Harmistechnology | 1 Je Messenger | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to craft messages in a way that JavaScript gets executed on the side of the receiving user when the message is opened, aka XSS. | |||||
| CVE-2019-9753 | 1 Otrs | 1 Otrs | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Open Ticket Request System (OTRS) 7.x before 7.0.5. An attacker who is logged into OTRS as an agent or a customer user can use the search result screens to disclose information from invalid system entities. Following is the list of affected entities: Custom Pages, FAQ Articles, Service Catalogue Items, ITSM Configuration Items. | |||||
| CVE-2019-8995 | 1 Tibco | 2 Activematrix Bpm, Silver Fabric Enabler | 2019-10-09 | 5.8 MEDIUM | 6.1 MEDIUM |
| The workspace client, openspace client, and app development client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contain a vulnerability wherein a malicious URL could trick a user into visiting a website of the attacker's choice. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1. | |||||
| CVE-2019-7614 | 1 Elastic | 1 Elasticsearch | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user. | |||||
| CVE-2019-8987 | 1 Tibco | 2 Data Science For Aws, Spotfire Data Science | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site scripting vulnerability that theoretically allows an authenticated user to gain access to all the capabilities of the web interface available to more privileged users. Affected releases are TIBCO Software Inc.'s TIBCO Data Science for AWS: versions up to and including 6.4.0, and TIBCO Spotfire Data Science: versions up to and including 6.4.0. | |||||
| CVE-2019-5634 | 1 Belwith-keeler | 1 Hickory Smart | 2019-10-09 | 2.1 LOW | 4.3 MEDIUM |
| An inclusion of sensitive information in log files vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Communications to the internet API services and direct connections to the lock via Bluetooth Low Energy (BLE) from the mobile application are logged in a debug log on the Android device at HickorySmartLog/Logs/SRDeviceLog.txt. This information was found stored in the Android device's default USB or SDcard storage paths and is accessible without rooting the device. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions. | |||||
| CVE-2019-6728 | 2 Foxitsoftware, Microsoft | 3 Phantompdf, Reader, Windows | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-7353. | |||||
| CVE-2019-7231 | 1 Abb | 2 Pb610 Panel Builder 600, Pb610 Panel Builder 600 Firmware | 2019-10-09 | 2.7 LOW | 5.7 MEDIUM |
| The ABB IDAL FTP server is vulnerable to a buffer overflow when a long string is sent by an authenticated attacker. This overflow is handled, but terminates the process. An authenticated attacker can send a FTP command string of 472 bytes or more to overflow a buffer, causing an exception that terminates the server. | |||||
| CVE-2019-6180 | 1 Lenovo | 1 Xclarity Administrator | 2019-10-09 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to cause JavaScript code to be stored in LXCA which may then be executed in the user's web browser. The JavaScript code is not executed on LXCA itself. | |||||
| CVE-2019-6158 | 1 Lenovo | 1 Xclarity Administrator | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered HTTP proxy credentials being written to a log file in clear text. This only affects LXCA when HTTP proxy credentials have been configured. This affects LXCA versions 2.0.0 to 2.3.x. | |||||
| CVE-2019-6181 | 1 Lenovo | 1 Xclarity Administrator | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user's web browser. The JavaScript code is not executed on LXCA itself. | |||||
| CVE-2019-6766 | 2 Foxitsoftware, Microsoft | 3 Foxit Reader, Phantompdf, Windows | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.4.1.16828. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the removeField method when processing AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-8162. | |||||
| CVE-2019-6547 | 1 Deltaww | 1 Screeneditor | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00.84 and prior. An out-of-bounds read vulnerability may cause the software to crash due to lacking user input validation for processing project files. | |||||