Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12623 | 1 Cisco | 1 Enterprise Network Functions Virtualization Infrastructure | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the web server functionality of Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to perform file enumeration on an affected system. The vulnerability is due to the web server responding with different error codes for existing and non-existing files. An attacker could exploit this vulnerability by sending GET requests for different file names. A successful exploit could allow the attacker to enumerate files residing on the system. | |||||
| CVE-2019-12661 | 1 Cisco | 1 Ios Xe | 2019-10-09 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in a Virtualization Manager (VMAN) related CLI command of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific VMAN CLI command on the affected device. An attacker who has administrator access to an affected device could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges, which may lead to complete system compromise. | |||||
| CVE-2019-11032 | 1 Hr-technologies | 1 Easytorecruit | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In EasyToRecruit (E2R) before 2.11, the upload feature and the Candidate Profile Management feature are prone to Cross Site Scripting (XSS) injection in multiple locations. | |||||
| CVE-2019-10990 | 1 Redlion | 1 Crimson | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files. | |||||
| CVE-2019-10992 | 1 Deltaww | 1 Cnssoft Screeneditor | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| Delta Electronics CNCSoft ScreenEditor, Versions 1.00.89 and prior. Multiple out-of-bounds read vulnerabilities may cause information disclosure due to lacking user input validation for processing project files. | |||||
| CVE-2019-10975 | 1 Fujielectric | 2 Alpha7 Pc Loader, Alpha7 Pc Loader Firmware | 2019-10-09 | 3.3 LOW | 6.6 MEDIUM |
| An out-of-bounds read vulnerability has been identified in Fuji Electric Alpha7 PC Loader Versions 1.1 and prior, which may crash the system. | |||||
| CVE-2019-11274 | 1 Cloudfoundry | 1 User Account And Authentication | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS attack. A remote unauthenticated malicious attacker could craft a URL that contains a SCIM filter that contains malicious JavaScript, which older browsers may execute. | |||||
| CVE-2019-10976 | 1 Mitsubishielectric | 2 Electric Fr Configurator2, Electric Fr Configurator2 Firmware | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files. | |||||
| CVE-2019-1010237 | 1 Ilias | 1 Ilias | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector is: Cloze Test Text gap (attacker) / Corrections view (victim). The fixed version is: 5.3.12. | |||||
| CVE-2019-10150 | 1 Redhat | 1 Openshift Container Platform | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output. | |||||
| CVE-2019-10408 | 1 Jenkins | 1 Project Inheritance | 2019-10-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates. | |||||
| CVE-2019-10410 | 1 Jenkins | 1 Log Parser | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules. | |||||
| CVE-2019-10153 | 2 Clusterlabs, Redhat | 4 Fence-agents, Enterprise Linux, Enterprise Linux Server and 1 more | 2019-10-09 | 4.0 MEDIUM | 5.0 MEDIUM |
| A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception. In cluster environments, this could lead to preventing automated recovery or otherwise denying service to clusters of which that VM is a member. | |||||
| CVE-2019-10157 | 1 Redhat | 2 Keycloak, Single Sign-on | 2019-10-09 | 2.1 LOW | 5.5 MEDIUM |
| It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely. | |||||
| CVE-2019-10289 | 1 Jenkins | 1 Netsparker Cloud Scan | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-10278 | 1 Jenkins | 1 Jenkins-reviewbot | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-10304 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-10346 | 1 Jenkins | 1 Embeddable Build Status | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers inject arbitrary HTML and JavaScript into the response of this plugin. | |||||
| CVE-2019-10349 | 1 Jenkins | 1 Dependency Graph Viewer | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | |||||
| CVE-2019-10359 | 1 Jenkins | 1 M2release | 2019-10-09 | 6.8 MEDIUM | 6.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options. | |||||
| CVE-2019-10360 | 1 Jenkins | 1 M2 Release | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | |||||
| CVE-2019-10365 | 1 Google | 1 Kubernetes Engine | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read permission. | |||||
| CVE-2019-10367 | 1 Jenkins | 1 Configuration As Code | 2019-10-09 | 2.1 LOW | 5.5 MEDIUM |
| Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. | |||||
| CVE-2019-10372 | 1 Jenkins | 1 Gitlab Oauth | 2019-10-09 | 5.8 MEDIUM | 6.1 MEDIUM |
| An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login. | |||||
| CVE-2019-10373 | 1 Jenkins | 1 Build Pipeline | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | |||||
| CVE-2019-10402 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents. | |||||
| CVE-2019-1003026 | 1 Jenkins | 1 Mattermost | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost server and room and send a message. | |||||
| CVE-2019-1003027 | 1 Jenkins | 1 Octopusdeploy | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise. | |||||
| CVE-2019-1003012 | 2 Jenkins, Redhat | 2 Blue Ocean, Openshift Container Platform | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. | |||||
| CVE-2019-1003013 | 2 Jenkins, Redhat | 2 Blue Ocean, Openshift Container Platform | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. | |||||
| CVE-2019-1003014 | 2 Jenkins, Redhat | 2 Config File Provider, Openshift Container Platform | 2019-10-09 | 3.5 LOW | 4.8 MEDIUM |
| An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file. | |||||
| CVE-2019-1003017 | 1 Jenkins | 1 Job Import | 2019-10-09 | 2.6 LOW | 5.3 MEDIUM |
| A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration. | |||||
| CVE-2019-1003018 | 1 Jenkins | 1 Github Oauth | 2019-10-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret. | |||||
| CVE-2019-10405 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. | |||||
| CVE-2019-10407 | 1 Jenkins | 1 Project Inheritance | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin. | |||||
| CVE-2019-1003019 | 1 Jenkins | 1 Github Oauth | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. | |||||
| CVE-2019-1003020 | 1 Jenkins | 1 Kanboard | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL. | |||||
| CVE-2019-1003021 | 1 Jenkins | 1 Openid Connect Authentication | 2019-10-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret. | |||||
| CVE-2019-1003022 | 1 Jenkins | 1 Monitoring | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master. | |||||
| CVE-2019-1003023 | 1 Jenkins | 1 Warnings Next Generation | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML. | |||||
| CVE-2019-1010018 | 1 Zammad | 1 Zammad | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3. | |||||
| CVE-2019-10415 | 1 Jenkins | 1 Violation Comments To Gitlab | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10403 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions. | |||||
| CVE-2019-10413 | 1 Jenkins | 1 Data Theorem Mobile App Security | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Data Theorem: CI/CD Plugin 1.3 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10374 | 1 Jenkins | 1 Pegdown Formatter | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI. | |||||
| CVE-2019-10376 | 1 Jenkins | 1 Wall Display | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin. | |||||
| CVE-2019-10432 | 1 Jenkins | 1 Html Publisher | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those. | |||||
| CVE-2019-10414 | 1 Jenkins | 1 Git Changelog | 2019-10-09 | 3.5 LOW | 6.5 MEDIUM |
| Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10404 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. | |||||
| CVE-2019-10401 | 1 Jenkins | 1 Jenkins | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure). | |||||