Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-16725 | 1 Joomla | 1 Joomla! | 2019-09-25 | 4.3 MEDIUM | 6.1 MEDIUM | In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates. |
| CVE-2019-7308 | 3 Canonical, Linux, Opensuse | 3 Ubuntu Linux, Linux Kernel, Leap | 2019-09-24 | 4.7 MEDIUM | 5.6 MEDIUM | kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks. |
| CVE-2019-1262 | 1 Microsoft | 1 Sharepoint Foundation | 2019-09-24 | 3.5 LOW | 5.4 MEDIUM | A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. |
| CVE-2019-16681 | 1 Traveloka | 1 Traveloka | 2019-09-24 | 2.6 LOW | 4.7 MEDIUM | The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to the opening of arbitrary URLs, which can inject deceptive content into the UI. (When in physical possession of the device, opening local files is also possible.) NOTE: As of 2019-09-23, the vendor has not agreed that this issue has serious impact. The vendor states that the issue is not critical because it does not allow Elevation of Privilege, Sensitive Data Leakage, or any critical unauthorized activity from a malicious user. The vendor also states that a victim must first install a malicious APK to their application. |
| CVE-2018-9090 | 1 Redhat | 1 Tectonic | 2019-09-24 | 4.3 MEDIUM | 6.1 MEDIUM | CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at the grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured by Tectonic administrators. An attacker can insert an XSS payload into the dashboards. |
| CVE-2018-10839 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2019-09-24 | 4.0 MEDIUM | 6.5 MEDIUM | Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to a buffer overflow issue. It could occur when receiving packets over the network. A user inside the guest could use this flaw to crash the Qemu process, resulting in DoS. |
| CVE-2018-21008 | 1 Linux | 1 Linux Kernel | 2019-09-24 | 4.9 MEDIUM | 5.5 MEDIUM | An issue was discovered in the Linux kernel before 4.16.7. A use-after-free can be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c. |
| CVE-2019-9456 | 1 Google | 1 Android | 2019-09-24 | 4.6 MEDIUM | 6.7 MEDIUM | In the Android kernel in the Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2019-10755 | 1 Pac4j | 1 Pac4j | 2019-09-24 | 4.0 MEDIUM | 4.9 MEDIUM | The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class, which makes them predictable because the RandomStringUtils PRNG's algorithm is not cryptographically strong. This issue only affects the 3.X release of pac4j-saml. |
| CVE-2019-16679 | 1 Gilacms | 1 Gila Cms | 2019-09-23 | 4.0 MEDIUM | 4.9 MEDIUM | Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion. |
| CVE-2019-16518 | 1 Vandyvape | 2 Swell Kit Mod, Swell Kit Mod Firmware | 2019-09-23 | 3.3 LOW | 4.3 MEDIUM | An issue was discovered on Swell Kit Mod devices that use the Vandy Vape platform. An attacker may be able to trigger an unintended temperature in the victim's mouth and throat via Bluetooth Low Energy (BLE) packets that specify large power or voltage values. |
| CVE-2017-14988 | 1 Openexr | 1 Openexr | 2019-09-23 | 4.3 MEDIUM | 5.5 MEDIUM | ** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid. |
| CVE-2019-10090 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-12407 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-12404 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-10089 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-16669 | 1 Pagekit | 1 Pagekit | 2019-09-23 | 5.0 MEDIUM | 5.3 MEDIUM | The Reset Password feature in Pagekit 1.0.17 gives a different response depending on whether the e-mail address of a valid user account is entered, which might make it easier for attackers to enumerate accounts. |
| CVE-2019-16677 | 1 Idreamsoft | 1 Icms | 2019-09-23 | 5.8 MEDIUM | 6.5 MEDIUM | An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF. |
| CVE-2019-10087 | 1 Apache | 1 Jspwiki | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. |
| CVE-2019-16721 | 1 5none | 1 Nonecms | 2019-09-23 | 5.8 MEDIUM | 6.5 MEDIUM | NoneCMS v1.3 has CSRF in public/index.php/admin/admin/dele.html, as demonstrated by deleting the admin user. |
| CVE-2018-18381 | 1 Zblogcn | 1 Z-blogphp | 2019-09-23 | 3.5 LOW | 5.4 MEDIUM | Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments. |
| CVE-2019-16703 | 1 Phpmywind | 1 Phpmywind | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. |
| CVE-2019-11327 | 1 Topcon | 2 Net-g5, Net-g5 Firmware | 2019-09-23 | 4.0 MEDIUM | 4.9 MEDIUM | An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product has a local file inclusion vulnerability. An attacker with administrative privileges can craft a special URL to read arbitrary files from the device's file system. |
| CVE-2015-9388 | 1 Mtouch Quiz Project | 1 Mtouch Quiz | 2019-09-23 | 4.3 MEDIUM | 6.5 MEDIUM | The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/edit.php CSRF with resultant XSS. |
| CVE-2015-9387 | 1 Mtouch Quiz Project | 1 Mtouch Quiz | 2019-09-23 | 4.3 MEDIUM | 6.5 MEDIUM | The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/options-general.php CSRF. |
| CVE-2015-9390 | 1 Admin Management Xtended Project | 1 Admin Management Xtended | 2019-09-23 | 4.0 MEDIUM | 4.3 MEDIUM | The admin-management-xtended plugin before 2.4.0.1 for WordPress has privilege escalation because wp_ajax functions are mishandled. |
| CVE-2019-16678 | 1 Yzmcms | 1 Yzmcms | 2019-09-23 | 4.3 MEDIUM | 6.5 MEDIUM | admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route. |
| CVE-2019-16704 | 1 Phpmywind | 1 Phpmywind | 2019-09-23 | 3.5 LOW | 4.8 MEDIUM | admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. |
| CVE-2015-9403 | 1 Neuvoo | 1 Neuvoo-jobroll | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_location XSS. |
| CVE-2019-16657 | 1 Tuzicms | 1 Tuzicms | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/. |
| CVE-2019-16661 | 1 Digimute | 1 Ogma Cms | 2019-09-23 | 3.5 LOW | 5.4 MEDIUM | Ogma CMS 0.5 has XSS via creation of a new blog. |
| CVE-2019-14915 | 1 Prise | 1 Adas | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in PRiSE adAS 1.7.0. Certificate data are not properly escaped. This leads to XSS when submitting a rogue certificate. |
| CVE-2019-14913 | 1 Prise | 1 Adas | 2019-09-23 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in PRiSE adAS 1.7.0. Log data are not properly escaped, leading to persistent XSS in the administration panel. |
| CVE-2018-16379 | 1 Digimute | 1 Ogma Cms | 2019-09-23 | 3.5 LOW | 4.8 MEDIUM | Ogma CMS 0.4 Beta has XSS via the "Footer Text footer" field on the "Theme/Theme Options" screen. |
| CVE-2019-14912 | 1 Prise | 1 Adas | 2019-09-23 | 5.8 MEDIUM | 6.1 MEDIUM | An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does not properly check the goto parameter, leading to an open redirect that leaks the session cookie. |
| CVE-2019-14911 | 1 Prise | 1 Adas | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does not properly escape output on error, leading to reflected XSS. |
| CVE-2019-16664 | 1 Thinksaas | 1 Thinksaas | 2019-09-23 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in ThinkSAAS 2.91. There is XSS via the index.php?app=group&ac=create&ts=do groupname parameter. |
| CVE-2019-16665 | 1 Thinksaas | 1 Thinksaas | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in ThinkSAAS 2.91. There is XSS via the content to the index.php?app=group&ac=comment&ts=do&js=1 URI, as demonstrated by a crafted SVG document in the SRC attribute of an EMBED element. |
| CVE-2018-11200 | 1 Acquia | 1 Mautic | 2019-09-23 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Mautic 2.13.1. It has Stored XSS via the company name field. |
| CVE-2015-9405 | 1 Wp-piwik Project | 1 Wp-piwik | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | The wp-piwik plugin before 1.0.5 for WordPress has XSS. |
| CVE-2015-9404 | 1 Neuvoo | 1 Neuvoo-jobroll | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_keywords XSS. |
| CVE-2019-11559 | 1 Hrworks | 1 Hrworks | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected Cross-site scripting (XSS) vulnerability in HRworks V 1.16.1 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to the Login component. |
| CVE-2015-9385 | 1 Bestwebsoft | 1 Quotes And Tips | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | The quotes-and-tips plugin before 1.20 for WordPress has XSS. |
| CVE-2019-16643 | 1 Zrlog | 1 Zrlog | 2019-09-20 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in ZrLog 2.1.1. There is a Stored XSS vulnerability in the article_edit area. |
| CVE-2015-9397 | 1 Webmaster-source | 1 Gocodes | 2019-09-20 | 3.5 LOW | 5.4 MEDIUM | The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS. |
| CVE-2015-9401 | 1 Websimon-tables Project | 1 Websimon-tables | 2019-09-20 | 3.5 LOW | 4.8 MEDIUM | The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/tools.php edit_style id XSS. |
| CVE-2015-9391 | 1 Ostenta | 1 Yawpp | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | The yawpp plugin through 1.2.2 for WordPress has XSS via the field1 parameter. |
| CVE-2015-9386 | 1 Mtouch Quiz Project | 1 Mtouch Quiz | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via the quiz parameter during a Quiz Manage operation. |
| CVE-2015-9396 | 1 Attosoft | 1 Auto Thickbox Plus | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | The auto-thickbox-plus plugin through 1.9 for WordPress has wp-content/plugins/auto-thickbox-plus/download.min.php?file= XSS. |
| CVE-2019-15086 | 1 Prise | 1 Adas | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in PRiSE adAS 1.7.0. The newentityID parameter is not properly escaped, leading to a reflected XSS in the error message. |
