Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-9408 | 1 Cyberseo | 1 Xpinner Lite | 2019-09-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| The xpinner-lite plugin through 2.2 for WordPress has wp-admin/options-general.php CSRF with resultant XSS. | |||||
| CVE-2015-9407 | 1 Cyberseo | 1 Xpinner Lite | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The xpinner-lite plugin through 2.2 for WordPress has xpinner-lite.php XSS. | |||||
| CVE-2015-9393 | 1 Usersultra | 1 Users Ultra Membership | 2019-09-20 | 3.5 LOW | 5.4 MEDIUM |
| The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_desc parameter. | |||||
| CVE-2015-9392 | 1 Usersultra | 1 Users Ultra Membership | 2019-09-20 | 3.5 LOW | 5.4 MEDIUM |
| The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_name parameter. | |||||
| CVE-2016-11011 | 1 Usabilitydynamics | 1 Wp-invoice | 2019-09-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| The wp-invoice plugin before 4.1.1 for WordPress has wpi_update_user_option privilege escalation. | |||||
| CVE-2016-10999 | 1 Momizat | 1 Goodnews | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Goodnews theme through 2016-02-28 for WordPress has XSS via the s parameter. | |||||
| CVE-2016-11013 | 1 Agentevolution | 1 Impress Listings | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-listings plugin before 2.0.2 for WordPress has includes/views/single-listing.php XSS. | |||||
| CVE-2016-11012 | 1 Solaplugins | 1 Sola Support Tickets | 2019-09-20 | 3.5 LOW | 5.4 MEDIUM |
| The sola-support-tickets plugin before 3.13 for WordPress has incorrect access control for /wp-admin with resultant XSS. | |||||
| CVE-2016-10997 | 1 Yourinspirationweb | 1 Beauty-premium | 2019-09-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| The beauty-premium theme 1.0.8 for WordPress has CSRF with resultant arbitrary file upload in includes/sendmail.php. | |||||
| CVE-2016-11010 | 1 Usabilitydynamics | 1 Wp-invoice | 2019-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_twocheckout payer metadata updates. | |||||
| CVE-2016-11009 | 1 Usabilitydynamics | 1 Wp-invoice | 2019-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_interkassa payer metadata updates. | |||||
| CVE-2015-9389 | 1 Mtouch Quiz Project | 1 Mtouch Quiz | 2019-09-20 | 3.5 LOW | 5.4 MEDIUM |
| The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz name. | |||||
| CVE-2016-11007 | 1 Usabilitydynamics | 1 Wp-invoice | 2019-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_user_id for invoice retrieval. | |||||
| CVE-2016-11008 | 1 Usabilitydynamics | 1 Wp-invoice | 2019-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_paypal payer metadata updates. | |||||
| CVE-2015-9384 | 1 Bestwebsoft | 1 Relevant | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The relevant plugin before 1.0.8 for WordPress has XSS. | |||||
| CVE-2016-11005 | 1 Elfsight | 1 Instalinker | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The instalinker plugin before 1.1.2 for WordPress has includes/instalinker-admin-preview.php?client_id= XSS. | |||||
| CVE-2016-11001 | 1 Plugin-planet | 1 User Submitted Posts | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The user-submitted-posts plugin before 20160215 for WordPress has XSS via the user-submitted-content field. | |||||
| CVE-2016-10998 | 1 Ocimscripts | 1 Ocim-mp3 | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ocim-mp3 plugin through 2016-03-07 for WordPress has wp-content/plugins/ocim-mp3/source/pages.php?id= XSS. | |||||
| CVE-2016-10996 | 1 Optinmonster | 1 Optinmonster | 2019-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak. | |||||
| CVE-2016-11006 | 1 Usabilitydynamics | 1 Wp-invoice | 2019-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control for admin_init settings changes. | |||||
| CVE-2019-16525 | 1 Checklist | 1 Checklist | 2019-09-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code. | |||||
| CVE-2019-15032 | 1 Pydio | 1 Pydio | 2019-09-19 | 5.0 MEDIUM | 5.3 MEDIUM |
| Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information. | |||||
| CVE-2019-11662 | 1 Microfocus | 1 Service Manager | 2019-09-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| Class and method names are exposed in error messages in Micro Focus Service Manager versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, and 9.62. This vulnerability could be exploited in some special cases to allow information exposure through an error message. | |||||
| CVE-2018-1000814 | 1 Aiohttp-session Project | 1 Aiohttp-session | 2019-09-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| aio-libs aiohttp-session version 2.6.0 and earlier contains an Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in non-expiring sessions (infinite lifespan). This attack appears to be exploitable via recreation of a cookie post-expiry with the same value. | |||||
| CVE-2018-18660 | 1 Arcserve | 1 Udp | 2019-09-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a reflected cross-site scripting issue (DDI-VRT-2018-21) via /authenticationendpoint/domain.jsp. | |||||
| CVE-2019-16333 | 1 Get-simple | 1 Getsimple Cms | 2019-09-19 | 3.5 LOW | 5.4 MEDIUM |
| GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php. | |||||
| CVE-2016-10992 | 1 Codepeople | 1 Music Store | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The music-store plugin before 1.0.43 for WordPress has XSS via the wp-admin/admin.php?page=music-store-menu-reports from_year parameter. | |||||
| CVE-2019-16216 | 1 Zulip | 1 Zulip Server | 2019-09-18 | 3.5 LOW | 5.4 MEDIUM |
| Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files of certain types to mount a stored cross-site scripting attack on other logged-in users. On a Zulip server using the default local uploads backend, the attack is only effective against browsers lacking support for Content-Security-Policy such as Internet Explorer 11. On a Zulip server using the S3 uploads backend, the attack is confined to the origin of the configured S3 uploads hostname and cannot reach the Zulip server itself. | |||||
| CVE-2019-16215 | 1 Zulip | 1 Zulip Server | 2019-09-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages. | |||||
| CVE-2016-10976 | 1 Kodebyraaet | 1 Safe Editor | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The safe-editor plugin before 1.2 for WordPress has no se_save authentication, with resultant XSS. | |||||
| CVE-2016-10983 | 1 Ghost | 1 Ghost | 2019-09-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| The ghost plugin before 0.5.6 for WordPress has no access control for wp-admin/tools.php?ghostexport=true downloads of exported data. | |||||
| CVE-2018-14329 | 1 Htslib | 1 Htslib | 2019-09-18 | 3.3 LOW | 4.7 MEDIUM |
| In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink attack. | |||||
| CVE-2019-15848 | 1 Jetbrains | 1 Teamcity | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| JetBrains TeamCity 2019.1 and 2019.1.1 allows cross-site scripting (XSS), potentially making it possible to send an arbitrary HTTP request to a TeamCity server under the name of the currently logged-in user. | |||||
| CVE-2019-15727 | 1 Gitlab | 1 Gitlab | 2019-09-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.2 through 12.2.1. Insufficient permission checks were being applied when displaying CI results, potentially exposing some CI metrics data to unauthorized users. | |||||
| CVE-2019-16320 | 1 Cobham | 22 Sailor 600 Vsat Ku, Sailor 600 Vsat Ku Firmware, Sailor 800 Vsat and 19 more | 2019-09-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| Cobham Sea Tel v170 224521 through v194 225444 devices allow attackers to obtain potentially sensitive information, such as a vessel's latitude and longitude, via the public SNMP community. | |||||
| CVE-2019-16321 | 1 Scadabr | 1 Scadabr | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| ScadaBR 1.0CE and 1.1.x through 1.1.0-RC have XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. | |||||
| CVE-2019-15734 | 1 Gitlab | 1 Gitlab | 2019-09-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 8.6 through 12.2.1. Under very specific conditions, commit titles and team member comments could become viewable to users who did not have permission to access these. | |||||
| CVE-2018-13136 | 1 Ultimatemember | 1 Ultimate Member | 2019-09-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen. | |||||
| CVE-2019-10176 | 1 Redhat | 1 Openshift Container Platform | 2019-09-17 | 5.8 MEDIUM | 5.4 MEDIUM |
| A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack. | |||||
| CVE-2016-10977 | 1 Neliosoftware | 1 Nelio Ab Testing | 2019-09-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| The nelio-ab-testing plugin before 4.5.0 for WordPress has filename=..%2f directory traversal. | |||||
| CVE-2016-10990 | 1 Wpcerber | 1 Cerber Security Antispam & Malware Scan | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-cerber plugin before 2.7 for WordPress has XSS via the X-Forwarded-For HTTP header. | |||||
| CVE-2016-10975 | 1 Tonjoostudio | 1 Fluid-responsive-slideshow | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has reflected XSS via the skin parameter. | |||||
| CVE-2016-10985 | 1 Smackcoders | 1 Echo Sign | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter. | |||||
| CVE-2019-16349 | 1 Axiosys | 1 Bento4 | 2019-09-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class. | |||||
| CVE-2019-16197 | 1 Dolibarr | 1 Dolibarr | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS. | |||||
| CVE-2016-10988 | 1 Leenk | 1 Leenk.me | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The leenkme plugin before 2.6.0 for WordPress has stored XSS via facebook_message, facebook_linkname, facebook_caption, facebook_description, default_image, or _wp_http_referer. | |||||
| CVE-2019-15721 | 1 Gitlab | 1 Gitlab | 2019-09-17 | 5.5 MEDIUM | 5.4 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 10.8 through 12.2.1. An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings. | |||||
| CVE-2016-10986 | 1 Nerdcow | 1 Tweet Wheel | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The tweet-wheel plugin before 1.0.3.3 for WordPress has XSS via consumer_key, consumer_secret, access_token, and access_token_secret. | |||||
| CVE-2019-16355 | 1 Beego | 1 Beego | 2019-09-17 | 2.1 LOW | 5.5 MEDIUM |
| The File Session Manager in Beego 1.10.0 allows local users to read session files because of weak permissions for individual files. | |||||
| CVE-2016-10984 | 1 Smackcoders | 1 Echo Sign | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The echosign plugin before 1.2 for WordPress has XSS via the inc.php page parameter. | |||||
