Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-0990 | 1 Microsoft | 5 Chakracore, Edge, Windows 10 and 2 more | 2019-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge, aka 'Scripting Engine Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1023. | |||||
| CVE-2019-1015 | 1 Microsoft | 3 Windows 7, Windows Server 2008, Windows Server 2012 | 2019-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0968, CVE-2019-0977, CVE-2019-1009, CVE-2019-1010, CVE-2019-1011, CVE-2019-1012, CVE-2019-1013, CVE-2019-1016, CVE-2019-1046, CVE-2019-1047, CVE-2019-1048, CVE-2019-1049, CVE-2019-1050. | |||||
| CVE-2019-1081 | 1 Microsoft | 10 Edge, Internet Explorer, Windows 10 and 7 more | 2019-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory, aka 'Microsoft Browser Information Disclosure Vulnerability'. | |||||
| CVE-2019-1032 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2019-06-13 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2019-1031, CVE-2019-1033, CVE-2019-1036. | |||||
| CVE-2019-1031 | 1 Microsoft | 4 Project Server, Sharepoint Enterprise Server, Sharepoint Foundation and 1 more | 2019-06-13 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2019-1032, CVE-2019-1033, CVE-2019-1036. | |||||
| CVE-2019-1033 | 1 Microsoft | 4 Project Server, Sharepoint Enterprise Server, Sharepoint Foundation and 1 more | 2019-06-13 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2019-1031, CVE-2019-1032, CVE-2019-1036. | |||||
| CVE-2019-10336 | 1 Jenkins | 1 Electricflow | 2019-06-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this plugin. | |||||
| CVE-2019-10335 | 1 Jenkins | 1 Electricflow | 2019-06-13 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages. | |||||
| CVE-2019-10331 | 1 Jenkins | 1 Electricflow | 2019-06-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2019-10334 | 1 Jenkins | 1 Electricflow | 2019-06-13 | 5.8 MEDIUM | 6.5 MEDIUM |
| Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files. | |||||
| CVE-2019-1036 | 1 Microsoft | 4 Project Server, Sharepoint Enterprise Server, Sharepoint Foundation and 1 more | 2019-06-13 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2019-1031, CVE-2019-1032, CVE-2019-1033. | |||||
| CVE-2019-1016 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2019-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0968, CVE-2019-0977, CVE-2019-1009, CVE-2019-1010, CVE-2019-1011, CVE-2019-1012, CVE-2019-1013, CVE-2019-1015, CVE-2019-1046, CVE-2019-1047, CVE-2019-1048, CVE-2019-1049, CVE-2019-1050. | |||||
| CVE-2019-0977 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2019-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0968, CVE-2019-1009, CVE-2019-1010, CVE-2019-1011, CVE-2019-1012, CVE-2019-1013, CVE-2019-1015, CVE-2019-1016, CVE-2019-1046, CVE-2019-1047, CVE-2019-1048, CVE-2019-1049, CVE-2019-1050. | |||||
| CVE-2019-6588 | 1 Liferay | 1 Liferay Portal | 2019-06-12 | 2.6 LOW | 4.7 MEDIUM |
| In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable. | |||||
| CVE-2019-0713 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2019-06-12 | 5.5 MEDIUM | 6.8 MEDIUM |
| A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0710, CVE-2019-0711. | |||||
| CVE-2019-0711 | 1 Microsoft | 6 Windows 10, Windows 8.1, Windows Rt 8.1 and 3 more | 2019-06-12 | 5.5 MEDIUM | 6.8 MEDIUM |
| A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0710, CVE-2019-0713. | |||||
| CVE-2019-0710 | 1 Microsoft | 6 Windows 10, Windows 8.1, Windows Rt 8.1 and 3 more | 2019-06-12 | 5.5 MEDIUM | 6.8 MEDIUM |
| A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0711, CVE-2019-0713. | |||||
| CVE-2019-12308 | 1 Djangoproject | 1 Django | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link. | |||||
| CVE-2019-12766 | 1 Joomla | 1 Joomla! | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors. | |||||
| CVE-2018-1325 | 1 Wicket-jquery-ui Project | 1 Wicket-jquery-ui | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display. | |||||
| CVE-2017-15719 | 1 Wicket-jquery-ui Project | 1 Wicket-jquery-ui | 2019-06-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to WYSIWYG editor. | |||||
| CVE-2018-10934 | 1 Redhat | 3 Enterprise Linux Server, Jboss Enterprise Application Platform, Single Sign-on | 2019-06-11 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users. | |||||
| CVE-2019-10320 | 1 Jenkins | 1 Credentials | 2019-06-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate. | |||||
| CVE-2017-1000113 | 1 Jenkins | 1 Deploy | 2019-06-11 | 2.1 LOW | 5.5 MEDIUM |
| The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin now integrates with Credentials Plugin to store passwords securely, and automatically migrates existing passwords. | |||||
| CVE-2017-1000386 | 1 Jenkins | 1 Active Choices | 2019-06-11 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. This could include, for example, arbitrary JavaScript. Active Choices now sanitizes the HTML inserted on the 'Build With Parameters' page if and only if the script is executed in a sandbox. As unsandboxed scripts are subject to administrator approval, it is up to the administrator to allow or disallow problematic script output. | |||||
| CVE-2015-9282 | 1 Grafana | 1 Piechart-panel | 2019-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerable to XSS via legend data or tooltip data. When a chart is included in a Grafana dashboard, this vulnerability could allow an attacker to gain remote unauthenticated access to the dashboard. | |||||
| CVE-2018-6185 | 1 Cloudera | 2 Cloudera Manager, Navigator Key Trustee Kms | 2019-06-11 | 5.5 MEDIUM | 4.9 MEDIUM |
| In Cloudera Navigator Key Trustee KMS 5.12 and 5.13, incorrect default ACL values allow remote access to purge and undelete API calls on encryption zone keys. The Navigator Key Trustee KMS includes 2 API calls in addition to those in Apache Hadoop KMS: purge and undelete. The KMS ACL values for these commands are keytrustee.kms.acl.PURGE and keytrustee.kms.acl.UNDELETE respectively. The default value for the ACLs in Key Trustee KMS 5.12.0 and 5.13.0 is "*" which allows anyone with knowledge of the name of an encryption zone key and network access to the Key Trustee KMS to make those calls against known encryption zone keys. This can result in the recovery of a previously deleted, but not purged, key (undelete) or the deletion of a key in active use (purge) resulting in loss of access to encrypted HDFS data. | |||||
| CVE-2019-9881 | 1 Wpgraphql | 1 Wpgraphql | 2019-06-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled. | |||||
| CVE-2018-12127 | 2 Fedoraproject, Intel | 3 Fedora, Microarchitectural Load Port Data Sampling, Microarchitectural Load Port Data Sampling Firmware | 2019-06-11 | 4.7 MEDIUM | 5.6 MEDIUM |
| Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf | |||||
| CVE-2018-12126 | 2 Fedoraproject, Intel | 3 Fedora, Microarchitectural Store Buffer Data Sampling, Microarchitectural Store Buffer Data Sampling Firmware | 2019-06-11 | 4.7 MEDIUM | 5.6 MEDIUM |
| Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf | |||||
| CVE-2018-12130 | 2 Fedoraproject, Intel | 3 Fedora, Microarchitectural Fill Buffer Data Sampling, Microarchitectural Fill Buffer Data Sampling Firmware | 2019-06-11 | 4.7 MEDIUM | 5.6 MEDIUM |
| Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf | |||||
| CVE-2019-11517 | 1 Wampserver | 1 Wampserver | 2019-06-11 | 5.8 MEDIUM | 6.5 MEDIUM |
| WampServer before 3.1.9 has CSRF in add_vhost.php because the synchronizer pattern implemented as remediation of CVE-2018-8817 was incomplete. An attacker could add/delete any vhosts without the consent of the owner. | |||||
| CVE-2019-12477 | 1 Supra | 2 Stv-lc40lt0020f, Stv-lc40lt0020f Firmware | 2019-06-11 | 2.1 LOW | 5.5 MEDIUM |
| Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri= URI. | |||||
| CVE-2018-11469 | 2 Canonical, Haproxy | 2 Ubuntu Linux, Haproxy | 2019-06-11 | 4.3 MEDIUM | 5.9 MEDIUM |
| Incorrect caching of responses to requests including an Authorization header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows attackers to achieve information disclosure via an unauthenticated remote request, related to the proto_http.c check_request_for_cacheability function. | |||||
| CVE-2019-11877 | 1 Pix-link | 2 Lv-wr09, Lv-wr09 Firmware | 2019-06-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRouter.20180616 allows attackers to steal credentials without being connected to the network. The attack vector is a crafted ESSID. | |||||
| CVE-2018-5264 | 1 Ui | 2 Unifi 52, Unifi Firmware | 2019-06-11 | 4.3 MEDIUM | 5.9 MEDIUM |
| Ubiquiti UniFi 52 devices, when Hotspot mode is used, allow remote attackers to bypass intended restrictions on "free time" Wi-Fi usage by sending a /guest/s/default/ request to obtain a cookie, and then using this cookie in a /guest/s/default/login request with the byfree parameter. | |||||
| CVE-2019-11398 | 1 Ulicms | 1 Ulicms | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to admin/index.php?action=favicon. | |||||
| CVE-2018-10700 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection. | |||||
| CVE-2018-10692 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily. | |||||
| CVE-2019-7215 | 1 Progress | 1 Sitefinity | 2019-06-10 | 6.4 MEDIUM | 6.5 MEDIUM |
| Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed. | |||||
| CVE-2018-7653 | 1 Yzmcms | 1 Yzmcms | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter. | |||||
| CVE-2019-12774 | 1 Enttec | 8 Datagate Mk2, Datagate Mk2 Firmware, E-streamer Mk2 and 5 more | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A number of stored XSS vulnerabilities have been identified in the web configuration feature in ENTTEC Datagate Mk2 70044_update_05032019-482 that could allow an unauthenticated threat actor to inject malicious code directly into the application. This affects, for example, the Profile Description field in JSON data to the Profile Editor. | |||||
| CVE-2018-19465 | 1 Maccms | 1 Maccms | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html. | |||||
| CVE-2018-19432 | 2 Debian, Libsndfile Project | 2 Debian Linux, Libsndfile | 2019-06-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. | |||||
| CVE-2017-16942 | 1 Libsndfile Project | 1 Libsndfile | 2019-06-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists in the function wav_w64_read_fmt_chunk() in wav_w64.c, which may lead to DoS when playing a crafted audio file. | |||||
| CVE-2019-7149 | 2 Debian, Elfutils Project | 2 Debian Linux, Elfutils | 2019-06-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm. | |||||
| CVE-2018-5798 | 1 Cloudera | 1 Cloudera Manager | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| This CVE relates to an unspecified cross site scripting vulnerability in Cloudera Manager. | |||||
| CVE-2019-3477 | 1 Microfocus | 1 Solutions Business Manager | 2019-06-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| Micro Focus Solutions Business Manager versions prior to 11.4.2 are susceptible to open redirect. | |||||
| CVE-2019-7554 | 1 Api Based Travel Booking Project | 1 Api Based Travel Booking | 2019-06-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter. | |||||
| CVE-2019-9797 | 1 Mozilla | 1 Firefox | 2019-06-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element. This vulnerability affects Firefox < 66. | |||||
