Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7295 | 1 Typora | 1 Typora | 2019-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| typora through 0.9.63 has XSS, with resultant remote command execution, during block rendering of a mathematical formula. | |||||
| CVE-2019-7296 | 1 Typora | 1 Typora | 2019-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| typora through 0.9.64 has XSS, with resultant remote command execution, during inline rendering of a mathematical formula. | |||||
| CVE-2018-12167 | 1 Intel | 2 Optane Ssd Dc P4800x, Optane Ssd Dc P4800x Firmware | 2019-02-01 | 2.1 LOW | 4.4 MEDIUM |
| Firmware update routine in bootloader for Intel(R) Optane(TM) SSD DC P4800X before version E2010435 may allow a privileged user to potentially enable a denial of service via local access. | |||||
| CVE-2018-19040 | 1 Media File Manager Project | 1 Media File Manager | 2019-02-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Media File Manager plugin 1.4.2 for WordPress allows directory listing via a ../ directory traversal in the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI. | |||||
| CVE-2015-0861 | 2 Debian, Tryton | 2 Debian Linux, Trytond | 2019-02-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records. | |||||
| CVE-2018-1000886 | 1 Nasm | 1 Netwide Assembler | 2019-02-01 | 4.3 MEDIUM | 5.5 MEDIUM |
| nasm version 2.14.01rc5, 2.15 contains a Buffer Overflow vulnerability in asm/stdscan.c:130 that can result in Stack-overflow caused by triggering endless macro generation, crash the program. This attack appear to be exploitable via a crafted nasm input file. | |||||
| CVE-2018-19042 | 1 Media File Manager Project | 1 Media File Manager | 2019-02-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Media File Manager plugin 1.4.2 for WordPress allows arbitrary file movement via a ../ directory traversal in the dir_from and dir_to parameters of an mrelocator_move action to the wp-admin/admin-ajax.php URI. | |||||
| CVE-2018-19043 | 1 Media File Manager Project | 1 Media File Manager | 2019-02-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Media File Manager plugin 1.4.2 for WordPress allows arbitrary file renaming (specifying a "from" and "to" filename) via a ../ directory traversal in the dir parameter of an mrelocator_rename action to the wp-admin/admin-ajax.php URI. | |||||
| CVE-2018-12166 | 1 Intel | 2 Optane Ssd Dc P4800x, Optane Ssd Dc P4800x Firmware | 2019-02-01 | 2.1 LOW | 4.4 MEDIUM |
| Insufficient write protection in firmware for Intel(R) Optane(TM) SSD DC P4800X before version E2010435 may allow a privileged user to potentially enable a denial of service via local access. | |||||
| CVE-2019-7250 | 1 Cross Reference Project | 1 Cross Reference | 2019-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the Cross Reference Add-on 36 for Google Docs. Stored XSS in the preview boxes in the configuration panel may allow a malicious user to use both label text and references text to inject arbitrary JavaScript code (via SCRIPT elements, event handlers, etc.). Since this code is stored by the plugin, the attacker may be able to target anyone who opens the configuration panel of the plugin. | |||||
| CVE-2018-12611 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite 7.8.4 and earlier allows Directory Traversal. | |||||
| CVE-2018-12610 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-01-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| OX App Suite 7.8.4 and earlier allows Information Exposure. | |||||
| CVE-2018-12609 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-01-31 | 4.0 MEDIUM | 6.5 MEDIUM |
| OX App Suite 7.8.4 and earlier allows Server-Side Request Forgery. | |||||
| CVE-2018-19792 | 1 Litespeedtech | 1 Openlitespeed | 2019-01-31 | 4.6 MEDIUM | 6.7 MEDIUM |
| The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 allows local users to cause a denial of service (buffer overflow) or possibly have unspecified other impact by creating a symlink through which the openlitespeed program can be invoked with a long command name (involving ../ characters), which is mishandled in the LshttpdMain::getServerRootFromExecutablePath function. | |||||
| CVE-2018-19876 | 1 Cairographics | 1 Cairo | 2019-01-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a "free(): invalid pointer" error. | |||||
| CVE-2018-19370 | 1 Yoast | 1 Yoast Seo | 2019-01-31 | 6.0 MEDIUM | 6.6 MEDIUM |
| A Race condition vulnerability in unzip_file in admin/import/class-import-settings.php in the Yoast SEO (wordpress-seo) plugin before 9.2.0 for WordPress allows an SEO Manager to perform command execution on the Operating System via a ZIP import. | |||||
| CVE-2016-10740 | 1 Atlassian | 1 Crowd | 2019-01-31 | 4.0 MEDIUM | 4.9 MEDIUM |
| Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources. | |||||
| CVE-2018-19587 | 1 Cesanta | 1 Mongoose | 2019-01-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Cesanta Mongoose 6.13, a SIGSEGV exists in the mongoose.c mg_mqtt_add_session() function. | |||||
| CVE-2018-16149 | 1 Axtls Project | 1 Axtls | 2019-01-31 | 4.3 MEDIUM | 5.9 MEDIUM |
| In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification blindly trusts the declared lengths in the ASN.1 structure. Consequently, when small public exponents are being used, a remote attacker can generate purposefully crafted signatures (and put them on X.509 certificates) to induce illegal memory access and crash the verifier. | |||||
| CVE-2018-20304 | 1 Libexcel Project | 1 Libexcel | 2019-01-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| wbook_addworksheet in workbook.c in libexcel.a in libexcel 0.01 allows attackers to cause a denial of service (SEGV) via a long second argument. NOTE: this is not a Microsoft product. | |||||
| CVE-2018-4179 | 1 Apple | 1 Mac Os X | 2019-01-30 | 2.1 LOW | 5.5 MEDIUM |
| In macOS High Sierra before 10.13.4, there was an issue with the handling of smartcard PINs. This issue was addressed with additional logic. | |||||
| CVE-2018-15706 | 1 Advantech | 1 Webaccess | 2019-01-30 | 6.8 MEDIUM | 6.5 MEDIUM |
| WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2 allows remote authenticated attackers to read any file on the filesystem due to a directory traversal vulnerability in the readFile API. | |||||
| CVE-2018-20186 | 1 Axiosys | 1 Bento4 | 2019-01-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Bento4 1.5.1-627. AP4_Sample::ReadData in Core/Ap4Sample.cpp allows attackers to trigger an attempted excessive memory allocation, related to AP4_DataBuffer::SetDataSize and AP4_DataBuffer::ReallocateBuffer in Core/Ap4DataBuffer.cpp. | |||||
| CVE-2018-5811 | 2 Canonical, Libraw | 2 Ubuntu Linux, Libraw | 2019-01-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| An error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash. | |||||
| CVE-2018-6091 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| Service Workers can intercept any request made by an <embed> or <object> tag in Fetch API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2018-6096 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| A JavaScript focused window could overlap the fullscreen notification in Fullscreen in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obscure the full screen warning via a crafted HTML page. | |||||
| CVE-2018-6100 | 4 Apple, Debian, Google and 1 more | 6 Mac Os X, Debian Linux, Chrome and 3 more | 2019-01-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect handling of confusable characters in URL Formatter in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||||
| CVE-2018-19782 | 1 Freshrss | 1 Freshrss | 2019-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) c parameter or (2) a parameter. | |||||
| CVE-2018-19829 | 1 Artica | 1 Integria Ims | 2019-01-30 | 5.8 MEDIUM | 6.5 MEDIUM |
| Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known. | |||||
| CVE-2018-6109 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| readAsText() can indefinitely read the file picked by the user, rather than only once at the time the file is picked in File API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to access data on the user file system without explicit consent via a crafted HTML page. | |||||
| CVE-2018-6133 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||||
| CVE-2018-6110 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-30 | 5.8 MEDIUM | 5.4 MEDIUM |
| Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page. | |||||
| CVE-2018-1000415 | 1 Rebuild Project | 1 Rebuild | 2019-01-30 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, RebuildAction/ValidatingStringParameterValue.jelly that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms. | |||||
| CVE-2018-1000422 | 1 Atlassian | 1 Crowd2 | 2019-01-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings. | |||||
| CVE-2018-1000421 | 1 Apache | 1 Mesos | 2019-01-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-20071 | 1 Google | 1 Chrome | 2019-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controled files via a crafted HTML page. | |||||
| CVE-2018-20681 | 1 Mate-desktop | 1 Mate-screensaver | 2019-01-30 | 3.6 LOW | 6.1 MEDIUM |
| mate-screensaver before 1.20.2 in MATE Desktop Environment allows physically proximate attackers to view screen content and possibly control applications. By unplugging and re-plugging or power-cycling external output devices (such as additionally attached graphical outputs via HDMI, VGA, DVI, etc.) the content of a screensaver-locked session can be revealed. In some scenarios, the attacker can execute applications, such as by clicking with a mouse. | |||||
| CVE-2018-20367 | 1 Wstmart | 1 Wstmart | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "mall some commodity details: commodity consultation" component in WSTMart 2.0.8_181212 has stored XSS via the consultContent parameter, as demonstrated by the index.php/home/goodsconsult/add.html URI. | |||||
| CVE-2019-6983 | 2 Foxitsoftware, Microsoft | 2 3d, Windows | 2019-01-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for Foxit Reader and PhantomPDF. The application could encounter an Integer Overflow and crash during the handling of certain PDF files that embed specifically crafted 3D content, because of a free of valid memory. | |||||
| CVE-2019-6992 | 1 Zoneminder | 1 Zoneminder | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a long NAME or PROTOCOL to the index.php?view=controlcaps URI. | |||||
| CVE-2018-16088 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2019-01-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A missing check for JS-simulated input events in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to download arbitrary files with no user input via a crafted HTML page. | |||||
| CVE-2019-7172 | 1 Atutor | 1 Atutor | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php. | |||||
| CVE-2019-7168 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Blog field to /admin/nodes/nodes/add/blog. | |||||
| CVE-2019-7169 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/menus/menus/edit/3. | |||||
| CVE-2019-7170 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/taxonomy/vocabularies. | |||||
| CVE-2019-7171 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/blocks/blocks/edit/8. | |||||
| CVE-2018-6093 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient origin checks in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2019-7173 | 1 Croogo | 1 Croogo | 2019-01-29 | 3.5 LOW | 4.8 MEDIUM |
| A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4. | |||||
| CVE-2018-16078 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2019-01-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| Unsafe handling of credit card details in Autofill in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||||
| CVE-2018-6147 | 4 Apple, Debian, Google and 1 more | 6 Mac Os X, Debian Linux, Chrome and 3 more | 2019-01-29 | 2.1 LOW | 5.5 MEDIUM |
| Lack of secure text entry mode in Browser UI in Google Chrome on Mac prior to 67.0.3396.62 allowed a local attacker to obtain potentially sensitive information from process memory via a local process. | |||||