Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16084 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default selected dialog button in CustomHandlers in Google Chrome prior to 69.0.3497.81 allowed a remote attacker who convinced the user to perform certain operations to open external programs via a crafted HTML page. | |||||
| CVE-2019-6979 | 1 Ip History Logs Project | 1 Ip History Logs | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the User IP History Logs (aka IP_History_Logs) plugin 1.0.2 for MyBB. There is XSS via the admin/modules/tools/ip_history_logs.php useragent field. | |||||
| CVE-2018-13115 | 1 Keruigroup | 2 Ypc99, Ypc99 Firmware | 2019-01-29 | 6.4 MEDIUM | 6.5 MEDIUM |
| Lack of an authentication mechanism in KERUI Wifi Endoscope Camera (YPC99) allows an attacker to watch or block the camera stream. The RTSP server on port 7070 accepts the command STOP to stop streaming, and the command SETSSID to disconnect a user. | |||||
| CVE-2019-6990 | 1 Zoneminder | 1 Zoneminder | 2019-01-29 | 3.5 LOW | 5.4 MEDIUM |
| A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the index.php?view=zones&action=zoneImage&mid=1 URI. | |||||
| CVE-2018-19727 | 1 Adobe | 1 Experience Manager | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2018-19724 | 1 Adobe | 1 Experience Manager | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2018-19726 | 1 Adobe | 1 Experience Manager | 2019-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2018-20502 | 1 Axiosys | 1 Bento4 | 2019-01-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Bento4 1.5.1-627. There is an attempt at excessive memory allocation in the AP4_DataBuffer class when called from AP4_HvccAtom::Create in Core/Ap4HvccAtom.cpp. | |||||
| CVE-2018-1000411 | 1 Jenkins | 1 Junit | 2019-01-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result. | |||||
| CVE-2019-6982 | 2 Foxitsoftware, Microsoft | 2 3d, Windows | 2019-01-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for Foxit Reader and PhantomPDF. The application could encounter an Out-of-Bounds Write and crash during the handling of certain PDF files that embed specifically crafted 3D content, because of the improper handling of a logic exception in the IFXASSERT function. | |||||
| CVE-2019-6780 | 1 Kaine | 1 Wise Chat | 2019-01-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| The Wise Chat plugin before 2.7 for WordPress mishandles external links because rendering/filters/post/WiseChatLinksPostFilter.php omits noopener and noreferrer. | |||||
| CVE-2019-6803 | 1 Typora | 1 Typora | 2019-01-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| typora through 0.9.9.20.3 beta has XSS, with resultant remote command execution, via the left outline bar. | |||||
| CVE-2018-18380 | 1 Bigtreecms | 1 Bigtree Cms | 2019-01-25 | 5.8 MEDIUM | 5.4 MEDIUM |
| A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session. | |||||
| CVE-2017-14443 | 1 Insteon | 2 Hub 2245-222, Hub 2245-222 Firmware | 2019-01-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| An exploitable information leak vulnerability exists in Insteon Hub running firmware version 1012. The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the whole device memory. An attacker can send an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2018-7431 | 1 Splunk | 1 Splunk | 2019-01-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in the Splunk Django App in Splunk Enterprise 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allows remote authenticated users to read arbitrary files via unspecified vectors. | |||||
| CVE-2017-18321 | 1 Qualcomm | 8 Mdm9650, Mdm9650 Firmware, Mdm9655 and 5 more | 2019-01-25 | 2.1 LOW | 5.5 MEDIUM |
| Security keys used by the terminal and NW for a session could be leaked in snapdragon mobile in versions MDM9650, MDM9655, SD 835, SDA660. | |||||
| CVE-2017-18332 | 1 Qualcomm | 56 Mdm9607, Mdm9607 Firmware, Mdm9635m and 53 more | 2019-01-25 | 2.1 LOW | 5.5 MEDIUM |
| Security keys are logged when any WCDMA call is configured or reconfigured in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDX20, SXR1130 | |||||
| CVE-2015-9276 | 1 Smartertools | 1 Smartermail | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS by bypassing the anti-XSS mechanisms. It was possible to run JavaScript code when a victim user opens or replies to the attacker's email, which contained a malicious payload. Therefore, users' passwords could be reset by using an XSS attack, as the password reset page did not need the current password. | |||||
| CVE-2015-9281 | 6 Hpe, Ibm, Linux and 3 more | 6 Hp-ux Ipfilter, Aix, Linux Kernel and 3 more | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows reflected XSS on the Timeout page. | |||||
| CVE-2019-6777 | 1 Zoneminder | 1 Zoneminder | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?view=plugin pl parameter. | |||||
| CVE-2018-14846 | 1 Mondula | 1 Multi Step Form | 2019-01-24 | 3.5 LOW | 5.4 MEDIUM |
| The Mondula Multi Step Form plugin before 1.2.8 for WordPress has multiple stored XSS via wp-admin/admin-ajax.php. | |||||
| CVE-2018-19371 | 1 Sdl | 1 Web Content Manager | 2019-01-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system. | |||||
| CVE-2018-11999 | 1 Qualcomm | 42 Mdm9206, Mdm9206 Firmware, Mdm9607 and 39 more | 2019-01-24 | 4.9 MEDIUM | 5.5 MEDIUM |
| Improper input validation in trustzone can lead to denial of service in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 636, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDM630, SDM660, SDX24 | |||||
| CVE-2017-18358 | 1 Limesurvey | 1 Limesurvey | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin panel. | |||||
| CVE-2018-16199 | 1 Toshiba | 4 Hem-gw16a, Hem-gw16a Firmware, Hem-gw26a and 1 more | 2019-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows an remote attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-12161 | 1 Intel | 1 Raid Web Console | 2019-01-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient session validation in the webserver component of the Intel Rapid Web Server 3 may allow an unauthenticated user to potentially disclose information via network access. | |||||
| CVE-2017-6463 | 1 Ntp | 1 Ntp | 2019-01-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option. | |||||
| CVE-2016-7427 | 1 Ntp | 1 Ntp | 2019-01-24 | 3.3 LOW | 4.3 MEDIUM |
| The broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet. | |||||
| CVE-2016-7428 | 1 Ntp | 1 Ntp | 2019-01-24 | 3.3 LOW | 4.3 MEDIUM |
| ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet. | |||||
| CVE-2016-9310 | 1 Ntp | 1 Ntp | 2019-01-24 | 6.4 MEDIUM | 6.5 MEDIUM |
| The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet. | |||||
| CVE-2016-9311 | 1 Ntp | 1 Ntp | 2019-01-24 | 7.1 HIGH | 5.9 MEDIUM |
| ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted packet. | |||||
| CVE-2018-0698 | 1 Weseek | 1 Growi | 2019-01-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-18287 | 1 Asus | 2 Rt-ac58u, Rt-ac58u Firmware | 2019-01-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| On ASUS RT-AC58U 3.0.0.4.380_6516 devices, remote attackers can discover hostnames and IP addresses by reading dhcpLeaseInfo data in the HTML source code of the Main_Login.asp page. | |||||
| CVE-2018-20576 | 1 Orange | 2 Arv7519rw22 Livebox 2.1, Arv7519rw22 Livebox 2.1 Firmware | 2019-01-23 | 5.8 MEDIUM | 5.4 MEDIUM |
| Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. | |||||
| CVE-2018-16206 | 1 Ohtanz | 1 Spam-byebye | 2019-01-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WordPress plugin spam-byebye 2.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-20682 | 1 Fork-cms | 1 Fork Cms | 2019-01-23 | 3.5 LOW | 5.4 MEDIUM |
| Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka "Admin ids" input in the Facebook section). | |||||
| CVE-2018-19197 | 1 Xiaocms | 1 Xiaocms | 2019-01-23 | 5.5 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in XiaoCms 20141229. admin\controller\database.php allows arbitrary directory deletion via admin/index.php?c=database&a=import&paths[]=../ directory traversal. | |||||
| CVE-2016-10737 | 1 S9y | 1 Serendipity | 2019-01-23 | 3.5 LOW | 5.4 MEDIUM |
| Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter. | |||||
| CVE-2017-2582 | 1 Redhat | 3 Enterprise Linux, Jboss Enterprise Application Platform, Keycloak | 2019-01-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. | |||||
| CVE-2018-19718 | 1 Adobe | 1 Connect | 2019-01-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| Adobe Connect versions 9.8.1 and earlier have a session token exposure vulnerability. Successful exploitation could lead to exposure of the privileges granted to a session. | |||||
| CVE-2018-20731 | 1 Nedi | 1 Nedi | 2019-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in NeDi before 1.7Cp3 allows remote attackers to inject arbitrary web script or HTML via User-Chat.php. | |||||
| CVE-2019-6442 | 1 Ntpsec | 1 Ntpsec | 2019-01-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can write one byte out of bounds in ntpd via a malformed config request, related to config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and yyerror in ntp_parser.y. | |||||
| CVE-2018-20729 | 1 Nedi | 1 Nedi | 2019-01-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross site scripting (XSS) vulnerability in NeDi before 1.7Cp3 allows remote attackers to inject arbitrary web script or HTML via the reg parameter in mh.php. | |||||
| CVE-2019-6445 | 1 Ntpsec | 1 Ntpsec | 2019-01-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can cause a NULL pointer dereference and ntpd crash in ntp_control.c, related to ctl_getitem. | |||||
| CVE-2019-0646 | 1 Microsoft | 1 Team Foundation Server | 2019-01-22 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team. | |||||
| CVE-2019-6278 | 1 Jpress | 1 Jpress | 2019-01-18 | 3.5 LOW | 5.4 MEDIUM |
| XSS exists in JPress v1.0.4 via Markdown input, or Markdown input with the code input option. | |||||
| CVE-2018-20535 | 1 Nasm | 1 Netwide Assembler | 2019-01-18 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a use-after-free at asm/preproc.c (function pp_getline) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service during a line-number increment attempt. | |||||
| CVE-2017-14517 | 1 Freedesktop | 1 Poppler | 2019-01-18 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Poppler 0.59.0, a NULL Pointer Dereference exists in the XRef::parseEntry() function in XRef.cc via a crafted PDF document. | |||||
| CVE-2018-11020 | 1 Amazon | 2 Fire Os, Kindle Fire Hd | 2019-01-17 | 4.9 MEDIUM | 4.4 MEDIUM |
| kernel/omap/drivers/rpmsg/rpmsg_omx.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device file /dev/rpmsg-omx1 with the command 3221772291, and cause a kernel crash. | |||||
| CVE-2019-6248 | 1 Citysearch \/ Hotfrog \/ Gelbeseiten Clone Script Project | 1 Citysearch \/ Hotfrog \/ Gelbeseiten Clone Script | 2019-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the srch parameter, as demonstrated by restaurants-details.php. | |||||