Search
Total
86024 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-9355 | 1 Puppet | 1 Puppet Enterprise | 2019-07-10 | 4.0 MEDIUM | N/A |
| Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint. | |||||
| CVE-2012-3864 | 2 Puppet, Puppetlabs | 3 Puppet, Puppet Enterprise, Puppet | 2019-07-10 | 4.0 MEDIUM | N/A |
| Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request. | |||||
| CVE-2012-3865 | 2 Puppet, Puppetlabs | 3 Puppet, Puppet Enterprise, Puppet | 2019-07-10 | 3.5 LOW | N/A |
| Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. | |||||
| CVE-2012-3866 | 2 Puppet, Puppetlabs | 3 Puppet, Puppet Enterprise, Puppet | 2019-07-10 | 2.1 LOW | N/A |
| lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file. | |||||
| CVE-2012-3867 | 6 Canonical, Debian, Opensuse and 3 more | 8 Ubuntu Linux, Debian Linux, Opensuse and 5 more | 2019-07-10 | 4.3 MEDIUM | N/A |
| lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences. | |||||
| CVE-2012-5158 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2019-07-10 | 4.0 MEDIUM | N/A |
| Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors. | |||||
| CVE-2013-1398 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2019-07-10 | 8.5 HIGH | N/A |
| The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role. | |||||
| CVE-2013-1399 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2019-07-10 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2013-1652 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2019-07-10 | 4.9 MEDIUM | N/A |
| Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors. | |||||
| CVE-2013-1653 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2019-07-10 | 7.1 HIGH | N/A |
| Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request. | |||||
| CVE-2013-2274 | 2 Puppet, Puppetlabs | 3 Puppet, Puppet Enterprise, Puppet | 2019-07-10 | 6.5 MEDIUM | N/A |
| Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report. | |||||
| CVE-2013-2275 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2019-07-10 | 4.0 MEDIUM | N/A |
| The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors. | |||||
| CVE-2013-2716 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2019-07-10 | 5.0 MEDIUM | N/A |
| Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie. | |||||
| CVE-2013-1654 | 3 Canonical, Puppet, Puppetlabs | 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more | 2019-07-10 | 5.0 MEDIUM | N/A |
| Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors. | |||||
| CVE-2013-1655 | 3 Puppet, Puppetlabs, Ruby-lang | 4 Puppet, Puppet Enterprise, Puppet and 1 more | 2019-07-10 | 7.5 HIGH | N/A |
| Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." | |||||
| CVE-2011-0528 | 1 Puppet | 1 Puppet | 2019-07-10 | 5.5 MEDIUM | N/A |
| Puppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or modify the resources of other nodes via unspecified vectors. | |||||
| CVE-2011-3848 | 2 Puppet, Puppetlabs | 2 Puppet, Puppet | 2019-07-10 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request (CSR) to arbitrary locations via (1) a double-encoded key parameter in the URI in 2.7.x, (2) the CN in the Subject of a CSR in 2.6 and 0.25. | |||||
| CVE-2011-3869 | 2 Puppet, Puppetlabs | 2 Puppet, Puppet | 2019-07-10 | 6.3 MEDIUM | N/A |
| Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file. | |||||
| CVE-2011-3870 | 2 Puppet, Puppetlabs | 2 Puppet, Puppet | 2019-07-10 | 6.3 MEDIUM | N/A |
| Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file. | |||||
| CVE-2011-3871 | 2 Puppet, Puppetlabs | 2 Puppet, Puppet | 2019-07-10 | 6.2 MEDIUM | N/A |
| Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files. | |||||
| CVE-2019-5044 | 2019-07-09 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2014-8567 | 2 Redhat, Uninett | 7 Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Server Aus and 4 more | 2019-07-09 | 9.4 HIGH | N/A |
| The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data. | |||||
| CVE-2015-5599 | 1 Powerplay Gallery Project | 1 Powerplay Gallery | 2019-07-09 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) albumid or (2) name parameter. | |||||
| CVE-2019-13367 | 2019-07-08 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2019-13368 | 2019-07-08 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2019-13369 | 2019-07-08 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2015-1055 | 1 10web | 1 Photo Gallery | 2019-07-08 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php. | |||||
| CVE-2015-1393 | 1 10web | 1 Photo Gallery | 2019-07-08 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create gallery request in the galleries_bwg page to wp-admin/admin.php. | |||||
| CVE-2015-4033 | 1 Samsung | 1 S-beam | 2019-07-03 | 3.3 LOW | N/A |
| Samsung SBeam allows remote attackers to read arbitrary images by leveraging an NFC connection to access the HTTP server on port 15000. | |||||
| CVE-2015-5065 | 1 Intelligent-it | 1 Paypal Currency Converter Basic For Woocommerce | 2019-07-03 | 5.0 MEDIUM | N/A |
| Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl parameter. | |||||
| CVE-2003-1582 | 1 Microsoft | 1 Internet Information Server | 2019-07-03 | 2.6 LOW | N/A |
| Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. | |||||
| CVE-2007-1278 | 2 Adobe, Microsoft | 3 Coldfusion, Jrun, Internet Information Server | 2019-07-03 | 4.3 MEDIUM | N/A |
| Unspecified vulnerability in the IIS connector in Adobe JRun 4.0 Updater 6, and ColdFusion MX 6.1 and 7.0 Enterprise, when using Microsoft IIS 6, allows remote attackers to cause a denial of service via unspecified vectors, involving the request of a file in the JRun web root. | |||||
| CVE-2001-0899 | 2 Phpnuke, Rick Fournier | 2 Php-nuke, Network Tools | 2019-07-01 | 7.5 HIGH | N/A |
| Network Tools 0.2 for PHP-Nuke allows remote attackers to execute commands on the server via shell metacharacters in the $hostinput variable. | |||||
| CVE-2008-1308 | 2 Phpnuke, Sudirman Angriawan | 2 Php-nuke, Nukec30 | 2019-07-01 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Sudirman Angriawan NukeC30 3.0 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id_catg parameter in a ViewCatg action to modules.php. | |||||
| CVE-2008-1314 | 2 Johannes Hass, Phpnuke | 2 Gaestebuch Module, Php-nuke | 2019-07-01 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Johannes Hass gaestebuch 2.2 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit action to modules.php. | |||||
| CVE-2008-4767 | 2 Php-nuke, Phpnuke | 2 Downloadsplus Module, Php-nuke | 2019-07-01 | 9.0 HIGH | N/A |
| Unrestricted file upload vulnerability in the DownloadsPlus module in PHP-Nuke allows remote attackers to execute arbitrary code by uploading a file with (1) .htm, (2) .html, or (3) .txt extensions, then accessing it via a direct request to the file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: it is unclear how allowing the upload of .html or .txt files supports arbitrary code execution; this might be legitimate functionality. | |||||
| CVE-2008-4804 | 2 Nukedgallery, Phpnuke | 2 Gallery, Php-nuke | 2019-07-01 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Gallery module 1.3 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the aid parameter in a showalbum action to index.php. NOTE: some of these details are obtained from third party information. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect. | |||||
| CVE-2008-5039 | 2 Php-nuke, Phpnuke | 2 League Module, Php-nuke | 2019-07-01 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the League module for PHP-Nuke, possibly 2.4, allows remote attackers to inject arbitrary web script or HTML via the tid parameter in a team action to modules.php. | |||||
| CVE-2008-6865 | 2 Php-nuke, Phpnuke | 2 Sections Module, Php-nuke | 2019-07-01 | 7.5 HIGH | N/A |
| SQL injection vulnerability in modules.php in the Sectionsnew module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the artid parameter in a printpage action. | |||||
| CVE-2008-7226 | 2 Php-nuke, Phpnuke | 2 Recipe Module, Php-nuke | 2019-07-01 | 7.5 HIGH | N/A |
| SQL injection vulnerability in index.php in the Recipes module 1.3, 1.4, and possibly other versions for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the recipeid parameter. | |||||
| CVE-2010-5083 | 1 Phpnuke | 2 Php-nuke, Web Links Module | 2019-07-01 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Web_Links module for PHP-Nuke 8.0 allows remote attackers to execute arbitrary SQL commands via the url parameter in an Add action to modules.php. | |||||
| CVE-2017-17456 | 2019-06-28 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-14245. Reason: This candidate is a duplicate of CVE-2017-14245. Notes: All CVE users should reference CVE-2017-14245 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2017-17457 | 2019-06-28 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-14246. Reason: This candidate is a duplicate of CVE-2017-14246. Notes: All CVE users should reference CVE-2017-14246 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2019-12983 | 2019-06-27 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-11884. Reason: This candidate is a reservation duplicate of CVE-2019-11884. Notes: All CVE users should reference CVE-2019-11884 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2015-6828 | 1 Securemoz | 1 Security Audit | 2019-06-26 | 6.8 MEDIUM | N/A |
| The tweet_info function in class/__functions.php in the SecureMoz Security Audit plugin 1.0.5 and earlier for WordPress does not use an HTTPS session for downloading serialized data, which allows man-in-the-middle attackers to conduct PHP object injection attacks and execute arbitrary PHP code by modifying the client-server data stream. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2015-6946 | 1 Microfocus | 1 Accurev | 2019-06-26 | 9.3 HIGH | N/A |
| Multiple stack-based buffer overflows in the Reprise License Manager service in Borland AccuRev allow remote attackers to execute arbitrary code via the (1) akey or (2) actserver parameter to the activate_doit function or (3) licfile parameter to the service_startup_doit functionality. | |||||
| CVE-2014-9346 | 1 Hierarchical Select Project | 1 Hierarchical Select | 2019-06-26 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3.9 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to the (1) taxonomy term title for instances with Save term lineage enabled or (2) entity type fields. | |||||
| CVE-2015-3281 | 5 Canonical, Debian, Haproxy and 2 more | 12 Ubuntu Linux, Debian Linux, Haproxy and 9 more | 2019-06-26 | 5.0 MEDIUM | N/A |
| The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1.6-dev does not properly realign a buffer that is used for pending outgoing data, which allows remote attackers to obtain sensitive information (uninitialized memory contents of previous requests) via a crafted request. | |||||
| CVE-2019-12888 | 2019-06-26 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-12887. Reason: This candidate is a reservation duplicate of CVE-2019-12887. Notes: All CVE users should reference CVE-2019-12887 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2015-4413 | 1 Nextendweb | 1 Facebook Connect | 2019-06-25 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the new_fb_sign_button function in nextend-facebook-connect.php in Nextend Facebook Connect plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter. | |||||