Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-4985 3 Adobe, Apple, Microsoft 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more 2020-02-13 5.0 MEDIUM 7.5 HIGH
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-5063 3 Adobe, Apple, Microsoft 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more 2020-02-13 4.3 MEDIUM 6.5 MEDIUM
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-5064 3 Adobe, Apple, Microsoft 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more 2020-02-13 10.0 HIGH 9.8 CRITICAL
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5065 3 Adobe, Apple, Microsoft 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more 2020-02-13 6.8 MEDIUM 8.8 HIGH
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-8476 1 Microsoft 4 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 1 more 2020-02-13 10.0 HIGH 9.8 CRITICAL
A remote code execution vulnerability exists in the way that Windows Deployment Services TFTP Server handles objects in memory, aka "Windows Deployment Services TFTP Server Remote Code Execution Vulnerability." This affects Windows Server 2012 R2, Windows Server 2008, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows Server 2008 R2, Windows 10 Servers.
CVE-2016-5710 1 Netapp 1 Snap Creator Framework 2020-02-13 3.5 LOW 4.6 MEDIUM
NetApp Snap Creator Framework before 4.3P1 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors.
CVE-2019-12518 1 Anviz 1 Crosschex 2020-02-13 10.0 HIGH 9.8 CRITICAL
Anviz CrossChex access control management software 4.3.8.0 and 4.3.12 is vulnerable to a buffer overflow vulnerability.
CVE-2020-0693 1 Microsoft 1 Sharepoint Enterprise Server 2020-02-13 3.5 LOW 5.4 MEDIUM
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0694.
CVE-2020-0694 1 Microsoft 1 Sharepoint Enterprise Server 2020-02-13 3.5 LOW 5.4 MEDIUM
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0693.
CVE-2013-4521 1 Nuxeo 1 Nuxeo 2020-02-13 7.5 HIGH 9.8 CRITICAL
RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.
CVE-2020-0661 1 Microsoft 3 Windows 10, Windows Server 2016, Windows Server 2019 2020-02-13 5.5 MEDIUM 6.8 MEDIUM
A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'. This CVE ID is unique from CVE-2020-0751.
CVE-2019-15615 1 Nextcloud 1 Nextcloud 2020-02-13 3.6 LOW 6.1 MEDIUM
A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past.
CVE-2018-7158 1 Nodejs 1 Node.js 2020-02-13 5.0 MEDIUM 7.5 HIGH
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.
CVE-2014-7863 1 Zohocorp 3 Manageengine Applications Manager, Manageengine It360, Manageengine Opmanager 2020-02-13 5.0 MEDIUM 7.5 HIGH
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
CVE-2019-19195 1 Microchip 2 Atmsamb11 Blusdk Smart, Atsamb11 2020-02-13 6.1 MEDIUM 6.5 MEDIUM
The Bluetooth Low Energy implementation on Microchip Technology BluSDK Smart through 6.2 for ATSAMB11 devices does not properly restrict link-layer data length on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet.
CVE-2019-17060 1 Nxp 2 Kw41z, Mcuxpresso Software Development Kit 2020-02-13 6.1 MEDIUM 6.5 MEDIUM
The Bluetooth Low Energy (BLE) stack implementation on the NXP KW41Z (based on the MCUXpresso SDK with Bluetooth Low Energy Driver 2.2.1 and earlier) does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero. This allows attackers within radio range to cause deadlocks, cause anomalous behavior in the BLE state machine, or trigger a buffer overflow via a crafted BLE Link Layer frame.
CVE-2018-7159 1 Nodejs 1 Node.js 2020-02-13 5.0 MEDIUM 5.3 MEDIUM
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.
CVE-2013-0517 1 Ibm 1 Sterling External Authentication Server 2020-02-13 7.2 HIGH 7.8 HIGH
A Command Execution Vulnerability exists in IBM Sterling External Authentication Server 2.2.0, 2.3.01, 2.4.0, and 2.4.1 via an unspecified OS command, which could let a local malicious user execute arbitrary code.
CVE-2013-3684 1 Imagely 1 Nextgen Gallery 2020-02-13 10.0 HIGH 9.8 CRITICAL
NextGEN Gallery plugin before 1.9.13 for WordPress: ngggallery.php file upload
CVE-2019-1020007 1 Owasp 1 Dependency-track 2020-02-13 3.5 LOW 5.4 MEDIUM
Dependency-Track before 3.5.1 allows XSS.
CVE-2017-0938 1 Ui 4 Airmax Ac, Airos, Edgemax and 1 more 2020-02-13 5.0 MEDIUM 7.5 HIGH
Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks.
CVE-2018-12590 1 Ui 2 Edgeswitch, Edgeswitch Firmware 2020-02-13 9.0 HIGH 7.2 HIGH
Ubiquiti Networks EdgeSwitch version 1.7.3 and prior suffer from an externally controlled format-string vulnerability due to lack of protection on the admin CLI, leading to code execution and privilege escalation greater than administrators themselves are allowed. An attacker with access to an admin account could escape the restricted CLI and execute arbitrary code.
CVE-2012-6449 1 Cpanel 2 Cpanel, Whm 2020-02-13 3.5 LOW 5.4 MEDIUM
The clientconf.html and detailbw.html pages in x3 in cPanel & WHM 11.34.0 (build 8) have a XSS vulnerability.
CVE-2019-14514 1 Microvirt 1 Memu 2020-02-13 10.0 HIGH 9.8 CRITICAL
An issue was discovered in Microvirt MEmu all versions prior to 7.0.2. A guest Android operating system inside the MEmu emulator contains a /system/bin/systemd binary that is run with root privileges on startup (this is unrelated to Red Hat's systemd init program, and is a closed-source proprietary tool that seems to be developed by Microvirt). This program opens TCP port 21509, presumably to receive installation-related commands from the host OS. Because everything after the installer:uninstall command is concatenated directly into a system() call, it is possible to execute arbitrary commands by supplying shell metacharacters.
CVE-2014-8347 1 Claris 2 Filemaker Pro, Filemaker Pro Advanced 2020-02-13 4.6 MEDIUM 7.8 HIGH
An Authentication Bypass vulnerability exists in the MatchPasswordData function in DBEngine.dll in Filemaker Pro 13.03 and Filemaker Pro Advanced 12.04, which could let a malicious user obtain elevated privileges.
CVE-2013-1360 1 Sonicwall 4 Analyzer, Global Management System, Universal Management Appliance and 1 more 2020-02-13 10.0 HIGH 9.8 CRITICAL
An Authentication Bypass vulnerability exists in DELL SonicWALL Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0, Analyzer 7.0, Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, and 6.0 via a crafted request to the SGMS interface, which could let a remote malicious user obtain administrative access.
CVE-2013-2198 1 Login Security Project 1 Login Security 2020-02-13 7.5 HIGH 9.8 CRITICAL
The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows attackers to bypass intended restrictions via a crafted username.
CVE-2012-1124 1 Phxeventmanager Project 1 Phxeventmanager 2020-02-13 7.5 HIGH 9.8 CRITICAL
SQL injection vulnerability in search.php in phxEventManager 2.0 beta 5 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.
CVE-2013-4535 2 Qemu, Redhat 6 Qemu, Enterprise Linux Desktop, Enterprise Linux Server and 3 more 2020-02-13 7.2 HIGH 8.8 HIGH
The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.
CVE-2020-6769 1 Bosch 8 Divar Ip 2000, Divar Ip 2000 Firmware, Divar Ip 3000 and 5 more 2020-02-12 6.4 MEDIUM 9.1 CRITICAL
Missing Authentication for Critical Function in the Bosch Video Streaming Gateway (VSG) allows an unauthenticated remote attacker to retrieve and set arbitrary configuration data of the Video Streaming Gateway. A successful attack can impact the confidentiality and availability of live and recorded video data of all cameras configured to be controlled by the VSG as well as the recording storage associated with the VSG. This affects Bosch Video Streaming Gateway versions 6.45 <= 6.45.08, 6.44 <= 6.44.022, 6.43 <= 6.43.0023 and 6.42.10 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable VSG version is installed with BVMS. This affects Bosch DIVAR IP 2000 <= 3.62.0019 and DIVAR IP 5000 <= 3.80.0039 if the corresponding port 8023 has been opened in the device's firewall.
CVE-2017-18642 1 Syska 2 Smartlight Rainbow Led Smart Bulb, Smartlight Rainbow Led Smart Bulb Firmware 2020-02-12 3.3 LOW 6.5 MEDIUM
Syska Smart Bulb devices through 2017-08-06 receive RGB parameters over cleartext Bluetooth Low Energy (BLE), leading to sniffing, reverse engineering, and replay attacks.
CVE-2019-1566 1 Paloaltonetworks 1 Pan-os 2020-02-12 4.3 MEDIUM 6.1 MEDIUM
The PAN-OS management web interface in PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier, may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML.
CVE-2012-4519 1 Zenphoto 1 Zenphoto 2020-02-12 4.3 MEDIUM 6.1 MEDIUM
Zenphoto before 1.4.3.4 admin-news-articles.php date parameter XSS.
CVE-2009-4067 2 Linux, Redhat 2 Linux Kernel, Enterprise Linux 2020-02-12 7.2 HIGH 6.8 MEDIUM
Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system.
CVE-2015-2909 1 Netvu 40 Ds2 \(dvtr\), Ds2 \(dvtr\) Firmware, Ds2 \(dvtu\) and 37 more 2020-02-12 10.0 HIGH 9.8 CRITICAL
Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 devices rely on a GUI warning to help ensure that the administrator configures login credentials, which makes it easier for remote attackers to obtain access by leveraging situations in which this warning was not heeded. NOTE: the vendor states "The user is presented with clear warnings on the GUI that they should set usernames and passwords."
CVE-2017-0935 1 Ui 1 Edgeos 2020-02-12 9.0 HIGH 8.8 HIGH
Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. An attacker with access to an operator (read-only) account could escalate privileges to admin (root) access in the system.
CVE-2014-9753 1 Atutor 1 Atutor 2020-02-12 7.5 HIGH 9.8 CRITICAL
confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.
CVE-2019-11481 2 Apport Project, Canonical 2 Apport, Ubuntu Linux 2020-02-12 6.1 MEDIUM 7.8 HIGH
Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges. By replacing the file with a symbolic link, a user could get apport to read any file on the system as root, with unknown consequences.
CVE-2012-6720 1 Socialengine 1 Socialengine 2020-02-12 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine before 4.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to music/create, (2) location parameter to events/create, or (3) search parameter to widget/index/content_id/*.
CVE-2012-6721 1 Socialengine 1 Socialengine 2020-02-12 6.8 MEDIUM 6.3 MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Forum, (2) Event, and (3) Classifieds plugins in SocialEngine before 4.2.4.
CVE-2015-5627 1 Yokogawa 29 B\/m9000 Vp, B\/m9000 Vp Firmware, B\/m9000cs and 26 more 2020-02-12 10.0 HIGH 9.8 CRITICAL
Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and earlier, CENTUM CS 3000 R3.09.50 and earlier, CENTUM CS 3000 Entry R3.09.50 and earlier, CENTUM VP R5.04.20 and earlier, CENTUM VP Entry R5.04.20 and earlier, ProSafe-RS R3.02.10 and earlier, Exaopc R3.72.00 and earlier, Exaquantum R2.85.00 and earlier, Exaquantum/Batch R2.50.30 and earlier, Exapilot R3.96.10 and earlier, Exaplog R3.40.00 and earlier, Exasmoc R4.03.20 and earlier, Exarqe R4.03.20 and earlier, Field Wireless Device OPC Server R2.01.02 and earlier, PRM R3.12.00 and earlier, STARDOM VDS R7.30.01 and earlier, STARDOM OPC Server for Windows R3.40 and earlier, FAST/TOOLS R10.01 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.04 and earlier, and FieldMate R1.01 or R1.02 allows remote attackers to cause a denial of service (process outage) via a crafted packet.
CVE-2014-2052 1 Owncloud 1 Owncloud 2020-02-12 7.5 HIGH 9.8 CRITICAL
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
CVE-2015-5628 1 Yokogawa 29 B\/m9000 Vp, B\/m9000 Vp Firmware, B\/m9000cs and 26 more 2020-02-12 10.0 HIGH 9.8 CRITICAL
Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and earlier, CENTUM CS 3000 R3.09.50 and earlier, CENTUM CS 3000 Entry R3.09.50 and earlier, CENTUM VP R5.04.20 and earlier, CENTUM VP Entry R5.04.20 and earlier, ProSafe-RS R3.02.10 and earlier, Exaopc R3.72.00 and earlier, Exaquantum R2.85.00 and earlier, Exaquantum/Batch R2.50.30 and earlier, Exapilot R3.96.10 and earlier, Exaplog R3.40.00 and earlier, Exasmoc R4.03.20 and earlier, Exarqe R4.03.20 and earlier, Field Wireless Device OPC Server R2.01.02 and earlier, PRM R3.12.00 and earlier, STARDOM VDS R7.30.01 and earlier, STARDOM OPC Server for Windows R3.40 and earlier, FAST/TOOLS R10.01 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.04 and earlier, and FieldMate R1.01 or R1.02 allows remote attackers to execute arbitrary code via a crafted packet.
CVE-2014-3827 1 Mybb 1 Mybb 2020-02-12 3.5 LOW 5.4 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php.
CVE-2013-4267 1 Pydio 1 Pydio 2020-02-12 10.0 HIGH 9.8 CRITICAL
Ajaxeplorer before 5.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) archive_name parameter to the Power FS module (plugins/action.powerfs/class.PowerFSController.php), a (2) file name to the getTrustSizeOnFileSystem function in the File System (Standard) module (plugins/access.fs/class.fsAccessWrapper.php), or the (3) revision parameter to the Subversion Repository module (plugins/meta.svn/class.SvnManager.php).
CVE-2020-8841 1 Testlink 1 Testlink 2020-02-12 6.5 MEDIUM 8.8 HIGH
An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection.
CVE-2020-6768 1 Bosch 5 Divar Ip 3000, Divar Ip 7000, Divar Ip All-in-one 5000 and 2 more 2020-02-12 5.0 MEDIUM 7.5 HIGH
A path traversal vulnerability in the Bosch Video Management System (BVMS) NoTouch deployment allows an unauthenticated remote attacker to read arbitrary files from the Central Server. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch BVMS Viewer versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable BVMS version is installed.
CVE-2015-5626 1 Yokogawa 29 B\/m9000 Vp, B\/m9000 Vp Firmware, B\/m9000cs and 26 more 2020-02-12 10.0 HIGH 9.8 CRITICAL
Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and earlier, CENTUM CS 3000 R3.09.50 and earlier, CENTUM CS 3000 Entry R3.09.50 and earlier, CENTUM VP R5.04.20 and earlier, CENTUM VP Entry R5.04.20 and earlier, ProSafe-RS R3.02.10 and earlier, Exaopc R3.72.00 and earlier, Exaquantum R2.85.00 and earlier, Exaquantum/Batch R2.50.30 and earlier, Exapilot R3.96.10 and earlier, Exaplog R3.40.00 and earlier, Exasmoc R4.03.20 and earlier, Exarqe R4.03.20 and earlier, Field Wireless Device OPC Server R2.01.02 and earlier, PRM R3.12.00 and earlier, STARDOM VDS R7.30.01 and earlier, STARDOM OPC Server for Windows R3.40 and earlier, FAST/TOOLS R10.01 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.04 and earlier, and FieldMate R1.01 or R1.02 allows remote attackers to cause a denial of service (network-communications outage) via a crafted packet.
CVE-2013-1760 1 Thebuggenie 1 The Bug Genie 2020-02-12 4.3 MEDIUM 6.1 MEDIUM
The Bug Genie before 3.2.6 has Multiple XSS and HTML Injection Vulnerabilities
CVE-2014-2225 1 Ui 3 Airvision Controller, Mfi Controller, Unifi Controller 2020-02-12 6.8 MEDIUM 8.8 HIGH
Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity.