Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-3821 1 Arialsoftware 1 Campaign Enterprise 2020-01-22 4.0 MEDIUM 4.3 MEDIUM
A Security Bypass vulnerability exists in the activate.asp page in Arial Software Campaign Enterprise 11.0.551, which could let a remote malicious user modify the SerialNumber field.
CVE-2012-1562 1 Joomla 1 Joomla\! 2020-01-22 5.0 MEDIUM 7.5 HIGH
Joomla! core before 2.5.3 allows unauthorized password change.
CVE-2019-18588 1 Dell 2 Emc Powermax, Emc Unisphere For Powermax 2020-01-22 3.5 LOW 5.4 MEDIUM
Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject javascript code and affect other authenticated users' sessions.
CVE-2019-6320 1 Hp 16 Deskjet 3630 F5s43a, Deskjet 3630 F5s43a Firmware, Deskjet 3630 F5s57a and 13 more 2020-01-22 5.8 MEDIUM 8.1 HIGH
Certain HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4T93A - K4T99C, K4U00B - K4U03B, and V3F21A - V3F22A (firmware version SWP1FN1912BR or higher) have a Cross-Site Request Forgery (CSRF) vulnerability that could lead to a denial of service (DOS) or device misconfiguration.
CVE-2019-6319 1 Hp 16 Deskjet 3630 F5s43a, Deskjet 3630 F5s43a Firmware, Deskjet 3630 F5s57a and 13 more 2020-01-22 5.8 MEDIUM 8.1 HIGH
HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4T93A - K4T99C, K4U00B - K4U03B, and V3F21A - V3F22A (firmware version SWP1FN1912BR or higher) have a Cross-Site Request Forgery (CSRF) vulnerability that could lead to a denial of service (DOS) or device misconfiguration.
CVE-2015-8549 1 Pyamf 1 Pyamf 2020-01-22 5.8 MEDIUM 7.1 HIGH
XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.
CVE-2020-2092 1 Jenkins 1 Robot Framework 2020-01-22 6.5 MEDIUM 8.8 HIGH
Jenkins Robot Framework Plugin 2.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing users with Job/Configure to have Jenkins parse crafted XML documents.
CVE-2012-1260 1 Plixer 1 Scrutinizer Netflow \& Sflow Analyzer 2020-01-22 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allows remote attackers to inject arbitrary web script or HTML via the newUser parameter. NOTE: this might not be a vulnerability, since an administrator might already have the privileges to create arbitrary script.
CVE-2012-1258 1 Plixer 1 Scrutinizer Netflow \& Sflow Analyzer 2020-01-22 4.0 MEDIUM 6.5 MEDIUM
cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer before 9.0.1.19899 does not validate user permissions, which allow remote attackers to add user accounts with administrator privileges via the newuser, pwd, and selectedUserGroup parameters.
CVE-2012-2931 1 Tinywebgallery 1 Tinywebgallery 2020-01-22 6.5 MEDIUM 7.2 HIGH
PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file.
CVE-2015-6497 2 Magento, Php 2 Magento, Php 2020-01-22 6.5 MEDIUM 8.8 HIGH
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.
CVE-2017-3211 1 Yopify 1 Yopify 2020-01-22 5.0 MEDIUM 5.3 MEDIUM
Yopify, an e-commerce notification plugin, up to April 06, 2017, leaks the first name, last initial, city, and recent purchase data of customers, all without user authorization.
CVE-2013-6430 1 Pivotal Software 1 Spring Framework 2020-01-22 3.5 LOW 5.4 MEDIUM
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
CVE-2018-1351 1 Fortinet 1 Fortimanager 2020-01-22 3.5 LOW 4.8 MEDIUM
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.6 and below versions allows attacker to execute HTML/javascript code via managed remote devices CLI commands by viewing the remote device CLI config installation log.
CVE-2018-19442 1 Neatorobotics 2 Botvac Connected, Botvac Connected Firmware 2020-01-22 10.0 HIGH 9.8 CRITICAL
A Buffer Overflow in Network::AuthenticationClient::VerifySignature in /bin/astro in Neato Botvac Connected 2.2.0 allows a remote attacker to execute arbitrary code with root privileges via a crafted POST request to a vendors/neato/robots/[robot_serial]/messages Neato cloud URI on the nucleo.neatocloud.com web site (port 4443).
CVE-2019-19495 1 Technicolor 2 Tc7230 Steb, Tc7230 Steb Firmware 2020-01-22 10.0 HIGH 9.8 CRITICAL
The web interface on the Technicolor TC7230 STEB 01.25 is vulnerable to DNS rebinding, which allows a remote attacker to configure the cable modem via JavaScript in a victim's browser. The attacker can then configure the cable modem to port forward the modem's internal TELNET server, allowing external access to a root shell.
CVE-2019-19820 1 Kyrol 1 Internet Security 2020-01-22 7.2 HIGH 7.8 HIGH
An invalid pointer vulnerability in IOCTL Handling in the kyrld.sys driver in Kyrol Internet Security 9.0.6.9 allows an attacker to achieve privilege escalation, denial-of-service, and code execution via usermode because 0x9C402405 using METHOD_NEITHER results in a read primitive.
CVE-2020-5195 1 Cerberusftp 1 Ftp Server 2020-01-22 4.3 MEDIUM 6.1 MEDIUM
Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folder_up.png IMG element not properly sanitizing user-inserted directory paths. The path modification must be done on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability impacts anyone who clicks the malicious link crafted by the attacker.
CVE-2017-5606 1 Xabber 1 Xabber 2020-01-22 4.3 MEDIUM 5.9 MEDIUM
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 - 1.0.74; Android).
CVE-2019-5082 1 Wago 4 Pfc100, Pfc100 Firmware, Pfc200 and 1 more 2020-01-22 7.5 HIGH 9.8 CRITICAL
An exploitable heap buffer overflow vulnerability exists in the iocheckd service I/O-Check functionality of WAGO PFC200 Firmware version 03.01.07(13), WAGO PFC200 Firmware version 03.00.39(12), and WAGO PFC100 Firmware version 03.00.39(12). A specially crafted set of packets can cause a heap buffer overflow, potentially resulting in code execution. An attacker can send unauthenticated packets to trigger this vulnerability.
CVE-2012-4750 1 Ezhometech 1 Ezserver 2020-01-22 7.5 HIGH 9.8 CRITICAL
A Code Execution vulnerability exists in the memcpy function when processing AMF requests in Ezhometech EzServer 7.0, which could let a remote malicious user execute arbitrary code or cause a Denial of Service
CVE-2012-4761 1 Safend 1 Data Protector Agent 2020-01-22 7.2 HIGH 7.8 HIGH
A Privilege Escalation vulnerability exists in the unquoted Service Binary in SDPAgent or SDBAgent in Safend Data Protector Agent 3.4.5586.9772, which could let a local malicious user obtain privileges.
CVE-2015-5952 1 Thomsonreuters 1 Fatca 2020-01-22 10.0 HIGH 9.8 CRITICAL
Directory traversal vulnerability in Thomson Reuters for FATCA before 5.2 allows remote attackers to execute arbitrary files via the item parameter.
CVE-2019-18583 2020-01-22 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.
CVE-2019-18584 2020-01-22 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.
CVE-2019-18585 2020-01-22 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.
CVE-2019-18586 2020-01-22 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.
CVE-2018-13042 1 1password 1 1password 2020-01-22 4.3 MEDIUM 5.9 MEDIUM
The 1Password application 6.8 for Android is affected by a Denial Of Service vulnerability. By starting the activity com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity or com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity from an external application (since they are exported), it is possible to crash the 1Password instance.
CVE-2012-6369 1 1password 1 1password 2020-01-22 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Troubleshooting Reporting System feature in AgileBits 1Password 3.9.9 might allow remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header that is not properly handled in a View Troubleshooting Report action.
CVE-2019-14034 1 Qualcomm 54 Apq8009, Apq8009 Firmware, Apq8053 and 51 more 2020-01-22 7.2 HIGH 7.8 HIGH
Use after free while processing eeprom query as there is a chance to not unlock mutex after error occurs in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8053, MSM8909W, MSM8917, MSM8953, Nicobar, QCS605, QM215, Rennell, SA6155P, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
CVE-2019-17650 1 Fortinet 1 Forticlient 2020-01-22 7.2 HIGH 7.8 HIGH
An Improper Neutralization of Special Elements used in a Command vulnerability in one of FortiClient for Mac OS root processes, may allow a local user of the system on which FortiClient is running to execute unauthorized code as root by bypassing a security check.
CVE-2017-5591 3 Poezio, Sleekxmpp Project, Slixmpp Project 3 Poezio, Sleekxmpp, Slixmpp 2020-01-22 4.3 MEDIUM 5.9 MEDIUM
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.
CVE-2020-6859 1 Ultimatemember 1 Ultimate Member 2020-01-22 5.0 MEDIUM 5.3 MEDIUM
Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image.
CVE-2012-4284 1 Sparklabs 1 Viscosity 2020-01-22 10.0 HIGH 9.8 CRITICAL
A Privilege Escalation vulnerability exists in Viscosity 1.4.1 on Mac OS X due to a path name validation issue in the setuid-set ViscosityHelper binary, which could let a remote malicious user execute arbitrary code
CVE-2020-0617 1 Microsoft 3 Windows 10, Windows Server 2016, Windows Server 2019 2020-01-22 4.9 MEDIUM 6.0 MEDIUM
A denial of service vulnerability exists when Microsoft Hyper-V Virtual PCI on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Hyper-V Denial of Service Vulnerability'.
CVE-2020-6836 1 Hot-formula-parser Project 1 Hot-formula-parser 2020-01-22 7.5 HIGH 9.8 CRITICAL
grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may allow attackers to run arbitrary commands on the server.
CVE-2020-5395 1 Fontforge 1 Fontforge 2020-01-22 6.8 MEDIUM 8.8 HIGH
FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c.
CVE-2020-5496 1 Fontforge 1 Fontforge 2020-01-22 6.8 MEDIUM 8.8 HIGH
FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c.
CVE-2018-16140 2 Canonical, Fig2dev Project 2 Ubuntu Linux, Fig2dev 2020-01-22 6.8 MEDIUM 7.8 HIGH
A buffer underwrite vulnerability in get_line() (read.c) in fig2dev 3.2.7a allows an attacker to write prior to the beginning of the buffer via a crafted .fig file.
CVE-2019-19555 1 Xfig Project 1 Xfig 2020-01-22 4.3 MEDIUM 5.5 MEDIUM
read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based buffer overflow because of an incorrect sscanf.
CVE-2020-1810 1 Huawei 6 Cloudengine 12800, Cloudengine 12800 Firmware, S5700 and 3 more 2020-01-21 5.0 MEDIUM 5.3 MEDIUM
There is a weak algorithm vulnerability in some Huawei products. The affected products use the RSA algorithm in the SSL key exchange algorithm which have been considered as a weak algorithm. Attackers may exploit this vulnerability to leak some information.
CVE-2017-18207 1 Python 1 Python 2020-01-21 4.3 MEDIUM 6.5 MEDIUM
** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications "need to be prepared to handle a wide variety of exceptions."
CVE-2019-15691 1 Tigervnc 1 Tigervnc 2020-01-21 6.5 MEDIUM 7.2 HIGH
TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder may try to access stack variable, which has been already freed during the process of stack unwinding. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.
CVE-2019-15692 1 Tigervnc 1 Tigervnc 2020-01-21 6.5 MEDIUM 7.2 HIGH
TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow. Vulnerability could be triggered from CopyRectDecoder due to incorrect value checks. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.
CVE-2019-15693 1 Tigervnc 1 Tigervnc 2020-01-21 6.5 MEDIUM 7.2 HIGH
TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow, which occurs in TightDecoder::FilterGradient. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.
CVE-2020-2096 1 Jenkins 1 Gitlab Hook 2020-01-21 4.3 MEDIUM 6.1 MEDIUM
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
CVE-2013-6231 1 Eng 1 Spagobi 2020-01-21 9.0 HIGH 8.8 HIGH
SpagoBI before 4.1 has Privilege Escalation via an error in the AdapterHTTP script
CVE-2020-0605 1 Microsoft 10 .net Core, .net Framework, Windows 10 and 7 more 2020-01-21 9.3 HIGH 8.8 HIGH
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0606.
CVE-2020-5498 2020-01-21 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2016-8204 1 Broadcom 1 Brocade Network Advisor 2020-01-21 10.0 HIGH 9.8 CRITICAL
A Directory Traversal vulnerability in FileReceiveServlet in the Brocade Network Advisor versions released prior to and including 14.0.2 could allow remote attackers to upload a malicious file in a section of the file system where it can be executed.