Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-6829 1 Gnupg 1 Libgcrypt 2020-01-15 5.0 MEDIUM 7.5 HIGH
cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.
CVE-2019-5718 2 Debian, Wireshark 2 Debian Linux, Wireshark 2020-01-15 4.3 MEDIUM 5.5 MEDIUM
In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the RTSE dissector and other ASN.1 dissectors could crash. This was addressed in epan/charsets.c by adding a get_t61_string length check.
CVE-2019-20348 1 Okerthai 2 G232v1, G232v1 Firmware 2020-01-15 7.2 HIGH 6.8 MEDIUM
OKER G232V1 v1.03.02.20161129 devices provide a root terminal on a UART serial interface without proper access control. This allows attackers with physical access to interrupt the boot sequence in order to execute arbitrary commands with root privileges and conduct further attacks.
CVE-2016-6585 1 Symantec 1 Norton Mobile Security 2020-01-15 3.5 LOW 5.3 MEDIUM
A Denial of Service vulnerability exists in Symantec Norton Mobile Security for Android prior to 3.16, which could let a remote malicious user conduct a man-in-the-middle attack via specially crafted JavaScript.
CVE-2012-3823 1 Arialsoftware 1 Campaign Enterprise 2020-01-15 5.0 MEDIUM 7.5 HIGH
Arial Campaign Enterprise before 11.0.551 stores passwords in clear text and these may be retrieved.
CVE-2013-4532 3 Canonical, Debian, Qemu 3 Ubuntu Linux, Debian Linux, Qemu 2020-01-15 4.6 MEDIUM 7.8 HIGH
Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
CVE-2012-3822 1 Arialsoftware 1 Campaign Enterprise 2020-01-15 5.0 MEDIUM 7.5 HIGH
Arial Campaign Enterprise before 11.0.551 has unauthorized access to the User-Edit.asp page, which allows remote attackers to enumerate users' credentials.
CVE-2017-17309 1 Huawei 2 Hg255s-10, Hg255s-10 Firmware 2020-01-15 7.8 HIGH 7.5 HIGH
Huawei HG255s-10 V100R001C163B025SP02 has a path traversal vulnerability due to insufficient validation of the received HTTP requests, a remote attacker may access the local files on the device without authentication.
CVE-2019-19817 1 Gonitro 1 Nitro Free Pdf Reader 2020-01-15 4.3 MEDIUM 5.5 MEDIUM
The JBIG2Decode library in npdf.dll in Nitro Free PDF Reader 12.0.0.112 has a CAPPDAnnotHandlerUtils::PDAnnotHandlerDestroyData2+0x2e8a Out-of-Bounds Read via crafted Unicode content.
CVE-2019-20179 1 Soplanning 1 Soplanning 2020-01-15 6.5 MEDIUM 8.8 HIGH
SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter.
CVE-2020-6848 1 Axper 2 Vision Ii, Vision Ii Firmware 2020-01-15 4.3 MEDIUM 6.1 MEDIUM
Axper Vision II 4 devices allow XSS via the DEVICE_NAME (aka Device Name) parameter to the configWebParams.cgi URI.
CVE-2019-19819 1 Gonitro 1 Nitropdf 2020-01-15 4.3 MEDIUM 5.5 MEDIUM
The JBIG2Globals library in npdf.dll in Nitro Free PDF Reader 12.0.0.112 has a CAPPDAnnotHandlerUtils::PDAnnotHandlerDestroyData2+0x90ec NULL Pointer Dereference via crafted Unicode content.
CVE-2016-6586 1 Symantec 1 Norton Mobile Security 2020-01-15 4.3 MEDIUM 3.7 LOW
A security bypass vulnerability exists in Symantec Norton Mobile Security for Android before 3.16, which could let a malicious user conduct a man-in-the-middle via specially crafted JavaScript to add arbitrary URLs to the URL whitelist.
CVE-2012-2142 4 Freedesktop, Opensuse, Redhat and 1 more 4 Poppler, Opensuse, Enterprise Linux and 1 more 2020-01-15 6.8 MEDIUM 7.8 HIGH
The error function in Error.cc in poppler before 0.21.4 allows remote attackers to execute arbitrary commands via a PDF containing an escape sequence for a terminal emulator.
CVE-2018-18811 2020-01-15 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2018. Notes: none.
CVE-2019-14843 1 Redhat 2 Jboss Enterprise Application Platform, Single Sign-on 2020-01-15 6.5 MEDIUM 8.8 HIGH
A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.
CVE-2011-5250 1 Prophecyinternational 1 Snare 2020-01-15 4.3 MEDIUM 6.5 MEDIUM
Snare for Linux before 1.7.0 has CSRF in the web interface.
CVE-2020-6758 1 Rasilient 2 Pixelstor 5000, Pixelstor 5000 Firmware 2020-01-15 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in Option/optionsAll.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows remote attackers to inject arbitrary web script or HTML via the ContentFrame parameter.
CVE-2019-1332 1 Microsoft 3 Power Bi Report Server, Sql Server 2017 Reporting Services, Sql Server 2019 Reporting Services 2020-01-15 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka 'Microsoft SQL Server Reporting Services XSS Vulnerability'.
CVE-2019-20343 1 Mojohaus 1 Exec Maven 2020-01-15 7.5 HIGH 9.8 CRITICAL
The MojoHaus Exec Maven plugin 1.1.1 for Maven allows code execution via a crafted XML document because a configuration element (within a plugin element) can specify an arbitrary program in an executable element (and can also specify arbitrary command-line arguments in an arguments element).
CVE-2020-5519 1 Litespeedtech 1 Openlitespeed 2020-01-15 7.5 HIGH 9.8 CRITICAL
The WebAdmin Console in OpenLiteSpeed before v1.6.5 does not strictly check request URLs, as demonstrated by the "Server Configuration > External App" screen.
CVE-2012-5878 1 Bulbsecurity 1 Smartphone Pentest Framework 2020-01-15 10.0 HIGH 9.8 CRITICAL
Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the hostingPath parameter to (1) SEAttack.pl or (2) CSAttack.pl in frameworkgui/ or the (3) appURLPath parameter to frameworkgui/attachMobileModem.pl.
CVE-2020-5499 1 Apache 1 Rust Sgx Sdk 2020-01-15 7.5 HIGH 9.8 CRITICAL
Baidu Rust SGX SDK through 1.0.8 has an enclave ID race. There are non-deterministic results in which, sometimes, two global IDs are the same.
CVE-2019-10205 1 Redhat 1 Quay 2020-01-15 4.6 MEDIUM 6.3 MEDIUM
A flaw was found in the way Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries in the Red Hat Quay database could use the tokens to read or write container images stored in the registry.
CVE-2018-12417 2020-01-15 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2019-15910 1 Asus 14 As-101, As-101 Firmware, Dl-101 and 11 more 2020-01-15 5.0 MEDIUM 7.5 HIGH
An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO. Attackers can utilize the "discover ZigBee network procedure" to perform a denial of service attack.
CVE-2019-14837 1 Redhat 2 Keycloak, Single Sign-on 2020-01-15 6.4 MEDIUM 9.1 CRITICAL
A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.
CVE-2019-16716 1 Open-xchange 1 Open-xchange Appsuite 2020-01-15 8.5 HIGH 6.6 MEDIUM
OX App Suite through 7.10.2 has Incorrect Access Control.
CVE-2019-6331 1 Hp 1 Samsung Mobile Print 2020-01-15 2.1 LOW 3.3 LOW
An issue was found in Samsung Mobile Print (Android) versions prior to 4.08.007. A potential security vulnerability caused by incomplete obfuscation of application configuration information.
CVE-2014-8337 1 Helpdezk 1 Helpdezk 2020-01-15 7.5 HIGH 9.8 CRITICAL
Unrestricted file upload vulnerability in includes/classes/uploadify-v2.1.4/uploadify.php in HelpDEZk 1.0.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the folder parameter.
CVE-2020-1786 1 Huawei 2 Mate 20 Pro, Mate 20 Pro Firmware 2020-01-15 2.1 LOW 4.6 MEDIUM
HUAWEI Mate 20 Pro smartphones versions earlier than 10.0.0.175(C00E69R3P8) have an improper authentication vulnerability. The software does not sufficiently validate the name of apk file in a special condition which could allow an attacker to forge a crafted application as a normal one. Successful exploit could allow the attacker to bypass digital balance function.
CVE-2015-1850 2020-01-15 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not an exploitable issue. Notes: none.
CVE-2014-8516 1 Cloudfastpath 1 Netcharts Server 2020-01-15 10.0 HIGH 9.8 CRITICAL
Unrestricted file upload vulnerability in Visual Mining NetCharts Server allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.
CVE-2020-6632 1 Prestashop 1 Prestashop 2020-01-15 4.3 MEDIUM 6.1 MEDIUM
In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js.
CVE-2020-6163 1 Mediawiki 1 Mediawiki 2020-01-15 4.3 MEDIUM 6.1 MEDIUM
The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because of improper template syntax within the PropertySuggestionsWidget template (in the templates/search/PropertySuggestionsWidget.mustache+dom file).
CVE-2019-19995 1 Intelbras 2 Iwr 3000n, Iwr 3000n Firmware 2020-01-15 9.3 HIGH 8.8 HIGH
A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user.
CVE-2013-4982 1 Avtech 2 Avn801 Dvr, Avn801 Dvr Firmware 2020-01-15 7.5 HIGH 9.8 CRITICAL
AVTECH AVN801 DVR has a security bypass via the administration login captcha
CVE-2019-18842 1 Usriot 8 Usr-wifi232-g2, Usr-wifi232-g2 Firmware, Usr-wifi232-h and 5 more 2020-01-15 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in the configuration web interface of the Jinan USR IOT USR-WIFI232-S/T/G2/H Low Power WiFi Module with web version 1.2.2 allows attackers to leak credentials of the Wi-Fi access point the module is logged into, and the web interface login credentials, by opening a Wi-Fi access point nearby with a malicious SSID.
CVE-2020-1925 1 Apache 1 Olingo 2020-01-15 5.0 MEDIUM 7.5 HIGH
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker.
CVE-2013-3939 1 Xnview 1 Xnview 2020-01-15 6.8 MEDIUM 7.8 HIGH
xnview.exe in XnView before 2.13 does not properly handle RLE strip lengths during processing of RGB files, which allows remote attackers to execute arbitrary code via the RLE strip size field in a RGB file, which leads to an unexpected sign extension error and a heap-based buffer overflow.
CVE-2019-18466 1 Libpod Project 1 Libpod 2020-01-15 5.8 MEDIUM 5.5 MEDIUM
An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.
CVE-2019-20175 1 Qemu 1 Qemu 2020-01-15 5.0 MEDIUM 7.5 HIGH
** DISPUTED ** An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert."
CVE-2013-3619 2 Citrix, Supermicro 10 Netscaler, Netscaler Firmware, Netscaler Sd-wan and 7 more 2020-01-15 4.3 MEDIUM 8.1 HIGH
Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before SMT_X9_317 and firmware for Supermicro X8 generation motherboards before SMT X8 312 contain harcoded private encryption keys for the (1) Lighttpd web server SSL interface and the (2) Dropbear SSH daemon.
CVE-2019-2224 2020-01-15 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-15140. Reason: This candidate is a duplicate of CVE-2019-15140. Notes: All CVE users should reference CVE-2019-15140 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2019-19950 1 Graphicsmagick 1 Graphicsmagick 2020-01-15 7.5 HIGH 9.8 CRITICAL
In GraphicsMagick 1.4 snapshot-20190403 Q8, there is a use-after-free in ThrowException and ThrowLoggedException of magick/error.c.
CVE-2019-19951 1 Graphicsmagick 1 Graphicsmagick 2020-01-15 7.5 HIGH 9.8 CRITICAL
In GraphicsMagick 1.4 snapshot-20190423 Q8, there is a heap-based buffer overflow in the function ImportRLEPixels of coders/miff.c.
CVE-2019-19953 1 Graphicsmagick 1 Graphicsmagick 2020-01-15 6.4 MEDIUM 9.1 CRITICAL
In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buffer over-read in the function EncodeImage of coders/pict.c.
CVE-2019-17149 2020-01-15 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was accidentally assigned. Notes: All CVE users should ignore this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2019-17150 2020-01-15 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was accidentally assigned. Notes: All CVE users should ignore this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2019-20182 1 Fooplugins 1 Foogallery 2020-01-14 3.5 LOW 4.8 MEDIUM
The FooGallery plugin 1.8.12 for WordPress allow XSS via the post_title parameter.