Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20212 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form. | |||||
| CVE-2014-1860 | 1 Contao | 1 Contao Cms | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities | |||||
| CVE-2011-5018 | 1 Koala-framework | 1 Koala Framework | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Koala Framework before 2011-11-21 has XSS via the request_uri parameter. | |||||
| CVE-2019-20377 | 1 Tophub | 1 Toplist | 2020-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| TopList before 2019-09-03 allows XSS via a title. | |||||
| CVE-2014-5093 | 1 Status2k | 1 Status2k | 2020-01-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| Status2k does not remove the install directory allowing credential reset. | |||||
| CVE-2011-5020 | 1 Online Tv Database Project | 1 Online Tv Database | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability exists in the ID parameter in Online TV Database 2011. | |||||
| CVE-2018-19831 | 1 Cryptbond Network Project | 1 Cryptbond Network | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| The ToOwner() function of a smart contract implementation for Cryptbond Network (CBN), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19833 | 1 Ddq Project | 1 Ddq | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| The owned function of a smart contract implementation for DDQ, an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19834 | 1 Bombba Project | 1 Bombba | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| The quaker function of a smart contract implementation for BOMBBA (BOMB), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19832 | 1 Newinteltechmedia Project | 1 Newinteltechmedia | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| The NETM() function of a smart contract implementation for NewIntelTechMedia (NETM), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19830 | 1 Business Alliance Financial Circle Project | 1 Business Alliance Financial Circle | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| The UBSexToken() function of a smart contract implementation for Business Alliance Financial Circle (BAFC), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function is public (by default) and does not check the caller's identity. | |||||
| CVE-2019-19880 | 1 Sqlite | 1 Sqlite | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled. | |||||
| CVE-2019-19923 | 1 Sqlite | 1 Sqlite | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results). | |||||
| CVE-2019-19925 | 1 Sqlite | 1 Sqlite | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive. | |||||
| CVE-2018-13305 | 1 Ffmpeg | 1 Ffmpeg | 2020-01-14 | 5.8 MEDIUM | 8.1 HIGH |
| In FFmpeg 4.0.1, due to a missing check for negative values of the mquant variable, the vc1_put_blocks_clamped function in libavcodec/vc1_block.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to an information disclosure or a denial of service. | |||||
| CVE-2019-19191 | 1 Shibboleth | 1 Service Provider | 2020-01-14 | 7.2 HIGH | 7.8 HIGH |
| Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow. | |||||
| CVE-2019-19579 | 2 Fedoraproject, Xen | 2 Fedora, Xen | 2020-01-14 | 7.2 HIGH | 6.8 MEDIUM |
| An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device (and assignable-add is not used), because of an incomplete fix for CVE-2019-18424. XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these "alternate" methods are used will still leave the system in a vulnerable state after the device comes back from a guest. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable. | |||||
| CVE-2019-19269 | 3 Debian, Fedoraproject, Proftpd | 3 Debian Linux, Fedora, Proftpd | 2020-01-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup. | |||||
| CVE-2019-19270 | 2 Fedoraproject, Proftpd | 2 Fedora, Proftpd | 2020-01-13 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server. | |||||
| CVE-2014-9908 | 1 Google | 1 Android | 2020-01-13 | 3.3 LOW | 6.5 MEDIUM |
| A Denial of Service vulnerability exists in Google Android 4.4.4, 5.0.2, and 5.1.1, which allows malicious users to block Bluetooh access (Android Bug ID A-28672558). | |||||
| CVE-2014-5013 | 1 Dompdf Project | 1 Dompdf | 2020-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383. | |||||
| CVE-2014-5012 | 1 Dompdf Project | 1 Dompdf | 2020-01-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| DOMPDF before 0.6.2 allows denial of service. | |||||
| CVE-2014-5011 | 1 Dompdf Project | 1 Dompdf | 2020-01-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| DOMPDF before 0.6.2 allows Information Disclosure. | |||||
| CVE-2011-1933 | 1 Jifty\ | 1 \ | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Jifty::DBI before 0.68. | |||||
| CVE-2014-4561 | 1 Ultimate-weather Project | 1 Ultimate-weather | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ultimate-weather plugin 1.0 for WordPress has XSS | |||||
| CVE-2019-17015 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2020-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and a potentially exploitable crash in the parent process. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. | |||||
| CVE-2019-17016 | 4 Canonical, Debian, Mozilla and 1 more | 9 Ubuntu Linux, Debian Linux, Firefox and 6 more | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. | |||||
| CVE-2019-17017 | 4 Canonical, Debian, Mozilla and 1 more | 9 Ubuntu Linux, Debian Linux, Firefox and 6 more | 2020-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. | |||||
| CVE-2019-17022 | 4 Canonical, Debian, Mozilla and 1 more | 9 Ubuntu Linux, Debian Linux, Firefox and 6 more | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. | |||||
| CVE-2019-18859 | 1 Digi | 2 Anywhereusb\/14, Anywhereusb\/14 Firmware | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Digi AnywhereUSB 14 allows XSS via a link for the Digi Page. | |||||
| CVE-2019-20378 | 1 Ganglia | 1 Ganglia-web | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php ce parameter. | |||||
| CVE-2019-20379 | 1 Ganglia | 1 Ganglia-web | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter. | |||||
| CVE-2014-3211 | 1 Publify Project | 1 Publify | 2020-01-13 | 5.0 MEDIUM | 7.5 HIGH |
| Publify before 8.0.1 is vulnerable to a Denial of Service attack | |||||
| CVE-2020-6838 | 1 Mruby | 1 Mruby | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems/mruby-hash-ext/src/hash-ext.c. | |||||
| CVE-2020-6839 | 1 Mruby | 1 Mruby | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| In mruby 2.1.0, there is a stack-based buffer overflow in mrb_str_len_to_dbl in string.c. | |||||
| CVE-2020-6840 | 1 Mruby | 1 Mruby | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| In mruby 2.1.0, there is a use-after-free in hash_slice in mrbgems/mruby-hash-ext/src/hash-ext.c. | |||||
| CVE-2012-3807 | 1 Samsung | 1 Kies | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| Samsung Kies before 2.5.0.12094_27_11 has arbitrary file execution. | |||||
| CVE-2016-6587 | 1 Symantec | 1 Norton Mobile Security | 2020-01-13 | 2.1 LOW | 5.5 MEDIUM |
| An Information Disclosure vulnerability exists in the mid.dat file stored on the SD card in Symantec Norton Mobile Security for Android before 3.16, which could let a local malicious user obtain sensitive information. | |||||
| CVE-2019-4559 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2020-01-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM QRadar SIEM 7.3.0 through 7.3.3 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 166355. | |||||
| CVE-2019-4508 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2020-01-13 | 2.1 LOW | 7.8 HIGH |
| IBM QRadar SIEM 7.3.0 through 7.3.3 uses weak credential storage in some instances which could be decrypted by a local attacker. IBM X-Force ID: 164429. | |||||
| CVE-2018-11805 | 2 Apache, Debian | 2 Spamassassin, Debian Linux | 2020-01-13 | 7.2 HIGH | 6.7 MEDIUM |
| In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. | |||||
| CVE-2019-12420 | 2 Apache, Debian | 2 Spamassassin, Debian Linux | 2020-01-13 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. | |||||
| CVE-2014-9405 | 1 Free | 1 Freebox Os | 2020-01-13 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the description field of an Download RSS item or Contacts in Freebox OS Web interface 3.0.2, which allows malicious users to execute arbitrary code. | |||||
| CVE-2019-17018 | 1 Mozilla | 1 Firefox | 2020-01-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve the accuracy of the keyboard. This vulnerability affects Firefox < 72. | |||||
| CVE-2015-4039 | 1 E-plugins | 1 Wp Membership | 2020-01-13 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the WP Membership plugin 1.2.3 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via unspecified (1) profile fields or (2) new post content. NOTE: CVE-2015-4038 can be used to bypass the administrator confirmation step for vector 2. | |||||
| CVE-2014-3743 | 1 Marked Project | 1 Marked | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's. | |||||
| CVE-2012-1915 | 1 Codeigniter | 1 Codeigniter | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS attacks. | |||||
| CVE-2013-1420 | 1 Get-simple | 1 Getsimple Cms | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to filebrowser.php in admin/. NOTE: the path parameter in admin/upload.php vector is already covered by CVE-2012-6621. | |||||
| CVE-2011-4595 | 1 Caseproof | 1 Pretty Link | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pretty-Link WordPress plugin 1.5.2 has XSS | |||||
| CVE-2014-4530 | 1 Flog Project | 1 Flog | 2020-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| flog plugin 0.1 for WordPress has XSS | |||||
