Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-20212 1 Cththemes 3 Citybook, Easybook, Townhub 2020-01-14 4.3 MEDIUM 6.1 MEDIUM
The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form.
CVE-2014-1860 1 Contao 1 Contao Cms 2020-01-14 7.5 HIGH 9.8 CRITICAL
Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities
CVE-2011-5018 1 Koala-framework 1 Koala Framework 2020-01-14 4.3 MEDIUM 6.1 MEDIUM
Koala Framework before 2011-11-21 has XSS via the request_uri parameter.
CVE-2019-20377 1 Tophub 1 Toplist 2020-01-14 4.3 MEDIUM 6.1 MEDIUM
TopList before 2019-09-03 allows XSS via a title.
CVE-2014-5093 1 Status2k 1 Status2k 2020-01-14 5.0 MEDIUM 9.8 CRITICAL
Status2k does not remove the install directory allowing credential reset.
CVE-2011-5020 1 Online Tv Database Project 1 Online Tv Database 2020-01-14 7.5 HIGH 9.8 CRITICAL
An SQL Injection vulnerability exists in the ID parameter in Online TV Database 2011.
CVE-2018-19831 1 Cryptbond Network Project 1 Cryptbond Network 2020-01-14 5.0 MEDIUM 7.5 HIGH
The ToOwner() function of a smart contract implementation for Cryptbond Network (CBN), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity.
CVE-2018-19833 1 Ddq Project 1 Ddq 2020-01-14 5.0 MEDIUM 7.5 HIGH
The owned function of a smart contract implementation for DDQ, an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity.
CVE-2018-19834 1 Bombba Project 1 Bombba 2020-01-14 5.0 MEDIUM 7.5 HIGH
The quaker function of a smart contract implementation for BOMBBA (BOMB), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity.
CVE-2018-19832 1 Newinteltechmedia Project 1 Newinteltechmedia 2020-01-14 5.0 MEDIUM 7.5 HIGH
The NETM() function of a smart contract implementation for NewIntelTechMedia (NETM), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity.
CVE-2018-19830 1 Business Alliance Financial Circle Project 1 Business Alliance Financial Circle 2020-01-14 5.0 MEDIUM 7.5 HIGH
The UBSexToken() function of a smart contract implementation for Business Alliance Financial Circle (BAFC), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function is public (by default) and does not check the caller's identity.
CVE-2019-19880 1 Sqlite 1 Sqlite 2020-01-14 5.0 MEDIUM 7.5 HIGH
exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.
CVE-2019-19923 1 Sqlite 1 Sqlite 2020-01-14 5.0 MEDIUM 7.5 HIGH
flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).
CVE-2019-19925 1 Sqlite 1 Sqlite 2020-01-14 5.0 MEDIUM 7.5 HIGH
zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.
CVE-2018-13305 1 Ffmpeg 1 Ffmpeg 2020-01-14 5.8 MEDIUM 8.1 HIGH
In FFmpeg 4.0.1, due to a missing check for negative values of the mquant variable, the vc1_put_blocks_clamped function in libavcodec/vc1_block.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to an information disclosure or a denial of service.
CVE-2019-19191 1 Shibboleth 1 Service Provider 2020-01-14 7.2 HIGH 7.8 HIGH
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.
CVE-2019-19579 2 Fedoraproject, Xen 2 Fedora, Xen 2020-01-14 7.2 HIGH 6.8 MEDIUM
An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device (and assignable-add is not used), because of an incomplete fix for CVE-2019-18424. XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these "alternate" methods are used will still leave the system in a vulnerable state after the device comes back from a guest. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
CVE-2019-19269 3 Debian, Fedoraproject, Proftpd 3 Debian Linux, Fedora, Proftpd 2020-01-13 4.0 MEDIUM 4.9 MEDIUM
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
CVE-2019-19270 2 Fedoraproject, Proftpd 2 Fedora, Proftpd 2020-01-13 5.0 MEDIUM 7.5 HIGH
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.
CVE-2014-9908 1 Google 1 Android 2020-01-13 3.3 LOW 6.5 MEDIUM
A Denial of Service vulnerability exists in Google Android 4.4.4, 5.0.2, and 5.1.1, which allows malicious users to block Bluetooh access (Android Bug ID A-28672558).
CVE-2014-5013 1 Dompdf Project 1 Dompdf 2020-01-13 6.8 MEDIUM 8.8 HIGH
DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.
CVE-2014-5012 1 Dompdf Project 1 Dompdf 2020-01-13 4.3 MEDIUM 6.5 MEDIUM
DOMPDF before 0.6.2 allows denial of service.
CVE-2014-5011 1 Dompdf Project 1 Dompdf 2020-01-13 4.3 MEDIUM 6.5 MEDIUM
DOMPDF before 0.6.2 allows Information Disclosure.
CVE-2011-1933 1 Jifty\ 1 \ 2020-01-13 7.5 HIGH 9.8 CRITICAL
SQL injection vulnerability in Jifty::DBI before 0.68.
CVE-2014-4561 1 Ultimate-weather Project 1 Ultimate-weather 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
The ultimate-weather plugin 1.0 for WordPress has XSS
CVE-2019-17015 2 Microsoft, Mozilla 3 Windows, Firefox, Firefox Esr 2020-01-13 6.8 MEDIUM 8.8 HIGH
During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and a potentially exploitable crash in the parent process. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
CVE-2019-17016 4 Canonical, Debian, Mozilla and 1 more 9 Ubuntu Linux, Debian Linux, Firefox and 6 more 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
CVE-2019-17017 4 Canonical, Debian, Mozilla and 1 more 9 Ubuntu Linux, Debian Linux, Firefox and 6 more 2020-01-13 6.8 MEDIUM 8.8 HIGH
Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
CVE-2019-17022 4 Canonical, Debian, Mozilla and 1 more 9 Ubuntu Linux, Debian Linux, Firefox and 6 more 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer does not escape &lt; and &gt; characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.
CVE-2019-18859 1 Digi 2 Anywhereusb\/14, Anywhereusb\/14 Firmware 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
Digi AnywhereUSB 14 allows XSS via a link for the Digi Page.
CVE-2019-20378 1 Ganglia 1 Ganglia-web 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php ce parameter.
CVE-2019-20379 1 Ganglia 1 Ganglia-web 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter.
CVE-2014-3211 1 Publify Project 1 Publify 2020-01-13 5.0 MEDIUM 7.5 HIGH
Publify before 8.0.1 is vulnerable to a Denial of Service attack
CVE-2020-6838 1 Mruby 1 Mruby 2020-01-13 7.5 HIGH 9.8 CRITICAL
In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems/mruby-hash-ext/src/hash-ext.c.
CVE-2020-6839 1 Mruby 1 Mruby 2020-01-13 7.5 HIGH 9.8 CRITICAL
In mruby 2.1.0, there is a stack-based buffer overflow in mrb_str_len_to_dbl in string.c.
CVE-2020-6840 1 Mruby 1 Mruby 2020-01-13 7.5 HIGH 9.8 CRITICAL
In mruby 2.1.0, there is a use-after-free in hash_slice in mrbgems/mruby-hash-ext/src/hash-ext.c.
CVE-2012-3807 1 Samsung 1 Kies 2020-01-13 7.5 HIGH 9.8 CRITICAL
Samsung Kies before 2.5.0.12094_27_11 has arbitrary file execution.
CVE-2016-6587 1 Symantec 1 Norton Mobile Security 2020-01-13 2.1 LOW 5.5 MEDIUM
An Information Disclosure vulnerability exists in the mid.dat file stored on the SD card in Symantec Norton Mobile Security for Android before 3.16, which could let a local malicious user obtain sensitive information.
CVE-2019-4559 1 Ibm 1 Qradar Security Information And Event Manager 2020-01-13 5.0 MEDIUM 5.3 MEDIUM
IBM QRadar SIEM 7.3.0 through 7.3.3 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 166355.
CVE-2019-4508 1 Ibm 1 Qradar Security Information And Event Manager 2020-01-13 2.1 LOW 7.8 HIGH
IBM QRadar SIEM 7.3.0 through 7.3.3 uses weak credential storage in some instances which could be decrypted by a local attacker. IBM X-Force ID: 164429.
CVE-2018-11805 2 Apache, Debian 2 Spamassassin, Debian Linux 2020-01-13 7.2 HIGH 6.7 MEDIUM
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.
CVE-2019-12420 2 Apache, Debian 2 Spamassassin, Debian Linux 2020-01-13 5.0 MEDIUM 7.5 HIGH
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2014-9405 1 Free 1 Freebox Os 2020-01-13 3.5 LOW 5.4 MEDIUM
A Cross-Site Scripting (XSS) vulnerability exists in the description field of an Download RSS item or Contacts in Freebox OS Web interface 3.0.2, which allows malicious users to execute arbitrary code.
CVE-2019-17018 1 Mozilla 1 Firefox 2020-01-13 5.0 MEDIUM 5.3 MEDIUM
When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve the accuracy of the keyboard. This vulnerability affects Firefox < 72.
CVE-2015-4039 1 E-plugins 1 Wp Membership 2020-01-13 3.5 LOW 5.4 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the WP Membership plugin 1.2.3 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via unspecified (1) profile fields or (2) new post content. NOTE: CVE-2015-4038 can be used to bypass the administrator confirmation step for vector 2.
CVE-2014-3743 1 Marked Project 1 Marked 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.
CVE-2012-1915 1 Codeigniter 1 Codeigniter 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS attacks.
CVE-2013-1420 1 Get-simple 1 Getsimple Cms 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to filebrowser.php in admin/. NOTE: the path parameter in admin/upload.php vector is already covered by CVE-2012-6621.
CVE-2011-4595 1 Caseproof 1 Pretty Link 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
Pretty-Link WordPress plugin 1.5.2 has XSS
CVE-2014-4530 1 Flog Project 1 Flog 2020-01-13 4.3 MEDIUM 6.1 MEDIUM
flog plugin 0.1 for WordPress has XSS