Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20153 | 1 Determine | 1 Contract Lifecycle Management | 2020-01-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) in v5.4. An XML external entity (XXE) vulnerability in the upload definition feature in definition_upload_attach.jsp allows authenticated remote attackers to read arbitrary files (including configuration files containing administrative credentials). | |||||
| CVE-2019-17001 | 1 Mozilla | 1 Firefox | 2020-01-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000.*Note: This flaw only affected Firefox 69 and was not present in earlier versions.*. This vulnerability affects Firefox < 70. | |||||
| CVE-2019-17000 | 1 Mozilla | 1 Firefox | 2020-01-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| An object tag with a data URI did not correctly inherit the document's Content Security Policy. This allowed a CSP bypass in a cross-origin frame if the document's policy explicitly allowed data: URIs. This vulnerability affects Firefox < 70. | |||||
| CVE-2019-11765 | 1 Mozilla | 1 Firefox | 2020-01-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70. | |||||
| CVE-2019-11756 | 1 Mozilla | 1 Firefox | 2020-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. | |||||
| CVE-2013-4867 | 1 Ea | 2 Karotz Smart Rabbit, Karotz Smart Rabbit Firmware | 2020-01-13 | 6.2 MEDIUM | 6.3 MEDIUM |
| Electronic Arts Karotz Smart Rabbit 12.07.19.00 allows Python module hijacking | |||||
| CVE-2019-10777 | 1 Amazon | 1 Aws Lambda | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName". | |||||
| CVE-2014-5287 | 1 Kemptechnologies | 1 Loadmaster | 2020-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| A Bash script injection vulnerability exists in Kemp Load Master 7.1-16 and earlier due to a failure to sanitize input in the Web User Interface (WUI). | |||||
| CVE-2020-5179 | 1 Comtechtel | 2 Stampede Fx-1010, Stampede Fx-1010 Firmware | 2020-01-13 | 9.0 HIGH | 7.2 HIGH |
| Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated administrators to execute arbitrary OS commands by navigating to the Diagnostics Ping page and entering shell metacharacters in the Target IP address field. (In some cases, authentication can be achieved with the comtech password for the comtech account.) | |||||
| CVE-2019-17076 | 1 Jamf | 1 Jamf | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deserialization of untrusted data when parsing JSON in several APIs may cause Denial of Service (DoS), remote code execution (RCE), and/or deletion of files on the Jamf Pro server. | |||||
| CVE-2019-10778 | 1 Devcert-sanscache Project | 1 Devcert-sanscache | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| devcert-sanscache before 0.4.7 allows remote attackers to execute arbitrary code or cause a Command Injection via the exec function. The variable `commonName` controlled by user input is used as part of the `exec` function without any sanitization. | |||||
| CVE-2017-11568 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 6.8 MEDIUM | 7.8 HIGH |
| FontForge 20161012 is vulnerable to a heap-based buffer over-read in PSCharStringToSplines (psread.c) resulting in DoS or code execution via a crafted otf file. | |||||
| CVE-2017-11570 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 6.8 MEDIUM | 7.8 HIGH |
| FontForge 20161012 is vulnerable to a buffer over-read in umodenc (parsettf.c) resulting in DoS or code execution via a crafted otf file. | |||||
| CVE-2017-11571 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 6.8 MEDIUM | 7.8 HIGH |
| FontForge 20161012 is vulnerable to a stack-based buffer overflow in addnibble (parsettf.c) resulting in DoS or code execution via a crafted otf file. | |||||
| CVE-2017-11572 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 6.8 MEDIUM | 7.8 HIGH |
| FontForge 20161012 is vulnerable to a heap-based buffer over-read in readcfftopdicts (parsettf.c) resulting in DoS or code execution via a crafted otf file. | |||||
| CVE-2017-11573 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 6.8 MEDIUM | 7.8 HIGH |
| FontForge 20161012 is vulnerable to a buffer over-read in ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution via a crafted otf file. | |||||
| CVE-2017-11574 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 6.8 MEDIUM | 7.8 HIGH |
| FontForge 20161012 is vulnerable to a heap-based buffer overflow in readcffset (parsettf.c) resulting in DoS or code execution via a crafted otf file. | |||||
| CVE-2017-11575 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 6.8 MEDIUM | 7.8 HIGH |
| FontForge 20161012 is vulnerable to a buffer over-read in strnmatch (char.c) resulting in DoS or code execution via a crafted otf file, related to a call from the readttfcopyrights function in parsettf.c. | |||||
| CVE-2017-11576 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| FontForge 20161012 does not ensure a positive size in a weight vector memcpy call in readcfftopdict (parsettf.c) resulting in DoS via a crafted otf file. | |||||
| CVE-2017-11577 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 6.8 MEDIUM | 7.8 HIGH |
| FontForge 20161012 is vulnerable to a buffer over-read in getsid (parsettf.c) resulting in DoS or code execution via a crafted otf file. | |||||
| CVE-2017-17521 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| uiutil.c in FontForge through 20170731 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17534. | |||||
| CVE-2019-15785 | 1 Fontforge | 1 Fontforge | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| FontForge 20190813 through 20190820 has a buffer overflow in PrefsUI_LoadPrefs in prefs.c. | |||||
| CVE-2019-13699 | 1 Google | 1 Chrome | 2020-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| Use after free in media in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2019-13701 | 1 Google | 1 Chrome | 2020-01-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2019-13702 | 1 Google | 1 Chrome | 2020-01-13 | 6.8 MEDIUM | 7.8 HIGH |
| Inappropriate implementation in installer in Google Chrome on Windows prior to 78.0.3904.70 allowed a local attacker to perform privilege escalation via a crafted executable. | |||||
| CVE-2019-13703 | 1 Google | 1 Chrome | 2020-01-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient policy enforcement in the Omnibox in Google Chrome on Android prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2019-13704 | 1 Google | 1 Chrome | 2020-01-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient policy enforcement in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2019-13708 | 1 Google | 1 Chrome | 2020-01-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2019-13709 | 1 Google | 1 Chrome | 2020-01-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | |||||
| CVE-2019-13715 | 1 Google | 1 Chrome | 2020-01-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||||
| CVE-2019-13716 | 1 Google | 1 Chrome | 2020-01-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient policy enforcement in service workers in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||||
| CVE-2019-13717 | 1 Google | 1 Chrome | 2020-01-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||||
| CVE-2019-13719 | 1 Google | 1 Chrome | 2020-01-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||||
| CVE-2019-6529 | 1 Kunbus | 2 Pr100088 Modbus Gateway, Pr100088 Modbus Gateway Firmware | 2020-01-12 | 6.8 MEDIUM | 4.9 MEDIUM |
| An attacker could specially craft an FTP request that could crash the PR100088 Modbus gateway versions prior to release R02 (or Software Version 1.1.13166). | |||||
| CVE-2019-10776 | 1 Git-diff-apply Project | 1 Git-diff-apply | 2020-01-12 | 7.5 HIGH | 9.8 CRITICAL |
| In "index.js" file line 240, the run command executes the git command with a user controlled variable called remoteUrl. This affects git-diff-apply all versions prior to 0.22.2. | |||||
| CVE-2019-19544 | 1 Broadcom | 1 Ca Automic Dollar Universe | 2020-01-12 | 7.2 HIGH | 7.8 HIGH |
| CA Automic Dollar Universe 5.3.3 contains a vulnerability, related to the uxdqmsrv binary being setuid root, that allows local attackers to elevate privileges. This vulnerability was reported to CA several years after CA Automic Dollar Universe 5.3.3 reached End of Life (EOL) status on April 1, 2015. | |||||
| CVE-2019-18652 | 1 Watchguard | 2 Xmt515, Xmt515 Firmware | 2020-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A DOM based XSS vulnerability has been identified on the WatchGuard XMT515 through 12.1.3, allowing a remote attacker to execute JavaScript in the victim's browser by tricking the victim into clicking on a crafted link. The payload was tested in Microsoft Internet Explorer 11.418.18362.0 and Microsoft Edge 44.18362.387.0 (Microsoft EdgeHTML 18.18362). | |||||
| CVE-2016-5346 | 1 Google | 3 Android, Pixel, Pixel Xl | 2020-01-12 | 2.1 LOW | 5.5 MEDIUM |
| An Information Disclosure vulnerability exists in the Google Pixel/Pixel SL Qualcomm Avtimer Driver due to a NULL pointer dereference when processing an accept system call by the user process on AF_MSM_IPC sockets, which could let a local malicious user obtain sensitive information (Android Bug ID A-32551280). | |||||
| CVE-2010-2247 | 1 Makepasswd Project | 1 Makepasswd | 2020-01-12 | 5.0 MEDIUM | 7.5 HIGH |
| makepasswd 1.10 default settings generate insecure passwords | |||||
| CVE-2018-9018 | 2 Debian, Graphicsmagick | 2 Debian Linux, Graphicsmagick | 2020-01-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage function of coders/png.c. Remote attackers could leverage this vulnerability to cause a crash and denial of service via a crafted mng file. | |||||
| CVE-2012-3806 | 1 Samsung | 1 Kies | 2020-01-11 | 5.0 MEDIUM | 7.5 HIGH |
| Samsung Kies before 2.5.0.12094_27_11 contains a NULL pointer dereference vulnerability which could allow remote attackers to perform a denial of service. | |||||
| CVE-2012-3808 | 1 Samsung | 1 Kies | 2020-01-11 | 5.0 MEDIUM | 7.5 HIGH |
| Samsung Kies before 2.5.0.12094_27_11 has arbitrary file modification. | |||||
| CVE-2012-3809 | 1 Samsung | 1 Kies | 2020-01-11 | 5.0 MEDIUM | 7.5 HIGH |
| Samsung Kies before 2.5.0.12094_27_11 has arbitrary directory modification. | |||||
| CVE-2012-3810 | 1 Samsung | 1 Kies | 2020-01-11 | 5.0 MEDIUM | 7.5 HIGH |
| Samsung Kies before 2.5.0.12094_27_11 has registry modification. | |||||
| CVE-2019-6032 | 1 Ntv | 1 News 24 | 2020-01-10 | 5.8 MEDIUM | 7.4 HIGH |
| The NTV News24 prior to Ver.3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2019-20042 | 1 Wordpress | 1 Wordpress | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. | |||||
| CVE-2019-20154 | 1 Determine | 1 Contract Lifecycle Management | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) v5.4. A cross-site scripting (XSS) vulnerability in multiple getchart.jsp parameters allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2019-20043 | 1 Wordpress | 1 Wordpress | 2020-01-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. | |||||
| CVE-2019-15602 | 1 Itwork | 1 Fileview | 2020-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The fileview package v0.1.6 has inadequate output encoding and escaping, which leads to a stored Cross-Site Scripting (XSS) vulnerability in files it serves. | |||||
| CVE-2013-3249 | 1 Solarwinds | 1 Dameware Remote Support | 2020-01-10 | 9.3 HIGH | N/A |
| Stack-based buffer overflow in the "Add from text file" feature in the DameWare Exporter tool (DWExporter.exe) in DameWare Remote Support 10.0.0.372, 9.0.1.247, and earlier allows user-assisted attackers to execute arbitrary code via unspecified vectors. | |||||
