Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-20153 1 Determine 1 Contract Lifecycle Management 2020-01-13 4.0 MEDIUM 4.9 MEDIUM
An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) in v5.4. An XML external entity (XXE) vulnerability in the upload definition feature in definition_upload_attach.jsp allows authenticated remote attackers to read arbitrary files (including configuration files containing administrative credentials).
CVE-2019-17001 1 Mozilla 1 Firefox 2020-01-13 5.8 MEDIUM 6.1 MEDIUM
A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000.*Note: This flaw only affected Firefox 69 and was not present in earlier versions.*. This vulnerability affects Firefox < 70.
CVE-2019-17000 1 Mozilla 1 Firefox 2020-01-13 5.8 MEDIUM 6.1 MEDIUM
An object tag with a data URI did not correctly inherit the document's Content Security Policy. This allowed a CSP bypass in a cross-origin frame if the document's policy explicitly allowed data: URIs. This vulnerability affects Firefox < 70.
CVE-2019-11765 1 Mozilla 1 Firefox 2020-01-13 4.3 MEDIUM 6.5 MEDIUM
A compromised content process could send a message to the parent process that would cause the 'Click to Play' permission prompt to be shown. However, due to lack of validation from the parent process, if the user accepted the permission request an attacker-controlled permission would be granted rather than the 'Click to Play' permission. This vulnerability affects Firefox < 70.
CVE-2019-11756 1 Mozilla 1 Firefox 2020-01-13 6.8 MEDIUM 8.8 HIGH
Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71.
CVE-2013-4867 1 Ea 2 Karotz Smart Rabbit, Karotz Smart Rabbit Firmware 2020-01-13 6.2 MEDIUM 6.3 MEDIUM
Electronic Arts Karotz Smart Rabbit 12.07.19.00 allows Python module hijacking
CVE-2019-10777 1 Amazon 1 Aws Lambda 2020-01-13 7.5 HIGH 9.8 CRITICAL
In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName".
CVE-2014-5287 1 Kemptechnologies 1 Loadmaster 2020-01-13 6.8 MEDIUM 8.8 HIGH
A Bash script injection vulnerability exists in Kemp Load Master 7.1-16 and earlier due to a failure to sanitize input in the Web User Interface (WUI).
CVE-2020-5179 1 Comtechtel 2 Stampede Fx-1010, Stampede Fx-1010 Firmware 2020-01-13 9.0 HIGH 7.2 HIGH
Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated administrators to execute arbitrary OS commands by navigating to the Diagnostics Ping page and entering shell metacharacters in the Target IP address field. (In some cases, authentication can be achieved with the comtech password for the comtech account.)
CVE-2019-17076 1 Jamf 1 Jamf 2020-01-13 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deserialization of untrusted data when parsing JSON in several APIs may cause Denial of Service (DoS), remote code execution (RCE), and/or deletion of files on the Jamf Pro server.
CVE-2019-10778 1 Devcert-sanscache Project 1 Devcert-sanscache 2020-01-13 7.5 HIGH 9.8 CRITICAL
devcert-sanscache before 0.4.7 allows remote attackers to execute arbitrary code or cause a Command Injection via the exec function. The variable `commonName` controlled by user input is used as part of the `exec` function without any sanitization.
CVE-2017-11568 1 Fontforge 1 Fontforge 2020-01-13 6.8 MEDIUM 7.8 HIGH
FontForge 20161012 is vulnerable to a heap-based buffer over-read in PSCharStringToSplines (psread.c) resulting in DoS or code execution via a crafted otf file.
CVE-2017-11570 1 Fontforge 1 Fontforge 2020-01-13 6.8 MEDIUM 7.8 HIGH
FontForge 20161012 is vulnerable to a buffer over-read in umodenc (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVE-2017-11571 1 Fontforge 1 Fontforge 2020-01-13 6.8 MEDIUM 7.8 HIGH
FontForge 20161012 is vulnerable to a stack-based buffer overflow in addnibble (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVE-2017-11572 1 Fontforge 1 Fontforge 2020-01-13 6.8 MEDIUM 7.8 HIGH
FontForge 20161012 is vulnerable to a heap-based buffer over-read in readcfftopdicts (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVE-2017-11573 1 Fontforge 1 Fontforge 2020-01-13 6.8 MEDIUM 7.8 HIGH
FontForge 20161012 is vulnerable to a buffer over-read in ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVE-2017-11574 1 Fontforge 1 Fontforge 2020-01-13 6.8 MEDIUM 7.8 HIGH
FontForge 20161012 is vulnerable to a heap-based buffer overflow in readcffset (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVE-2017-11575 1 Fontforge 1 Fontforge 2020-01-13 6.8 MEDIUM 7.8 HIGH
FontForge 20161012 is vulnerable to a buffer over-read in strnmatch (char.c) resulting in DoS or code execution via a crafted otf file, related to a call from the readttfcopyrights function in parsettf.c.
CVE-2017-11576 1 Fontforge 1 Fontforge 2020-01-13 4.3 MEDIUM 5.5 MEDIUM
FontForge 20161012 does not ensure a positive size in a weight vector memcpy call in readcfftopdict (parsettf.c) resulting in DoS via a crafted otf file.
CVE-2017-11577 1 Fontforge 1 Fontforge 2020-01-13 6.8 MEDIUM 7.8 HIGH
FontForge 20161012 is vulnerable to a buffer over-read in getsid (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVE-2017-17521 1 Fontforge 1 Fontforge 2020-01-13 6.8 MEDIUM 8.8 HIGH
uiutil.c in FontForge through 20170731 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17534.
CVE-2019-15785 1 Fontforge 1 Fontforge 2020-01-13 7.5 HIGH 9.8 CRITICAL
FontForge 20190813 through 20190820 has a buffer overflow in PrefsUI_LoadPrefs in prefs.c.
CVE-2019-13699 1 Google 1 Chrome 2020-01-13 6.8 MEDIUM 8.8 HIGH
Use after free in media in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
CVE-2019-13701 1 Google 1 Chrome 2020-01-13 4.3 MEDIUM 4.3 MEDIUM
Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2019-13702 1 Google 1 Chrome 2020-01-13 6.8 MEDIUM 7.8 HIGH
Inappropriate implementation in installer in Google Chrome on Windows prior to 78.0.3904.70 allowed a local attacker to perform privilege escalation via a crafted executable.
CVE-2019-13703 1 Google 1 Chrome 2020-01-13 4.3 MEDIUM 4.3 MEDIUM
Insufficient policy enforcement in the Omnibox in Google Chrome on Android prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2019-13704 1 Google 1 Chrome 2020-01-13 4.3 MEDIUM 4.3 MEDIUM
Insufficient policy enforcement in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-13708 1 Google 1 Chrome 2020-01-13 4.3 MEDIUM 4.3 MEDIUM
Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2019-13709 1 Google 1 Chrome 2020-01-13 4.3 MEDIUM 6.5 MEDIUM
Insufficient policy enforcement in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page.
CVE-2019-13715 1 Google 1 Chrome 2020-01-13 4.3 MEDIUM 4.3 MEDIUM
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
CVE-2019-13716 1 Google 1 Chrome 2020-01-13 4.3 MEDIUM 4.3 MEDIUM
Insufficient policy enforcement in service workers in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
CVE-2019-13717 1 Google 1 Chrome 2020-01-13 4.3 MEDIUM 4.3 MEDIUM
Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.
CVE-2019-13719 1 Google 1 Chrome 2020-01-13 4.3 MEDIUM 4.3 MEDIUM
Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.
CVE-2019-6529 1 Kunbus 2 Pr100088 Modbus Gateway, Pr100088 Modbus Gateway Firmware 2020-01-12 6.8 MEDIUM 4.9 MEDIUM
An attacker could specially craft an FTP request that could crash the PR100088 Modbus gateway versions prior to release R02 (or Software Version 1.1.13166).
CVE-2019-10776 1 Git-diff-apply Project 1 Git-diff-apply 2020-01-12 7.5 HIGH 9.8 CRITICAL
In "index.js" file line 240, the run command executes the git command with a user controlled variable called remoteUrl. This affects git-diff-apply all versions prior to 0.22.2.
CVE-2019-19544 1 Broadcom 1 Ca Automic Dollar Universe 2020-01-12 7.2 HIGH 7.8 HIGH
CA Automic Dollar Universe 5.3.3 contains a vulnerability, related to the uxdqmsrv binary being setuid root, that allows local attackers to elevate privileges. This vulnerability was reported to CA several years after CA Automic Dollar Universe 5.3.3 reached End of Life (EOL) status on April 1, 2015.
CVE-2019-18652 1 Watchguard 2 Xmt515, Xmt515 Firmware 2020-01-12 4.3 MEDIUM 6.1 MEDIUM
A DOM based XSS vulnerability has been identified on the WatchGuard XMT515 through 12.1.3, allowing a remote attacker to execute JavaScript in the victim's browser by tricking the victim into clicking on a crafted link. The payload was tested in Microsoft Internet Explorer 11.418.18362.0 and Microsoft Edge 44.18362.387.0 (Microsoft EdgeHTML 18.18362).
CVE-2016-5346 1 Google 3 Android, Pixel, Pixel Xl 2020-01-12 2.1 LOW 5.5 MEDIUM
An Information Disclosure vulnerability exists in the Google Pixel/Pixel SL Qualcomm Avtimer Driver due to a NULL pointer dereference when processing an accept system call by the user process on AF_MSM_IPC sockets, which could let a local malicious user obtain sensitive information (Android Bug ID A-32551280).
CVE-2010-2247 1 Makepasswd Project 1 Makepasswd 2020-01-12 5.0 MEDIUM 7.5 HIGH
makepasswd 1.10 default settings generate insecure passwords
CVE-2018-9018 2 Debian, Graphicsmagick 2 Debian Linux, Graphicsmagick 2020-01-12 4.3 MEDIUM 6.5 MEDIUM
In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage function of coders/png.c. Remote attackers could leverage this vulnerability to cause a crash and denial of service via a crafted mng file.
CVE-2012-3806 1 Samsung 1 Kies 2020-01-11 5.0 MEDIUM 7.5 HIGH
Samsung Kies before 2.5.0.12094_27_11 contains a NULL pointer dereference vulnerability which could allow remote attackers to perform a denial of service.
CVE-2012-3808 1 Samsung 1 Kies 2020-01-11 5.0 MEDIUM 7.5 HIGH
Samsung Kies before 2.5.0.12094_27_11 has arbitrary file modification.
CVE-2012-3809 1 Samsung 1 Kies 2020-01-11 5.0 MEDIUM 7.5 HIGH
Samsung Kies before 2.5.0.12094_27_11 has arbitrary directory modification.
CVE-2012-3810 1 Samsung 1 Kies 2020-01-11 5.0 MEDIUM 7.5 HIGH
Samsung Kies before 2.5.0.12094_27_11 has registry modification.
CVE-2019-6032 1 Ntv 1 News 24 2020-01-10 5.8 MEDIUM 7.4 HIGH
The NTV News24 prior to Ver.3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2019-20042 1 Wordpress 1 Wordpress 2020-01-10 4.3 MEDIUM 6.1 MEDIUM
In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
CVE-2019-20154 1 Determine 1 Contract Lifecycle Management 2020-01-10 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) v5.4. A cross-site scripting (XSS) vulnerability in multiple getchart.jsp parameters allows remote attackers to inject arbitrary web script or HTML.
CVE-2019-20043 1 Wordpress 1 Wordpress 2020-01-10 5.0 MEDIUM 5.3 MEDIUM
In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
CVE-2019-15602 1 Itwork 1 Fileview 2020-01-10 4.3 MEDIUM 6.1 MEDIUM
The fileview package v0.1.6 has inadequate output encoding and escaping, which leads to a stored Cross-Site Scripting (XSS) vulnerability in files it serves.
CVE-2013-3249 1 Solarwinds 1 Dameware Remote Support 2020-01-10 9.3 HIGH N/A
Stack-based buffer overflow in the "Add from text file" feature in the DameWare Exporter tool (DWExporter.exe) in DameWare Remote Support 10.0.0.372, 9.0.1.247, and earlier allows user-assisted attackers to execute arbitrary code via unspecified vectors.