Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2010-5278 1 Modx 1 Modx Revolution 2020-01-10 4.3 MEDIUM N/A
Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter. NOTE: some of these details are obtained from third party information.
CVE-1999-1593 1 Microsoft 3 Windows 2000, Windows 95, Windows 98 2020-01-10 7.6 HIGH N/A
Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server. NOTE: this problem may be limited when Windows 95/98 clients are used, or if the primary domain controller becomes unavailable.
CVE-2012-0797 1 Moodle 1 Moodle 2020-01-10 5.5 MEDIUM N/A
The webservices functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote authenticated users to bypass the deleted status and continue using a server via a token.
CVE-2010-2116 1 Mcafee 2 Email Gateway, Secure Mail 2020-01-10 6.5 MEDIUM N/A
The web interface in McAfee Email Gateway (formerly IronMail) 6.7.1 allows remote authenticated users, with only Read privileges, to gain Write privileges to modify configuration via the save action in a direct request to admin/systemWebAdminConfig.do.
CVE-2017-7323 1 Modx 1 Modx Revolution 2020-01-10 6.8 MEDIUM 8.1 HIGH
The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code by leveraging the lack of the HTTPS protection mechanism.
CVE-2017-7324 1 Modx 1 Modx Revolution 2020-01-10 7.5 HIGH 9.8 CRITICAL
setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter.
CVE-2019-14466 2 Debian, Gosa Project 2 Debian Linux, Gosa 2020-01-10 5.5 MEDIUM 6.5 MEDIUM
The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP objection injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a crafted cookie value, because unserialize is used to restore filter settings from a cookie.
CVE-2017-7322 1 Modx 1 Modx Revolution 2020-01-10 6.8 MEDIUM 8.1 HIGH
The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code via a crafted certificate.
CVE-2017-7321 1 Modx 1 Modx Revolution 2020-01-10 7.5 HIGH 9.8 CRITICAL
setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI.
CVE-2013-4752 2 Fedoraproject, Sensiolabs 2 Fedora, Symfony 2020-01-10 4.3 MEDIUM 6.1 MEDIUM
Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.
CVE-2015-5951 1 Thomsonreuters 1 Fatca 2020-01-10 9.0 HIGH 9.9 CRITICAL
A file upload issue exists in the specid parameter in Thomson Reuters FATCH before 5.2, which allows malicious users to upload arbitrary PHP files to the web root and execute system commands.
CVE-2011-1474 1 Linux 1 Linux Kernel 2020-01-10 4.9 MEDIUM 5.5 MEDIUM
A locally locally exploitable DOS vulnerability was found in pax-linux versions 2.6.32.33-test79.patch, 2.6.38-test3.patch, and 2.6.37.4-test14.patch. A bad bounds check in arch_get_unmapped_area_topdown triggered by programs doing an mmap after a MAP_GROWSDOWN mmap will create an infinite loop condition without releasing the VM semaphore eventually leading to a system crash.
CVE-2017-7320 1 Modx 1 Modx Revolution 2020-01-10 4.3 MEDIUM 6.1 MEDIUM
setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value.
CVE-2012-4025 1 Squashfs Project 1 Squashfs 2020-01-10 6.8 MEDIUM N/A
Integer overflow in the queue_init function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted block_log field in the superblock of a .sqsh file, leading to a heap-based buffer overflow.
CVE-2012-4024 1 Squashfs Project 1 Squashfs 2020-01-10 6.8 MEDIUM N/A
Stack-based buffer overflow in the get_component function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted list file (aka a crafted file for the -ef option). NOTE: probably in most cases, the list file is a trusted file constructed by the program's user; however, there are some realistic situations in which a list file would be obtained from an untrusted remote source.
CVE-2009-2044 2 Linux, Mozilla 2 Linux Kernel, Firefox 2020-01-10 4.3 MEDIUM N/A
Mozilla Firefox 3.0.10 and earlier on Linux allows remote attackers to cause a denial of service (application crash) via a URI for a large GIF image in the BACKGROUND attribute of a BODY element.
CVE-2019-6025 1 Sixapart 1 Movable Type 2020-01-10 5.8 MEDIUM 6.1 MEDIUM
Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Advanced 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type Advanced 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type Advanced 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Premium 1.24 and earlier (Movable Type Premium), and Movable Type Premium (Advanced Edition) 1.24 and earlier (Movable Type Premium) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.
CVE-2014-1454 1 Pearson 1 Esis Enterprise Student Information System 2020-01-10 3.5 LOW 4.8 MEDIUM
Pearson eSIS (Enterprise Student Information System) message board has stored XSS due to improper validation of user input
CVE-2012-4434 1 Cipherdyne 1 Fwknop 2020-01-10 6.5 MEDIUM 8.8 HIGH
fwknop before 2.0.3 allow remote authenticated users to cause a denial of service (server crash) or possibly execute arbitrary code.
CVE-2014-1598 1 Centurystar Project 1 Centurystar 2020-01-10 10.0 HIGH 9.8 CRITICAL
centurystar 7.12 ActiveX Control has a Stack Buffer Overflow
CVE-2014-8674 1 Soplanning 1 Soplanning 2020-01-10 3.5 LOW 5.4 MEDIUM
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) before 1.33 via the document.cookie in nb_mois and mb_ligness and the debug GET parameter to export.php, which allows malicious users to execute arbitrary code.
CVE-2019-5989 1 Anglers-net 1 Cgi An-anlyzer 2020-01-10 4.3 MEDIUM 6.1 MEDIUM
DOM-based cross-site scripting vulnerability in Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allows remote attackers to inject arbitrary web script or HTML via the Analysis Object Page.
CVE-2014-0183 1 Redhat 1 Subscription Asset Manager 2020-01-10 4.3 MEDIUM 6.1 MEDIUM
Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to a XSS via HTML in the systems name when registering.
CVE-2019-19628 1 Gitlab 1 Gitlab 2020-01-10 7.5 HIGH 9.8 CRITICAL
In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions.
CVE-2019-19314 1 Gitlab 1 Gitlab 2020-01-10 5.0 MEDIUM 7.5 HIGH
GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext.
CVE-2011-3585 2 Redhat, Samba 2 Enterprise Linux, Samba 2020-01-10 1.9 LOW 4.7 MEDIUM
Multiple race conditions in the (1) mount.cifs and (2) umount.cifs programs in Samba 3.6 allow local users to cause a denial of service (mounting outage) via a SIGKILL signal during a time window when the /etc/mtab~ file exists.
CVE-2019-9668 1 Rovinbhandari Ftp Project 1 Rovinbhandari Ftp 2020-01-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in rovinbhandari FTP through 2012-03-28. receive_file in file_transfer_functions.c allows remote attackers to cause a denial of service (daemon crash) via a 0xffff datalen field value.
CVE-2014-1409 1 Mobileiron 2 Sentry, Virtual Smartphone Platform 2020-01-10 6.4 MEDIUM 9.1 CRITICAL
MobileIron VSP versions prior to 5.9.1 and Sentry versions prior to 5.0 have an authentication bypass vulnerability due to an XML file with obfuscated passwords
CVE-2012-2580 1 Postieplugin 1 Postie 2020-01-10 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Postie plugin 1.4.3, and possibly before 1.5.15, for WordPress allows remote attackers to inject arbitrary web script or HTML via the From field of an email.
CVE-2019-17667 1 Comtechtel 2 H8 Heights Remote Gateway, H8 Heights Remote Gateway Firmware 2020-01-10 3.5 LOW 5.4 MEDIUM
Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field.
CVE-2020-6166 1 Webfactoryltd 1 Minimal Coming Soon \& Maintenance Mode 2020-01-10 5.5 MEDIUM 5.4 MEDIUM
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes.
CVE-2016-6588 1 Symantec 1 It Management Suite 2020-01-10 3.5 LOW 5.4 MEDIUM
A Cross-Site Scripting (XSS) vulnerability exists in the ITMS workflow process manager console in Symantec IT Management Suite 8.0.
CVE-2012-5663 1 Openbsd 1 Textproc\/isearch 2020-01-10 5.0 MEDIUM 7.5 HIGH
The isearch package (textproc/isearch) before 1.47.01nb1 uses the tempnam() function to create insecure temporary files into a publicly-writable area (/tmp).
CVE-2013-0264 1 Redhat 1 Mrg Management Console 2020-01-10 5.0 MEDIUM 7.5 HIGH
An import error was introduced in Cumin in the code refactoring in r5310. Server certificate validation is always disabled when connecting to Aviary servers, even if the installed packages on a system support it.
CVE-2014-0104 1 Clusterlabs 1 Fence-agents 2020-01-10 4.3 MEDIUM 5.9 MEDIUM
In fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script which can potentially allow for man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates.
CVE-2014-0161 1 Ovirt-engine-sdk-python Project 1 Ovirt-engine-sdk-python 2020-01-10 4.3 MEDIUM 5.9 MEDIUM
ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate.
CVE-2020-6167 1 Webfactoryltd 1 Minimal Coming Soon \& Maintenance Mode 2020-01-10 6.8 MEDIUM 8.8 HIGH
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows a CSRF attack to enable maintenance mode, inject XSS, modify several important settings, or include remote files as a logo.
CVE-2019-14866 2 Gnu, Redhat 2 Cpio, Enterprise Linux 2020-01-10 6.9 MEDIUM 7.3 HIGH
In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.
CVE-2019-14819 1 Redhat 1 Openshift Container Platform 2020-01-10 6.5 MEDIUM 8.8 HIGH
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.
CVE-2014-5118 3 Fedoraproject, Redhat, Trusted Boot Project 3 Fedora, Enterprise Linux, Trusted Boot 2020-01-10 2.1 LOW 5.5 MEDIUM
Trusted Boot (tboot) before 1.8.2 has a 'loader.c' Security Bypass Vulnerability
CVE-2013-4764 1 Samsung 4 Galaxy S3, Galaxy S3 Firmware, Galaxy S4 and 1 more 2020-01-10 2.1 LOW 4.3 MEDIUM
Samsung Galaxy S3/S4 exposes an unprotected component allowing an unprivileged app to send arbitrary SMS texts to arbitrary destinations without permission.
CVE-2013-4763 1 Samsung 4 Galaxy S3, Galaxy S3 Firmware, Galaxy S4 and 1 more 2020-01-10 2.1 LOW 4.6 MEDIUM
Samsung Galaxy S3/S4 exposes an unprotected component allowing arbitrary SMS text messages without requesting permission.
CVE-2019-5844 1 Google 1 Chrome 2020-01-10 4.3 MEDIUM 6.5 MEDIUM
Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2019-5845 1 Google 1 Chrome 2020-01-10 4.3 MEDIUM 6.5 MEDIUM
Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2019-5846 1 Google 1 Chrome 2020-01-10 4.3 MEDIUM 6.5 MEDIUM
Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2013-4976 1 Hikvision 2 Ds-2cd7153-e, Ds-2cd7153-e Firmware 2020-01-10 7.5 HIGH 9.8 CRITICAL
Hikvision DS-2CD7153-E IP Camera has security bypass via hardcoded credentials
CVE-2019-18263 1 Philips 6 Endura, Endura Firmware, Pulsera and 3 more 2020-01-10 3.3 LOW 6.5 MEDIUM
An issue was found in Philips Veradius Unity, Pulsera, and Endura Dual WAN Router, Veradius Unity (718132) with wireless option (shipped between 2016-August 2018), Veradius Unity (718132) with ViewForum option (shipped between 2016-August 2018), Pulsera (718095) and Endura (718075) with wireless option (shipped between 26-June-2017 through 07-August 2018), Pulsera (718095) and Endura (718075) with ViewForum option (shipped between 26-June-2017 through 07-August 2018). The router software uses an encryption scheme that is not strong enough for the level of protection required.
CVE-2014-7297 1 Kriesi 1 Enfold 2020-01-10 10.0 HIGH N/A
Unspecified vulnerability in the folder framework in the Enfold theme before 3.0.1 for WordPress has unknown impact and attack vectors.
CVE-2018-0576 1 Wp-events-plugin 1 Events Manager 2020-01-10 3.5 LOW 5.4 MEDIUM
Cross-site scripting vulnerability in Events Manager plugin prior to version 5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2020-6622 1 Nothings 1 Stb Truetype.h 2020-01-10 6.8 MEDIUM 8.8 HIGH
stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__buf_peek8.