Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-19265 1 Icewarp 1 Mail Server 2020-01-08 4.3 MEDIUM 6.1 MEDIUM
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 1 of 2) in notes for contacts.
CVE-2019-19266 1 Icewarp 1 Mail Server 2020-01-08 3.5 LOW 5.4 MEDIUM
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects.
CVE-2019-10672 1 Symonics 1 Libmysofa 2020-01-08 7.5 HIGH 9.8 CRITICAL
treeRead in hdf/btree.c in libmysofa before 0.7 does not properly validate multiplications and additions.
CVE-2019-19310 1 Gitlab 1 Gitlab 2020-01-08 4.0 MEDIUM 4.9 MEDIUM
GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure.
CVE-2018-20488 1 Gitlab 1 Gitlab 2020-01-08 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.
CVE-2019-19722 1 Dovecot 1 Dovecot 2020-01-08 5.0 MEDIUM 5.3 MEDIUM
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.
CVE-2018-20490 1 Gitlab 1 Gitlab 2020-01-08 3.5 LOW 5.4 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
CVE-2018-20491 1 Gitlab 1 Gitlab 2020-01-08 3.5 LOW 5.4 MEDIUM
An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
CVE-2018-20498 1 Gitlab 1 Gitlab 2020-01-08 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
CVE-2018-20501 1 Gitlab 1 Gitlab 2020-01-08 6.5 MEDIUM 6.3 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
CVE-2013-4744 1 Phpunit Project 1 Phpunit 2020-01-08 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the PHPUnit extension before 3.5.15 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2019-16780 1 Wordpress 1 Wordpress 2020-01-08 3.5 LOW 5.4 MEDIUM
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
CVE-2019-16781 1 Wordpress 1 Wordpress 2020-01-08 3.5 LOW 5.4 MEDIUM
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.
CVE-2019-17672 1 Wordpress 1 Wordpress 2020-01-08 4.3 MEDIUM 6.1 MEDIUM
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
CVE-2019-17674 1 Wordpress 1 Wordpress 2020-01-08 3.5 LOW 5.4 MEDIUM
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
CVE-2019-20041 1 Wordpress 1 Wordpress 2020-01-08 7.5 HIGH 9.8 CRITICAL
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
CVE-2019-19844 2 Canonical, Djangoproject 2 Ubuntu Linux, Django 2020-01-08 5.0 MEDIUM 9.8 CRITICAL
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
CVE-2013-3937 1 Xnview 1 Xnview 2020-01-08 6.8 MEDIUM 7.8 HIGH
Heap-based buffer overflow in xnview.exe in XnView before 2.13 allows remote attackers to execute arbitrary code via the biBitCount field in a BMP file.
CVE-2013-5637 1 Pqigroup 2 Air Card, Air Card Firmware 2020-01-08 3.5 LOW 5.4 MEDIUM
PQI AirCard has persistent XSS
CVE-2013-5638 1 Transcend-info 2 Wifisd, Wifisd Firmware 2020-01-08 3.5 LOW 5.4 MEDIUM
Transcend WiFiSD 1.8 has persistent XSS
CVE-2013-5657 1 Aultware 1 Pwstore 2020-01-08 5.0 MEDIUM 7.5 HIGH
AultWare pwStore 2010.8.30.0 has DoS via an empty HTTP request
CVE-2013-5658 1 Aultware 1 Pwstore 2020-01-08 4.3 MEDIUM 6.1 MEDIUM
AultWare pwStore 2010.8.30.0 has XSS
CVE-2018-20496 1 Gitlab 1 Gitlab 2020-01-07 3.5 LOW 5.4 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
CVE-2018-20495 1 Gitlab 1 Gitlab 2020-01-07 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.
CVE-2017-18514 1 Simplerealtytheme 1 Simple Login Log 2020-01-07 7.5 HIGH 9.8 CRITICAL
The simple-login-log plugin before 1.1.2 for WordPress has SQL injection.
CVE-2019-20047 1 Al-enterprise 2 Omnivista 4760, Omnivista 8770 2020-01-07 5.0 MEDIUM 7.5 HIGH
An issue was discovered on Alcatel-Lucent OmniVista 4760 devices, and 8770 devices before 4.1.2. An incorrect web server configuration allows a remote unauthenticated attacker to retrieve the content of its own session files. Every session file contains the administrative LDAP credentials encoded in a reversible format. Sessions are stored in /sessions/sess_<sessionid>.
CVE-2014-4558 1 Cybercompany 1 Swipehq-payment-gateway-woocommerce 2020-01-07 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter.
CVE-2019-20140 1 Libsixel Project 1 Libsixel 2020-01-07 6.8 MEDIUM 8.8 HIGH
An issue was discovered in libsixel 1.8.4. There is a heap-based buffer overflow in the function gif_out_code at fromgif.c.
CVE-2019-20048 1 Al-enterprise 1 Omnivista 8770 2020-01-07 9.0 HIGH 7.2 HIGH
An issue was discovered on Alcatel-Lucent OmniVista 8770 devices before 4.1.2. An authenticated remote attacker, with elevated privileges in the Web Directory component on port 389, may upload a PHP file to achieve Remote Code Execution as SYSTEM.
CVE-2019-19734 1 Mfscripts 1 Yetishare 2020-01-07 6.5 MEDIUM 8.8 HIGH
_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.
CVE-2018-20493 1 Gitlab 1 Gitlab 2020-01-07 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
CVE-2018-20499 1 Gitlab 1 Gitlab 2020-01-07 6.4 MEDIUM 7.2 HIGH
An issue was discovered in GitLab Community and Enterprise Edition before 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.
CVE-2019-19737 1 Mfscripts 1 Yetishare 2020-01-07 6.8 MEDIUM 8.8 HIGH
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks.
CVE-2019-20049 1 Al-enterprise 1 Omnivista 4760 2020-01-07 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Alcatel-Lucent OmniVista 4760 devices. A remote unauthenticated attacker can chain a directory traversal (which helps to bypass authentication) with an insecure file upload to achieve Remote Code Execution as SYSTEM. The directory traversal is in the __construct() whereas the insecure file upload is in SetSkinImages().
CVE-2019-19736 1 Mfscripts 1 Yetishare 2020-01-07 4.3 MEDIUM 6.1 MEDIUM
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scripting.
CVE-2015-6671 1 Edx 1 Edx-platform 2020-01-07 4.3 MEDIUM 5.9 MEDIUM
Open edX edx-platform before 2015-08-25 requires use of the database for storage of SAML SSO secrets, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging access to a database backup.
CVE-2015-6960 1 Edx 1 Edx-platform 2020-01-07 4.3 MEDIUM 6.1 MEDIUM
edx-platform before 2015-09-17 allows XSS via a team name.
CVE-2017-18380 1 Edx 1 Edx-platform 2020-01-07 5.0 MEDIUM 7.5 HIGH
edx-platform before 2017-08-03 allows attackers to trigger password-reset e-mail messages in which the reset link has an attacker-controlled domain name.
CVE-2018-20494 1 Gitlab 1 Gitlab 2020-01-07 5.0 MEDIUM 7.5 HIGH
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
CVE-2014-4567 1 Videowhisper 1 Video Comments Webcam Recorder 2020-01-07 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in comments/videowhisper2/r_logout.php in the Video Comments Webcam Recorder plugin 1.55, as downloaded before 20140116 for WordPress allows remote attackers to inject arbitrary web script or HTML via the message parameter.
CVE-2016-10766 1 Edx 1 Edx-platform 2020-01-07 6.8 MEDIUM 8.8 HIGH
edx-platform before 2016-06-06 allows CSRF.
CVE-2015-5595 1 Zenphoto 1 Zenphoto 2020-01-07 4.3 MEDIUM 6.5 MEDIUM
Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption).
CVE-2016-10765 1 Edx 1 Edx-platform 2020-01-07 5.0 MEDIUM 5.3 MEDIUM
edx-platform before 2016-06-10 allows account activation with a spoofed e-mail address.
CVE-2014-3136 1 Dlink 2 Dwr-113, Dwr-113 Firmware 2020-01-07 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in D-Link DWR-113 (Rev. Ax) with firmware before 2.03b02 allows remote attackers to hijack the authentication of administrators for requests that change the admin password via unspecified vectors.
CVE-2015-5593 1 Zenphoto 1 Zenphoto 2020-01-07 4.3 MEDIUM 6.1 MEDIUM
The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in "<<script></script>script>payload<script></script></script>", or in an image tag, with the payload as the onerror event.
CVE-2013-3935 1 Opsview 2 Opsview, Opsview Core 2020-01-07 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.1 and Opsview Core before 20130522 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors.
CVE-2019-15912 1 Asus 14 As-101, As-101 Firmware, Dl-101 and 11 more 2020-01-07 5.0 MEDIUM 7.5 HIGH
An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO. Attackers can use the ZigBee trust center rejoin procedure to perform mutiple denial of service attacks.
CVE-2015-5592 1 Zenphoto 1 Zenphoto 2020-01-07 4.3 MEDIUM 6.1 MEDIUM
Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allows remote attackers to conduct cross-site scripting (XSS) attacks.
CVE-2019-18267 1 Ge 4 S2020, S2020 Firmware, S2020g and 1 more 2020-01-07 3.5 LOW 5.4 MEDIUM
An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary Javascript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site scripting vulnerability that may allow session hijacking, disclosure of sensitive data, cross-site request forgery (CSRF) attacks, and remote code execution.
CVE-2019-19788 1 Opera 1 Opera 2020-01-07 2.1 LOW 5.5 MEDIUM
Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction from a third-party context.