Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19265 | 1 Icewarp | 1 Mail Server | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 1 of 2) in notes for contacts. | |||||
| CVE-2019-19266 | 1 Icewarp | 1 Mail Server | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects. | |||||
| CVE-2019-10672 | 1 Symonics | 1 Libmysofa | 2020-01-08 | 7.5 HIGH | 9.8 CRITICAL |
| treeRead in hdf/btree.c in libmysofa before 0.7 does not properly validate multiplications and additions. | |||||
| CVE-2019-19310 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure. | |||||
| CVE-2018-20488 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure. | |||||
| CVE-2019-19722 | 1 Dovecot | 1 Dovecot | 2020-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. | |||||
| CVE-2018-20490 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | |||||
| CVE-2018-20491 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | |||||
| CVE-2018-20498 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2018-20501 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2013-4744 | 1 Phpunit Project | 1 Phpunit | 2020-01-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the PHPUnit extension before 3.5.15 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2019-16780 | 1 Wordpress | 1 Wordpress | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled. | |||||
| CVE-2019-16781 | 1 Wordpress | 1 Wordpress | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS. | |||||
| CVE-2019-17672 | 1 Wordpress | 1 Wordpress | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. | |||||
| CVE-2019-17674 | 1 Wordpress | 1 Wordpress | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. | |||||
| CVE-2019-20041 | 1 Wordpress | 1 Wordpress | 2020-01-08 | 7.5 HIGH | 9.8 CRITICAL |
| wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring. | |||||
| CVE-2019-19844 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2020-01-08 | 5.0 MEDIUM | 9.8 CRITICAL |
| Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) | |||||
| CVE-2013-3937 | 1 Xnview | 1 Xnview | 2020-01-08 | 6.8 MEDIUM | 7.8 HIGH |
| Heap-based buffer overflow in xnview.exe in XnView before 2.13 allows remote attackers to execute arbitrary code via the biBitCount field in a BMP file. | |||||
| CVE-2013-5637 | 1 Pqigroup | 2 Air Card, Air Card Firmware | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| PQI AirCard has persistent XSS | |||||
| CVE-2013-5638 | 1 Transcend-info | 2 Wifisd, Wifisd Firmware | 2020-01-08 | 3.5 LOW | 5.4 MEDIUM |
| Transcend WiFiSD 1.8 has persistent XSS | |||||
| CVE-2013-5657 | 1 Aultware | 1 Pwstore | 2020-01-08 | 5.0 MEDIUM | 7.5 HIGH |
| AultWare pwStore 2010.8.30.0 has DoS via an empty HTTP request | |||||
| CVE-2013-5658 | 1 Aultware | 1 Pwstore | 2020-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| AultWare pwStore 2010.8.30.0 has XSS | |||||
| CVE-2018-20496 | 1 Gitlab | 1 Gitlab | 2020-01-07 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS. | |||||
| CVE-2018-20495 | 1 Gitlab | 1 Gitlab | 2020-01-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure. | |||||
| CVE-2017-18514 | 1 Simplerealtytheme | 1 Simple Login Log | 2020-01-07 | 7.5 HIGH | 9.8 CRITICAL |
| The simple-login-log plugin before 1.1.2 for WordPress has SQL injection. | |||||
| CVE-2019-20047 | 1 Al-enterprise | 2 Omnivista 4760, Omnivista 8770 | 2020-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Alcatel-Lucent OmniVista 4760 devices, and 8770 devices before 4.1.2. An incorrect web server configuration allows a remote unauthenticated attacker to retrieve the content of its own session files. Every session file contains the administrative LDAP credentials encoded in a reversible format. Sessions are stored in /sessions/sess_<sessionid>. | |||||
| CVE-2014-4558 | 1 Cybercompany | 1 Swipehq-payment-gateway-woocommerce | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter. | |||||
| CVE-2019-20140 | 1 Libsixel Project | 1 Libsixel | 2020-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in libsixel 1.8.4. There is a heap-based buffer overflow in the function gif_out_code at fromgif.c. | |||||
| CVE-2019-20048 | 1 Al-enterprise | 1 Omnivista 8770 | 2020-01-07 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered on Alcatel-Lucent OmniVista 8770 devices before 4.1.2. An authenticated remote attacker, with elevated privileges in the Web Directory component on port 389, may upload a PHP file to achieve Remote Code Execution as SYSTEM. | |||||
| CVE-2019-19734 | 1 Mfscripts | 1 Yetishare | 2020-01-07 | 6.5 MEDIUM | 8.8 HIGH |
| _account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. | |||||
| CVE-2018-20493 | 1 Gitlab | 1 Gitlab | 2020-01-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2018-20499 | 1 Gitlab | 1 Gitlab | 2020-01-07 | 6.4 MEDIUM | 7.2 HIGH |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF. | |||||
| CVE-2019-19737 | 1 Mfscripts | 1 Yetishare | 2020-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks. | |||||
| CVE-2019-20049 | 1 Al-enterprise | 1 Omnivista 4760 | 2020-01-07 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Alcatel-Lucent OmniVista 4760 devices. A remote unauthenticated attacker can chain a directory traversal (which helps to bypass authentication) with an insecure file upload to achieve Remote Code Execution as SYSTEM. The directory traversal is in the __construct() whereas the insecure file upload is in SetSkinImages(). | |||||
| CVE-2019-19736 | 1 Mfscripts | 1 Yetishare | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scripting. | |||||
| CVE-2015-6671 | 1 Edx | 1 Edx-platform | 2020-01-07 | 4.3 MEDIUM | 5.9 MEDIUM |
| Open edX edx-platform before 2015-08-25 requires use of the database for storage of SAML SSO secrets, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging access to a database backup. | |||||
| CVE-2015-6960 | 1 Edx | 1 Edx-platform | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| edx-platform before 2015-09-17 allows XSS via a team name. | |||||
| CVE-2017-18380 | 1 Edx | 1 Edx-platform | 2020-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| edx-platform before 2017-08-03 allows attackers to trigger password-reset e-mail messages in which the reset link has an attacker-controlled domain name. | |||||
| CVE-2018-20494 | 1 Gitlab | 1 Gitlab | 2020-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2014-4567 | 1 Videowhisper | 1 Video Comments Webcam Recorder | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in comments/videowhisper2/r_logout.php in the Video Comments Webcam Recorder plugin 1.55, as downloaded before 20140116 for WordPress allows remote attackers to inject arbitrary web script or HTML via the message parameter. | |||||
| CVE-2016-10766 | 1 Edx | 1 Edx-platform | 2020-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| edx-platform before 2016-06-06 allows CSRF. | |||||
| CVE-2015-5595 | 1 Zenphoto | 1 Zenphoto | 2020-01-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption). | |||||
| CVE-2016-10765 | 1 Edx | 1 Edx-platform | 2020-01-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| edx-platform before 2016-06-10 allows account activation with a spoofed e-mail address. | |||||
| CVE-2014-3136 | 1 Dlink | 2 Dwr-113, Dwr-113 Firmware | 2020-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in D-Link DWR-113 (Rev. Ax) with firmware before 2.03b02 allows remote attackers to hijack the authentication of administrators for requests that change the admin password via unspecified vectors. | |||||
| CVE-2015-5593 | 1 Zenphoto | 1 Zenphoto | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in "<<script></script>script>payload<script></script></script>", or in an image tag, with the payload as the onerror event. | |||||
| CVE-2013-3935 | 1 Opsview | 2 Opsview, Opsview Core | 2020-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.1 and Opsview Core before 20130522 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors. | |||||
| CVE-2019-15912 | 1 Asus | 14 As-101, As-101 Firmware, Dl-101 and 11 more | 2020-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO. Attackers can use the ZigBee trust center rejoin procedure to perform mutiple denial of service attacks. | |||||
| CVE-2015-5592 | 1 Zenphoto | 1 Zenphoto | 2020-01-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allows remote attackers to conduct cross-site scripting (XSS) attacks. | |||||
| CVE-2019-18267 | 1 Ge | 4 S2020, S2020 Firmware, S2020g and 1 more | 2020-01-07 | 3.5 LOW | 5.4 MEDIUM |
| An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary Javascript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site scripting vulnerability that may allow session hijacking, disclosure of sensitive data, cross-site request forgery (CSRF) attacks, and remote code execution. | |||||
| CVE-2019-19788 | 1 Opera | 1 Opera | 2020-01-07 | 2.1 LOW | 5.5 MEDIUM |
| Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction from a third-party context. | |||||
