Weekly Vulnerabilities Reports > May 13 to 19, 2019

Overview

411 new vulnerabilities reported during this period, including 44 critical vulnerabilities and 94 high severity vulnerabilities. This weekly summary report vulnerabilities in 1258 products from 128 vendors including Microsoft, Cisco, Intel, Cybozu, and Gitlab. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Out-of-bounds Write", "OS Command Injection", and "Path Traversal".

  • 321 reported vulnerabilities are remotely exploitables.
  • 19 reported vulnerabilities have public exploit available.
  • 145 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 320 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 82 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 22 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

44 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-05-17 CVE-2019-4279 IBM Deserialization of Untrusted Data vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources.

10.0
2019-05-16 CVE-2019-0708 Microsoft USE After Free vulnerability in Microsoft products

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

10.0
2019-05-16 CVE-2019-1821 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system.

10.0
2019-05-14 CVE-2018-11691 Emerson USE of Hard-Coded Credentials vulnerability in Emerson Ve6046 Firmware 09.0.12

Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches’ management password upon commissioning.

10.0
2019-05-13 CVE-2018-4018 Anker IN Improper Input Validation vulnerability in Anker-In Roav Dashcam A1 Firmware 1.9

An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version RoavA1SWV1.9.

10.0
2019-05-13 CVE-2018-19990 D Link OS Command Injection vulnerability in D-Link Dir-822 Firmware 202Krb06

In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vulnerable, and the vulnerability affects D-Link DIR-822 B1 202KRb06 devices.

10.0
2019-05-13 CVE-2018-19989 D Link OS Command Injection vulnerability in D-Link Dir-822 Firmware 202Krb06/3.10B06

In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices.

10.0
2019-05-13 CVE-2018-19987 D Link OS Command Injection vulnerability in D-Link products

D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode.

10.0
2019-05-13 CVE-2018-19986 D Link OS Command Injection vulnerability in D-Link Dir-818Lw Firmware and Dir-822 Firmware

In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices.

10.0
2019-05-13 CVE-2018-15128 Polycom Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Polycom Group Series, HDX and Pano

An issue was discovered in Polycom Group Series 6.1.6.1 and earlier, HDX 3.1.12 and earlier, and Pano 1.1.1 and earlier.

10.0
2019-05-13 CVE-2018-14714 Asus Unspecified vulnerability in Asus Rt-Ac3200 Firmware 3.0.0.4.382.50010

System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter.

10.0
2019-05-16 CVE-2019-0953 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0947 Microsoft Data Processing Errors vulnerability in Microsoft Office 2010

A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0946 Microsoft Data Processing Errors vulnerability in Microsoft Office and Office 365 Proplus

A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0945 Microsoft Data Processing Errors vulnerability in Microsoft Office and Office 365

A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0903 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0902 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0901 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0900 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0899 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0898 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0897 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0896 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0895 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0894 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0893 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0891 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0890 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0889 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0885 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.

9.3
2019-05-16 CVE-2019-0734 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully decode and replace authentication request using Kerberos, allowing an attacker to be validated as an Administrator.The update addresses this vulnerability by changing how these requests are validated., aka 'Windows Elevation of Privilege Vulnerability'.

9.3
2019-05-15 CVE-2019-1773 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-05-15 CVE-2019-1772 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-05-15 CVE-2019-5526 Vmware Uncontrolled Search Path Element vulnerability in VMWare Workstation

VMware Workstation (15.x before 15.1.0) contains a DLL hijacking issue because some DLL files are improperly loaded by the application.

9.3
2019-05-17 CVE-2019-12170 Atutor Unrestricted Upload of File With Dangerous Type vulnerability in Atutor

ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component.

9.0
2019-05-17 CVE-2019-12168 Four Faith Missing Authorization vulnerability in Four-Faith F3X24 Firmware 1.0

Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.

9.0
2019-05-16 CVE-2019-0971 Microsoft Improper Encoding OR Escaping of Output vulnerability in Microsoft Azure Devops Server and Team Foundation Server

An information disclosure vulnerability exists when Azure DevOps Server and Microsoft Team Foundation Server do not properly sanitize a specially crafted authentication request to an affected server, aka 'Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability'.

9.0
2019-05-16 CVE-2019-1823 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system.

9.0
2019-05-16 CVE-2019-1822 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system.

9.0
2019-05-14 CVE-2019-12099 PHP Fusion Unrestricted Upload of File With Dangerous Type vulnerability in PHP-Fusion

In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.

9.0
2019-05-14 CVE-2019-11328 Sylabs Incorrect Permission Assignment FOR Critical Resource vulnerability in Sylabs Singularity 3.1.0/3.1.1/3.2.0

An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g.

9.0
2019-05-14 CVE-2019-10918 Siemens Improper Input Validation vulnerability in Siemens products

A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions < V14 SP1 Upd 9), SIMATIC WinCC (TIA Portal) V15 (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3).

9.0
2019-05-14 CVE-2019-10916 Siemens Improper Input Validation vulnerability in Siemens products

A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions < V14 SP1 Upd 9), SIMATIC WinCC (TIA Portal) V15 (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3).

9.0
2019-05-13 CVE-2019-1862 Cisco Improper Input Validation vulnerability in Cisco IOS XE 16.3.7

A vulnerability in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges.

9.0

94 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-05-13 CVE-2018-4017 Anker IN USE of Hard-Coded Credentials vulnerability in Anker-In Roav Dashcam A1 Firmware Roava1Swv1.9

An exploitable vulnerability exists in the Wi-Fi Access Point feature of the Roav A1 Dashcam running version RoavA1SWV1.9.

8.3
2019-05-13 CVE-2018-4028 Anker IN Incorrect Permission Assignment FOR Critical Resource vulnerability in Anker-In Roav Dashcam A1 Firmware 1.9

An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9.

7.8
2019-05-13 CVE-2018-4027 Anker IN Improper Synchronization vulnerability in Anker-In Roav Dashcam A1 Firmware 1.9

An exploitable denial-of-service vulnerability exists in the XML_UploadFile Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9.

7.8
2019-05-13 CVE-2018-4026 Anker IN Improper Input Validation vulnerability in Anker-In Roav Dashcam A1 Firmware 1.9

An exploitable denial-of-service vulnerability exists in the XML_GetScreen Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9.

7.8
2019-05-13 CVE-2018-4025 Anker IN Buffer Errors vulnerability in Anker-In Roav Dashcam A1 Firmware 1.9

An exploitable denial-of-service vulnerability exists in the XML_GetRawEncJpg Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9.

7.8
2019-05-13 CVE-2018-4024 Anker IN Null Pointer Dereference vulnerability in Anker-In Roav Dashcam A1 Firmware 1.9

An exploitable denial-of-service vulnerability exists in the thumbnail display functionality of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9.

7.8
2019-05-16 CVE-2019-0940 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge and Internet Explorer

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0937 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0933 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0929 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Internet Explorer 11

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka 'Internet Explorer Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0927 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0926 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka 'Microsoft Edge Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0925 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0924 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0923 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0922 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0918 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0917 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0916 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0915 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0914 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0913 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0912 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0911 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore, Edge and Internet Explorer

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-16 CVE-2019-0884 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge and Internet Explorer

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-05-17 CVE-2019-12160 Gohttp Project USE After Free vulnerability in Gohttp Project Gohttp

GoHTTP through 2017-07-25 has a sendHeader use-after-free.

7.5
2019-05-17 CVE-2019-12158 Gohttp Project Out-Of-Bounds Write vulnerability in Gohttp Project Gohttp

GoHTTP through 2017-07-25 has a GetExtension heap-based buffer overflow via a long extension.

7.5
2019-05-17 CVE-2019-11887 Simplybook Unrestricted Upload of File With Dangerous Type vulnerability in Simplybook 20190423/20190511

SimplyBook.me through 2019-05-11 does not properly restrict File Upload which could allow remote code execution.

7.5
2019-05-17 CVE-2019-5953 GNU Out-Of-Bounds Write vulnerability in GNU Wget

Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors.

7.5
2019-05-17 CVE-2019-0172 Intel Unspecified vulnerability in Intel Unite 3.1.0/3.1.1

A logic issue in Intel Unite(R) Client for Android prior to version 4.0 may allow a remote attacker to potentially enable escalation of privilege via network access.

7.5
2019-05-17 CVE-2019-0153 Intel Buffer Errors vulnerability in Intel Converged Security Management Engine Firmware 12.0.5

Buffer overflow in subsystem in Intel(R) CSME 12.0.0 through 12.0.34 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

7.5
2019-05-17 CVE-2018-17181 Open EMR SQL Injection vulnerability in Open-Emr Openemr

An issue was discovered in OpenEMR before 5.0.1 Patch 7.

7.5
2019-05-17 CVE-2018-17179 Open EMR SQL Injection vulnerability in Open-Emr Openemr

An issue was discovered in OpenEMR before 5.0.1 Patch 7.

7.5
2019-05-16 CVE-2019-10913 Sensiolabs Cross-Site Scripting vulnerability in Sensiolabs Symfony

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS.

7.5
2019-05-16 CVE-2019-10910 Sensiolabs SQL Injection vulnerability in Sensiolabs Symfony

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution.

7.5
2019-05-16 CVE-2019-0725 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

7.5
2019-05-15 CVE-2013-7285 Xstream Project Command Injection vulnerability in Xstream Project Xstream

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format.

7.5
2019-05-15 CVE-2019-3725 RSA OS Command Injection vulnerability in RSA Netwitness and Security Analytics

RSA Netwitness Platform versions prior to 11.2.1.1 and RSA Security Analytics versions prior to 10.6.6.1 are vulnerable to a Command Injection vulnerability due to missing input validation in the product.

7.5
2019-05-14 CVE-2018-14839 LG OS Command Injection vulnerability in LG N1A1 Firmware 3718.510

LG N1A1 NAS 3718.510 is affected by: Remote Command Execution.

7.5
2019-05-14 CVE-2019-3568 Whatsapp Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Whatsapp

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.

7.5
2019-05-14 CVE-2019-10922 Siemens Improper Access Control vulnerability in Siemens Simatic PCS 7 and Simatic Wincc

A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 and newer (All versions), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 and newer (All versions).

7.5
2019-05-14 CVE-2019-10919 Siemens Missing Authentication for Critical Function vulnerability in Siemens Logo!8 BM Firmware

A vulnerability has been identified in LOGO! 8 BM (incl.

7.5
2019-05-14 CVE-2018-8940 Enghouse XXE vulnerability in Enghouse Contact Center: Service Provider 7.2.5

ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the application, forcing the application to load and parse the malicious XML file, aka an XXE issue.

7.5
2019-05-14 CVE-2019-8923 Apachefriends SQL Injection vulnerability in Apachefriends Xampp 1.5.2/1.7.0/5.6.8

XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf.php jahr parameter.

7.5
2019-05-14 CVE-2018-18800 Tubigan SQL Injection vulnerability in Tubigan Welcome TO OUR Resort 1.0

The Tubigan "Welcome to our Resort" 1.0 software allows SQL Injection via index.php?p=accomodation&q=[SQL], index.php?p=rooms&q=[SQL], or admin/login.php.

7.5
2019-05-13 CVE-2019-9618 Gracemedia Media Player Project Path Traversal vulnerability in Gracemedia Media Player Project Gracemedia Media Player 1.0

The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.

7.5
2019-05-13 CVE-2019-10053 Suricata IDS Integer Underflow (Wrap OR Wraparound) vulnerability in Suricata-Ids Suricata 4.1.0

An issue was discovered in Suricata 4.1.x before 4.1.4.

7.5
2019-05-13 CVE-2018-18912 Sharing File Out-Of-Bounds Write vulnerability in Sharing-File Easy File Sharing web Server 7.2

An issue was discovered in Easy File Sharing (EFS) Web Server 7.2.

7.5
2019-05-13 CVE-2019-11680 Konakart Unspecified vulnerability in Konakart 8.9.0.0

KonaKart 8.9.0.0 is vulnerable to Remote Code Execution by uploading a web shell as a product category image.

7.5
2019-05-13 CVE-2018-4029 Anker IN Out-Of-Bounds Write vulnerability in Anker-In Roav Dashcam A1 Firmware 1.9

An exploitable code execution vulnerability exists in the HTTP request-parsing function of the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9.

7.5
2019-05-13 CVE-2018-4023 Anker IN Out-Of-Bounds Write vulnerability in Anker-In Roav Dashcam A1 Firmware 1.9

An exploitable code execution vulnerability exists in the XML_UploadFile Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9.

7.5
2019-05-13 CVE-2018-4016 Anker IN Out-Of-Bounds Write vulnerability in Anker-In Roav Dashcam A1 Firmware Roava1Swv1.9

An exploitable code execution vulnerability exists in the URL-parsing functionality of the Roav A1 Dashcam running version RoavA1SWV1.9.

7.5
2019-05-13 CVE-2018-4014 Anker IN Out-Of-Bounds Write vulnerability in Anker-In Roav Dashcam A1 Firmware Roava1Swv1.9

An exploitable code execution vulnerability exists in Wi-Fi Command 9999 of the Roav A1 Dashcam running version RoavA1SWV1.9.

7.5
2019-05-13 CVE-2018-19988 D Link OS Command Injection vulnerability in D-Link Dir-868L Firmware 2.05B02

In the /HNAP1/SetClientInfoDemo message, the AudioMute and AudioEnable parameters are vulnerable, and the vulnerabilities affect D-Link DIR-868L Rev.B 2.05B02 devices.

7.5
2019-05-13 CVE-2012-6652 Page Flip Book Project Path Traversal vulnerability in Page Flip Book Project Page Flip Book

Directory traversal vulnerability in pageflipbook.php script from index.php in Page Flip Book plugin for WordPress (wppageflip) allows remote attackers to include and execute arbitrary local files via a ..

7.5
2019-05-13 CVE-2018-12295 Seagate SQL Injection vulnerability in Seagate NAS OS 4.3.15.1

SQL injection in folderViewSpecific.psp in Seagate NAS OS version 4.3.15.1 allows attackers to execute arbitrary SQL commands via the dirId URL parameter.

7.5
2019-05-13 CVE-2019-11888 Golang
Microsoft
Improper Privilege Management vulnerability in Golang GO

Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.

7.5
2019-05-17 CVE-2018-16156 Fujitsu Untrusted Search Path vulnerability in Fujitsu Paperstream IP (Twain) 1.42.0.5685

In PaperStream IP (TWAIN) 1.42.0.5685 (Service Update 7), the FJTWSVIC service running with SYSTEM privilege processes unauthenticated messages received over the FjtwMkic_Fjicube_32 named pipe.

7.2
2019-05-17 CVE-2019-0126 Intel Unspecified vulnerability in Intel products

Insufficient access control in silicon reference firmware for Intel(R) Xeon(R) Scalable Processor, Intel(R) Xeon(R) Processor D Family may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access.

7.2
2019-05-17 CVE-2019-0119 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel products

Buffer overflow vulnerability in system firmware for Intel(R) Xeon(R) Processor D Family, Intel(R) Xeon(R) Scalable Processor, Intel(R) Server Board, Intel(R) Server System and Intel(R) Compute Module may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access.

7.2
2019-05-17 CVE-2019-0098 Intel Unspecified vulnerability in Intel products

Logic bug vulnerability in subsystem for Intel(R) CSME before version 12.0.35, Intel(R) TXE before 3.1.65, 4.0.15 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

7.2
2019-05-17 CVE-2019-0091 Intel Code Injection vulnerability in Intel products

Code injection vulnerability in installer for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local access.

7.2
2019-05-16 CVE-2019-0936 Microsoft Link Following vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Microsoft Windows when Windows fails to properly handle certain symbolic links, aka 'Windows Elevation of Privilege Vulnerability'.

7.2
2019-05-16 CVE-2019-0892 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2019-05-16 CVE-2019-0881 Microsoft Insufficiently Protected Credentials vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Kernel improperly handles key enumeration, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

7.2
2019-05-16 CVE-2019-0863 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'.

7.2
2019-05-16 CVE-2019-0727 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file deletion in arbitrary locations.To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability'.

7.2
2019-05-16 CVE-2018-20007 Yeelight Incorrect Permission Assignment for Critical Resource vulnerability in Yeelight Smart AI Speaker Firmware 3.3.100074

Yeelight Smart AI Speaker 3.3.10_0074 devices have improper access control over the UART interface, allowing physical attackers to obtain a root shell.

7.2
2019-05-16 CVE-2019-1780 Cisco Argument Injection OR Modification vulnerability in Cisco Fxos and Nx-Os

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands on the underlying operating system of an affected device with elevated privileges.

7.2
2019-05-16 CVE-2019-1768 Cisco OS Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the implementation of a specific CLI command for Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to cause a buffer overflow condition or perform command injection.

7.2
2019-05-15 CVE-2019-1813 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco Nx-Os

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device.

7.2
2019-05-15 CVE-2019-1812 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco Nx-Os

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device.

7.2
2019-05-15 CVE-2019-1811 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco Nx-Os

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device.

7.2
2019-05-15 CVE-2019-1795 Cisco Argument Injection OR Modification vulnerability in Cisco Fx-Os and Nx-Os

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with the privilege level of root.

7.2
2019-05-15 CVE-2019-1791 Cisco Argument Injection OR Modification vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands with elevated privileges on the underlying operating system of an affected device.

7.2
2019-05-15 CVE-2019-1790 Cisco Argument Injection OR Modification vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with valid administrator credentials to execute arbitrary commands on the underlying operating system of an affected device.

7.2
2019-05-15 CVE-2019-1784 Cisco Argument Injection OR Modification vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with the privilege level of root.

7.2
2019-05-15 CVE-2019-1783 Cisco Argument Injection OR Modification vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands on the underlying Linux operating system with the privilege level of root.

7.2
2019-05-15 CVE-2019-1782 Cisco Argument Injection OR Modification vulnerability in Cisco Fx-Os and Nx-Os

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

7.2
2019-05-15 CVE-2019-1781 Cisco Argument Injection OR Modification vulnerability in Cisco Fx-Os and Nx-Os

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

7.2
2019-05-15 CVE-2019-1779 Cisco Argument Injection OR Modification vulnerability in Cisco Fxos and Nx-Os

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device with elevated privileges.

7.2
2019-05-15 CVE-2019-1778 Cisco OS Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with the privilege level of root.

7.2
2019-05-15 CVE-2019-1776 Cisco OS Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root.

7.2
2019-05-15 CVE-2019-1775 Cisco OS Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

7.2
2019-05-15 CVE-2019-1774 Cisco OS Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

7.2
2019-05-15 CVE-2019-1770 Cisco OS Command Injection vulnerability in Cisco Ns-Ox

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands on the underlying Linux operating system with the privilege level of root.

7.2
2019-05-15 CVE-2019-1769 Cisco OS Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands on the underlying Linux operating system of an attached line card with the privilege level of root.

7.2
2019-05-15 CVE-2019-1767 Cisco OS Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the implementation of a specific CLI command for Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to cause a buffer overflow condition or perform command injection.

7.2
2019-05-15 CVE-2019-1735 Cisco Argument Injection OR Modification vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges on the underlying operating system of an affected device.

7.2
2019-05-15 CVE-2019-1730 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Nx-Os

A vulnerability in the Bash shell implementation for Cisco NX-OS Software could allow an authenticated, local attacker to bypass the limited command set of the restricted Guest Shell and execute commands at the privilege level of a network-admin user outside of the Guest Shell.

7.2
2019-05-15 CVE-2019-1728 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco Nx-Os

A vulnerability in the Secure Configuration Validation functionality of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to run arbitrary commands at system boot time with the privileges of root.

7.2
2019-05-15 CVE-2019-1727 Cisco OS Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the Python scripting subsystem of Cisco NX-OS Software could allow an authenticated, local attacker to escape the Python parser and issue arbitrary commands to elevate the attacker's privilege level.

7.2
2019-05-15 CVE-2019-3727 Dell OS Command Injection vulnerability in Dell products

Dell EMC RecoverPoint versions prior to 5.1.3 and RecoverPoint for VMs versions prior to 5.2.0.2 contain an OS command injection vulnerability in the installation feature of Boxmgmt CLI.

7.2
2019-05-13 CVE-2019-1649 Cisco Improper Locking vulnerability in Cisco products

A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component.

7.2

220 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-05-16 CVE-2019-0931 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations, aka 'Windows Storage Service Elevation of Privilege Vulnerability'.

6.9
2019-05-16 CVE-2019-0707 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it.To exploit the vulnerability, in a local attack scenario, an attacker could run a specially crafted application to elevate the attacker's privilege level, aka 'Windows NDIS Elevation of Privilege Vulnerability'.

6.9
2019-05-15 CVE-2019-1771 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

6.9
2019-05-15 CVE-2019-1732 Cisco OS Command Injection vulnerability in Cisco Nx-Os and NX OS

A vulnerability in the Remote Package Manager (RPM) subsystem of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to leverage a time-of-check, time-of-use (TOCTOU) race condition to corrupt local variables, which could lead to arbitrary command injection.

6.9
2019-05-13 CVE-2018-18558 Espressif Improper Input Validation vulnerability in Espressif Esp-Idf

An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1.

6.9
2019-05-18 CVE-2019-12173 Macdown Project Path Traversal vulnerability in Macdown Project Macdown 0.7.1

MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element.

6.8
2019-05-17 CVE-2019-12172 Typora
Apple
Linux
Microsoft
Path Traversal vulnerability in Typora 0.9.9.21.1

Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows.

6.8
2019-05-17 CVE-2019-11644 F Secure Uncontrolled Search Path Element vulnerability in F-Secure products

In the F-Secure installer in F-Secure SAFE for Windows before 17.6, F-Secure Internet Security before 17.6, F-Secure Anti-Virus before 17.6, F-Secure Client Security Standard and Premium before 14.10, F-Secure PSB Workstation Security before 12.01, and F-Secure Computer Protection Standard and Premium before 19.3, a local user can escalate their privileges through a DLL hijacking attack against the installer.

6.8
2019-05-17 CVE-2019-5958 Soumu Untrusted Search Path vulnerability in Soumu Electronic Reception and Examination of Application FOR Radio Licenses

Untrusted search path vulnerability in Electronic reception and examination of application for radio licenses Offline 1.0.9.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

6.8
2019-05-17 CVE-2019-5957 Soumu Untrusted Search Path vulnerability in Soumu Electronic Reception and Examination of Application FOR Radio Licenses

Untrusted search path vulnerability in Installer of Electronic reception and examination of application for radio licenses Online 1.0.9.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

6.8
2019-05-16 CVE-2019-3839 Artifex
Debian
Opensuse
Fedoraproject
Canonical
Redhat
It was found that in ghostscript some privileged operators remained accessible from various places after the CVE-2019-6116 fix.
6.8
2019-05-16 CVE-2019-0995 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 11

A security feature bypass vulnerability exists when urlmon.dll improperly handles certain Mark of the Web queries, aka 'Internet Explorer Security Feature Bypass Vulnerability'.

6.8
2019-05-16 CVE-2019-0938 Microsoft Unspecified vulnerability in Microsoft Edge

An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser, aka 'Microsoft Edge Elevation of Privilege Vulnerability'.

6.8
2019-05-16 CVE-2019-12137 Typora
Apple
Path Traversal vulnerability in Typora 0.9.9.24.6

Typora 0.9.9.24.6 on macOS allows directory traversal, for execution of arbitrary programs, via a file:/// or ../ substring in a shared note.

6.8
2019-05-15 CVE-2019-1806 Cisco Allocation of Resources Without Limits OR Throttling vulnerability in Cisco products

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco Small Business Sx200, Sx300, Sx500, ESW2 Series Managed Switches and Small Business Sx250, Sx350, Sx550 Series Switches could allow an authenticated, remote attacker to cause the SNMP application of an affected device to cease processing traffic, resulting in the CPU utilization reaching one hundred percent.

6.8
2019-05-14 CVE-2019-0287 SAP Unspecified vulnerability in SAP Businessobjects 4.2/4.3

Under certain conditions SAP BusinessObjects Business Intelligence platform (Central Management Server), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted.

6.8
2019-05-14 CVE-2019-10924 Siemens Deserialization of Untrusted Data vulnerability in Siemens Logo! Soft Comfort

A vulnerability has been identified in LOGO! Soft Comfort (All versions < V8.3).

6.8
2019-05-14 CVE-2019-8978 Ellucian Race Condition vulnerability in Ellucian products

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager.

6.8
2019-05-13 CVE-2018-16136 Ipbrick Cross-Site Request Forgery (CSRF) vulnerability in Ipbrick OS 6.3

An issue was discovered in the administrator interface in IPBRICK OS 6.3.

6.8
2019-05-13 CVE-2019-12083 Rust Lang Out-Of-Bounds Read vulnerability in Rust-Lang Rust 1.34.0/1.34.1

The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety.

6.8
2019-05-13 CVE-2019-11600 Openproject SQL Injection vulnerability in Openproject

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter.

6.8
2019-05-13 CVE-2019-11886 Yellowpencil Cross-Site Request Forgery (CSRF) vulnerability in Yellowpencil Visual CSS Style Editor

The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.

6.8
2019-05-15 CVE-2019-1729 Cisco Improper Input Validation vulnerability in Cisco Nx-Os

A vulnerability in the CLI implementation of a specific command used for image maintenance for Cisco NX-OS Software could allow an authenticated, local attacker to overwrite any file on the file system including system files.

6.6
2019-05-17 CVE-2019-11057 Vtiger SQL Injection vulnerability in Vtiger CRM

SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.

6.5
2019-05-17 CVE-2019-5934 Cybozu SQL Injection vulnerability in Cybozu Garoon

SQL injection vulnerability in the Cybozu Garoon 4.0.0 to 4.10.0 allows attacker with administrator rights to execute arbitrary SQL commands via the Log Search function of application 'logging'.

6.5
2019-05-16 CVE-2019-10912 Sensiolabs Deserialization of Untrusted Data vulnerability in Sensiolabs Symfony

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input.

6.5
2019-05-16 CVE-2019-0958 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Elevation of Privilege Vulnerability'.

6.5
2019-05-16 CVE-2019-0957 Microsoft Improper Input Validation vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Elevation of Privilege Vulnerability'.

6.5
2019-05-16 CVE-2019-0952 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls, aka 'Microsoft SharePoint Server Remote Code Execution Vulnerability'.

6.5
2019-05-15 CVE-2019-11224 Harman OS Command Injection vulnerability in Harman AMX Mvp5150 Firmware 2.87.13

HARMAN AMX MVP5150 v2.87.13 devices allow remote OS Command Injection.

6.5
2019-05-14 CVE-2019-0301 SAP Improper Privilege Management vulnerability in SAP Identity Management 2.0

Under certain conditions, it is possible to request the modification of role or privilege assignments through SAP Identity Management REST Interface Version 2, which would otherwise be restricted only for viewing.

6.5
2019-05-14 CVE-2019-0280 SAP Missing Authorization vulnerability in SAP Treasury and Risk Management

SAP Treasury and Risk Management (EA-FINSERV 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18 and 8.0; S4CORE 1.01, 1.02 and 1.03), does not perform necessary authorization checks for authorization objects T_DEAL_DP and T_DEAL_PD , resulting in escalation of privileges.

6.5
2019-05-13 CVE-2018-16137 Ipbrick SQL Injection vulnerability in Ipbrick OS 6.3

An issue was discovered in the Web Management Console in IPBRICK OS 6.3.

6.5
2019-05-13 CVE-2019-3702 Lifesize Improper Input Validation vulnerability in Lifesize products

A Remote Code Execution issue in the DNS Query Web UI in Lifesize Icon LS_RM3_3.7.0 (2421) allows remote authenticated attackers to execute arbitrary commands via a crafted DNS Query address field in a JSON API request.

6.5
2019-05-17 CVE-2019-7353 Gitlab Information Exposure vulnerability in Gitlab

An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 11.7.x before 11.7.4.

6.4
2019-05-17 CVE-2019-5954 Jreast Unspecified vulnerability in Jreast JR East Japan 1.0/1.2.0/1.2.4

JR East Japan train operation information push notification App for Android version 1.2.4 and earlier allows remote attackers to bypass access restriction to obtain or alter the user's registered information via unspecified vectors.

6.4
2019-05-17 CVE-2019-5883 Gitlab Unspecified vulnerability in Gitlab

An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 6.0 and later but before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1.

6.4
2019-05-15 CVE-2019-5597 Freebsd Improper Input Validation vulnerability in Freebsd 11.2/12.0

In FreeBSD 11.3-PRERELEASE and 12.0-STABLE before r347591, 11.2-RELEASE before 11.2-RELEASE-p10, and 12.0-RELEASE before 12.0-RELEASE-p4, a bug in the pf IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of the first packet allowing maliciously crafted IPv6 packets to cause a crash or potentially bypass the packet filter.

6.4
2019-05-14 CVE-2019-6572 Siemens Permissions, Privileges, and Access Controls vulnerability in Siemens products

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15.1 Update 1), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15.1 Update 1), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 und KTP900F (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Professional (All versions < V15.1 Update 1), SIMATIC WinCC (TIA Portal) (All versions < V15.1 Update 1), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions).

6.4
2019-05-16 CVE-2019-1849 Cisco Improper Check FOR Unusual OR Exceptional Conditions vulnerability in Cisco IOS XR

A vulnerability in the Border Gateway Patrol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device.

6.1
2019-05-16 CVE-2019-1846 Cisco Improper Input Validation vulnerability in Cisco IOS XR 5.3.3

A vulnerability in the Multiprotocol Label Switching (MPLS) Operations, Administration, and Maintenance (OAM) implementation of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device.

6.1
2019-05-16 CVE-2019-10911 Sensiolabs Information Exposure vulnerability in Sensiolabs Symfony

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.

6.0
2019-05-17 CVE-2019-5955 Create SD Unspecified vulnerability in Create-Sd Create SD 1.0.2

CREATE SD official App for Android version 1.0.2 and earlier allows remote attackers to bypass access restriction to lead a user to access an arbitrary website via vulnerable application and conduct phishing attacks.

5.8
2019-05-17 CVE-2019-5946 Cybozu Open Redirect vulnerability in Cybozu Garoon

Open redirect vulnerability in Cybozu Garoon 4.2.4 to 4.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the Login Screen.

5.8
2019-05-16 CVE-2019-10117 Gitlab Open Redirect vulnerability in Gitlab

An Open Redirect issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

5.8
2019-05-15 CVE-2019-12098 Heimdal Project KEY Management Errors vulnerability in Heimdal Project Heimdal

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack.

5.8
2019-05-14 CVE-2019-0289 SAP Unspecified vulnerability in SAP Businessobjects 4.2/4.3

Under certain conditions SAP BusinessObjects Business Intelligence platform (Analysis for OLAP), versions 4.2 and 4.3, allows an attacker to access information which would otherwise be restricted.

5.8
2019-05-13 CVE-2019-8951 Bosch Open Redirect vulnerability in Bosch products

An Open Redirect vulnerability located in the webserver affects several Bosch hardware and software products.

5.8
2019-05-13 CVE-2018-12300 Seagate Open Redirect vulnerability in Seagate NAS OS 4.3.15.1

Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.

5.8
2019-05-17 CVE-2019-5936 Cybozu Path Traversal vulnerability in Cybozu Garoon

Directory traversal vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to obtain files without access privileges via the application 'Work Flow'.

5.5
2019-05-17 CVE-2019-5931 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Cybozu Garoon 4.0.0 to 4.6.3 allows authenticated attackers to alter the information with privileges invoking the installer via unspecified vectors.

5.5
2019-05-16 CVE-2019-1825 Cisco SQL Injection vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries.

5.5
2019-05-16 CVE-2019-1824 Cisco SQL Injection vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries.

5.5
2019-05-15 CVE-2019-10108 Gitlab Authorization Bypass Through User-Controlled KEY vulnerability in Gitlab

An Incorrect Access Control (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

5.5
2019-05-14 CVE-2019-8404 Webiness Inventory Project Unrestricted Upload of File With Dangerous Type vulnerability in Webiness Inventory Project Webiness Inventory 2.3

An issue was discovered in Webiness Inventory 2.3.

5.5
2019-05-13 CVE-2018-14713 Asus USE of Externally-Controlled Format String vulnerability in Asus Rt-Ac3200 Firmware 3.0.0.4.382.50010

Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter.

5.5
2019-05-17 CVE-2019-0096 Intel Out-Of-Bounds Write vulnerability in Intel Active Management Technology 12.0.5

Out of bound write vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an authenticated user to potentially enable escalation of privilege via adjacent network access.

5.2
2019-05-15 CVE-2019-3586 Mcafee Unspecified vulnerability in Mcafee Endpoint Security

Protection Mechanism Failure in the Firewall in McAfee Endpoint Security (ENS) 10.x prior to 10.6.1 May 2019 update allows context-dependent attackers to circumvent ENS protection where GTI flagged IP addresses are not blocked by the ENS Firewall via specially crafted malicious sites where the GTI reputation is carefully manipulated and does not correctly trigger the ENS Firewall to block the connection.

5.1
2019-05-17 CVE-2019-12163 Gatship Unspecified vulnerability in Gatship web Module 1.30

GAT-Ship Web Module through 1.30 allows remote attackers to obtain potentially sensitive information via {} in a ws/gatshipWs.asmx/SqlVersion request.

5.0
2019-05-17 CVE-2019-12159 Gohttp Project Out-Of-Bounds Read vulnerability in Gohttp Project Gohttp

GoHTTP through 2017-07-25 has a stack-based buffer over-read in the scan function (when called from getRequestType) via a long URL.

5.0
2019-05-17 CVE-2019-12086 Fasterxml
Debian
Deserialization of Untrusted Data vulnerability in multiple products

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.

5.0
2019-05-17 CVE-2019-6797 Gitlab Unspecified vulnerability in Gitlab

An information disclosure issue was discovered in GitLab Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1.

5.0
2019-05-17 CVE-2019-6781 Gitlab Open Redirect vulnerability in Gitlab

An Improper Input Validation issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1.

5.0
2019-05-17 CVE-2019-5945 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 4.2.4 to 4.10.1 allow remote attackers to obtain the users' credential information via the authentication of Cybozu Garoon.

5.0
2019-05-17 CVE-2019-4119 IBM Improper Input Validation vulnerability in IBM Cloud Private

IBM Cloud Private Kubernetes API server 2.1.0, 3.1.0, 3.1.1, and 3.1.2 can be used as an HTTP proxy to not only cluster internal but also external target IP addresses.

5.0
2019-05-17 CVE-2019-0132 Intel Improper Input Validation vulnerability in Intel Unite

Data Corruption in Intel Unite(R) Client before version 3.3.176.13 may allow an unauthenticated user to potentially cause a denial of service via network access.

5.0
2019-05-17 CVE-2018-20500 Gitlab Incorrect Permission Assignment FOR Critical Resource vulnerability in Gitlab

An insecure permissions issue was discovered in GitLab Community and Enterprise Edition 9.4 and later but before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1.

5.0
2019-05-17 CVE-2018-19585 Gitlab Crlf Injection vulnerability in Gitlab

GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.

5.0
2019-05-17 CVE-2018-17180 Open EMR Path Traversal vulnerability in Open-Emr Openemr

An issue was discovered in OpenEMR before 5.0.1 Patch 7.

5.0
2019-05-17 CVE-2018-20839 Freedesktop Information Exposure vulnerability in Freedesktop Systemd 242

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2.

5.0
2019-05-16 CVE-2019-0982 Microsoft Data Processing Errors vulnerability in Microsoft Asp.Net Core 2.1/2.2

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.

5.0
2019-05-16 CVE-2019-0981 Microsoft Data Processing Errors vulnerability in Microsoft .Net Core and .Net Framework

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'.

5.0
2019-05-16 CVE-2019-0980 Microsoft Data Processing Errors vulnerability in Microsoft .Net Core and .Net Framework

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'.

5.0
2019-05-16 CVE-2019-0820 Microsoft Resource Exhaustion vulnerability in Microsoft .Net Core and .Net Framework

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'.

5.0
2019-05-16 CVE-2019-10112 Gitlab KEY Management Errors vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

5.0
2019-05-16 CVE-2019-10114 Gitlab Information Exposure Through Discrepancy vulnerability in Gitlab

An Information Exposure issue (issue 2 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

5.0
2019-05-16 CVE-2019-10113 Gitlab Resource Exhaustion vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

5.0
2019-05-16 CVE-2018-17048 Fangfa SQL Injection vulnerability in Fangfa Fdcms 4.2

admin/Lib/Action/FpluginAction.class.php in FDCMS (aka Fangfa Content Manage System) 4.2 allows SQL Injection.

5.0
2019-05-16 CVE-2019-1858 Cisco Improper Handling of Exceptional Conditions vulnerability in Cisco Fx-Os and Nx-Os

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the SNMP application to leak system memory, which could cause an affected device to restart unexpectedly.

5.0
2019-05-16 CVE-2019-1853 Cisco Out-Of-Bounds Read vulnerability in Cisco Anyconnect Secure Mobility Client 4.6(2074)

A vulnerability in the HostScan component of Cisco AnyConnect Secure Mobility Client for Linux could allow an unauthenticated, remote attacker to read sensitive information on an affected system.

5.0
2019-05-16 CVE-2019-1833 Cisco Protection Mechanism Failure vulnerability in Cisco Firepower Management Center

A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol parser of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured policies.

5.0
2019-05-16 CVE-2019-1832 Cisco Protection Mechanism Failure vulnerability in Cisco Firepower Management Center

A vulnerability in the detection engine of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured access control policies.

5.0
2019-05-16 CVE-2019-1814 Cisco Allocation of Resources Without Limits OR Throttling vulnerability in Cisco products

A vulnerability in the interactions between the DHCP and TFTP features for Cisco Small Business 300 Series (Sx300) Managed Switches could allow an unauthenticated, remote attacker to cause the device to become low on system memory, which in turn could lead to an unexpected reload of the device and result in a denial of service (DoS) condition on an affected device.

5.0
2019-05-15 CVE-2019-12111 Miniupnp Project
Debian
Null Pointer Dereference vulnerability in multiple products

A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in copyIPv6IfDifferent in pcpserver.c.

5.0
2019-05-15 CVE-2019-12110 Miniupnp Free Null Pointer Dereference vulnerability in Miniupnp.Free Miniupnpd

An AddPortMapping Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in upnpredirect.c.

5.0
2019-05-15 CVE-2019-12109 Miniupnp Project Null Pointer Dereference vulnerability in Miniupnp Project Miniupnpd

A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in GetOutboundPinholeTimeout in upnpsoap.c for rem_port.

5.0
2019-05-15 CVE-2019-12108 Miniupnp Project Null Pointer Dereference vulnerability in Miniupnp Project Miniupnpd

A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in GetOutboundPinholeTimeout in upnpsoap.c for int_port.

5.0
2019-05-15 CVE-2019-12107 Miniupnp Free Unchecked Return Value vulnerability in Miniupnp.Free Miniupnpd

The upnp_event_prepare function in upnpevents.c in MiniUPnP MiniUPnPd through 2.1 allows a remote attacker to leak information from the heap due to improper validation of an snprintf return value.

5.0
2019-05-15 CVE-2019-12106 Miniupnp Project USE After Free vulnerability in Miniupnp Project Miniupnpd 1.4/1.5

The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and 1.5 allows a remote attacker to crash the process due to a Use After Free vulnerability.

5.0
2019-05-15 CVE-2019-9196 Aware Unspecified vulnerability in Aware Knomi 2.2.0/2.2.1

The Face authentication component in Aware mobile liveness 2.2.1 sdk 2.2.0 for Knomi allows a Biometrical Liveness authentication bypass via parameter tampering of the /knomi/analyze security_level field.

5.0
2019-05-15 CVE-2019-10109 Gitlab Information Exposure vulnerability in Gitlab

An Information Exposure issue (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

5.0
2019-05-15 CVE-2019-10640 Gitlab Command Injection vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.7.10, 11.8.x before 11.8.6, and 11.9.x before 11.9.4.

5.0
2019-05-15 CVE-2019-1717 Cisco Path Traversal vulnerability in Cisco Video Surveillance Manager 7.21

A vulnerability in the web-based management interface of Cisco Video Surveillance Manager could allow an unauthenticated, remote attacker to access sensitive information.

5.0
2019-05-15 CVE-2019-8936 Netapp
Freebsd
Fedoraproject
Opensuse
NTP
HPE
Null Pointer Dereference vulnerability in multiple products

NTP through 4.2.8p12 has a NULL Pointer Dereference.

5.0
2019-05-15 CVE-2019-5598 Freebsd Improper Input Validation vulnerability in Freebsd 11.2/12.0

In FreeBSD 11.3-PRERELEASE before r345378, 12.0-STABLE before r345377, 11.2-RELEASE before 11.2-RELEASE-p10, and 12.0-RELEASE before 12.0-RELEASE-p4, a bug in pf does not check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet allowing a maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules and be passed to a host that would otherwise be unavailable.

5.0
2019-05-15 CVE-2016-7043 Redhat Credentials Management vulnerability in Redhat Kie-Server

It has been reported that KIE server and Busitess Central before version 7.21.0.Final contain username and password as plaintext Java properties.

5.0
2019-05-15 CVE-2019-12101 Libnyoci Project Null Pointer Dereference vulnerability in Libnyoci Project Libnyoci 0.07.00

coap_decode_option in coap.c in LibNyoci 0.07.00rc1 mishandles certain packets with "Uri-Path: (null)" and consequently allows remote attackers to cause a denial of service (segmentation fault).

5.0
2019-05-14 CVE-2019-6578 Siemens Improper Input Validation vulnerability in Siemens products

A vulnerability has been identified in SINAMICS PERFECT HARMONY GH180 with NXG I control, MLFBs: 6SR2...-, 6SR3...-, 6SR4...- (All Versions with option G28), SINAMICS PERFECT HARMONY GH180 with NXG II control, MLFBs: 6SR2...-, 6SR3...-, 6SR4...- (All Versions with option G28).

5.0
2019-05-14 CVE-2019-6576 Siemens Cryptographic Issues vulnerability in Siemens products

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15.1 Update 1), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15.1 Update 1), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 und KTP900F (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Professional (All versions < V15.1 Update 1), SIMATIC WinCC (TIA Portal) (All versions < V15.1 Update 1), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions).

5.0
2019-05-14 CVE-2019-6574 Siemens Improper Access Control vulnerability in Siemens products

A vulnerability has been identified in SINAMICS PERFECT HARMONY GH180 with NXG I control, MLFBs: 6SR2...-, 6SR3...-, 6SR4...- (All Versions with option G21, G22, G23, G26, G28, G31, G32, G38, G43 or G46), SINAMICS PERFECT HARMONY GH180 with NXG II control, MLFBs: 6SR2...-, 6SR3...-, 6SR4...- (All Versions with option G21, G22, G23, G26, G28, G31, G32, G38, G43 or G46).

5.0
2019-05-14 CVE-2019-11206 Tibco Unspecified vulnerability in Tibco products

The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains vulnerabilities that theoretically allow a malicious user to undermine the integrity of comments and bookmarks.

5.0
2019-05-14 CVE-2019-10921 Siemens Unprotected Storage of Credentials vulnerability in Siemens Logo!8 BM Firmware

A vulnerability has been identified in LOGO! 8 BM (incl.

5.0
2019-05-14 CVE-2019-10920 Siemens USE of Hard-Coded Cryptographic KEY vulnerability in Siemens Logo!8 BM Firmware

A vulnerability has been identified in LOGO! 8 BM (incl.

5.0
2019-05-14 CVE-2018-16656 Kyocera Information Exposure vulnerability in Kyocera Taskalfa 4002I Firmware and Taskalfa 6002I Firmware

DoBox_CstmBox_Info.model.htm on Kyocera TASKalfa 4002i and 6002i devices allows remote attackers to read the documents of arbitrary users via a modified HTTP request.

5.0
2019-05-14 CVE-2018-6885 Microstrategy Path Traversal vulnerability in Microstrategy web Services 10.4

An issue was discovered in MicroStrategy Web Services (the Microsoft Office plugin) before 10.4 Hotfix 7, and before 10.11.

5.0
2019-05-14 CVE-2019-6516 Wso2 Server-Side Request Forgery (SSRF) vulnerability in Wso2 Dashboard Server 2.0.0

An issue was discovered in WSO2 Dashboard Server 2.0.0.

5.0
2019-05-14 CVE-2019-6515 Wso2 Unspecified vulnerability in Wso2 API Manager 2.6.0

An issue was discovered in WSO2 API Manager 2.6.0.

5.0
2019-05-13 CVE-2019-7217 Citrix Information Exposure Through Discrepancy vulnerability in Citrix Sharefile

Citrix ShareFile before 19.12 allows User Enumeration.

5.0
2019-05-13 CVE-2019-9727 EQ 3 Missing Authentication FOR Critical Function vulnerability in Eq-3 Ccu3 Firmware

Unauthenticated password hash disclosure in the User.getUserPWD method in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to retrieve the GUI password hashes of GUI users.

5.0
2019-05-13 CVE-2019-9726 EQ 3 Path Traversal vulnerability in Eq-3 Ccu3 Firmware

Directory Traversal / Arbitrary File Read in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files of the device's filesystem.

5.0
2019-05-13 CVE-2019-10050 Oisf Out-Of-Bounds Read vulnerability in Oisf Suricata

A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4.

5.0
2019-05-13 CVE-2019-7690 Mobatek Credentials Management vulnerability in Mobatek Mobaxterm 11.1

In MobaTek MobaXterm Personal Edition v11.1 Build 3860, the SSH private key and its password can be retrieved from process memory for the lifetime of the process, even after the user disconnects from the remote SSH server.

5.0
2019-05-13 CVE-2015-9287 CAM Path Traversal vulnerability in CAM the University of Cambridge web Authentication System Apache Authentication Agent

Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2.

5.0
2019-05-13 CVE-2019-7404 LG Information Exposure vulnerability in LG products

An issue was discovered on LG GAMP-7100, GAPM-7200, and GAPM-8000 routers.

5.0
2019-05-13 CVE-2019-12041 Remarkable Project Resource Management Errors vulnerability in Remarkable Project Remarkable 1.7.1

lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section.

5.0
2019-05-13 CVE-2018-19037 Virginmedia Resource Exhaustion vulnerability in Virginmedia HUB 3.0 Firmware

On Virgin Media wireless router 3.0 hub devices, the web interface is vulnerable to denial of service.

5.0
2019-05-13 CVE-2018-12301 Seagate Information Exposure vulnerability in Seagate NAS OS 4.3.15.1

Unvalidated URL in Download Manager in Seagate NAS OS version 4.3.15.1 allows attackers to access the loopback interface via a Download URL of 127.0.0.1 or localhost.

5.0
2019-05-13 CVE-2018-12298 Seagate Path Traversal vulnerability in Seagate NAS OS 4.3.15.1

Directory Traversal in filebrowser in Seagate NAS OS 4.3.15.1 allows attackers to read files within the application's container via a URL path.

5.0
2019-05-13 CVE-2018-12296 Seagate Incorrect Permission Assignment for Critical Resource vulnerability in Seagate NAS OS 4.3.15.1

Insufficient access control in /api/external/7.0/system.System.get_infos in Seagate NAS OS version 4.3.15.1 allows attackers to obtain information about the NAS without authentication via empty POST requests.

5.0
2019-05-17 CVE-2018-7191 Linux Null Pointer Dereference vulnerability in Linux Kernel

In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice.

4.9
2019-05-14 CVE-2019-12087 Samsung Resource Management Errors vulnerability in Samsung S10 Firmware, S9+ Firmware and Xcover 4 Firmware

** DISPUTED ** Samsung S9+, S10, and XCover 4 P(9.0) devices can become temporarily inoperable because of an unprotected intent in the ContainerAgent application.

4.9
2019-05-14 CVE-2019-9861 Abus Cryptographic Issues vulnerability in Abus Secvest Wireless Alarm System Fuaa50000 Firmware 3.01.01

Due to the use of an insecure RFID technology (MIFARE Classic), ABUS proximity chip keys (RFID tokens) of the ABUS Secvest FUAA50000 wireless alarm system can easily be cloned and used to deactivate the alarm system in an unauthorized way.

4.8
2019-05-17 CVE-2019-11094 Intel Improper Input Validation vulnerability in Intel NUC KIT Firmware

Insufficient input validation in system firmware for Intel (R) NUC Kit may allow an authenticated user to potentially enable escalation of privilege, denial of service, and/or information disclosure via local access.

4.6
2019-05-17 CVE-2019-11093 Intel Unquoted Search Path OR Element vulnerability in Intel SCS Discovery Utility 12.0.0.129

Unquoted service path in the installer for the Intel(R) SCS Discovery Utility version 12.0.0.129 and earlier may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2019-05-17 CVE-2019-11085 Intel Improper Input Validation vulnerability in Intel I915 Firmware

Insufficient input validation in Kernel Mode Driver in Intel(R) i915 Graphics for Linux before version 5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2019-05-17 CVE-2019-0171 Intel Incorrect Permission Assignment FOR Critical Resource vulnerability in Intel Quartus II and Quartus Prime

Improper directory permissions in the installer for Intel(R) Quartus(R) software may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2019-05-17 CVE-2019-0170 Intel Buffer Errors vulnerability in Intel Converged Security Management Engine Firmware 12.0.5

Buffer overflow in subsystem in Intel(R) DAL before version 12.0.35 may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2019-05-17 CVE-2019-0138 Intel Incorrect Permission Assignment FOR Critical Resource vulnerability in Intel ACU Wizard 12.0.0.129

Improper directory permissions in Intel(R) ACU Wizard version 12.0.0.129 and earlier may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2019-05-17 CVE-2019-0099 Intel Unspecified vulnerability in Intel Server Platform Services Firmware

Insufficient access control vulnerability in subsystem in Intel(R) SPS before version SPS_E3_05.00.04.027.0 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

4.6
2019-05-17 CVE-2019-0092 Intel Improper Input Validation vulnerability in Intel Active Management Technology 12.0.5

Insufficient input validation vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

4.6
2019-05-17 CVE-2019-0089 Intel Data Processing Errors vulnerability in Intel Server Platform Services Spse304.01.04.054.0/Spse504.00.04.381.0/Spssoca04.00.04.181.0

Improper data sanitization vulnerability in subsystem in Intel(R) SPS before versions SPS_E5_04.00.04.381.0, SPS_E3_04.01.04.054.0, SPS_SoC-A_04.00.04.181.0, and SPS_SoC-X_04.00.04.086.0 may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2019-05-17 CVE-2019-0086 Intel Incorrect Permission Assignment FOR Critical Resource vulnerability in Intel products

Insufficient access control vulnerability in Dynamic Application Loader software for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local access.

4.6
2019-05-17 CVE-2018-3701 Intel Incorrect Permission Assignment FOR Critical Resource vulnerability in Intel Proset/Wireless Wifi

Improper directory permissions in the installer for Intel(R) PROSet/Wireless WiFi Software version 20.100 and earlier may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2019-05-16 CVE-2019-0733 Microsoft Unspecified vulnerability in Microsoft products

A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement, aka 'Windows Defender Application Control Security Feature Bypass Vulnerability'.

4.6
2019-05-16 CVE-2019-12138 Macdown Project Path Traversal vulnerability in Macdown Project Macdown 0.7.1

MacDown 0.7.1 allows directory traversal, for execution of arbitrary programs, via a file:/// or ../ substring in a shared note.

4.6
2019-05-15 CVE-2019-1810 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco Nx-Os

A vulnerability in the Image Signature Verification feature used in an NX-OS CLI command in Cisco Nexus 3000 Series and 9000 Series Switches could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device.

4.6
2019-05-15 CVE-2019-1809 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco Nx-Os

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device.

4.6
2019-05-15 CVE-2019-1726 Cisco Improper Input Validation vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to access internal services that should be restricted on an affected device, such as the NX-API.

4.6
2019-05-13 CVE-2019-8342 Foxitsoftware
Apple
Incorrect Permission Assignment FOR Critical Resource vulnerability in Foxitsoftware Foxit Reader 3.1.0.0111

A Local Privilege Escalation in libqcocoa.dylib in Foxit Reader 3.1.0.0111 on macOS has been discovered due to an incorrect permission set.

4.6
2019-05-17 CVE-2019-0090 Intel Unspecified vulnerability in Intel products

Insufficient access control vulnerability in subsystem for Intel(R) CSME before versions 11.x, 12.0.35 Intel(R) TXE 3.x, 4.x, Intel(R) Server Platform Services 3.x, 4.x, Intel(R) SPS before version SPS_E3_05.00.04.027.0 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

4.4
2019-05-17 CVE-2019-5940 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Scheduler'.

4.3
2019-05-17 CVE-2019-5939 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Portal'.

4.3
2019-05-17 CVE-2019-5938 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Mail'.

4.3
2019-05-17 CVE-2019-5929 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.6.3 allows remote attackers to inject arbitrary web script or HTML via the application 'Memo'.

4.3
2019-05-17 CVE-2019-5928 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.6.3 allows remote attackers to inject arbitrary web script or HTML via Customize Item function.

4.3
2019-05-17 CVE-2019-8937 Digitaldruid Cross-Site Scripting vulnerability in Digitaldruid Hoteldruid 2.3.0

HotelDruid 2.3.0 has XSS affecting the nsextt, cambia1, mese_fine, origine, and anno parameters in creaprezzi.php, tabella3.php, personalizza.php, and visualizza_tabelle.php.

4.3
2019-05-17 CVE-2019-8929 Zohocorp Cross-Site Scripting vulnerability in Zohocorp Manageengine Netflow Analyzer 7.0.0.2

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2.

4.3
2019-05-17 CVE-2019-8928 Zohocorp Cross-Site Scripting vulnerability in Zohocorp Manageengine Netflow Analyzer 7.0.0.2

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2.

4.3
2019-05-17 CVE-2019-8927 Zohocorp Cross-Site Scripting vulnerability in Zohocorp Manageengine Netflow Analyzer 7.0.0.2

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2.

4.3
2019-05-17 CVE-2019-8926 Zohocorp Cross-Site Scripting vulnerability in Zohocorp Manageengine Netflow Analyzer 7.0.0.2

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2.

4.3
2019-05-17 CVE-2019-8924 Apachefriends Cross-Site Scripting vulnerability in Apachefriends Xampp 1.5.2/1.7.0/5.6.8

XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter.

4.3
2019-05-16 CVE-2019-1008 Microsoft Unspecified vulnerability in Microsoft Dynamics 365 and Dynamics CRM 2015

A security feature bypass vulnerability exists in Dynamics On Premise, aka 'Microsoft Dynamics On-Premise Security Feature Bypass'.

4.3
2019-05-16 CVE-2019-0961 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-05-16 CVE-2019-0932 Microsoft Unspecified vulnerability in Microsoft Skype 8.35

An information disclosure vulnerability exists in Skype for Android, aka 'Skype for Android Information Disclosure Vulnerability'.

4.3
2019-05-16 CVE-2019-0930 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 10/11/9

An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory, aka 'Internet Explorer Information Disclosure Vulnerability'.

4.3
2019-05-16 CVE-2019-0921 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 10/11/9

An spoofing vulnerability exists when Internet Explorer improperly handles URLs, aka 'Internet Explorer Spoofing Vulnerability'.

4.3
2019-05-16 CVE-2019-0882 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-05-16 CVE-2019-0758 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-05-16 CVE-2019-8338 GPG PGP Project Improper Verification of Cryptographic Signature vulnerability in Gpg-Pgp Project Gpg-Pgp 1.0/1.0(9)

The signature verification routine in the Airmail GPG-PGP Plugin, versions 1.0 (9) and earlier, does not verify the status of the signature at all, which allows remote attackers to spoof arbitrary email signatures by crafting a signed email with an invalid signature.

4.3
2019-05-16 CVE-2018-12556 Yarnpkg Improper Verification of Cryptographic Signature vulnerability in Yarnpkg Website

The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.

4.3
2019-05-16 CVE-2019-12139 EZ Cross-Site Scripting vulnerability in EZ Ezplatform-Admin-Ui and Ezplatform-Page-Builder

An XSS issue was discovered in the Admin UI in eZ Platform 2.x.

4.3
2019-05-16 CVE-2019-11033 Applaudsolutions Cross-Site Scripting vulnerability in Applaudsolutions Applaud HCM 4.0.42+

Applaud HCM 4.0.42+ uses HTML tag fields for HTML inputs in a form.

4.3
2019-05-15 CVE-2019-1010258 Nanosvg Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nanosvg Project Nanosvg

nanosvg library nanosvg after commit c1f6e209c16b18b46aa9f45d7e619acf42c29726 is affected by: Buffer Overflow.

4.3
2019-05-15 CVE-2016-7151 Capstone Engine Out-Of-Bounds Read vulnerability in Capstone-Engine Capstone 3.0.4

Capstone 3.0.4 has an out-of-bounds vulnerability (SEGV caused by a read memory access) in X86_insn_reg_intel in arch/X86/X86Mapping.c.

4.3
2019-05-15 CVE-2016-10719 TP Link Cross-Site Scripting vulnerability in Tp-Link Archer Cr700 Firmware 1.0.6

TP-Link Archer CR-700 1.0.6 devices have an XSS vulnerability that can be introduced into the admin account through a DHCP request, allowing the attacker to steal the cookie information, which contains the base64 encoded username and password.

4.3
2019-05-15 CVE-2014-9919 Bilboplanet Cross-Site Scripting vulnerability in Bilboplanet 2.0

An issue was discovered in Bilboplanet 2.0.

4.3
2019-05-15 CVE-2014-9918 Bilboplanet Cross-Site Scripting vulnerability in Bilboplanet 2.0

An issue was discovered in Bilboplanet 2.0.

4.3
2019-05-15 CVE-2014-9917 Bilboplanet Cross-Site Scripting vulnerability in Bilboplanet 2.0

An issue was discovered in Bilboplanet 2.0.

4.3
2019-05-14 CVE-2019-0298 SAP Cross-Site Scripting vulnerability in SAP E-Commerce

SAP E-Commerce (Business-to-Consumer) application does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

4.3
2019-05-14 CVE-2019-11205 Tibco Cross-Site Scripting vulnerability in Tibco products

The web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains vulnerabilities that theoretically allow reflected cross-site scripting (XSS) attacks.

4.3
2019-05-14 CVE-2019-11419 Tencent Null Pointer Dereference vulnerability in Tencent Wechat

vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service (application crash) by replacing an emoji file (under the /sdcard/tencent/MicroMsg directory) with a crafted .wxgf file.

4.3
2019-05-14 CVE-2019-11846 Dotcms Cross-Site Scripting vulnerability in Dotcms 5.1.1

/servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection.

4.3
2019-05-14 CVE-2019-11845 Ricoh Cross-Site Scripting vulnerability in Ricoh SP 4510Dn Firmware

An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.

4.3
2019-05-14 CVE-2019-11844 Ricoh Cross-Site Scripting vulnerability in Ricoh SP 4520Dn Firmware

An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn or entryDisplayNameIn parameter.

4.3
2019-05-14 CVE-2019-8391 Qdpm Cross-Site Scripting vulnerability in Qdpm 9.1

qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter.

4.3
2019-05-14 CVE-2019-8390 Qdpm Cross-Site Scripting vulnerability in Qdpm 9.1

qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.

4.3
2019-05-14 CVE-2019-11336 Sony Information Exposure Through LOG Files vulnerability in Sony Photo Sharing Plus

Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886.

4.3
2019-05-13 CVE-2018-16139 Bibliosoft Cross-Site Scripting vulnerability in Bibliosoft Bibliopac 2008

Cross-site scripting (XSS) vulnerability in BIBLIOsoft BIBLIOpac 2008 allows remote attackers to inject arbitrary web script or HTML via the db or action parameter to to bin/wxis.exe/bibliopac/.

4.3
2019-05-13 CVE-2019-7218 Citrix Improper Authentication vulnerability in Citrix Sharefile

Citrix ShareFile before 19.23 allows a downgrade from two-factor authentication to one-factor authentication.

4.3
2019-05-13 CVE-2019-3684 Suse Insecure Storage of Sensitive Information vulnerability in Suse Manager 1.7/4.0.7

SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade created world-readable swap files on systems that don't have a swap already configured and don't have btrfs as filesystem

4.3
2019-05-13 CVE-2019-12047 Gridea Cross-Site Scripting vulnerability in Gridea 0.8.0

Gridea v0.8.0 has an XSS vulnerability through which the Nodejs module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "<img src=# onerror='eval(new Buffer(" substring.

4.3
2019-05-13 CVE-2019-7409 Vegadesign Cross-Site Scripting vulnerability in Vegadesign Profiledesign CMS 6.0.2.5

Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign CMS v6.0.2.5 allows remote attackers to inject arbitrary web script or HTML via the (1) page, (2) gbs, (3) side, (4) id, (5) imgid, (6) cat, or (7) orderby parameter.

4.3
2019-05-13 CVE-2019-12043 Remarkable Project Cross-Site Scripting vulnerability in Remarkable Project Remarkable 1.7.1

In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL.

4.3
2019-05-13 CVE-2018-19048 Mycolorway Cross-Site Scripting vulnerability in Mycolorway Simditor

Simditor through 2.3.21 allows DOM XSS via an onload attribute within a malformed SVG element.

4.3
2019-05-13 CVE-2018-18524 Evernote Cross-Site Scripting vulnerability in Evernote 6.15

Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability.

4.3
2019-05-13 CVE-2018-15530 Xerox Cross-Site Scripting vulnerability in Xerox Colorqube 8580 Firmware

Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code.

4.3
2019-05-13 CVE-2018-14711 Asus Cross-Site Request Forgery (CSRF) vulnerability in Asus Rt-Ac3200 Firmware 3.0.0.4.382.50010

Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs.

4.3
2019-05-13 CVE-2018-14710 Asus Cross-Site Scripting vulnerability in Asus Rt-Ac3200 Firmware 3.0.0.4.382.50010

Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter.

4.3
2019-05-13 CVE-2018-12304 Seagate Cross-Site Scripting vulnerability in Seagate NAS OS 4.3.15.1

Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL.

4.3
2019-05-13 CVE-2018-12302 Seagate Cross-Site Scripting vulnerability in Seagate NAS OS 4.3.15.1

Missing HTTPOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting.

4.3
2019-05-13 CVE-2018-12297 Seagate Cross-Site Scripting vulnerability in Seagate NAS OS 4.3.15.1

Cross-site scripting in API error pages in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via URL path names.

4.3
2019-05-17 CVE-2019-12161 Webpagetest Server-Side Request Forgery (SSRF) vulnerability in Webpagetest 19.04

WPO WebPageTest 19.04 allows SSRF because ValidateURL in www/runtest.php does not consider octal encoding of IP addresses (such as 0300.0250 as a replacement for 192.168).

4.0
2019-05-17 CVE-2019-6790 Gitlab Missing Authorization vulnerability in Gitlab

An Incorrect Access Control (issue 2 of 3) issue was discovered in GitLab Community and Enterprise Edition 8.14 and later but before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1.

4.0
2019-05-17 CVE-2019-6787 Gitlab Unspecified vulnerability in Gitlab

An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1.

4.0
2019-05-17 CVE-2019-5944 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to bypass access restriction alter the contents of application 'Address' without modify privileges via the application 'Address'.

4.0
2019-05-17 CVE-2019-5943 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to bypass access restriction to view the information without view privileges via the application 'Bulletin' and the application 'Cabinet'.

4.0
2019-05-17 CVE-2019-5942 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to bypass access restriction to obtain files without access privileges via the Multiple Files Download function of application 'Cabinet'.

4.0
2019-05-17 CVE-2019-5941 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to bypass access restriction alter the Report without access privileges via the application 'Multi Report'.

4.0
2019-05-17 CVE-2019-5935 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to bypass access restriction to change user information without access privileges via the Item function of User Information.

4.0
2019-05-17 CVE-2019-5933 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 4.0.0 to 4.10.0 allows remote authenticated attackers to bypass access restriction to view the Bulletin Board without view privileges via the application 'Bulletin'.

4.0
2019-05-17 CVE-2019-5930 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 4.0.0 to 4.6.3 allows remote attackers to bypass access restriction to browse unauthorized pages via the application 'Management of Basic System'.

4.0
2019-05-17 CVE-2019-0097 Intel Improper Input Validation vulnerability in Intel Active Management Technology Firmware 12.0.20

Insufficient input validation vulnerability in subsystem for Intel(R) AMT before version 12.0.35 may allow a privileged user to potentially enable denial of service via network access.

4.0
2019-05-17 CVE-2019-8925 Zohocorp Path Traversal vulnerability in Zohocorp Manageengine Netflow Analyzer 7.0.0.2

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2.

4.0
2019-05-16 CVE-2019-0956 Microsoft Improper Encoding OR Escaping of Output vulnerability in Microsoft products

An information disclosure vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Server Information Disclosure Vulnerability'.

4.0
2019-05-16 CVE-2019-0819 Microsoft Unspecified vulnerability in Microsoft SQL Server 2017

An information disclosure vulnerability exists in Microsoft SQL Server Analysis Services when it improperly enforces metadata permissions, aka 'Microsoft SQL Server Analysis Services Information Disclosure Vulnerability'.

4.0
2019-05-16 CVE-2019-10116 Gitlab Incorrect Permission Assignment FOR Critical Resource vulnerability in Gitlab

An Insecure Permissions issue (issue 3 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

4.0
2019-05-16 CVE-2019-10115 Gitlab Incorrect Permission Assignment FOR Critical Resource vulnerability in Gitlab

An Insecure Permissions issue (issue 2 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

4.0
2019-05-16 CVE-2019-1860 Cisco Resource Injection vulnerability in Cisco Unified Intelligence Center 12.0(1)

A vulnerability in the dashboard gadget rendering of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to obtain or manipulate sensitive information between a user&rsquo;s browser and Cisco Unified Intelligence Center.

4.0
2019-05-16 CVE-2019-1851 Cisco Unspecified vulnerability in Cisco Identity Services Engine 2.2(0.470)/2.3(0.298)/2.4(0.357)

A vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to generate arbitrary certificates signed by the Internal Certificate Authority (CA) Services on ISE.

4.0
2019-05-16 CVE-2019-1820 Cisco Path Traversal vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager software could allow an authenticated, remote attacker to download and view files within the application that should be restricted.

4.0
2019-05-16 CVE-2019-1819 Cisco Path Traversal vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager software could allow an authenticated, remote attacker to download and view files within the application that should be restricted.

4.0
2019-05-16 CVE-2019-1818 Cisco Path Traversal vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager software could allow an authenticated, remote attacker to download and view files within the application that should be restricted.

4.0
2019-05-15 CVE-2019-10110 Gitlab Incorrect Permission Assignment FOR Critical Resource vulnerability in Gitlab

An Insecure Permissions issue (issue 1 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

4.0
2019-05-15 CVE-2019-3724 RSA Unspecified vulnerability in RSA Netwitness Platform and Security Analytics

RSA Netwitness Platform versions prior to 11.2.1.1 is vulnerable to an Authorization Bypass vulnerability.

4.0
2019-05-14 CVE-2019-11397 Rapidflows
Microsoft
Path Traversal vulnerability in multiple products

GetFile.aspx in Rapid4 RapidFlows Enterprise Application Builder 4.5M.23 (when used with .NET Framework 4.5) allows Local File Inclusion via the FileDesc parameter.

4.0
2019-05-14 CVE-2019-0293 SAP Missing Authorization vulnerability in SAP Solution Manager System 20081700/20081710/20081740

Read of RFC destination does not always perform necessary authorization checks, resulting in escalation of privileges to access information on RFC destinations on managed systems and SAP Solution Manager system (ST-PI, before versions 2008_1_700, 2008_1_710, and 740).

4.0
2019-05-14 CVE-2019-11204 Tibco Unspecified vulnerability in Tibco Spotfire Statistics Services

The web interface component of TIBCO Software Inc.'s TIBCO Spotfire Statistics Services contains a vulnerability that might theoretically allow an authenticated user to access sensitive information needed by the Spotfire Statistics Services server.

4.0
2019-05-14 CVE-2019-6512 Wso2 Server-Side Request Forgery (SSRF) vulnerability in Wso2 API Manager 2.6.0

An issue was discovered in WSO2 API Manager 2.6.0.

4.0
2019-05-13 CVE-2019-8952 Bosch Path Traversal vulnerability in Bosch products

A Path Traversal vulnerability located in the webserver affects several Bosch hardware and software products.

4.0
2019-05-13 CVE-2018-14712 Asus Buffer Errors vulnerability in Asus Rt-Ac3200 Firmware 3.0.0.4.382.50010

Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter.

4.0

53 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-05-19 CVE-2019-12184 Boostio Cross-Site Scripting vulnerability in Boostio Boostnote 0.11.15

There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.

3.5
2019-05-17 CVE-2019-5947 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.10.1 allows remote authenticated attackers to inject arbitrary web script or HTML via the application 'Cabinet'.

3.5
2019-05-17 CVE-2019-5937 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to inject arbitrary web script or HTML via the user information.

3.5
2019-05-17 CVE-2019-5932 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.6.3 allows remote authenticated attackers to inject arbitrary web script or HTML via the application 'Portal'.

3.5
2019-05-16 CVE-2019-10909 Sensiolabs
Drupal
Cross-Site Scripting vulnerability in multiple products

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included.

3.5
2019-05-16 CVE-2019-1000 Microsoft Improper Privilege Management vulnerability in Microsoft Azure Active Directory Connect

An elevation of privilege vulnerability exists in Microsoft Azure Active Directory Connect build 1.3.20.0, which allows an attacker to execute two PowerShell cmdlets in context of a privileged account, and perform privileged actions.To exploit this, an attacker would need to authenticate to the Azure AD Connect server, aka 'Microsoft Azure AD Connect Elevation of Privilege Vulnerability'.

3.5
2019-05-16 CVE-2019-0979 Microsoft Cross-Site Scripting vulnerability in Microsoft Azure Devops Server and Team Foundation Server

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability'.

3.5
2019-05-16 CVE-2019-0963 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Foundation 2013

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.

3.5
2019-05-16 CVE-2019-0951 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Foundation 2010/2013

A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Spoofing Vulnerability'.

3.5
2019-05-16 CVE-2019-0950 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server

A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Spoofing Vulnerability'.

3.5
2019-05-16 CVE-2019-0949 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server

A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Spoofing Vulnerability'.

3.5
2019-05-16 CVE-2019-0872 Microsoft Cross-Site Scripting vulnerability in Microsoft Azure Devops Server and Team Foundation Server

A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability'.

3.5
2019-05-16 CVE-2018-1975 IBM Cross-Site Scripting vulnerability in IBM Rational Doors web Access

IBM Rational DOORS Web Access 9.5.1 through 9.5.2.9, and 9.6 through 9.6.1.9 is vulnerable to cross-site scripting.

3.5
2019-05-16 CVE-2019-12136 Boostio Cross-Site Scripting vulnerability in Boostio Boostnote 0.11.15

There is XSS in BoostIO Boostnote 0.11.15 via a label named mermaid, as demonstrated by a crafted SRC attribute of an IFRAME element.

3.5
2019-05-15 CVE-2019-10111 Gitlab Cross-Site Scripting vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2.

3.5
2019-05-15 CVE-2019-1733 Cisco Cross-Site Scripting vulnerability in Cisco Nx-Os

A vulnerability in the NX API (NX-API) Sandbox interface for Cisco NX-OS Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the NX-API Sandbox interface of an affected device.

3.5
2019-05-15 CVE-2019-3602 Mcafee Cross-Site Scripting vulnerability in Mcafee Network Security Manager

Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML.

3.5
2019-05-14 CVE-2019-6577 Siemens Cross-Site Scripting vulnerability in Siemens products

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15.1 Update 1), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15.1 Update 1), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 und KTP900F (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Professional (All versions < V15.1 Update 1), SIMATIC WinCC (TIA Portal) (All versions < V15.1 Update 1), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions).

3.5
2019-05-14 CVE-2019-6514 Wso2 Cross-Site Scripting vulnerability in Wso2 Dashboard Server 2.0.0

An issue was discovered in WSO2 Dashboard Server 2.0.0.

3.5
2019-05-13 CVE-2018-16138 Ipbrick Cross-Site Scripting vulnerability in Ipbrick OS 6.3

An issue was discovered in the administration page in IPBRICK OS 6.3.

3.5
2019-05-13 CVE-2019-11429 Centos Webpanel Cross-Site Scripting vulnerability in Centos-Webpanel Centos web Panel 0.9.8.753/0.9.8.793/0.9.8.807

CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen.

3.5
2019-05-13 CVE-2019-7411 Mythemeshop Cross-Site Scripting vulnerability in Mythemeshop Launcher 1.0.8

Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL).

3.5
2019-05-13 CVE-2018-18872 Kieranoshea Cross-Site Scripting vulnerability in Kieranoshea Calendar

The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stored XSS via the event_title parameter in a wp-admin/admin.php?page=calendar add action, or the category name during category creation at the wp-admin/admin.php?page=calendar-categories URI.

3.5
2019-05-13 CVE-2018-16639 Typesettercms Cross-Site Scripting vulnerability in Typesettercms Typesetter 5.1

Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation.

3.5
2019-05-13 CVE-2018-16626 Typesettercms Cross-Site Scripting vulnerability in Typesettercms Typesetter 5.1

index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name.

3.5
2019-05-13 CVE-2018-16625 Typesettercms Cross-Site Scripting vulnerability in Typesettercms Typesetter 5.1

index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.

3.5
2019-05-13 CVE-2018-16624 Getkirby Cross-Site Scripting vulnerability in Getkirby Kirby 2.5.12

panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page.

3.5
2019-05-13 CVE-2018-16623 Getkirby Cross-Site Scripting vulnerability in Getkirby Kirby 2.5.12

Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown.

3.5
2019-05-13 CVE-2018-12303 Seagate Cross-Site Scripting vulnerability in Seagate NAS OS 4.3.15.1

Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via directory names.

3.5
2019-05-13 CVE-2018-12299 Seagate Cross-Site Scripting vulnerability in Seagate NAS OS 4.3.15.1

Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via uploaded file names.

3.5
2019-05-13 CVE-2018-20838 Magazine3 Cross-Site Scripting vulnerability in Magazine3 AMP FOR WP

ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS.

3.5
2019-05-17 CVE-2019-0094 Intel Improper Input Validation vulnerability in Intel Active Management Technology 12.0.5

Insufficient input validation vulnerability in subsystem for Intel(R) AMT before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 may allow an unauthenticated user to potentially enable denial of service via adjacent network access.

3.3
2019-05-16 CVE-2019-0886 Microsoft Improper Input Validation vulnerability in Microsoft products

An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Information Disclosure Vulnerability'.

2.7
2019-05-17 CVE-2019-8339 Falco USE After Free vulnerability in Falco

An issue was discovered in Falco through 0.14.0.

2.1
2019-05-17 CVE-2019-11114 Intel Improper Input Validation vulnerability in Intel Driver & Support Assistant 3.5.0.1

Insufficient input validation in Intel(R) Driver & Support Assistant version 19.3.12.3 and before may allow a privileged user to potentially enable denial of service via local access.

2.1
2019-05-17 CVE-2019-11095 Intel Unspecified vulnerability in Intel Driver & Support Assistant 19.3.12.3/3.1.1/3.5.0.1

Insufficient access control in Intel(R) Driver & Support Assistant version 19.3.12.3 and before may allow a privileged user to potentially enable information disclosure via local access.

2.1
2019-05-17 CVE-2019-10139 Ovirt Credentials Management vulnerability in Ovirt Cockpit-Ovirt

During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text.

2.1
2019-05-17 CVE-2019-0120 Intel Insufficiently Protected Credentials vulnerability in Intel products

Insufficient key protection vulnerability in silicon reference firmware for Intel(R) Pentium(R) Processor J Series, Intel(R) Pentium(R) Processor N Series, Intel(R) Celeron(R) J Series, Intel(R) Celeron(R) N Series, Intel(R) Atom(R) Processor A Series, Intel(R) Atom(R) Processor E3900 Series, Intel(R) Pentium(R) Processor Silver Series may allow a privileged user to potentially enable denial of service via local access.

2.1
2019-05-17 CVE-2019-0116 Intel Out-Of-Bounds Read vulnerability in Intel Graphics Driver

An out of bound read in KMD module for Intel(R) Graphics Driver before version 10.18.14.5067 (aka 15.36.x.5067) and 10.18.10.5069 (aka 15.33.x.5069) may allow a privileged user to potentially enable denial of service via local access.

2.1
2019-05-17 CVE-2019-0115 Intel Improper Input Validation vulnerability in Intel Graphics Driver

Insufficient input validation in KMD module for Intel(R) Graphics Driver before version 10.18.14.5067 (aka 15.36.x.5067) and 10.18.10.5069 (aka 15.33.x.5069) may allow an authenticated user to potentially enable denial of service via local access.

2.1
2019-05-17 CVE-2019-0113 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel Graphics Driver

Insufficient bounds checking in Intel(R) Graphics Drivers before version 10.18.14.5067 (aka 15.36.x.5067) and 10.18.10.5069 (aka 15.33.x.5069) may allow an authenticated user to potentially enable a denial of service via local access.

2.1
2019-05-17 CVE-2019-0093 Intel Unspecified vulnerability in Intel Converged Security and Management Engine

Insufficient data sanitization vulnerability in HECI subsystem for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) SPS before version SPS_E3_05.00.04.027.0 may allow a privileged user to potentially enable information disclosure via local access.

2.1
2019-05-16 CVE-2019-0976 Microsoft
Apple
Linux
Unspecified vulnerability in Microsoft Nuget 5.0.2

A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default "obj"), aka 'NuGet Package Manager Tampering Vulnerability'.

2.1
2019-05-16 CVE-2019-0942 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the Unified Write Filter (UWF) feature for Windows 10 when it improperly restricts access to the registry, aka 'Unified Write Filter Elevation of Privilege Vulnerability'.

2.1
2019-05-16 CVE-2019-0864 Microsoft Unspecified vulnerability in Microsoft .Net Framework

A denial of service vulnerability exists when .NET Framework improperly handles objects in heap memory, aka '.NET Framework Denial of Service Vulnerability'.

2.1
2019-05-15 CVE-2019-1808 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco Nx-Os

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device.

2.1
2019-05-15 CVE-2019-1731 Cisco Information Exposure vulnerability in Cisco Nx-Os

A vulnerability in the SSH CLI key management functionality of Cisco NX-OS Software could allow an authenticated, local attacker to expose a user's private SSH key to all authenticated users on the targeted device.

2.1
2019-05-15 CVE-2019-11833 Linux USE of Uninitialized Resource vulnerability in Linux Kernel

fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem.

2.1
2019-05-14 CVE-2019-0291 SAP Unspecified vulnerability in SAP Solution Manager 7.2

Under certain conditions Solution Manager, version 7.2, allows an attacker to access information which would otherwise be restricted.

2.1
2019-05-14 CVE-2019-10917 Siemens Improper Input Validation vulnerability in Siemens products

A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions < V14 SP1 Upd 9), SIMATIC WinCC (TIA Portal) V15 (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3).

2.1
2019-05-13 CVE-2019-4259 IBM Unspecified vulnerability in IBM Spectrum Scale

A security vulnerability has been identified in IBM Spectrum Scale 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and 5.0.0 with CES stack enabled that could allow sensitive data to be included with service snaps.

2.1
2019-05-13 CVE-2019-8350 Simple Insufficiently Protected Credentials vulnerability in Simple Better Banking 2.45.0/2.45.2/2.45.3

The Simple - Better Banking application 2.45.0 through 2.45.3 (fixed in 2.46.0) for Android was affected by an information disclosure vulnerability that leaked the user's password to the keyboard autocomplete functionality.

2.1
2019-05-17 CVE-2019-0114 Intel Race Condition vulnerability in Intel Graphics Driver

A race condition in Intel(R) Graphics Drivers before version 10.18.14.5067 (aka 15.36.x.5067) and 10.18.10.5069 (aka 15.33.x.5069) may allow an authenticated user to potentially enable a denial of service via local access.

1.9