Weekly Vulnerabilities Reports > July 29 to August 4, 2019

Overview

557 new vulnerabilities reported during this period, including 18 critical vulnerabilities and 62 high severity vulnerabilities. This weekly summary report vulnerabilities in 278 products from 127 vendors including Cpanel, Magento, Redhat, Jenkins, and Denx. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Information Exposure", "Improper Access Control", and "Out-of-bounds Write".

  • 446 reported vulnerabilities are remotely exploitables.
  • 207 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 333 reported vulnerabilities are exploitable by an anonymous user.
  • Cpanel has the most reported vulnerabilities, with 249 reported vulnerabilities.
  • Cpanel has the most reported critical vulnerabilities, with 13 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

18 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-01 CVE-2016-10817 Cpanel SQL Injection vulnerability in Cpanel

cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file (SEC-123).

10.0
2019-08-01 CVE-2016-10855 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd (SEC-91).

10.0
2019-07-30 CVE-2019-14313 10Web SQL Injection vulnerability in 10Web Photo Gallery

A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress.

10.0
2019-08-01 CVE-2016-10824 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 55.9999.141 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-90).

9.3
2019-08-01 CVE-2016-10858 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 11.54.0.0 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-64).

9.3
2019-08-02 CVE-2019-7930 Magento Unrestricted Upload of File With Dangerous Type vulnerability in Magento

A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

9.0
2019-08-02 CVE-2017-18433 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 allows code execution by webmail and demo accounts via a store_filter API call (SEC-236).

9.0
2019-08-02 CVE-2017-18387 Cpanel Injection vulnerability in Cpanel

cPanel before 68.0.15 allows arbitrary code execution via Maketext injection in a Reseller style upload (SEC-314).

9.0
2019-08-02 CVE-2017-18386 Cpanel Injection vulnerability in Cpanel

cPanel before 68.0.15 allows arbitrary code execution via Maketext injection in PostgresAdmin (SEC-313).

9.0
2019-08-01 CVE-2016-10820 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 55.9999.141 allows daemons to access their controlling TTYs (SEC-31).

9.0
2019-08-01 CVE-2016-10828 Cpanel Path Traversal vulnerability in Cpanel

cPanel before 55.9999.141 allows arbitrary code execution because of an unsafe @INC path (SEC-97).

9.0
2019-08-01 CVE-2016-10823 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 55.9999.141 allows arbitrary code execution in the context of the root account because of MakeText interpolation (SEC-89).

9.0
2019-08-01 CVE-2016-10848 Cpanel Improper Authorization vulnerability in Cpanel

cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/quotacheck (SEC-81).

9.0
2019-08-01 CVE-2016-10840 Cpanel Exposure of Resource TO Wrong Sphere vulnerability in Cpanel

cPanel before 11.54.0.4 allows arbitrary code execution during locale duplication (SEC-72).

9.0
2019-08-01 CVE-2016-10850 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost (SEC-83).

9.0
2019-08-01 CVE-2019-0193 Apache Code Injection vulnerability in Apache Solr

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter.

9.0
2019-07-29 CVE-2019-14417 Veritas Unspecified vulnerability in Veritas Resiliency Platform

An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1.

9.0
2019-07-29 CVE-2019-14416 Veritas Unspecified vulnerability in Veritas Resiliency Platform

An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1.

9.0

62 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-01 CVE-2016-10846 Cpanel Permission Issues vulnerability in Cpanel

cPanel before 11.54.0.4 allows arbitrary file-chown and file-chmod operations during Roundcube database conversions (SEC-79).

8.5
2019-08-01 CVE-2016-10837 Cpanel Untrusted Search Path vulnerability in Cpanel

cPanel before 11.54.0.4 allows arbitrary code execution because of an unsafe @INC path (SEC-46).

8.5
2019-07-29 CVE-2019-11201 Dolibarr Code Injection vulnerability in Dolibarr Erp/Crm 9.0.1

Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor.

8.5
2019-07-31 CVE-2019-1901 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Nx-Os

A vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an adjacent, unauthenticated attacker to cause a denial of service (DoS) condition or execute arbitrary code with root privileges.

8.3
2019-08-01 CVE-2018-20945 Cpanel Improper Authorization vulnerability in Cpanel

bin/csvprocess in cPanel before 68.0.27 allows insecure file operations (SEC-354).

7.9
2019-08-02 CVE-2019-10171 Fedoraproject
Redhat
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

It was found that the fix for CVE-2018-14648 in 389-ds-base, versions 1.4.0.x before 1.4.0.17, was incorrectly applied in RHEL 7.5.

7.8
2019-08-01 CVE-2019-14260 AL Enterprise OS Command Injection vulnerability in Al-Enterprise 8008 Firmware 1.50.13

On the Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone VoIP phone with firmware 1.50.13, a command injection (missing input validation) issue in the password change field for the Change Password interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request.

7.7
2019-08-01 CVE-2019-14259 Polycom OS Command Injection vulnerability in Polycom Obihai Obi1022 Firmware 5.1.11

On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection (missing input validation) issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request.

7.7
2019-08-03 CVE-2019-14551 Daskeyboard Cross-Site Request Forgery (CSRF) vulnerability in Daskeyboard DAS Q Software

Das Q before 2019-08-02 allows web sites to execute arbitrary code on client machines, as demonstrated by a cross-origin /install request with an attacker-controlled releaseUrl, which triggers download and execution of code within a ZIP archive.

7.5
2019-08-02 CVE-2019-7890 Magento Authorization Bypass Through User-Controlled KEY vulnerability in Magento

An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

7.5
2019-08-02 CVE-2019-14544 Gogs Missing Authorization vulnerability in Gogs 0.11.86

routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.

7.5
2019-08-02 CVE-2019-7163 TCL Improper Authentication vulnerability in TCL Alcatel Linkzone Firmware Mw40Vv1.0Mw40Lu02.0002

The web interface of Alcatel LINKZONE MW40-V-V1.0 MW40_LU_02.00_02 devices is vulnerable to an authentication bypass that allows an unauthenticated user to have access to the web interface without knowing the administrator's password.

7.5
2019-08-02 CVE-2019-9141 Imgtech Improper Input Validation vulnerability in Imgtech Zoneplayer 2.0.1.3/2.0.1.4/2018.02

ZInsVX.dll ActiveX Control 2018.02 and earlier in Zoneplayer contains a vulnerability that could allow remote attackers to execute arbitrary files by setting the arguments to the ActiveX method.

7.5
2019-08-02 CVE-2017-18435 Cpanel Unrestricted Upload of File With Dangerous Type vulnerability in Cpanel

cPanel before 64.0.21 allows demo accounts to execute code via the BoxTrapper API (SEC-238).

7.5
2019-08-02 CVE-2019-14532 Sleuthkit Integer Underflow (Wrap OR Wraparound) vulnerability in Sleuthkit the Sleuth KIT 4.6.6

An issue was discovered in The Sleuth Kit (TSK) 4.6.6.

7.5
2019-08-02 CVE-2019-14531 Sleuthkit Out-Of-Bounds Read vulnerability in Sleuthkit the Sleuth KIT 4.6.6

An issue was discovered in The Sleuth Kit (TSK) 4.6.6.

7.5
2019-08-02 CVE-2019-14529 Open EMR SQL Injection vulnerability in Open-Emr Openemr

OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.

7.5
2019-08-02 CVE-2019-10938 Siemens Improper Access Control vulnerability in Siemens Siprotec 5 Digsi Device Driver

A vulnerability has been identified in SIPROTEC 5 devices with CPU variants CP200 (All versions < V7.59), SIPROTEC 5 devices with CPU variants CP300 and CP100 (All versions < V8.01), Siemens Power Meters Series 9410 (All versions < V2.2.1), Siemens Power Meters Series 9810 (All versions).

7.5
2019-08-01 CVE-2019-14495 3Proxy Out-Of-Bounds Write vulnerability in 3Proxy

webadmin.c in 3proxy before 0.8.13 has an out-of-bounds write in the admin interface.

7.5
2019-08-01 CVE-2018-20924 Cpanel Improper Authentication vulnerability in Cpanel

cPanel before 70.0.23 allows arbitrary file-read and file-unlink operations via WHM style uploads (SEC-378).

7.5
2019-08-01 CVE-2019-13572 Adenion SQL Injection vulnerability in Adenion Blog2Social

The Adenion Blog2Social plugin through 5.5.0 for WordPress allows SQL Injection.

7.5
2019-08-01 CVE-2018-20887 Cpanel SQL Injection vulnerability in Cpanel

cPanel before 74.0.0 allows SQL injection during database backups (SEC-420).

7.5
2019-07-31 CVE-2019-14463 Libmodbus Out-Of-Bounds Read vulnerability in Libmodbus

An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1.5.

7.5
2019-07-31 CVE-2019-14462 Libmodbus Out-Of-Bounds Read vulnerability in Libmodbus

An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1.5.

7.5
2019-07-31 CVE-2015-5297 Pixman Integer Overflow OR Wraparound vulnerability in Pixman

An integer overflow issue has been reported in the general_composite_rect() function in pixman prior to version 0.32.8.

7.5
2019-07-31 CVE-2019-12797 Elmelectronics USE of Hard-Coded Credentials vulnerability in Elmelectronics Elm27 Firmware

A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle.

7.5
2019-07-31 CVE-2019-14204 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14203 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14202 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14201 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14200 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14199 Denx Integer Underflow (Wrap OR Wraparound) vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14198 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14196 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14195 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14194 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14193 Denx Out-Of-Bounds Write vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-31 CVE-2019-14192 Denx Integer Underflow (Wrap OR Wraparound) vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

7.5
2019-07-30 CVE-2019-5454 Nextcloud SQL Injection vulnerability in Nextcloud

SQL Injection in the Nextcloud Android app prior to version 3.0.0 allows to destroy a local cache when a harmful query is executed requiring to resetup the account.

7.5
2019-07-30 CVE-2019-13026 Oxid Esales SQL Injection vulnerability in Oxid-Esales Eshop 6.0.0/6.1.0

OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker.

7.5
2019-07-30 CVE-2019-11202 Rancher Improper Authentication vulnerability in Rancher

An issue was discovered that affects the following versions of Rancher: v2.0.0 through v2.0.13, v2.1.0 through v2.1.8, and v2.2.0 through 2.2.1.

7.5
2019-07-30 CVE-2018-20863 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452).

7.5
2019-07-30 CVE-2015-9290 Freetype Out-Of-Bounds Read vulnerability in Freetype

In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again.

7.5
2019-07-29 CVE-2019-14431 Matrixssl Improper Handling of Exceptional Conditions vulnerability in Matrixssl

In MatrixSSL 3.8.3 Open through 4.2.1 Open, the DTLS server mishandles incoming network messages leading to a heap-based buffer overflow of up to 256 bytes and possible Remote Code Execution in parseSSLHandshake in sslDecode.c.

7.5
2019-07-29 CVE-2018-11773 Apache Improper Input Validation vulnerability in Apache Virtual Computing LAB

Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation.

7.5
2019-07-29 CVE-2019-14271 Docker Code Injection vulnerability in Docker 19.03/19.03.0

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

7.5
2019-07-29 CVE-2019-13571 Vsourz SQL Injection vulnerability in Vsourz Advanced CF7 DB 1.6.1

A SQL injection vulnerability exists in the Vsourz Digital Advanced CF7 DB plugin through 1.6.1 for WordPress.

7.5
2019-07-29 CVE-2019-1020018 Discourse Improper Input Validation vulnerability in Discourse

Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via an email link.

7.5
2019-07-29 CVE-2019-14379 Fasterxml
Debian
Netapp
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in multiple products

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

7.5
2019-08-02 CVE-2017-18463 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).

7.2
2019-08-02 CVE-2017-18460 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221).

7.2
2019-08-02 CVE-2017-18459 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).

7.2
2019-08-02 CVE-2017-18434 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 allows code execution in the context of the root account via a SET_VHOST_LANG_PACKAGE multilang adminbin call (SEC-237).

7.2
2019-08-02 CVE-2017-18400 Cpanel Command Injection vulnerability in Cpanel

cPanel before 68.0.15 allows local root code execution via cpdavd (SEC-333).

7.2
2019-08-02 CVE-2017-18390 Cpanel Permission Issues vulnerability in Cpanel

cPanel before 68.0.15 allows code execution in the context of the root account because of weak permissions on incremental backups (SEC-322).

7.2
2019-08-02 CVE-2017-18388 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315).

7.2
2019-08-01 CVE-2018-20926 Cpanel Unrestricted Upload of File With Dangerous Type vulnerability in Cpanel

cPanel before 70.0.23 allows local privilege escalation via the WHM Locale XML Upload interface (SEC-380).

7.2
2019-07-30 CVE-2019-10161 Redhat Improper Access Control vulnerability in Redhat Enterprise Linux and Libvirtd

It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process.

7.2
2019-07-30 CVE-2019-14242 Bitdefender
Microsoft
Code Injection vulnerability in Bitdefender products

An issue was discovered in Bitdefender products for Windows (Bitdefender Endpoint Security Tool versions prior to 6.6.8.115; and Bitdefender Antivirus Plus, Bitdefender Internet Security, and Bitdefender Total Security versions prior to 23.0.24.120) that can lead to local code injection.

7.2
2019-07-30 CVE-2019-14400 Cpanel Unspecified vulnerability in Cpanel

cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing (SEC-479).

7.2
2019-07-30 CVE-2018-20869 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).

7.2
2019-07-30 CVE-2019-14442 Libav Infinite Loop vulnerability in Libav 12.3

In mpc8_read_header in libavformat/mpc8.c in Libav 12.3, an input file can result in an avio_seek infinite loop and hang, with 100% CPU consumption.

7.1

339 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-02 CVE-2019-7865 Magento Cross-Site Request Forgery (CSRF) vulnerability in Magento

A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.8
2019-08-02 CVE-2019-14541 Gnucobol Project Out-Of-Bounds Write vulnerability in Gnucobol Project Gnucobol 2.2

GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_program_id in cobc/typeck.c via crafted COBOL source code.

6.8
2019-08-02 CVE-2019-10094 Apache Allocation of Resources Without Limits OR Throttling vulnerability in Apache Tika

A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21.

6.8
2019-08-02 CVE-2019-10088 Apache Allocation of Resources Without Limits OR Throttling vulnerability in Apache Tika

A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21.

6.8
2019-08-02 CVE-2019-10961 Advantech Out-Of-Bounds Write vulnerability in Advantech Webaccess HMI Designer 2.1.7.32

In Advantech WebAccess HMI Designer Version 2.1.9.23 and prior, processing specially crafted MCR files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, allowing remote code execution.

6.8
2019-08-02 CVE-2019-14528 Gnucobol Project Out-Of-Bounds Write vulnerability in Gnucobol Project Gnucobol 2.2

GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal in cobc/scanner.l via crafted COBOL source code.

6.8
2019-08-02 CVE-2014-8184 Liblouis Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Liblouis

A vulnerability was found in liblouis, versions 2.5.x before 2.5.4.

6.8
2019-08-02 CVE-2019-14524 Schismtracker Out-Of-Bounds Write vulnerability in Schismtracker Schism Tracker

An issue was discovered in Schism Tracker through 20190722.

6.8
2019-08-02 CVE-2019-14523 Schismtracker Integer Underflow (Wrap OR Wraparound) vulnerability in Schismtracker Schism Tracker

An issue was discovered in Schism Tracker through 20190722.

6.8
2019-08-01 CVE-2019-14497 Milkytracker Project Out-Of-Bounds Write vulnerability in Milkytracker Project Milkytracker 1.02.00

ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTracker 1.02.00 has a heap-based buffer overflow.

6.8
2019-08-01 CVE-2019-14496 Milkytracker Project Out-Of-Bounds Write vulnerability in Milkytracker Project Milkytracker 1.02.00

LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker 1.02.00 has a stack-based buffer overflow.

6.8
2019-08-01 CVE-2016-10829 Cpanel Files OR Directories Accessible TO External Parties vulnerability in Cpanel

cPanel before 55.9999.141 allows arbitrary file-read operations because of a multipart form processing error (SEC-99).

6.8
2019-08-01 CVE-2019-14486 Gnucobol Project Buffer Errors vulnerability in Gnucobol Project Gnucobol 2.2

GnuCOBOL 2.2 has a buffer overflow in cb_evaluate_expr in cobc/field.c via crafted COBOL source code.

6.8
2019-08-01 CVE-2016-10838 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 11.54.0.4 allows arbitrary file-read operations via the bin/fmq script (SEC-70).

6.8
2019-08-01 CVE-2013-7473 Windu Cross-Site Request Forgery (CSRF) vulnerability in Windu CMS 2.2

Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account.

6.8
2019-08-01 CVE-2018-10899 Jolokia
Redhat
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

A flaw was found in Jolokia versions from 1.2 to before 1.6.1.

6.8
2019-08-01 CVE-2019-14468 Gnucobol Project Buffer Errors vulnerability in Gnucobol Project Gnucobol 2.2

GnuCOBOL 2.2 has a buffer overflow in cb_push_op in cobc/field.c via crafted COBOL source code.

6.8
2019-07-31 CVE-2019-14465 Schismtracker Out-Of-Bounds Write vulnerability in Schismtracker Schism Tracker 20190722

fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a heap-based buffer overflow.

6.8
2019-07-31 CVE-2019-10181 Icetea WEB Project Insufficient Verification of Data Authenticity vulnerability in Icetea-Web Project Icetea-Web 1.8.2

It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification.

6.8
2019-07-31 CVE-2019-10186 Moodle Cross-Site Request Forgery (CSRF) vulnerability in Moodle

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7.

6.8
2019-07-31 CVE-2019-3959 Wallaceit Cross-Site Request Forgery (CSRF) vulnerability in Wallaceit Wallacepos 1.4.3

Cross-site request forgery in WallacePOS 1.4.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.

6.8
2019-07-31 CVE-2019-5060 Libsdl
Opensuse
Integer Overflow OR Wraparound vulnerability in multiple products

An exploitable code execution vulnerability exists in the XPM image rendering function of SDL2_image 2.0.4.

6.8
2019-07-31 CVE-2019-5059 Libsdl Integer Overflow OR Wraparound vulnerability in Libsdl Sdl2 Image 2.0.4

An exploitable code execution vulnerability exists in the XPM image rendering functionality of SDL2_image 2.0.4.

6.8
2019-07-31 CVE-2019-5058 Libsdl Out-Of-Bounds Write vulnerability in Libsdl Sdl2 Image 2.0.4

An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image 2.0.4.

6.8
2019-07-31 CVE-2019-5057 Libsdl Out-Of-Bounds Write vulnerability in Libsdl Sdl2 Image 2.0.4

An exploitable code execution vulnerability exists in the PCX image-rendering functionality of SDL2_image 2.0.4.

6.8
2019-07-31 CVE-2019-13568 Cimg Out-Of-Bounds Write vulnerability in Cimg

CImg through 2.6.7 has a heap-based buffer overflow in _load_bmp in CImg.h because of erroneous memory allocation for a malformed BMP image.

6.8
2019-07-31 CVE-2019-10359 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins M2Release

A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

6.8
2019-07-30 CVE-2018-20871 Univa Incorrect Permission Assignment FOR Critical Resource vulnerability in Univa Grid Engine 8.6.3

In Univa Grid Engine before 8.6.3, when configured for Docker jobs and execd spooling on root_squash, weak file permissions ("other" write access) occur in certain cases (GE-6890).

6.8
2019-07-29 CVE-2016-10766 EDX Cross-Site Request Forgery (CSRF) vulnerability in EDX Edx-Platform

edx-platform before 2016-06-06 allows CSRF.

6.8
2019-07-29 CVE-2019-14267 Pdfresurrect Project Out-Of-Bounds Write vulnerability in Pdfresurrect Project Pdfresurrect 0.15

PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because data associated with startxref and %%EOF is mishandled.

6.8
2019-08-01 CVE-2018-20882 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447).

6.6
2019-08-02 CVE-2019-7942 Magento Code Injection vulnerability in Magento

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7932 Magento Code Injection vulnerability in Magento

A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7923 Magento Server-Side Request Forgery (SSRF) vulnerability in Magento

A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7913 Magento Server-Side Request Forgery (SSRF) vulnerability in Magento

A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7912 Magento Unrestricted Upload of File With Dangerous Type vulnerability in Magento

A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7911 Magento Server-Side Request Forgery (SSRF) vulnerability in Magento

A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7903 Magento Code Injection vulnerability in Magento

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7896 Magento Unspecified vulnerability in Magento

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7895 Magento Unspecified vulnerability in Magento

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7892 Magento Server-Side Request Forgery (SSRF) vulnerability in Magento

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7885 Magento Improper Input Validation vulnerability in Magento

Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7876 Magento Unspecified vulnerability in Magento

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

6.5
2019-08-02 CVE-2019-7871 Magento Code Injection vulnerability in Magento

A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code.

6.5
2019-08-02 CVE-2017-18447 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 allows demo accounts to execute code via the ClamScanner_getsocket API (SEC-251).

6.5
2019-08-02 CVE-2017-18446 Cpanel Out-Of-Bounds Read vulnerability in Cpanel

cPanel before 64.0.21 allows file-read and file-write operations for demo accounts via the SourceIPCheck API (SEC-250).

6.5
2019-08-02 CVE-2017-18439 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 allows demo accounts to execute code via an ImageManager_dimensions API call (SEC-243).

6.5
2019-08-02 CVE-2017-18438 Cpanel XXE vulnerability in Cpanel

cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242).

6.5
2019-08-02 CVE-2017-18403 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 68.0.15 allows code execution in the context of the nobody account via Mailman archives (SEC-337).

6.5
2019-08-02 CVE-2017-18389 Cpanel Injection vulnerability in Cpanel

cPanel before 68.0.15 allows string format injection in dovecot-xaps-plugin (SEC-318).

6.5
2019-08-01 CVE-2016-10826 Cpanel Improper Authentication vulnerability in Cpanel

cPanel before 55.9999.141 allows attackers to bypass Two Factor Authentication via DNS clustering requests (SEC-93).

6.5
2019-08-01 CVE-2016-10816 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).

6.5
2019-08-01 CVE-2016-10814 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).

6.5
2019-08-01 CVE-2016-10834 Cpanel Improperly Implemented Security Check FOR Standard vulnerability in Cpanel

cPanel before 55.9999.141 allows account-suspension bypass via ftp (SEC-105).

6.5
2019-08-01 CVE-2016-10831 Cpanel Improper Authentication vulnerability in Cpanel

cPanel before 55.9999.141 does not perform as two-factor authentication check when possessing another account (SEC-101).

6.5
2019-08-01 CVE-2018-20931 Cpanel Code Injection vulnerability in Cpanel

cPanel before 70.0.23 allows demo accounts to execute code via the Landing Page (SEC-405).

6.5
2019-08-01 CVE-2016-10845 Cpanel Injection vulnerability in Cpanel

cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/check_system_storable (SEC-78).

6.5
2019-08-01 CVE-2018-20912 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).

6.5
2019-08-01 CVE-2018-20911 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359).

6.5
2019-08-01 CVE-2018-20895 Cpanel Improper Input Validation vulnerability in Cpanel

In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).

6.5
2019-08-01 CVE-2014-8183 Theforeman
Redhat
Improper Access Control vulnerability in multiple products

It was found that foreman, versions 1.x.x before 1.15.6, in Satellite 6 did not properly enforce access controls on certain resources.

6.5
2019-08-01 CVE-2018-20879 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444).

6.5
2019-07-31 CVE-2019-3960 Wallaceit Unrestricted Upload of File With Dangerous Type vulnerability in Wallaceit Wallacepos 1.4.3

Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file.

6.5
2019-07-31 CVE-2007-6763 SAS Improper Input Validation vulnerability in SAS Drug Development

SAS Drug Development (SDD) before 32DRG02 mishandles logout actions, which allows a user (who was previously logged in) to access resources by pressing a back or forward button in a web browser.

6.5
2019-07-31 CVE-2019-10356 Jenkins 7PK - Security Features vulnerability in Jenkins Script Security

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts.

6.5
2019-07-31 CVE-2019-10355 Jenkins 7PK - Security Features vulnerability in Jenkins Script Security

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts.

6.5
2019-07-30 CVE-2017-18381 EDX
Mongodb
7PK - Security Features vulnerability in multiple products

The installation process in Open edX before 2017-01-10 exposes a MongoDB instance to external connections with default credentials.

6.5
2019-07-30 CVE-2019-10138 Python Improper Access Control vulnerability in Python Novajoin

A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform.

6.5
2019-07-30 CVE-2019-14405 Cpanel Unspecified vulnerability in Cpanel

cPanel before 78.0.18 allows demo accounts to execute code via securitypolicy.cg (SEC-487).

6.5
2019-07-30 CVE-2019-14401 Cpanel Unspecified vulnerability in Cpanel

cPanel before 78.0.18 allows code execution via an addforward API1 call (SEC-480).

6.5
2019-07-30 CVE-2019-14398 Cpanel Unspecified vulnerability in Cpanel

cPanel before 80.0.5 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-498).

6.5
2019-07-30 CVE-2019-14392 Cpanel Unspecified vulnerability in Cpanel

cPanel before 80.0.22 allows remote code execution by a demo account because of incorrect URI dispatching (SEC-501).

6.5
2019-07-29 CVE-2019-14418 Veritas Path Traversal vulnerability in Veritas Resiliency Platform

An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1.

6.5
2019-07-29 CVE-2018-11774 Apache SQL Injection vulnerability in Apache Virtual Computing LAB

Apache VCL versions 2.1 through 2.5 do not properly validate form input when adding and removing VMs to and from hosts.

6.5
2019-07-29 CVE-2018-11772 Apache SQL Injection vulnerability in Apache Virtual Computing LAB

Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what node (if any) was previously selected in the privilege tree.

6.5
2019-07-29 CVE-2019-12948 Polycom Exposed Dangerous Method OR Function vulnerability in Polycom products

A vulnerability in the web-based management interface of VVX, Trio, SoundStructure, SoundPoint, and SoundStation phones running Polycom UC Software, if exploited, could allow an authenticated, remote attacker with admin privileges to cause a denial of service (DoS) condition or execute arbitrary code.

6.5
2019-07-29 CVE-2019-11200 Dolibarr Unspecified vulnerability in Dolibarr Erp/Crm 9.0.1

Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file.

6.5
2019-07-29 CVE-2015-5601 EDX Unrestricted Upload of File With Dangerous Type vulnerability in EDX Edx-Platform

edx-platform before 2015-07-20 allows code execution by privileged users because the course import endpoint mishandles .tar.gz files.

6.5
2019-07-29 CVE-2019-1020011 Charcoal SE Improper Input Validation vulnerability in Charcoal-Se Smokedetector

SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority.

6.5
2019-07-29 CVE-2019-14378 Libslirp Project Improper Handling of Exceptional Conditions vulnerability in Libslirp Project Libslirp 4.0.0

ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.

6.5
2019-08-01 CVE-2019-14491 Opencv Out-Of-Bounds Read vulnerability in Opencv

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1.

6.4
2019-08-01 CVE-2018-20934 Cpanel Improperly Implemented Security Check FOR Standard vulnerability in Cpanel

cPanel before 70.0.23 does not prevent e-mail account suspensions from being applied to unowned accounts (SEC-411).

6.4
2019-08-01 CVE-2018-20930 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 70.0.23 allows .htaccess restrictions bypass when Htaccess Optimization is enabled (SEC-401).

6.4
2019-07-31 CVE-2019-10185 Icetea WEB Project Path Traversal vulnerability in Icetea-Web Project Icetea-Web 1.8.2

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file.

6.4
2019-07-31 CVE-2019-14197 Denx Out-Of-Bounds Read vulnerability in Denx U-Boot

An issue was discovered in Das U-Boot through 2019.07.

6.4
2019-07-30 CVE-2019-10141 Openstack
Redhat
SQL Injection vulnerability in multiple products

A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1.

6.4
2019-07-30 CVE-2018-20864 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 76.0.8 allows a persistent Virtual FTP accounts after removal of its associated domain (SEC-454).

6.4
2019-07-30 CVE-2019-13635 Wpfastestcache Path Traversal vulnerability in Wpfastestcache WP Fastest Cache

The WP Fastest Cache plugin through 0.8.9.5 for WordPress allows wpFastestCache.php and inc/cache.php Directory Traversal.

6.4
2019-07-30 CVE-2019-14399 Cpanel Information Exposure vulnerability in Cpanel

The SSL certificate-storage feature in cPanel before 78.0.18 allows unsafe file operations in the context of the root account (SEC-477).

6.1
2019-07-31 CVE-2018-16860 Samba
Heimdal Project
Improperly Implemented Security Check FOR Standard vulnerability in multiple products

A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode.

6.0
2019-08-02 CVE-2019-7873 Magento Cross-Site Request Forgery (CSRF) vulnerability in Magento

A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.8
2019-08-02 CVE-2019-7851 Magento Cross-Site Request Forgery (CSRF) vulnerability in Magento

A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages.

5.8
2019-08-02 CVE-2019-10176 Redhat Cross-Site Request Forgery (CSRF) vulnerability in Redhat Openshift Container Platform 3.11/4.1

A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session.

5.8
2019-08-02 CVE-2017-18414 Cpanel Open Redirect vulnerability in Cpanel

cPanel before 67.9999.103 allows an open redirect in /unprotected/redirect.html (SEC-300).

5.8
2019-08-02 CVE-2017-18407 Cpanel Improper Verification of Cryptographic Signature vulnerability in Cpanel

cPanel before 67.9999.103 does not enforce SSL hostname verification for the support-agreement download (SEC-279).

5.8
2019-08-01 CVE-2019-9140 Happypointcard Open Redirect vulnerability in Happypointcard Happypoint 6.3.19

When processing Deeplink scheme, Happypoint mobile app 6.3.19 and earlier versions doesn't check Deeplink URL correctly.

5.8
2019-08-01 CVE-2018-20929 Cpanel Open Redirect vulnerability in Cpanel

cPanel before 70.0.23 allows an open redirect via the /unprotected/redirect.html endpoint (SEC-392).

5.8
2019-08-01 CVE-2019-3890 Gnome
Redhat
Improper Certificate Validation vulnerability in multiple products

It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates.

5.8
2019-07-31 CVE-2019-7000 Avaya Cross-Site Scripting vulnerability in Avaya Aura Conferencing 7.0/7.2/8.0

A Cross-Site Scripting (XSS) vulnerability in the Web UI of Avaya Aura Conferencing may allow code execution and potentially disclose sensitive information.

5.8
2019-07-31 CVE-2019-10182 Icedtea WEB Project
Redhat
Path Traversal vulnerability in multiple products

It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files.

5.8
2019-07-30 CVE-2019-7615 Elastic Improper Certificate Validation vulnerability in Elastic Apm-Agent-Ruby

A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0.

5.8
2019-07-30 CVE-2019-5459 Videolan Out-Of-Bounds Read vulnerability in Videolan VLC Media Player

An Integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-band read.

5.8
2019-07-30 CVE-2019-11775 Eclipse Race Condition vulnerability in Eclipse Openj9

All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that field in the modified copy of the loop allowing the test to see one value of the field and subsequently the loop to see a modified field value without retesting the condition moved out of the loop.

5.8
2019-07-30 CVE-2018-20867 Cpanel Open Redirect vulnerability in Cpanel

cPanel before 76.0.8 has an open redirect when resetting connections (SEC-462).

5.8
2019-07-29 CVE-2019-13498 Oneidentity Cleartext Transmission of Sensitive Information vulnerability in Oneidentity Cloud Access Manager 8.1.3

One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks.

5.8
2019-07-29 CVE-2019-6726 Wpfastestcache Path Traversal vulnerability in Wpfastestcache WP Fastest Cache

The WP Fastest Cache plugin through 0.8.9.0 for WordPress allows remote attackers to delete arbitrary files because wp_postratings_clear_fastest_cache and rm_folder_recursively in wpFastestCache.php mishandle ../ in an HTTP Referer header.

5.8
2019-07-29 CVE-2019-1020006 Inveniosoftware Injection vulnerability in Inveniosoftware Invenio-App

invenio-app before 1.1.1 allows host header injection.

5.8
2019-07-29 CVE-2019-1020016 ASH AIO Project Open Redirect vulnerability in Ash-Aio Project Ash-Aio 2.0.0.0/2.0.0.1/2.0.0.2

ASH-AIO before 2.0.0.3 allows an open redirect.

5.8
2019-08-02 CVE-2019-7925 Magento Authorization Bypass Through User-Controlled KEY vulnerability in Magento

An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.5
2019-08-02 CVE-2019-7904 Magento Unspecified vulnerability in Magento

Insufficient enforcement of user access controls in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could enable a low-privileged user to make unauthorized environment configuration changes.

5.5
2019-08-02 CVE-2019-7872 Magento Authorization Bypass Through User-Controlled KEY vulnerability in Magento

An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorizations checks.

5.5
2019-08-02 CVE-2017-18398 Cpanel Improper Input Validation vulnerability in Cpanel

DnsUtils in cPanel before 68.0.15 allows zone creation for hostname and account subdomains (SEC-331).

5.5
2019-08-01 CVE-2016-10830 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 55.9999.141 allows ACL bypass for AppConfig applications via magic_revision (SEC-100).

5.5
2019-08-01 CVE-2016-10825 Cpanel Improperly Implemented Security Check FOR Standard vulnerability in Cpanel

cPanel before 55.9999.141 allows attackers to bypass a Security Policy by faking static documents (SEC-92).

5.5
2019-08-01 CVE-2016-10847 Cpanel Injection vulnerability in Cpanel

cPanel before 11.54.0.4 allows arbitrary file-read and file-write operations via scripts/fixmailboxpath (SEC-80).

5.5
2019-08-01 CVE-2016-10843 Cpanel Command Injection vulnerability in Cpanel

cPanel before 11.54.0.4 allows code execution in the context of shared users via JSON-API (SEC-76).

5.5
2019-08-01 CVE-2016-10839 Cpanel SQL Injection vulnerability in Cpanel

cPanel before 11.54.0.4 allows SQL injection in bin/horde_update_usernames (SEC-71).

5.5
2019-08-01 CVE-2018-20905 Cpanel Incorrect Permission Assignment FOR Critical Resource vulnerability in Cpanel

cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429).

5.5
2019-08-01 CVE-2016-10860 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 11.54.0.0 allows unauthorized zone modification via the WHM API (SEC-66).

5.5
2019-08-01 CVE-2016-10859 Cpanel Improper Authorization vulnerability in Cpanel

cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65).

5.5
2019-07-31 CVE-2019-10362 Jenkins Improper Input Validation vulnerability in Jenkins Configuration AS Code

Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

5.5
2019-07-30 CVE-2019-10156 Redhat Information Exposure vulnerability in Redhat Ansible, Ceph Storage and Openstack

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution.

5.5
2019-07-30 CVE-2019-4456 IBM XXE vulnerability in IBM Daeja Viewone

IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

5.5
2019-07-30 CVE-2019-4062 IBM XXE vulnerability in IBM I2 Intelligent Analysis Platform

IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

5.5
2019-08-02 CVE-2019-7951 Magento Information Exposure vulnerability in Magento

An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7950 Magento Authorization Bypass Through User-Controlled KEY vulnerability in Magento

An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7928 Magento Unspecified vulnerability in Magento

A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7915 Magento Unspecified vulnerability in Magento

A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7899 Magento Improper Input Validation vulnerability in Magento

Names of disabled downloadable products could be disclosed due to inadequate validation of user input in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7898 Magento Improper Input Validation vulnerability in Magento

Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input.

5.0
2019-08-02 CVE-2019-7886 Magento Cryptographic Issues vulnerability in Magento

A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7864 Magento Authorization Bypass Through User-Controlled KEY vulnerability in Magento

An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7861 Magento Unrestricted Upload of File With Dangerous Type vulnerability in Magento

Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7860 Magento Cryptographic Issues vulnerability in Magento

A cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7859 Magento Path Traversal vulnerability in Magento

A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control.

5.0
2019-08-02 CVE-2019-7858 Magento Cryptographic Issues vulnerability in Magento

A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 resulted in storage of sensitive information with an algorithm that is insufficiently resistant to brute force attacks.

5.0
2019-08-02 CVE-2019-7855 Magento Cryptographic Issues vulnerability in Magento

A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.

5.0
2019-08-02 CVE-2019-7854 Magento Authorization Bypass Through User-Controlled KEY vulnerability in Magento

An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.

5.0
2019-08-02 CVE-2019-7852 Magento Information Exposure vulnerability in Magento

A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

5.0
2019-08-02 CVE-2019-7849 Magento Session Fixation vulnerability in Magento

A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules.

5.0
2019-08-02 CVE-2019-6969 Dlink Cross-Site Scripting vulnerability in Dlink Dva-5592 Firmware 20180823

The web interface of the D-Link DVA-5592 20180823 is vulnerable to an authentication bypass that allows an unauthenticated user to have access to sensitive information such as the Wi-Fi password and the phone number (if VoIP is in use).

5.0
2019-08-02 CVE-2017-18461 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223).

5.0
2019-08-02 CVE-2017-18451 Cpanel Permissions, Privileges, and Access Controls vulnerability in Cpanel

cPanel before 64.0.21 allows attackers to read a user's crontab file during a short time interval upon a cPAddon upgrade (SEC-257).

5.0
2019-08-02 CVE-2017-18448 Cpanel Path Traversal vulnerability in Cpanel

cPanel before 64.0.21 allows certain file-read operations via a Serverinfo_manpage API call (SEC-252).

5.0
2019-08-02 CVE-2017-18444 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248).

5.0
2019-08-02 CVE-2017-18443 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247).

5.0
2019-08-02 CVE-2017-18442 Cpanel Command Injection vulnerability in Cpanel

cPanel before 64.0.21 allows demo accounts to execute Cpanel::SPFUI API commands (SEC-246).

5.0
2019-08-02 CVE-2017-18431 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 66.0.1 does not reliably perform suspend/unsuspend operations on accounts (CPANEL-13941).

5.0
2019-08-02 CVE-2019-5501 Netapp Unspecified vulnerability in Netapp Data Ontap

Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 may disclose sensitive LDAP account information to unauthenticated remote attackers.

5.0
2019-08-02 CVE-2019-14235 Djangoproject
Opensuse
Uncontrolled Recursion vulnerability in multiple products

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4.

5.0
2019-08-02 CVE-2019-14233 Djangoproject
Opensuse
Resource Exhaustion vulnerability in multiple products

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4.

5.0
2019-08-02 CVE-2019-14232 Djangoproject
Opensuse
Resource Exhaustion vulnerability in multiple products

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4.

5.0
2019-08-02 CVE-2017-18406 Cpanel SQL Injection vulnerability in Cpanel

cPanel before 67.9999.103 allows SQL injection during eximstats processing (SEC-276).

5.0
2019-08-01 CVE-2019-14513 Thekelleys Out-Of-Bounds Read vulnerability in Thekelleys Dnsmasq

Improper bounds checking in Dnsmasq before 2.76 allows an attacker controlled DNS server to send large DNS packets that result in a read operation beyond the buffer allocated for the packet, a different vulnerability than CVE-2017-14491.

5.0
2019-08-01 CVE-2019-14493 Opencv Null Pointer Dereference vulnerability in Opencv

An issue was discovered in OpenCV before 4.1.1.

5.0
2019-08-01 CVE-2019-14492 Opencv
Opensuse
Out-Of-Bounds Read vulnerability in multiple products

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1.

5.0
2019-08-01 CVE-2016-10833 Cpanel Improper Authentication vulnerability in Cpanel

cPanel before 55.9999.141 mishandles username-based blocking for PRE requests in cPHulkd (SEC-104).

5.0
2019-08-01 CVE-2015-9291 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 11.52.0.13 does not prevent arbitrary file-read operations via get_information_for_applications (CPANEL-1221).

5.0
2019-08-01 CVE-2019-3884 Redhat Improper Authentication vulnerability in Redhat Openshift

A vulnerability exists in the garbage collection mechanism of atomic-openshift.

5.0
2019-08-01 CVE-2018-20885 Cpanel Injection vulnerability in Cpanel

cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation (SEC-416).

5.0
2019-07-31 CVE-2019-14459 Nfdump Project Integer Overflow OR Wraparound vulnerability in Nfdump Project Nfdump

nfdump 1.6.17 and earlier is affected by an integer overflow in the function Process_ipfix_template_withdraw in ipfix.c that can be abused in order to crash the process remotely (denial of service).

5.0
2019-07-31 CVE-2019-4165 IBM Improper Input Validation vulnerability in IBM Storediq

IBM StoreIQ 7.6.0.0.

5.0
2019-07-31 CVE-2019-14452 Sigil Ebook
Flightcrew Project
Canonical
Path Traversal vulnerability in multiple products

Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.

5.0
2019-07-30 CVE-2019-10162 Powerdns Improper Authorization vulnerability in Powerdns Authoritative

A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control.

5.0
2019-07-30 CVE-2018-16871 Linux
Redhat
Null Pointer Dereference vulnerability in Linux Kernel

A flaw was found in the Linux kernel's NFS implementation, all versions 3.x and all versions 4.x up to 4.20.

5.0
2019-07-30 CVE-2019-14411 Cpanel Unspecified vulnerability in Cpanel

cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI (SEC-473).

5.0
2019-07-30 CVE-2019-14397 Cpanel Unspecified vulnerability in Cpanel

cPanel before 80.0.5 allows demo accounts to modify arbitrary files via the extractfile API1 call (SEC-496).

5.0
2019-07-30 CVE-2019-14388 Cpanel Unspecified vulnerability in Cpanel

cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).

5.0
2019-07-30 CVE-2019-14381 Openmpt Null Pointer Dereference vulnerability in Openmpt Libopenmpt

libopenmpt before 0.4.3 allows a crash due to a NULL pointer dereference when doing a portamento from an OPL instrument to an empty instrument note map slot.

5.0
2019-07-30 CVE-2017-18380 EDX Improper Access Control vulnerability in EDX Edx-Platform

edx-platform before 2017-08-03 allows attackers to trigger password-reset e-mail messages in which the reset link has an attacker-controlled domain name.

5.0
2019-07-30 CVE-2019-14439 Fasterxml
Debian
Deserialization of Untrusted Data vulnerability in multiple products

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2.

5.0
2019-07-29 CVE-2019-3948 Amcrest
Dahua
Missing Authentication FOR Critical Function vulnerability in multiple products

The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0.R, Dahua DH-IPC HX883X and DH-IPC-HX863X V2.622.0000000.7.R, Dahua DH-SD4XXXXX V2.623.0000000.7.R, Dahua DH-SD5XXXXX V2.623.0000000.1.R, Dahua DH-SD6XXXXX V2.640.0000000.2.R and V2.623.0000000.1.R, Dahua NVR5XX-4KS2 V3.216.0000006.0.R, Dahua NVR4XXX-4KS2 V3.216.0000006.0.R, and NVR2XXX-4KS2 do not require authentication to access the HTTP endpoint /videotalk.

5.0
2019-07-29 CVE-2018-17211 Printeron Information Exposure vulnerability in Printeron Central Print Services 2.5/4.1.4

An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4.

5.0
2019-07-29 CVE-2019-13126 Nats Integer Overflow OR Wraparound vulnerability in Nats Server 2.0.0

An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request.

5.0
2019-07-29 CVE-2016-10765 EDX Improper Input Validation vulnerability in EDX Edx-Platform

edx-platform before 2016-06-10 allows account activation with a spoofed e-mail address.

5.0
2019-07-29 CVE-2019-12743 Humhub Information Exposure vulnerability in Humhub Social Network KIT 1.3.13

HumHub Social Network Kit Enterprise v1.3.13 allows remote attackers to find the user accounts existing on any Social Network Kits (including self-hosted ones) by brute-forcing the username after the /u/ initial URI substring, aka Response Discrepancy Information Exposure.

5.0
2019-07-29 CVE-2019-1020009 Kolide Insufficiently Protected Credentials vulnerability in Kolide Fleet 2.0.2/2.1.0/2.1.1

Fleet before 2.1.2 allows exposure of SMTP credentials.

5.0
2019-07-29 CVE-2019-1020004 Tridactyl Project KEY Management Errors vulnerability in Tridactyl Project Tridactyl 1.14.10/1.15.0

Tridactyl before 1.16.0 allows fake key events.

5.0
2019-07-29 CVE-2019-1020002 Pterodactyl Information Exposure Through Discrepancy vulnerability in Pterodactyl Panel

Pterodactyl before 0.7.14 with 2FA allows credential sniffing.

5.0
2019-07-29 CVE-2019-1020017 Discourse Unspecified vulnerability in Discourse

Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP.

5.0
2019-07-29 CVE-2019-1020015 Hasura Improper Input Validation vulnerability in Hasura Graphql Engine 1.0.0

graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT.

5.0
2019-07-29 CVE-2019-1020013 Parseplatform Information Exposure Through AN Error Message vulnerability in Parseplatform Parse-Server

parse-server before 3.6.0 allows account enumeration.

5.0
2019-07-29 CVE-2019-1020012 Parseplatform Http Request Smuggling vulnerability in Parseplatform Parse-Server

parse-server before 3.4.1 allows DoS after any POST to a volatile class.

5.0
2019-07-29 CVE-2019-1020001 Yardoc Pathname Traversal and Equivalence Errors vulnerability in Yardoc Yard

yard before 0.9.20 allows path traversal.

5.0
2019-08-02 CVE-2017-18457 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218).

4.9
2019-08-02 CVE-2017-18404 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 68.0.15 allows domain data to be deleted for domains with the .lock TLD (SEC-341).

4.9
2019-08-02 CVE-2017-18396 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 68.0.15 allows arbitrary file-read operations via Exim vdomainaliases (SEC-329).

4.9
2019-08-01 CVE-2018-20914 Cpanel Injection vulnerability in Cpanel

In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368).

4.9
2019-08-01 CVE-2018-20891 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).

4.9
2019-08-01 CVE-2018-20888 Cpanel Improper Authentication vulnerability in Cpanel

cPanel before 74.0.0 allows file modification in the context of the root account because of incorrect HTTP authentication (SEC-424).

4.9
2019-08-01 CVE-2019-14333 Dlink Unspecified vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware

An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices.

4.9
2019-07-30 CVE-2019-14404 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 78.0.18 allows certain file-read operations in the context of the root account via the Exim virtual_user_spam router (SEC-484).

4.9
2019-08-01 CVE-2018-20941 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 68.0.27 allows arbitrary file-read operations via restore adminbin (SEC-349).

4.7
2019-08-02 CVE-2017-18452 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259).

4.6
2019-08-02 CVE-2017-18430 Cpanel Improper Input Validation vulnerability in Cpanel

In cPanel before 66.0.2, user and group ownership may be incorrectly set when using reassign_post_terminate_cruft (SEC-294).

4.6
2019-08-02 CVE-2017-18415 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 67.9999.103 allows code execution in the context of the mailman account because of incorrect environment-variable filtering (SEC-302).

4.6
2019-08-02 CVE-2017-18413 Cpanel Permissions, Privileges, and Access Controls vulnerability in Cpanel

In cPanel before 67.9999.103, the backup system overwrites root's home directory when a mount disappears (SEC-299).

4.6
2019-08-02 CVE-2019-10168 Redhat Path Traversal vulnerability in Redhat products

The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain.

4.6
2019-08-02 CVE-2019-10167 Redhat Path Traversal vulnerability in Redhat products

The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain.

4.6
2019-08-02 CVE-2019-10166 Redhat Unspecified vulnerability in Redhat products

It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files.

4.6
2019-08-02 CVE-2017-18383 Cpanel Permissions, Privileges, and Access Controls vulnerability in Cpanel

cPanel before 68.0.15 writes home-directory backups to an incorrect location (SEC-309).

4.6
2019-08-01 CVE-2018-20925 Cpanel Unrestricted Upload of File With Dangerous Type vulnerability in Cpanel

cPanel before 70.0.23 allows local privilege escalation via the WHM Legacy Language File Upload interface (SEC-379).

4.6
2019-08-01 CVE-2018-20886 Cpanel Insecure Storage of Sensitive Information vulnerability in Cpanel

cPanel before 74.0.0 insecurely stores phpMyAdmin session files (SEC-418).

4.6
2019-08-01 CVE-2019-14332 Dlink Inadequate Encryption Strength vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware

An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices.

4.6
2019-07-31 CVE-2019-12750 Symantec Out-Of-Bounds Read vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection, prior to 14.2 RU1 & 12.1 RU6 MP10 and Symantec Endpoint Protection Small Business Edition, prior to 12.1 RU6 MP10c (12.1.7491.7002), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

4.6
2019-07-30 CVE-2019-5455 Nextcloud Improper Authentication vulnerability in Nextcloud 3.6.0

Bypassing lock protection exists in Nextcloud Android app 3.6.0 when creating a multi-account and aborting the process.

4.6
2019-07-30 CVE-2019-5450 Nextcloud Code Injection vulnerability in Nextcloud

Improper sanitization of HTML in directory names in the Nextcloud Android app prior to version 3.7.0 allowed to style the directory name in the header bar when using basic HTML.

4.6
2019-07-30 CVE-2019-10142 Linux Integer Overflow OR Wraparound vulnerability in Linux Kernel

A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17.

4.6
2019-07-30 CVE-2019-14393 Cpanel Unspecified vulnerability in Cpanel

cPanel before 80.0.5 allows local code execution in the context of a different cPanel account because of insecure cpphp execution (SEC-486).

4.6
2019-07-29 CVE-2019-11868 Softether Out-Of-Bounds Write vulnerability in Softether See.Sys

See.sys, up to version 4.25, in SoftEther VPN Server versions 4.29 or older, allows a user to call an IOCTL specifying any kernel address to which arbitrary bytes are written to.

4.6
2019-08-02 CVE-2017-18450 Cpanel Permissions, Privileges, and Access Controls vulnerability in Cpanel

cPanel before 64.0.21 allows certain file-chmod operations via /scripts/convert_roundcube_mysql2sqlite (SEC-255).

4.4
2019-08-03 CVE-2019-14653 Ipandao Cross-Site Scripting vulnerability in Ipandao Editor.Md 1.5.0

pandao Editor.md 1.5.0 allows XSS via an attribute of an ABBR or SUP element.

4.3
2019-08-02 CVE-2019-7947 Magento Cross-Site Request Forgery (CSRF) vulnerability in Magento

A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

4.3
2019-08-02 CVE-2019-7939 Magento Cross-Site Scripting vulnerability in Magento

A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

4.3
2019-08-02 CVE-2019-7877 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

4.3
2019-08-02 CVE-2019-7874 Magento Cross-Site Request Forgery (CSRF) vulnerability in Magento

A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

4.3
2019-08-02 CVE-2019-7857 Magento Cross-Site Request Forgery (CSRF) vulnerability in Magento

A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation.

4.3
2019-08-02 CVE-2019-6968 Dlink Cross-Site Scripting vulnerability in Dlink Dva-5592 Firmware 20180823

The web interface of the D-Link DVA-5592 20180823 is vulnerable to XSS because HTML form parameters are directly reflected.

4.3
2019-08-02 CVE-2019-10093 Apache Allocation of Resources Without Limits OR Throttling vulnerability in Apache Tika

In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs.

4.3
2019-08-02 CVE-2017-18456 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface (SEC-217).

4.3
2019-08-02 CVE-2019-5493 Netapp Unspecified vulnerability in Netapp Data Ontap

Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 are susceptible to a vulnerability which discloses information to an unauthenticated attacker.

4.3
2019-08-02 CVE-2017-18399 Cpanel Permissions, Privileges, and Access Controls vulnerability in Cpanel

cPanel before 68.0.15 allows attackers to read root's crontab file during a short time interval upon enabling or disabling sqloptimizer (SEC-332).

4.3
2019-08-01 CVE-2019-14517 Editor MD Project Cross-Site Scripting vulnerability in Editor.Md Project Editor.Md 1.5.0

pandao Editor.md 1.5.0 allows XSS via the Javas&#99;ript: string.

4.3
2019-08-01 CVE-2019-14494 Freedesktop
Canonical
Fedoraproject
Divide BY Zero vulnerability in multiple products

An issue was discovered in Poppler through 0.78.0.

4.3
2019-08-01 CVE-2018-20953 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 68.0.27 allows self XSS in the WHM listips interface (SEC-389).

4.3
2019-08-01 CVE-2018-20951 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC-387).

4.3
2019-08-01 CVE-2018-20950 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 68.0.27 allows self stored XSS in WHM Account Transfer (SEC-386).

4.3
2019-08-01 CVE-2018-20949 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385).

4.3
2019-08-01 CVE-2018-20948 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration (SEC-383).

4.3
2019-08-01 CVE-2018-20928 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391).

4.3
2019-08-01 CVE-2019-14472 Zurmo Cross-Site Scripting vulnerability in Zurmo 3.2.72

Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default PATH_INFO.

4.3
2019-08-01 CVE-2019-14471 Testlink Cross-Site Scripting vulnerability in Testlink 1.9.19

TestLink 1.9.19 has XSS via the error.php message parameter.

4.3
2019-08-01 CVE-2018-20923 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377).

4.3
2019-08-01 CVE-2018-20922 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action (SEC-376).

4.3
2019-08-01 CVE-2018-20921 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" action (SEC-375).

4.3
2019-08-01 CVE-2018-20920 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-374).

4.3
2019-08-01 CVE-2018-20919 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373).

4.3
2019-08-01 CVE-2018-20918 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372).

4.3
2019-08-01 CVE-2018-20910 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357).

4.3
2019-08-01 CVE-2018-20903 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).

4.3
2019-08-01 CVE-2018-20901 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400).

4.3
2019-08-01 CVE-2013-7474 Windu Cross-Site Scripting vulnerability in Windu CMS 2.2

Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users.

4.3
2019-08-01 CVE-2018-20900 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 71.9980.37 allows stored XSS in the YUM autorepair functionality (SEC-399).

4.3
2019-08-01 CVE-2018-20899 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 71.9980.37 allows stored XSS in the WHM cPAddons installation interface (SEC-398).

4.3
2019-08-01 CVE-2019-14338 Dlink Cross-Site Scripting vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware

An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices.

4.3
2019-07-31 CVE-2019-14464 Milkytracker Project Out-Of-Bounds Write vulnerability in Milkytracker Project Milkytracker 1.02.00

XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a heap-based buffer overflow.

4.3
2019-07-31 CVE-2018-20872 I LAN Cross-Site Request Forgery (CSRF) vulnerability in I-Lan Draytekl Firmware

DrayTek routers before 2018-05-23 allow CSRF attacks to change DNS or DHCP settings, a related issue to CVE-2017-11649.

4.3
2019-07-31 CVE-2019-5020 Virustotal Improper Input Validation vulnerability in Virustotal Yara 3.8.1

An exploitable denial of service vulnerability exists in the object lookup functionality of Yara 3.8.1.

4.3
2019-07-30 CVE-2019-7614 Elastic Race Condition vulnerability in Elastic Elasticsearch

A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request.

4.3
2019-07-30 CVE-2019-5460 Videolan Double Free vulnerability in Videolan VLC Media Player

Double Free in VLC versions <= 3.0.6 leads to a crash.

4.3
2019-07-30 CVE-2019-5456 UI Credentials Management vulnerability in UI Unifi Controller

SMTP MITM refers to a malicious actor setting up an SMTP proxy server between the UniFi Controller version <= 5.10.21 and their actual SMTP server to record their SMTP credentials for malicious use later.

4.3
2019-07-30 CVE-2019-5448 Yarnpkg Cryptographic Issues vulnerability in Yarnpkg Yarn

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

4.3
2019-07-30 CVE-2019-14383 Openmpt Reachable Assertion vulnerability in Openmpt Libopenmpt

J2B in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs.

4.3
2019-07-30 CVE-2019-14382 Openmpt Reachable Assertion vulnerability in Openmpt Libopenmpt

DSM in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs.

4.3
2019-07-30 CVE-2019-14380 Openmpt Out-Of-Bounds Read vulnerability in Openmpt Libopenmpt

libopenmpt before 0.4.5 allows a crash during playback due to an out-of-bounds read in XM and MT2 files.

4.3
2019-07-30 CVE-2018-20861 Openmpt Improper Input Validation vulnerability in Openmpt Libopenmpt

libopenmpt before 0.3.11 allows a crash with certain malformed custom tunings in MPTM files.

4.3
2019-07-30 CVE-2018-20860 Openmpt Improper Input Validation vulnerability in Openmpt Libopenmpt

libopenmpt before 0.3.13 allows a crash with malformed MED files.

4.3
2019-07-30 CVE-2018-20859 EDX Cross-Site Scripting vulnerability in EDX Edx-Platform

edx-platform before 2018-07-18 allows XSS via a response to a Chemical Equation advanced problem.

4.3
2019-07-30 CVE-2019-14318 Cryptopp Channel and Path Errors vulnerability in Cryptopp Crypto++

Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation.

4.3
2019-07-30 CVE-2019-14406 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing (SEC-493).

4.3
2019-07-30 CVE-2019-14403 Cpanel Open Redirect vulnerability in Cpanel

cPanel before 78.0.18 offers an open mail relay because of incorrect domain-redirect routing (SEC-483).

4.3
2019-07-30 CVE-2018-20868 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464).

4.3
2019-07-30 CVE-2018-20866 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461).

4.3
2019-07-30 CVE-2018-20865 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destination field (SEC-459).

4.3
2019-07-30 CVE-2019-14444 GNU Integer Overflow OR Wraparound vulnerability in GNU Binutils 2.32

apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.

4.3
2019-07-30 CVE-2019-14443 Libav Divide BY Zero vulnerability in Libav 12.3

An issue was discovered in Libav 12.3.

4.3
2019-07-30 CVE-2019-14441 Libav Unspecified vulnerability in Libav 12.3

** DISPUTED ** An issue was discovered in Libav 12.3.

4.3
2019-07-30 CVE-2019-14387 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506).

4.3
2019-07-30 CVE-2019-14327 Custom Simple RSS Project Cross-Site Request Forgery (CSRF) vulnerability in Custom Simple RSS Project Custom Simple RSS

A CSRF vulnerability in Settings form in the Custom Simple Rss plugin 2.0.6 for WordPress allows attackers to change the plugin settings.

4.3
2019-07-29 CVE-2018-18570 Planonsoftware Cross-Site Scripting vulnerability in Planonsoftware Planon

Planon before Live Build 41 has XSS.

4.3
2019-07-29 CVE-2019-13655 Imgix Resource Exhaustion vulnerability in Imgix 20190619

Imgix through 2019-06-19 allows remote attackers to cause a denial of service (resource consumption) by manipulating a small JPEG file to specify dimensions of 64250x64250 pixels, which is mishandled during an attempt to load the 'whole image' into memory.

4.3
2019-07-29 CVE-2015-6960 EDX Cross-Site Scripting vulnerability in EDX Edx-Platform

edx-platform before 2015-09-17 allows XSS via a team name.

4.3
2019-07-29 CVE-2019-1020008 Stacktable JS Project Cross-Site Scripting vulnerability in Stacktable.Js Project Stacktable.Js

stacktable.js before 1.0.4 allows XSS.

4.3
2019-07-29 CVE-2019-1020019 Inveniosoftware Cross-Site Scripting vulnerability in Inveniosoftware Invenio-Previewer 0.1.0/1.0.0

invenio-previewer before 1.0.0a12 allows XSS.

4.3
2019-07-29 CVE-2019-1020010 Misskey Cross-Site Scripting vulnerability in Misskey

Misskey before 10.102.4 allows hijacking a user's token.

4.3
2019-08-02 CVE-2019-7929 Magento Information Exposure vulnerability in Magento

An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

4.0
2019-08-02 CVE-2019-7889 Magento Injection vulnerability in Magento

An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

4.0
2019-08-02 CVE-2019-7888 Magento Information Exposure vulnerability in Magento

An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

4.0
2019-08-02 CVE-2017-18455 Cpanel Permissions, Privileges, and Access Controls vulnerability in Cpanel

In cPanel before 62.0.17, addon domain conversion did not require a package for resellers (SEC-208).

4.0
2019-08-02 CVE-2017-18453 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260).

4.0
2019-08-02 CVE-2017-18445 Cpanel 7PK - Security Features vulnerability in Cpanel

cPanel before 64.0.21 does not enforce demo restrictions for SSL API calls (SEC-249).

4.0
2019-08-02 CVE-2017-18441 Cpanel Open Redirect vulnerability in Cpanel

cPanel before 64.0.21 allows demo accounts to redirect web traffic (SEC-245).

4.0
2019-08-02 CVE-2017-18440 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 allows demo users to execute traceroute via api2 (SEC-244).

4.0
2019-08-02 CVE-2017-18426 Cpanel Information Exposure Through LOG Files vulnerability in Cpanel

cPanel before 66.0.2 allows resellers to read other accounts' domain log files (SEC-288).

4.0
2019-08-02 CVE-2017-18411 Cpanel Improper Input Validation vulnerability in Cpanel

The "addon domain conversion" feature in cPanel before 67.9999.103 can copy all MySQL databases to the new account (SEC-285).

4.0
2019-08-02 CVE-2017-18410 Cpanel Improper Input Validation vulnerability in Cpanel

In cPanel before 67.9999.103, a user account's backup archive could contain all MySQL databases on the server (SEC-284).

4.0
2019-08-02 CVE-2017-18409 Cpanel Improper Input Validation vulnerability in Cpanel

In cPanel before 67.9999.103, the backup interface could return a backup archive with all MySQL databases (SEC-283).

4.0
2019-08-02 CVE-2017-18401 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 68.0.15 allows user accounts to be partially created with invalid username formats (SEC-334).

4.0
2019-08-02 CVE-2017-18395 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 68.0.15 does not block a username of ssl (SEC-328).

4.0
2019-08-02 CVE-2017-18394 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 68.0.15 does not have a sufficient list of reserved usernames (SEC-327).

4.0
2019-08-02 CVE-2017-18393 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 68.0.15 does not block a username of postmaster, which might allow reception of private e-mail (SEC-326).

4.0
2019-08-02 CVE-2017-18382 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 68.0.15 allows use of an unreserved e-mail address in DNS zone SOA records (SEC-306).

4.0
2019-08-01 CVE-2016-10821 Cpanel Credentials Management vulnerability in Cpanel

In cPanel before 55.9999.141, Scripts/addpop reveals a command-line password in a process list (SEC-75).

4.0
2019-08-01 CVE-2016-10819 Cpanel Information Exposure Through LOG Files vulnerability in Cpanel

In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).

4.0
2019-08-01 CVE-2016-10818 Cpanel Permission Issues vulnerability in Cpanel

cPanel before 57.9999.54 incorrectly sets log-file permissions in dnsadmin-startup and spamd-startup (SEC-124).

4.0
2019-08-01 CVE-2016-10815 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120).

4.0
2019-08-01 CVE-2018-20952 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).

4.0
2019-08-01 CVE-2018-20938 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 68.0.27 does not enforce ownership during addpkgext and delpkgext WHM API calls (SEC-324).

4.0
2019-08-01 CVE-2018-20937 Cpanel Improper Authentication vulnerability in Cpanel

cPanel before 68.0.27 does not validate database and dbuser names during renames (SEC-321).

4.0
2019-08-01 CVE-2016-10835 Cpanel Improper Authentication vulnerability in Cpanel

cPanel before 55.9999.141 allows a POP/IMAP cPHulk bypass via account name munging (SEC-107).

4.0
2019-08-01 CVE-2016-10832 Cpanel Improper Authentication vulnerability in Cpanel

cPanel before 55.9999.141 allows FTP cPHulk bypass via account name munging (SEC-102).

4.0
2019-08-01 CVE-2018-20932 Cpanel File and Directory Information Exposure vulnerability in Cpanel

cPanel before 70.0.23 exposes Apache HTTP Server logs after creation of certain domains (SEC-406).

4.0
2019-08-01 CVE-2016-10849 Cpanel Command Injection vulnerability in Cpanel

cPanel before 11.54.0.4 allows certain file-chmod operations in scripts/secureit (SEC-82).

4.0
2019-08-01 CVE-2016-10844 Cpanel Information Exposure vulnerability in Cpanel

The chcpass script in cPanel before 11.54.0.4 reveals a password hash (SEC-77).

4.0
2019-08-01 CVE-2016-10842 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 11.54.0.4 allows certain file-read operations in bin/setup_global_spam_filter.pl (SEC-74).

4.0
2019-08-01 CVE-2016-10836 Cpanel Improper Authentication vulnerability in Cpanel

cPanel before 55.9999.141 allows arbitrary file-read operations during authentication with caldav (SEC-108).

4.0
2019-08-01 CVE-2018-20907 Cpanel Incorrect Permission Assignment FOR Critical Resource vulnerability in Cpanel

cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API feature restriction (SEC-432).

4.0
2019-08-01 CVE-2018-20906 Cpanel Incorrect Permission Assignment FOR Critical Resource vulnerability in Cpanel

cPanel before 71.9980.37 allows attackers to make API calls that bypass the images feature restriction (SEC-430).

4.0
2019-08-01 CVE-2018-20904 Cpanel Incorrect Permission Assignment FOR Critical Resource vulnerability in Cpanel

cPanel before 71.9980.37 allows attackers to make API calls that bypass the cron feature restriction (SEC-427).

4.0
2019-08-01 CVE-2016-10857 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 11.54.0.0 allows a bypass of the e-mail sending limit (SEC-60).

4.0
2019-08-01 CVE-2016-10856 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 11.54.0.0 allows subaccounts to discover sensitive data through comet feeds (SEC-29).

4.0
2019-08-01 CVE-2016-10852 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 11.54.0.4 lacks ACL enforcement in the AppConfig subsystem (SEC-85).

4.0
2019-08-01 CVE-2018-20898 Cpanel Injection vulnerability in Cpanel

cPanel before 71.9980.37 allows e-mail injection during cPAddons moderation (SEC-396).

4.0
2019-08-01 CVE-2018-20892 Cpanel Unspecified vulnerability in Cpanel

cPanel before 74.0.0 allows arbitrary zone file modifications because of incorrect CAA record handling (SEC-439).

4.0
2019-08-01 CVE-2018-20890 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 74.0.0 allows arbitrary zone file modifications during record edits (SEC-426).

4.0
2019-08-01 CVE-2015-7559 Apache Improper Input Validation vulnerability in Apache Activemq

It was found that the Apache ActiveMQ client before 5.15.5 exposed a remote shutdown command in the ActiveMQConnection class.

4.0
2019-08-01 CVE-2018-20883 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 74.0.8 allows FTP access during account suspension (SEC-449).

4.0
2019-07-31 CVE-2019-10198 Theforeman Improper Authentication vulnerability in Theforeman Foreman-Tasks

An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7.

4.0
2019-07-31 CVE-2019-10189 Moodle Improper Access Control vulnerability in Moodle

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7.

4.0
2019-07-31 CVE-2019-10188 Moodle Improper Access Control vulnerability in Moodle

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7.

4.0
2019-07-31 CVE-2019-10187 Moodle Improper Access Control vulnerability in Moodle

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7.

4.0
2019-07-31 CVE-2019-4163 IBM Unspecified vulnerability in IBM Storediq

IBM StoreIQ 7.6.0.0.

4.0
2019-07-31 CVE-2019-10366 Jenkins Credentials Management vulnerability in Jenkins Skytap Cloud CI

Jenkins Skytap Cloud CI Plugin 2.06 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-07-31 CVE-2019-10365 Google Information Exposure vulnerability in Google Kubernetes Engine

Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read permission.

4.0
2019-07-31 CVE-2019-10363 Jenkins Information Exposure vulnerability in Jenkins Configuration AS Code

Jenkins Configuration as Code Plugin 1.24 and earlier did not reliably identify sensitive values expected to be exported in their encrypted form.

4.0
2019-07-31 CVE-2019-10358 Jenkins Improper Input Validation vulnerability in Jenkins Maven

Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log.

4.0
2019-07-31 CVE-2019-10357 Jenkins Permission Issues vulnerability in Jenkins Pipeline:Shared Groovy Libraries

A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.

4.0
2019-07-31 CVE-2019-10344 Jenkins Permission Issues vulnerability in Jenkins Configuration AS Code

Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins.

4.0
2019-07-30 CVE-2019-10163 Powerdns
Opensuse
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

A Vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9, 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages.

4.0
2019-07-30 CVE-2019-10153 Clusterlabs
Redhat
Encoding Error vulnerability in multiple products

A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception.

4.0
2019-07-30 CVE-2019-7616 Elastic Server-Side Request Forgery (SSRF) vulnerability in Elastic Kibana

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer.

4.0
2019-07-30 CVE-2019-5449 Nextcloud Missing Authorization vulnerability in Nextcloud Server

A missing check in the Nextcloud Server prior to version 15.0.1 causes leaking of calendar event names when adding or modifying confidential or private events.

4.0
2019-07-30 CVE-2019-10130 Postgresql Improper Access Control vulnerability in Postgresql

A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17.

4.0
2019-07-30 CVE-2019-10129 Postgresql Out-Of-Bounds Read vulnerability in Postgresql 11.0/11.1/11.2

A vulnerability was found in postgresql versions 11.x prior to 11.3.

4.0
2019-07-30 CVE-2019-14413 Cpanel Unspecified vulnerability in Cpanel

cPanel before 78.0.2 allows certain file-write operations as shared users during connection resets (SEC-476).

4.0
2019-07-30 CVE-2019-14408 Cpanel Unspecified vulnerability in Cpanel

cPanel before 78.0.2 allows a demo account to link with an OpenID provider (SEC-460).

4.0
2019-07-30 CVE-2019-14407 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 78.0.2 reveals internal data to OpenID providers (SEC-415).

4.0
2019-07-29 CVE-2018-17213 Printeron Improper Authentication vulnerability in Printeron Central Print Services 2.5/4.1.4

An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4.

4.0
2019-07-29 CVE-2015-9288 Unity Information Exposure vulnerability in Unity web Player

The Unity Web Player plugin before 4.6.6f2 and 5.x before 5.0.3f2 allows attackers to read messages or access online services via a victim's credentials

4.0

138 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-08-02 CVE-2017-18458 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).

3.6
2019-08-02 CVE-2017-18437 Cpanel Injection vulnerability in Cpanel

cPanel before 64.0.21 allows a Webmail account to execute code via forwarders (SEC-240).

3.6
2019-08-02 CVE-2017-18416 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 67.9999.103 allows arbitrary file-overwrite operations during a Roundcube SQLite schema update (SEC-303).

3.6
2019-08-01 CVE-2018-20909 Cpanel Incorrect Permission Assignment FOR Critical Resource vulnerability in Cpanel

cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338).

3.6
2019-08-01 CVE-2018-20889 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 74.0.0 allows certain file-read operations via password file caching (SEC-425).

3.6
2019-07-30 CVE-2019-5453 Nextcloud Improper Authentication vulnerability in Nextcloud

Bypass lock protection in the Nextcloud Android app prior to version 3.3.0 allowed access to files when being prompted for the lock protection and switching to the Nextcloud file provider.

3.6
2019-07-29 CVE-2019-13103 Denx Uncontrolled Recursion vulnerability in Denx U-Boot

A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.

3.6
2019-08-02 CVE-2019-7945 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7944 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7940 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7938 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7937 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7936 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7935 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7934 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7927 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7926 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7921 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7909 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7908 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7897 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7887 Magento Cross-Site Scripting vulnerability in Magento

A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.

3.5
2019-08-02 CVE-2019-7882 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7881 Magento Cross-Site Scripting vulnerability in Magento

A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7880 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7875 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7869 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7868 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7867 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7866 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7863 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7862 Magento Cross-Site Scripting vulnerability in Magento

A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2019-7853 Magento Cross-Site Scripting vulnerability in Magento

A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

3.5
2019-08-02 CVE-2017-18454 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface (SEC-262).

3.5
2019-08-02 CVE-2017-18420 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 66.0.2 allows stored XSS during WHM cPAddons processing (SEC-269).

3.5
2019-08-02 CVE-2017-18419 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 66.0.2 allows stored XSS during WHM cPAddons uninstallation (SEC-266).

3.5
2019-08-02 CVE-2017-18418 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 66.0.2 allows stored XSS during WHM cPAddons file operations (SEC-265).

3.5
2019-08-02 CVE-2017-18417 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 66.0.2 allows stored XSS during WHM cPAddons installation (SEC-263).

3.5
2019-08-02 CVE-2017-18408 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 67.9999.103 allows stored XSS in WHM MySQL Password Change interfaces (SEC-282).

3.5
2019-08-02 CVE-2017-18402 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 68.0.15 allows stored XSS during a cpaddons moderated upgrade (SEC-336).

3.5
2019-08-01 CVE-2019-5401 HP Cross-Site Scripting vulnerability in HP Hp2910Al-48G Firmware W.15.14.00.16

A potential security vulnerability has been identified in HP2910al-48G version W.15.14.0016.

3.5
2019-08-01 CVE-2016-10813 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 57.9999.54 allows self XSS during ftp account creation under addon domains (SEC-118).

3.5
2019-08-01 CVE-2016-10827 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 55.9999.141 allows self stored XSS in WHM Edit System Mail Preferences (SEC-96).

3.5
2019-08-01 CVE-2016-10822 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 55.9999.141 allows self XSS in X3 Reseller Branding Images (SEC-88).

3.5
2019-08-01 CVE-2018-20935 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows stored XSS in via a WHM "Reset a DNS Zone" action (SEC-412).

3.5
2019-08-01 CVE-2018-20933 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 has Stored XSS via an WHM Edit DNS Zone action (SEC-410).

3.5
2019-08-01 CVE-2018-20916 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-370).

3.5
2019-08-01 CVE-2018-20915 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-369).

3.5
2019-08-01 CVE-2018-20913 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364).

3.5
2019-08-01 CVE-2016-10854 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 11.54.0.4 allows self XSS in the X3 Entropy Banner interface (SEC-87).

3.5
2019-08-01 CVE-2016-10853 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 11.54.0.4 allows stored XSS in the WHM Feature Manager interface (SEC-86).

3.5
2019-08-01 CVE-2016-10851 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 11.54.0.4 allows self XSS in the WHM PHP Configuration editor interface (SEC-84).

3.5
2019-08-01 CVE-2018-20884 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 74.0.0 allows stored XSS in the WHM File Restoration interface (SEC-367).

3.5
2019-08-01 CVE-2018-20881 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 74.0.8 allows self stored XSS on the Security Questions login page (SEC-446).

3.5
2019-08-01 CVE-2018-20878 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 74.0.8 allows stored XSS in WHM "File and Directory Restoration" interface (SEC-441).

3.5
2019-08-01 CVE-2018-20877 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 74.0.8 allows self XSS in WHM Style Upload interface (SEC-437).

3.5
2019-08-01 CVE-2018-20876 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface (SEC-434).

3.5
2019-08-01 CVE-2018-20875 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 74.0.8 allows self XSS in the WHM Security Questions interface (SEC-433).

3.5
2019-08-01 CVE-2018-20874 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428).

3.5
2019-07-31 CVE-2019-14456 Opengear Cross-Site Scripting vulnerability in Opengear

Opengear console server firmware releases prior to 4.5.0 have a stored XSS vulnerability related to serial port logging.

3.5
2019-07-31 CVE-2019-3958 Wallaceit Cross-Site Scripting vulnerability in Wallaceit Wallacepos 1.4.3

Insufficient output sanitization in WallacePOS 1.4.3 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks via a crafted sales transaction.

3.5
2019-07-31 CVE-2019-10360 Jenkins Cross-Site Scripting vulnerability in Jenkins M2 Release

A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

3.5
2019-07-30 CVE-2019-5458 Http File Server Project Cross-Site Scripting vulnerability in Http-File-Server Project Http-File-Server

Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.

3.5
2019-07-30 CVE-2019-5457 MIN Http Server Project Cross-Site Scripting vulnerability in Min-Http-Server Project Min-Http-Server

Cross-site scripting (XSS) vulnerability in min-http-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.

3.5
2019-07-30 CVE-2019-4285 IBM Improper Input Validation vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server - Liberty Admin Center could allow a remote attacker to hijack the clicking action of the victim.

3.5
2019-07-30 CVE-2019-14390 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).

3.5
2019-07-30 CVE-2019-14386 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504).

3.5
2019-07-29 CVE-2019-14415 Veritas Cross-Site Scripting vulnerability in Veritas Resiliency Platform

An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1.

3.5
2019-07-29 CVE-2019-11199 Dolibarr Cross-Site Scripting vulnerability in Dolibarr Erp/Crm 9.0.1

Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files.

3.5
2019-07-29 CVE-2015-6253 EDX Cross-Site Scripting vulnerability in EDX Edx-Platform

edx-platform before 2015-08-17 allows XSS in the Studio listing of courses.

3.5
2019-07-29 CVE-2019-1020007 Owasp Cross-Site Scripting vulnerability in Owasp Dependency-Track

Dependency-Track before 3.5.1 allows XSS.

3.5
2019-07-29 CVE-2019-1020005 Inveniosoftware Cross-Site Scripting vulnerability in Inveniosoftware Invenio-Communities 1.0.0

invenio-communities before 1.0.0a20 allows XSS.

3.5
2019-07-29 CVE-2019-1020003 Inveniosoftware Cross-Site Scripting vulnerability in Inveniosoftware Invenio-Records

invenio-records before 1.2.2 allows XSS.

3.5
2019-07-29 CVE-2019-1105 Microsoft Cross-Site Scripting vulnerability in Microsoft Outlook

A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages, aka 'Outlook for Android Spoofing Vulnerability'.

3.5
2019-08-01 CVE-2018-20897 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).

3.3
2019-08-01 CVE-2018-20896 Cpanel Code Injection vulnerability in Cpanel

cPanel before 71.9980.37 allows code injection in the WHM cPAddons interface (SEC-394).

3.3
2019-08-02 CVE-2017-18436 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 64.0.21 allows demo accounts to read files via a Fileman::getfileactions API2 call (SEC-239).

2.7
2019-07-30 CVE-2019-10152 Libpod Project Path Traversal vulnerability in Libpod Project Libpod

A path traversal vulnerability has been discovered in podman before version 1.4.0 in the way it handles symlinks inside containers.

2.6
2019-08-02 CVE-2017-18449 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254).

2.1
2019-08-02 CVE-2017-18432 Cpanel Information Exposure vulnerability in Cpanel

In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a database password (SEC-234).

2.1
2019-08-02 CVE-2017-18429 Cpanel 7PK - Security Features vulnerability in Cpanel

In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persist on disk after an account termination (SEC-291).

2.1
2019-08-02 CVE-2017-18427 Cpanel Permission Issues vulnerability in Cpanel

In cPanel before 66.0.2, weak log-file permissions can occur after account modification (SEC-289).

2.1
2019-08-02 CVE-2017-18424 Cpanel Information Exposure vulnerability in Cpanel

In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274).

2.1
2019-08-02 CVE-2017-18423 Cpanel Information Exposure Through LOG Files vulnerability in Cpanel

In cPanel before 66.0.2, domain log files become readable after log processing (SEC-273).

2.1
2019-08-02 CVE-2017-18422 Cpanel Permission Issues vulnerability in Cpanel

In cPanel before 66.0.2, EasyApache 4 conversion sets weak domlog ownership and permissions (SEC-272).

2.1
2019-08-02 CVE-2017-18421 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 66.0.2 allows demo accounts to create databases and users (SEC-271).

2.1
2019-08-02 CVE-2019-4275 IBM Unspecified vulnerability in IBM Jazz FOR Service Management 1.1.3/1.1.3.1/1.1.3.2

IBM Jazz for Service Management 1.1.3, 1.1.3.1, and 1.1.3.2 could allow an unauthorized local user to create unique catalog names that could cause a denial of service.

2.1
2019-08-02 CVE-2017-18405 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 68.0.15 allows arbitrary file-read operations because of the backup .htaccess modification logic (SEC-345).

2.1
2019-08-02 CVE-2017-18397 Cpanel Permission Issues vulnerability in Cpanel

cPanel before 68.0.15 does not preserve permissions for local backup transport (SEC-330).

2.1
2019-08-02 CVE-2017-18392 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 68.0.15 allows collisions because PostgreSQL databases can be assigned to multiple accounts (SEC-325).

2.1
2019-08-02 CVE-2017-18385 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 68.0.15 allows unprivileged users to access restricted directories during account restores (SEC-311).

2.1
2019-08-02 CVE-2017-18384 Cpanel Improper Access Control vulnerability in Cpanel

cPanel before 68.0.15 allows jailed accounts to restore files that are outside of the jail (SEC-310).

2.1
2019-08-01 CVE-2018-20947 Cpanel Exposure of Resource TO Wrong Sphere vulnerability in Cpanel

cPanel before 68.0.27 allows certain file-write operations via the telnetcrt script (SEC-356).

2.1
2019-08-01 CVE-2018-20946 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 68.0.27 allows attackers to read zone information because a world-readable archive is created by the archive_sync_zones script (SEC-355).

2.1
2019-08-01 CVE-2018-20944 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 68.0.27 allows attackers to read a copy of httpd.conf that is created during a syntax test (SEC-353).

2.1
2019-08-01 CVE-2018-20940 Cpanel Race Condition vulnerability in Cpanel

cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon the enabling of backups (SEC-342).

2.1
2019-08-01 CVE-2018-20939 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 68.0.27 allows a user to discover contents of directories (that are not owned by that user) by leveraging backups (SEC-339).

2.1
2019-08-01 CVE-2018-20936 Cpanel Incorrect Permission Assignment FOR Critical Resource vulnerability in Cpanel

cPanel before 68.0.27 allows attackers to read the SRS secret via exim.conf (SEC-308).

2.1
2019-08-01 CVE-2018-20927 Cpanel Improper Authorization vulnerability in Cpanel

cPanel before 70.0.23 allows jailshell escape because of incorrect crontab parsing (SEC-382).

2.1
2019-08-01 CVE-2016-10841 Cpanel Information Management Errors vulnerability in Cpanel

The bin/mkvhostspasswd script in cPanel before 11.54.0.4 discloses password hashes (SEC-73).

2.1
2019-08-01 CVE-2018-20917 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 70.0.23 allows any user to disable Solr (SEC-371).

2.1
2019-08-01 CVE-2018-20908 Cpanel Incorrect Permission Assignment FOR Critical Resource vulnerability in Cpanel

cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435).

2.1
2019-08-01 CVE-2018-20902 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).

2.1
2019-08-01 CVE-2018-20894 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 74.0.0 makes web-site contents accessible to other local users via Git repositories (SEC-443).

2.1
2019-08-01 CVE-2018-20893 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442).

2.1
2019-08-01 CVE-2019-14337 Dlink OS Command Injection vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware

An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices.

2.1
2019-08-01 CVE-2019-14336 Dlink Unspecified vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware

An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices.

2.1
2019-08-01 CVE-2019-14334 Dlink Improper Certificate Validation vulnerability in Dlink products

An issue was discovered on D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Ax 4.2.0.14 21/03/2019 devices.

2.1
2019-08-01 CVE-2018-20880 Cpanel Unspecified vulnerability in Cpanel

cPanel before 74.0.8 mishandles account suspension because of an invalid email_accounts.json file (SEC-445).

2.1
2019-08-01 CVE-2018-20873 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409).

2.1
2019-07-31 CVE-2019-10364 Jenkins Information Exposure vulnerability in Jenkins EC2

Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log.

2.1
2019-07-31 CVE-2019-10361 Jenkins Credentials Management vulnerability in Jenkins M2Release

Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system.

2.1
2019-07-31 CVE-2019-10345 Jenkins Credentials Management vulnerability in Jenkins Configuration AS Code

Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export.

2.1
2019-07-31 CVE-2019-10343 Jenkins Information Exposure Through LOG Files vulnerability in Jenkins Configuration AS Code

Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.

2.1
2019-07-30 CVE-2019-10165 Redhat Information Exposure vulnerability in Redhat Openshift Container Platform

OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server.

2.1
2019-07-30 CVE-2019-5452 Nextcloud Improper Input Validation vulnerability in Nextcloud

Bypass lock protection in the Nextcloud Android app prior to version 3.6.2 causes leaking of thumbnails when requesting the Android content provider although the lock protection was not solved.

2.1
2019-07-30 CVE-2019-5451 Nextcloud Improper Input Validation vulnerability in Nextcloud Server

Bypass lock protection in the Nextcloud Android app prior to version 3.6.1 allows accessing the files when repeatedly opening and closing the app in a very short time.

2.1
2019-07-30 CVE-2019-14414 Cpanel Unspecified vulnerability in Cpanel

In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains (SEC-478).

2.1
2019-07-30 CVE-2019-14412 Cpanel USE of Externally-Controlled Format String vulnerability in Cpanel

Maketext in cPanel before 78.0.2 allows format-string injection in the DCV check_domains_via_dns UAPI (SEC-474).

2.1
2019-07-30 CVE-2019-14410 Cpanel USE of Externally-Controlled Format String vulnerability in Cpanel

Maketext in cPanel before 78.0.2 allows format-string injection in the Email store_filter UAPI (SEC-472).

2.1
2019-07-30 CVE-2019-14409 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466).

2.1
2019-07-30 CVE-2019-14402 Cpanel Unspecified vulnerability in Cpanel

cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481).

2.1
2019-07-30 CVE-2019-14396 Cpanel Unspecified vulnerability in Cpanel

API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495).

2.1
2019-07-30 CVE-2019-14395 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494).

2.1
2019-07-30 CVE-2019-14394 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489).

2.1
2019-07-30 CVE-2018-20870 Cpanel Information Exposure vulnerability in Cpanel

The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467).

2.1
2019-07-30 CVE-2018-20862 Cpanel Unspecified vulnerability in Cpanel

cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366).

2.1
2019-07-30 CVE-2019-14391 Cpanel Unspecified vulnerability in Cpanel

cPanel before 82.0.2 does not properly enforce Reseller package creation ACLs (SEC-514).

2.1
2019-07-30 CVE-2019-14389 Cpanel Unspecified vulnerability in Cpanel

cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).

2.1
2019-07-29 CVE-2019-1020014 Docker Double Free vulnerability in Docker Credential Helpers

docker-credential-helpers before 0.6.3 has a double free in the List functions.

2.1
2019-08-02 CVE-2017-18428 Cpanel Information Exposure vulnerability in Cpanel

In cPanel before 66.0.2, Apache HTTP Server domlogs become temporarily world-readable during log processing (SEC-290).

1.9
2019-08-02 CVE-2017-18425 Cpanel Permission Issues vulnerability in Cpanel

In cPanel before 66.0.2, the cpdavd_error_log file can be created with weak permissions (SEC-280).

1.9
2019-08-02 CVE-2018-1987 IBM Improper Authentication vulnerability in IBM Data Protection

IBM Spectrum Protect for Enterprise Resource Planning 7.1 and 8.1, if tracing is activated, the IBM Spectrum Protect node password may be displayed in plain text in the ERP trace file.

1.9
2019-08-02 CVE-2017-18412 Cpanel Information Exposure Through LOG Files vulnerability in Cpanel

cPanel before 67.9999.103 allows Apache HTTP Server log files to become world-readable because of mishandling on an account rename (SEC-296).

1.9
2019-08-02 CVE-2017-18391 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 68.0.15 allows attackers to read backup files because they are world-readable during a short time interval (SEC-323).

1.9
2019-08-01 CVE-2018-20943 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon a post-update task (SEC-352).

1.9
2019-08-01 CVE-2018-20942 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon configuring crontab (SEC-351).

1.9
2019-07-30 CVE-2019-1552 Openssl Improper Certificate Validation vulnerability in Openssl

OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS.

1.9