Weekly Vulnerabilities Reports > July 29 to August 4, 2019
Overview
557 new vulnerabilities were reported during this period, including 29 critical vulnerabilities and 89 high severity vulnerabilities. This weekly summary reports vulnerabilities in 307 products from 127 vendors, including Cpanel, Magento, Redhat, Debian, and Opensuse. The most common weakness categories are "Cross-site Scripting", "Improper Input Validation", "Information Exposure", "Improper Access Control", and "Out-of-bounds Write".
- 435 reported vulnerabilities are remotely exploitable.
- 212 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 324 reported vulnerabilities are exploitable by an anonymous user.
- Cpanel has the most reported vulnerabilities, with 249 reported vulnerabilities.
- Cpanel has the most reported critical vulnerabilities, with 13 reported vulnerabilities.
[Summary chart panels, with the counts given in the bullets above: Vulnerabilities; Exploitable; Available; Anonymously; Web Application]
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
29 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-01 | CVE-2016-10817 | Cpanel | SQL Injection vulnerability in Cpanel cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file (SEC-123). | 10.0 |
2019-08-01 | CVE-2016-10855 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd (SEC-91). | 10.0 |
2019-08-02 | CVE-2019-14532 | Sleuthkit Fedoraproject | Off-by-one Error vulnerability in multiple products An issue was discovered in The Sleuth Kit (TSK) 4.6.6. | 9.8 |
2019-08-02 | CVE-2019-14529 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php. | 9.8 |
2019-08-01 | CVE-2019-14495 | 3Proxy | Out-of-bounds Write vulnerability in 3Proxy webadmin.c in 3proxy before 0.8.13 has an out-of-bounds write in the admin interface. | 9.8 |
2019-08-01 | CVE-2019-13572 | Adenion | SQL Injection vulnerability in Adenion Blog2Social The Adenion Blog2Social plugin through 5.5.0 for WordPress allows SQL Injection. | 9.8 |
2019-07-31 | CVE-2019-12797 | Elmelectronics | Use of Hard-coded Credentials vulnerability in Elmelectronics Elm27 Firmware A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle. | 9.8 |
2019-07-30 | CVE-2019-5454 | Nextcloud | SQL Injection vulnerability in Nextcloud SQL injection in the Nextcloud Android app prior to version 3.0.0 allows an attacker to destroy the local cache when a harmful query is executed, requiring the account to be set up again. | 9.8 |
2019-07-30 | CVE-2019-14313 | 10Web | SQL Injection vulnerability in 10Web Photo Gallery A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. | 9.8 |
2019-07-30 | CVE-2015-9290 | Freetype | Out-of-bounds Read vulnerability in Freetype In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again. | 9.8 |
2019-07-29 | CVE-2019-14431 | Matrixssl | Improper Handling of Exceptional Conditions vulnerability in Matrixssl In MatrixSSL 3.8.3 Open through 4.2.1 Open, the DTLS server mishandles incoming network messages leading to a heap-based buffer overflow of up to 256 bytes and possible Remote Code Execution in parseSSLHandshake in sslDecode.c. | 9.8 |
2019-07-29 | CVE-2018-11773 | Apache | Improper Input Validation vulnerability in Apache Virtual Computing LAB Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. | 9.8 |
2019-07-29 | CVE-2019-13571 | Vsourz | SQL Injection vulnerability in Vsourz Advanced CF7 DB A SQL injection vulnerability exists in the Vsourz Digital Advanced CF7 DB plugin through 1.6.1 for WordPress. | 9.8 |
2019-07-29 | CVE-2019-14379 | Fasterxml Debian Netapp Fedoraproject Redhat Oracle Apple | SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | 9.8 |
2019-08-01 | CVE-2016-10824 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 55.9999.141 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-90). | 9.3 |
2019-08-01 | CVE-2016-10858 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 11.54.0.0 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-64). | 9.3 |
2019-07-31 | CVE-2019-14463 | Libmodbus Fedoraproject Debian | Out-of-bounds Read vulnerability in multiple products An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1.5. | 9.1 |
2019-07-31 | CVE-2019-14462 | Libmodbus Fedoraproject Debian | Out-of-bounds Read vulnerability in multiple products An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1.5. | 9.1 |
2019-08-02 | CVE-2019-7930 | Magento | Unrestricted Upload of File with Dangerous Type vulnerability in Magento A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 9.0 |
2019-08-02 | CVE-2017-18433 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 allows code execution by webmail and demo accounts via a store_filter API call (SEC-236). | 9.0 |
2019-08-02 | CVE-2017-18387 | Cpanel | Injection vulnerability in Cpanel cPanel before 68.0.15 allows arbitrary code execution via Maketext injection in a Reseller style upload (SEC-314). | 9.0 |
2019-08-02 | CVE-2017-18386 | Cpanel | Injection vulnerability in Cpanel cPanel before 68.0.15 allows arbitrary code execution via Maketext injection in PostgresAdmin (SEC-313). | 9.0 |
2019-08-01 | CVE-2016-10820 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 55.9999.141 allows daemons to access their controlling TTYs (SEC-31). | 9.0 |
2019-08-01 | CVE-2016-10828 | Cpanel | Path Traversal vulnerability in Cpanel cPanel before 55.9999.141 allows arbitrary code execution because of an unsafe @INC path (SEC-97). | 9.0 |
2019-08-01 | CVE-2016-10823 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 55.9999.141 allows arbitrary code execution in the context of the root account because of MakeText interpolation (SEC-89). | 9.0 |
2019-08-01 | CVE-2016-10848 | Cpanel | Improper Authorization vulnerability in Cpanel cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/quotacheck (SEC-81). | 9.0 |
2019-08-01 | CVE-2016-10840 | Cpanel | Exposure of Resource to Wrong Sphere vulnerability in Cpanel cPanel before 11.54.0.4 allows arbitrary code execution during locale duplication (SEC-72). | 9.0 |
2019-08-01 | CVE-2016-10850 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost (SEC-83). | 9.0 |
2019-07-29 | CVE-2019-14417 | Veritas | Unspecified vulnerability in Veritas Resiliency Platform An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. | 9.0 |
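Five of the critical rows above (cPanel's TailWatch log file, OpenEMR's eye_mag/save.php, and the Blog2Social, Photo Gallery and Advanced CF7 DB WordPress plugins) share one defect class: untrusted input spliced into SQL text. The following is an added example, not code from any of those products, showing the vulnerable shape beside the parameterised fix against a constructed in-memory SQLite table; the table layout, the sample rows and the payload string are assumptions for illustration.

```python
"""String-built versus parameterised SQL on a constructed sample database.
Added example; not code from any product listed in the report."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Vulnerable: the caller-supplied name becomes part of the SQL text, so a
    quote inside it closes the literal and the rest is parsed as SQL."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Fixed: the name travels as a bound parameter. The engine compiles the
    statement first and only then binds the value, so it is always compared
    as a string and never parsed as SQL."""
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed injection string: closes the literal, adds an OR clause that
# matches every admin, and comments out the trailing quote with "--".
PAYLOAD = "x' OR role = 'admin' --"


def demo() -> dict:
    """Run both lookups with the same payload and return what each gives back."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),   # leaks the admin row
        "safe": find_user_safe(conn, PAYLOAD),               # no user has that name
        "safe_normal": find_user_safe(conn, "bob"),
    }
```

Binding parameters is the fix for every row in this class; escaping quotes by hand is not equivalent, because it has to be right for every dialect, encoding and context (identifiers, LIMIT clauses, ORDER BY) where the input lands.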
89 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-02 | CVE-2019-10088 | Apache | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tika A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. | 8.8 |
2019-08-02 | CVE-2019-10961 | Advantech | Out-of-bounds Write vulnerability in Advantech Webaccess HMI Designer 2.1.7.32 In Advantech WebAccess HMI Designer Version 2.1.9.23 and prior, processing specially crafted MCR files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, allowing remote code execution. | 8.8 |
2019-08-01 | CVE-2018-10899 | Jolokia Redhat | Cross-Site Request Forgery (CSRF) vulnerability in multiple products A flaw was found in Jolokia versions from 1.2 to before 1.6.1. | 8.8 |
2019-07-31 | CVE-2019-10186 | Moodle | Cross-Site Request Forgery (CSRF) vulnerability in Moodle A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. | 8.8 |
2019-07-31 | CVE-2019-1901 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Nx-Os A vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an adjacent, unauthenticated attacker to cause a denial of service (DoS) condition or execute arbitrary code with root privileges. | 8.8 |
2019-07-31 | CVE-2019-10356 | Jenkins Redhat | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts. | 8.8 |
2019-07-31 | CVE-2019-10355 | Jenkins Redhat | Incorrect Type Conversion or Cast vulnerability in multiple products A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts. | 8.8 |
2019-07-29 | CVE-2019-14418 | Veritas | Path Traversal vulnerability in Veritas Resiliency Platform An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. | 8.8 |
2019-07-29 | CVE-2019-14378 | Libslirp Project | Improper Handling of Exceptional Conditions vulnerability in Libslirp Project Libslirp 4.0.0 ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. | 8.8 |
2019-07-31 | CVE-2019-10185 | Icedtea WEB Project Debian Opensuse | Path Traversal vulnerability in multiple products It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. | 8.6 |
2019-08-01 | CVE-2016-10846 | Cpanel | Permission Issues vulnerability in Cpanel cPanel before 11.54.0.4 allows arbitrary file-chown and file-chmod operations during Roundcube database conversions (SEC-79). | 8.5 |
2019-08-01 | CVE-2016-10837 | Cpanel | Untrusted Search Path vulnerability in Cpanel cPanel before 11.54.0.4 allows arbitrary code execution because of an unsafe @INC path (SEC-46). | 8.5 |
2019-07-29 | CVE-2019-11201 | Dolibarr | Code Injection vulnerability in Dolibarr Erp/Crm 9.0.1 Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. | 8.5 |
2019-08-01 | CVE-2019-14491 | Opencv | Out-of-bounds Read vulnerability in Opencv An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. | 8.2 |
2019-07-31 | CVE-2019-10181 | Icedtea WEB Project Debian Opensuse | Insufficient Verification of Data Authenticity vulnerability in multiple products It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. | 8.1 |
2019-07-30 | CVE-2019-5456 | UI | Credentials Management vulnerability in UI Unifi Controller and Unifi Network Controller SMTP MITM refers to a malicious actor setting up an SMTP proxy server between the UniFi Controller version <= 5.10.21 and their actual SMTP server to record their SMTP credentials for malicious use later. | 8.1 |
2019-08-01 | CVE-2018-20945 | Cpanel | Improper Authorization vulnerability in Cpanel bin/csvprocess in cPanel before 68.0.27 allows insecure file operations (SEC-354). | 7.9 |
2019-08-02 | CVE-2019-10094 | Apache | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tika A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. | 7.8 |
2019-08-02 | CVE-2014-8184 | Liblouis | Stack-based Buffer Overflow vulnerability in Liblouis A vulnerability was found in liblouis, versions 2.5.x before 2.5.4. | 7.8 |
2019-08-02 | CVE-2019-14524 | Schismtracker Opensuse | Out-of-bounds Write vulnerability in multiple products An issue was discovered in Schism Tracker through 20190722. | 7.8 |
2019-08-02 | CVE-2019-14523 | Schismtracker | Integer Underflow (Wrap or Wraparound) vulnerability in Schismtracker Schism Tracker An issue was discovered in Schism Tracker through 20190722. | 7.8 |
2019-08-01 | CVE-2019-14497 | Milkytracker Project Canonical Debian | Out-of-bounds Write vulnerability in multiple products ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTracker 1.02.00 has a heap-based buffer overflow. | 7.8 |
2019-08-01 | CVE-2019-14496 | Milkytracker Project Canonical Debian | Out-of-bounds Write vulnerability in multiple products LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker 1.02.00 has a stack-based buffer overflow. | 7.8 |
2019-07-31 | CVE-2019-14465 | Schismtracker | Out-of-bounds Write vulnerability in Schismtracker Schism Tracker 20190722 fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a heap-based buffer overflow. | 7.8 |
2019-07-30 | CVE-2019-10161 | Redhat Canonical | Missing Authorization vulnerability in multiple products It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. | 7.8 |
2019-07-29 | CVE-2019-14267 | Pdfresurrect Project Fedoraproject | Out-of-bounds Write vulnerability in multiple products PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because data associated with startxref and %%EOF is mishandled. | 7.8 |
2019-08-01 | CVE-2019-14260 | AL Enterprise | OS Command Injection vulnerability in Al-Enterprise 8008 Firmware 1.50.13 On the Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone VoIP phone with firmware 1.50.13, a command injection (missing input validation) issue in the password change field for the Change Password interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request. | 7.7 |
2019-08-01 | CVE-2019-14259 | Polycom | OS Command Injection vulnerability in Polycom Obihai Obi1022 Firmware 5.1.11 On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection (missing input validation) issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request. | 7.7 |
2019-08-03 | CVE-2019-14551 | Daskeyboard | Cross-Site Request Forgery (CSRF) vulnerability in Daskeyboard DAS Q Software Das Q before 2019-08-02 allows web sites to execute arbitrary code on client machines, as demonstrated by a cross-origin /install request with an attacker-controlled releaseUrl, which triggers download and execution of code within a ZIP archive. | 7.5 |
2019-08-02 | CVE-2019-7890 | Magento | Authorization Bypass Through User-Controlled Key vulnerability in Magento An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 7.5 |
2019-08-02 | CVE-2019-14544 | Gogs | Missing Authorization vulnerability in Gogs 0.11.86 routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks. | 7.5 |
2019-08-02 | CVE-2019-7163 | TCL | Improper Authentication vulnerability in TCL Alcatel Linkzone Firmware Mw40Vv1.0Mw40Lu02.0002 The web interface of Alcatel LINKZONE MW40-V-V1.0 MW40_LU_02.00_02 devices is vulnerable to an authentication bypass that allows an unauthenticated user to have access to the web interface without knowing the administrator's password. | 7.5 |
2019-08-02 | CVE-2019-9141 | Imgtech | Unspecified vulnerability in Imgtech Zoneplayer 2.0.1.3/2.0.1.4/2018.02 ZInsVX.dll ActiveX Control 2018.02 and earlier in Zoneplayer contains a vulnerability that could allow remote attackers to execute arbitrary files by setting the arguments to the ActiveX method. | 7.5 |
2019-08-02 | CVE-2017-18435 | Cpanel | Unrestricted Upload of File with Dangerous Type vulnerability in Cpanel cPanel before 64.0.21 allows demo accounts to execute code via the BoxTrapper API (SEC-238). | 7.5 |
2019-08-02 | CVE-2019-14531 | Sleuthkit | Out-of-bounds Read vulnerability in Sleuthkit the Sleuth KIT 4.6.6 An issue was discovered in The Sleuth Kit (TSK) 4.6.6. | 7.5 |
2019-08-02 | CVE-2019-14235 | Djangoproject Opensuse | Uncontrolled Recursion vulnerability in multiple products An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. | 7.5 |
2019-08-02 | CVE-2019-14233 | Djangoproject Opensuse | Resource Exhaustion vulnerability in multiple products An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. | 7.5 |
2019-08-02 | CVE-2019-14232 | Djangoproject Opensuse | Resource Exhaustion vulnerability in multiple products An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. | 7.5 |
2019-08-02 | CVE-2019-10938 | Siemens | Improper Access Control vulnerability in Siemens Siprotec 5 Digsi Device Driver A vulnerability has been identified in SIPROTEC 5 devices with CPU variants CP200 (All versions < V7.59), SIPROTEC 5 devices with CPU variants CP300 and CP100 (All versions < V8.01), Siemens Power Meters Series 9410 (All versions < V2.2.1), Siemens Power Meters Series 9810 (All versions). | 7.5 |
2019-08-02 | CVE-2019-10171 | Fedoraproject Redhat | Allocation of Resources Without Limits or Throttling vulnerability in multiple products It was found that the fix for CVE-2018-14648 in 389-ds-base, versions 1.4.0.x before 1.4.0.17, was incorrectly applied in RHEL 7.5. | 7.5 |
2019-08-01 | CVE-2019-14513 | Thekelleys Debian | Out-of-bounds Read vulnerability in multiple products Improper bounds checking in Dnsmasq before 2.76 allows an attacker controlled DNS server to send large DNS packets that result in a read operation beyond the buffer allocated for the packet, a different vulnerability than CVE-2017-14491. | 7.5 |
2019-08-01 | CVE-2019-14494 | Freedesktop Canonical Fedoraproject Debian Redhat | Divide By Zero vulnerability in multiple products An issue was discovered in Poppler through 0.78.0. | 7.5 |
2019-08-01 | CVE-2018-20924 | Cpanel | Improper Authentication vulnerability in Cpanel cPanel before 70.0.23 allows arbitrary file-read and file-unlink operations via WHM style uploads (SEC-378). | 7.5 |
2019-08-01 | CVE-2018-20887 | Cpanel | SQL Injection vulnerability in Cpanel cPanel before 74.0.0 allows SQL injection during database backups (SEC-420). | 7.5 |
2019-07-31 | CVE-2015-5297 | Pixman | Integer Overflow or Wraparound vulnerability in Pixman An integer overflow issue has been reported in the general_composite_rect() function in pixman prior to version 0.32.8. | 7.5 |
2019-07-31 | CVE-2019-14459 | Nfdump Project Debian Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products nfdump 1.6.17 and earlier is affected by an integer overflow in the function Process_ipfix_template_withdraw in ipfix.c that can be abused in order to crash the process remotely (denial of service). | 7.5 |
2019-07-31 | CVE-2019-14204 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14203 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14202 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14201 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14200 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14199 | Denx | Integer Underflow (Wrap or Wraparound) vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14198 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14196 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14195 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14194 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14193 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-31 | CVE-2019-14192 | Denx | Integer Underflow (Wrap or Wraparound) vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 7.5 |
2019-07-30 | CVE-2019-13026 | Oxid Esales | SQL Injection vulnerability in Oxid-Esales Eshop 6.0.0/6.1.0 OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. | 7.5 |
2019-07-30 | CVE-2019-11202 | Suse | Improper Authentication vulnerability in Suse Rancher An issue was discovered that affects the following versions of Rancher: v2.0.0 through v2.0.13, v2.1.0 through v2.1.8, and v2.2.0 through 2.2.1. | 7.5 |
2019-07-30 | CVE-2018-16871 | Linux Redhat Netapp | NULL Pointer Dereference vulnerability in multiple products A flaw was found in the Linux kernel's NFS implementation, all versions 3.x and all versions 4.x up to 4.20. | 7.5 |
2019-07-30 | CVE-2018-20863 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452). | 7.5 |
2019-07-30 | CVE-2017-18380 | EDX | Improper Access Control vulnerability in EDX Edx-Platform edx-platform before 2017-08-03 allows attackers to trigger password-reset e-mail messages in which the reset link has an attacker-controlled domain name. | 7.5 |
2019-07-30 | CVE-2019-14439 | Fasterxml Debian Fedoraproject Apache Redhat Oracle | Deserialization of Untrusted Data vulnerability in multiple products A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. | 7.5 |
2019-07-29 | CVE-2019-14271 | Docker Debian Opensuse | Improper Initialization vulnerability in multiple products In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container. | 7.5 |
2019-07-29 | CVE-2019-13126 | Nats | Integer Overflow or Wraparound vulnerability in Nats Server An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. | 7.5 |
2019-07-29 | CVE-2019-1020018 | Discourse | Improper Authentication vulnerability in Discourse Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via an email link. | 7.5 |
2019-07-29 | CVE-2019-1020001 | Yardoc | Path Traversal vulnerability in Yardoc Yard yard before 0.9.20 allows path traversal. | 7.5 |
2019-08-01 | CVE-2014-8183 | Theforeman Redhat | Improper Access Control vulnerability in multiple products It was found that foreman, versions 1.x.x before 1.15.6, in Satellite 6 did not properly enforce access controls on certain resources. | 7.4 |
2019-07-30 | CVE-2019-7615 | Elastic | Improper Certificate Validation vulnerability in Elastic Apm-Agent-Ruby A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. | 7.4 |
2019-07-29 | CVE-2019-13498 | Oneidentity | Cleartext Transmission of Sensitive Information vulnerability in Oneidentity Cloud Access Manager 8.1.3 One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. | 7.4 |
2019-08-02 | CVE-2017-18463 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225). | 7.2 |
2019-08-02 | CVE-2017-18460 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221). | 7.2 |
2019-08-02 | CVE-2017-18459 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220). | 7.2 |
2019-08-02 | CVE-2017-18434 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 allows code execution in the context of the root account via a SET_VHOST_LANG_PACKAGE multilang adminbin call (SEC-237). | 7.2 |
2019-08-02 | CVE-2017-18400 | Cpanel | Command Injection vulnerability in Cpanel cPanel before 68.0.15 allows local root code execution via cpdavd (SEC-333). | 7.2 |
2019-08-02 | CVE-2017-18390 | Cpanel | Permission Issues vulnerability in Cpanel cPanel before 68.0.15 allows code execution in the context of the root account because of weak permissions on incremental backups (SEC-322). | 7.2 |
2019-08-02 | CVE-2017-18388 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315). | 7.2 |
2019-08-01 | CVE-2018-20926 | Cpanel | Unrestricted Upload of File with Dangerous Type vulnerability in Cpanel cPanel before 70.0.23 allows local privilege escalation via the WHM Locale XML Upload interface (SEC-380). | 7.2 |
2019-08-01 | CVE-2019-0193 | Apache Debian | Code Injection vulnerability in multiple products In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. | 7.2 |
2019-07-30 | CVE-2017-18381 | EDX | Unspecified vulnerability in EDX Edx-Platform The installation process in Open edX before 2017-01-10 exposes a MongoDB instance to external connections with default credentials. | 7.2 |
2019-07-30 | CVE-2019-14242 | Bitdefender | Code Injection vulnerability in Bitdefender products An issue was discovered in Bitdefender products for Windows (Bitdefender Endpoint Security Tool versions prior to 6.6.8.115; and Bitdefender Antivirus Plus, Bitdefender Internet Security, and Bitdefender Total Security versions prior to 23.0.24.120) that can lead to local code injection. | 7.2 |
2019-07-30 | CVE-2019-14400 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing (SEC-479). | 7.2 |
2019-07-30 | CVE-2018-20869 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465). | 7.2 |
2019-07-29 | CVE-2019-14416 | Veritas | Unspecified vulnerability in Veritas Resiliency Platform An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. | 7.2 |
2019-07-29 | CVE-2018-11774 | Apache | SQL Injection vulnerability in Apache Virtual Computing LAB Apache VCL versions 2.1 through 2.5 do not properly validate form input when adding and removing VMs to and from hosts. | 7.2 |
2019-07-29 | CVE-2018-11772 | Apache | SQL Injection vulnerability in Apache Virtual Computing LAB Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what node (if any) was previously selected in the privilege tree. | 7.2 |
2019-07-30 | CVE-2019-4456 | IBM | XXE vulnerability in IBM Daeja Viewone IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 7.1 |
2019-07-30 | CVE-2019-4062 | IBM | XXE vulnerability in IBM I2 Intelligent Analysis Platform IBM i2 Intelligent Analysis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 7.1 |
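Three rows in the high table describe what goes wrong when an archive from an untrusted source is unpacked without limits: the icedtea-web zip-slip (CVE-2019-10185) writes outside the extraction directory through a member name containing `..`, and the two Apache Tika rows (CVE-2019-10088, CVE-2019-10094) exhaust memory on a highly compressible archive or the stack on a zip quine that contains itself. The added example below is not code from icedtea-web or Tika; it is a bounded archive walker that checks every member path against the destination root before reading it, measures decompressed size while inflating rather than trusting the header, and caps nesting depth. The size and depth limits, the destination path and the constructed test archives (deep nesting stands in for a true quine) are assumptions.

```python
"""Bounded ZIP handling: rejects traversal, over-budget decompression and
deep nesting. Added example, not any listed project's code. Limits are
assumed; nothing is written to disk, destination paths are only computed."""
import io
import os
import zipfile
from typing import Dict, List, Optional

MAX_TOTAL_BYTES = 1024 * 1024   # assumed budget for all members, nested included
MAX_DEPTH = 3                   # assumed maximum archive-in-archive nesting


class UnsafeArchive(ValueError):
    """Raised for traversal, excessive nesting, or over-budget decompression."""


class Budget:
    def __init__(self, total: int = MAX_TOTAL_BYTES) -> None:
        self.remaining = total


def safe_member_path(dest: str, name: str) -> str:
    """Resolve a member name under dest and reject anything that escapes it
    (zip-slip). Comparing the normalised result against the destination root
    catches '..' components, absolute names and mixed separators alike."""
    dest_root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_root, name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise UnsafeArchive(f"entry {name!r} escapes {dest_root}")
    return target


def scan_zip(data: bytes, dest: str, depth: int = 0,
             budget: Optional[Budget] = None) -> List[str]:
    """Walk an in-memory archive, recursing into nested archives, and return
    the destination paths it would be safe to write. Sizes are measured while
    inflating (declared sizes in the header can lie), so a quine or a highly
    compressible member stops at the budget instead of exhausting memory,
    and depth is capped so a self-containing archive cannot recurse forever."""
    if budget is None:
        budget = Budget()
    if depth > MAX_DEPTH:
        raise UnsafeArchive(f"nesting deeper than {MAX_DEPTH}")
    planned: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest, info.filename)   # check before reading
            if info.is_dir():
                continue
            chunks = []
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    budget.remaining -= len(chunk)
                    if budget.remaining < 0:
                        raise UnsafeArchive("decompressed size exceeds budget")
                    chunks.append(chunk)
            content = b"".join(chunks)
            if zipfile.is_zipfile(io.BytesIO(content)):
                planned.extend(scan_zip(content, target + ".d", depth + 1, budget))
            else:
                planned.append(target)
    return planned


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test input: an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_nested(levels: int) -> bytes:
    """Constructed: a one-file zip wrapped inside `levels` further zips,
    standing in for a zip quine, which nests without end."""
    data = build_zip({"leaf.txt": b"hello"})
    for _ in range(levels):
        data = build_zip({"inner.zip": data})
    return data


def demo() -> dict:
    dest = "/tmp/untrusted-out"   # assumed destination; nothing is written
    outcomes = {
        "clean": scan_zip(build_zip({"docs/readme.txt": b"ok"}), dest),
        "nested_ok": scan_zip(build_nested(MAX_DEPTH), dest),
    }
    hostile = {
        "traversal": build_zip({"../../evil.txt": b"x"}),
        "too_deep": build_nested(MAX_DEPTH + 1),
        "too_big": build_zip({"zeros.bin": b"\0" * (2 * MAX_TOTAL_BYTES)}),
    }
    for label, data in hostile.items():
        try:
            scan_zip(data, dest)
            outcomes[label] = "accepted"
        except UnsafeArchive as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes
```

Python's own `ZipFile.extract` has stripped leading slashes and `..` components since 2.7.4 and 3.3, which is why most zip-slip bugs live in code that builds the output path itself, as the icedtea-web auto-extraction did; the path check here is the one that code needs. The size and depth budget is the part `extract` does not give you, and it is what stands between a parser like Tika's RecursiveParserWrapper and an archive built to be small on the wire and unbounded once inflated.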
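The two jackson-databind rows (CVE-2019-14379 in the critical table, CVE-2019-14439 above) are instances of one pattern: the serialized document names the class to instantiate ("default typing", polymorphic typing), so any class on the classpath with a capability-bearing constructor or setter becomes a gadget, and each CVE is one more gadget added to a blocklist. The added example below is in Python and is an analogue of that pattern, not jackson's code: a resolver that honours any importable class name sits beside one that only accepts an allowlist of the application's own subtypes. The `Shape`/`Circle`/`Square` types, the `@class` field, and the sample documents are assumptions for illustration.

```python
"""Polymorphic type handling with and without an allowlist. Added example
in Python, an analogue of the jackson-databind default-typing pattern, not
jackson's code. Shape/Circle/Square, TYPE_KEY and the sample documents
are assumptions for illustration."""
import importlib
import json
from dataclasses import dataclass

TYPE_KEY = "@class"   # assumed discriminator field naming the class to build


@dataclass
class Shape:
    name: str


@dataclass
class Circle(Shape):
    radius: float


@dataclass
class Square(Shape):
    side: float


def resolve_type_vulnerable(type_name: str) -> type:
    """Default-typing analogue: any importable dotted name is honoured, so
    the document's author picks the class and its constructor arguments."""
    module_name, _, class_name = type_name.rpartition(".")
    return getattr(importlib.import_module(module_name), class_name)


# Concrete types the application actually models. The safe resolver only
# honours these, the way a validator restricted to known subtypes of a base
# class would; gadget classes never reach a constructor.
BASE_TYPE = Shape
ALLOWED_SUBTYPES = {cls.__name__: cls for cls in (Circle, Square)}


def resolve_type_safe(type_name: str) -> type:
    cls = ALLOWED_SUBTYPES.get(type_name)
    if cls is None or not issubclass(cls, BASE_TYPE):
        raise ValueError(f"{type_name!r} is not an allowed subtype of {BASE_TYPE.__name__}")
    return cls


def deserialize(document: str, resolver) -> object:
    """Build an object from a JSON document whose TYPE_KEY names its class.
    The resolver decides which names are honoured; the remaining fields
    become constructor keyword arguments, which is exactly what makes a
    gadget class with a capability-bearing constructor dangerous."""
    data = json.loads(document)
    cls = resolver(data.pop(TYPE_KEY))
    return cls(**data)


# Constructed documents. The gadget names http.client.HTTPConnection, whose
# constructor only records host and port, so running this touches no network;
# a real gadget would open a socket, load a class, or run a JNDI-style lookup.
LEGIT_DOC = '{"@class": "Circle", "name": "c1", "radius": 2.0}'
GADGET_DOC = ('{"@class": "http.client.HTTPConnection", '
              '"host": "attacker.example", "port": 8080}')


def demo() -> dict:
    """Feed both documents through both resolvers and report what happened."""
    results = {}
    gadget = deserialize(GADGET_DOC, resolve_type_vulnerable)
    results["vulnerable_gadget"] = f"{type(gadget).__name__} -> {gadget.host}:{gadget.port}"
    try:
        deserialize(GADGET_DOC, resolve_type_safe)
        results["safe_gadget"] = "accepted"
    except ValueError:
        results["safe_gadget"] = "rejected"
    results["safe_legit"] = deserialize(LEGIT_DOC, resolve_type_safe)
    return results
```

On the Java side this corresponds to leaving default typing off, or, from jackson-databind 2.10 on, enabling it only through a `PolymorphicTypeValidator` that allowlists your own base types. The per-gadget blocklist that each of these CVEs extended is always one gadget behind whatever library next lands on the classpath.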
309 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-02 | CVE-2019-7865 | Magento | Cross-Site Request Forgery (CSRF) vulnerability in Magento A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.8 |
2019-08-02 | CVE-2019-14541 | Gnucobol Project | Out-of-bounds Write vulnerability in Gnucobol Project Gnucobol 2.2 GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_program_id in cobc/typeck.c via crafted COBOL source code. | 6.8 |
2019-08-02 | CVE-2019-14528 | Gnucobol Project | Out-of-bounds Write vulnerability in Gnucobol Project Gnucobol 2.2 GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal in cobc/scanner.l via crafted COBOL source code. | 6.8 |
2019-08-01 | CVE-2016-10829 | Cpanel | Files or Directories Accessible to External Parties vulnerability in Cpanel cPanel before 55.9999.141 allows arbitrary file-read operations because of a multipart form processing error (SEC-99). | 6.8 |
2019-08-01 | CVE-2019-14486 | Gnucobol Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Gnucobol Project Gnucobol 2.2 GnuCOBOL 2.2 has a buffer overflow in cb_evaluate_expr in cobc/field.c via crafted COBOL source code. | 6.8 |
2019-08-01 | CVE-2016-10838 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 11.54.0.4 allows arbitrary file-read operations via the bin/fmq script (SEC-70). | 6.8 |
2019-08-01 | CVE-2013-7473 | Windu | Cross-Site Request Forgery (CSRF) vulnerability in Windu CMS 2.2 Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account. | 6.8 |
2019-08-01 | CVE-2019-14468 | Gnucobol Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Gnucobol Project Gnucobol 2.2 GnuCOBOL 2.2 has a buffer overflow in cb_push_op in cobc/field.c via crafted COBOL source code. | 6.8 |
2019-07-31 | CVE-2019-3959 | Wallaceit | Cross-Site Request Forgery (CSRF) vulnerability in Wallaceit Wallacepos 1.4.3 Cross-site request forgery in WallacePOS 1.4.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | 6.8 |
2019-07-31 | CVE-2019-5060 | Libsdl Opensuse | Integer Overflow or Wraparound vulnerability in multiple products An exploitable code execution vulnerability exists in the XPM image rendering function of SDL2_image 2.0.4. | 6.8 |
2019-07-31 | CVE-2019-5059 | Libsdl Opensuse | Integer Overflow or Wraparound vulnerability in multiple products An exploitable code execution vulnerability exists in the XPM image rendering functionality of SDL2_image 2.0.4. | 6.8 |
2019-07-31 | CVE-2019-5058 | Libsdl Opensuse | Out-of-bounds Write vulnerability in multiple products An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image 2.0.4. | 6.8 |
2019-07-31 | CVE-2019-5057 | Libsdl Opensuse | Out-of-bounds Write vulnerability in multiple products An exploitable code execution vulnerability exists in the PCX image-rendering functionality of SDL2_image 2.0.4. | 6.8 |
2019-07-31 | CVE-2019-13568 | Cimg | Out-of-bounds Write vulnerability in Cimg CImg through 2.6.7 has a heap-based buffer overflow in _load_bmp in CImg.h because of erroneous memory allocation for a malformed BMP image. | 6.8 |
2019-07-30 | CVE-2019-5455 | Nextcloud | Improper Authentication vulnerability in Nextcloud 3.6.0 Bypassing lock protection exists in Nextcloud Android app 3.6.0 when creating a multi-account and aborting the process. | 6.8 |
2019-07-30 | CVE-2018-20871 | Univa | Incorrect Permission Assignment for Critical Resource vulnerability in Univa Grid Engine 8.6.3 In Univa Grid Engine before 8.6.3, when configured for Docker jobs and execd spooling on root_squash, weak file permissions ("other" write access) occur in certain cases (GE-6890). | 6.8 |
2019-07-29 | CVE-2016-10766 | EDX | Cross-Site Request Forgery (CSRF) vulnerability in EDX Edx-Platform edx-platform before 2016-06-06 allows CSRF. | 6.8 |
2019-08-01 | CVE-2018-20882 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447). | 6.6 |
2019-08-02 | CVE-2019-7942 | Magento | Code Injection vulnerability in Magento A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7932 | Magento | Code Injection vulnerability in Magento A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7923 | Magento | Server-Side Request Forgery (SSRF) vulnerability in Magento A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7913 | Magento | Server-Side Request Forgery (SSRF) vulnerability in Magento A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7912 | Magento | Unrestricted Upload of File with Dangerous Type vulnerability in Magento A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7911 | Magento | Server-Side Request Forgery (SSRF) vulnerability in Magento A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7903 | Magento | Code Injection vulnerability in Magento A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7896 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7895 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7892 | Magento | Server-Side Request Forgery (SSRF) vulnerability in Magento A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7885 | Magento | Improper Input Validation vulnerability in Magento Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7876 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 6.5 |
2019-08-02 | CVE-2019-7871 | Magento | Code Injection vulnerability in Magento A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. | 6.5 |
2019-08-02 | CVE-2019-10093 | Apache | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tika In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. | 6.5 |
2019-08-02 | CVE-2017-18447 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 allows demo accounts to execute code via the ClamScanner_getsocket API (SEC-251). | 6.5 |
2019-08-02 | CVE-2017-18446 | Cpanel | Out-of-bounds Read vulnerability in Cpanel cPanel before 64.0.21 allows file-read and file-write operations for demo accounts via the SourceIPCheck API (SEC-250). | 6.5 |
2019-08-02 | CVE-2017-18439 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 allows demo accounts to execute code via an ImageManager_dimensions API call (SEC-243). | 6.5 |
2019-08-02 | CVE-2017-18438 | Cpanel | XXE vulnerability in Cpanel cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242). | 6.5 |
2019-08-02 | CVE-2017-18403 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 68.0.15 allows code execution in the context of the nobody account via Mailman archives (SEC-337). | 6.5 |
2019-08-02 | CVE-2017-18389 | Cpanel | Injection vulnerability in Cpanel cPanel before 68.0.15 allows string format injection in dovecot-xaps-plugin (SEC-318). | 6.5 |
2019-08-01 | CVE-2016-10826 | Cpanel | Improper Authentication vulnerability in Cpanel cPanel before 55.9999.141 allows attackers to bypass Two Factor Authentication via DNS clustering requests (SEC-93). | 6.5 |
2019-08-01 | CVE-2016-10816 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121). | 6.5 |
2019-08-01 | CVE-2016-10814 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119). | 6.5 |
2019-08-01 | CVE-2016-10834 | Cpanel | Improperly Implemented Security Check for Standard vulnerability in Cpanel cPanel before 55.9999.141 allows account-suspension bypass via ftp (SEC-105). | 6.5 |
2019-08-01 | CVE-2016-10831 | Cpanel | Improper Authentication vulnerability in Cpanel cPanel before 55.9999.141 does not perform a two-factor authentication check when possessing another account (SEC-101). | 6.5 |
2019-08-01 | CVE-2018-20931 | Cpanel | Code Injection vulnerability in Cpanel cPanel before 70.0.23 allows demo accounts to execute code via the Landing Page (SEC-405). | 6.5 |
2019-08-01 | CVE-2016-10845 | Cpanel | Injection vulnerability in Cpanel cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/check_system_storable (SEC-78). | 6.5 |
2019-08-01 | CVE-2018-20912 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362). | 6.5 |
2019-08-01 | CVE-2018-20911 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359). | 6.5 |
2019-08-01 | CVE-2018-20895 | Cpanel | Improper Input Validation vulnerability in Cpanel In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393). | 6.5 |
2019-08-01 | CVE-2018-20879 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444). | 6.5 |
2019-07-31 | CVE-2019-10182 | Icedtea WEB Project Redhat | Code Injection vulnerability in multiple products It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. | 6.5 |
2019-07-31 | CVE-2019-3960 | Wallaceit | Unrestricted Upload of File with Dangerous Type vulnerability in Wallaceit Wallacepos 1.4.3 Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file. | 6.5 |
2019-07-31 | CVE-2007-6763 | SAS | Improper Input Validation vulnerability in SAS Drug Development SAS Drug Development (SDD) before 32DRG02 mishandles logout actions, which allows a user (who was previously logged in) to access resources by pressing a back or forward button in a web browser. | 6.5 |
2019-07-31 | CVE-2019-10366 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Skytap Cloud CI Jenkins Skytap Cloud CI Plugin 2.06 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | 6.5 |
2019-07-31 | CVE-2019-10358 | Jenkins | Information Exposure Through Log Files vulnerability in Jenkins Maven Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log. | 6.5 |
2019-07-30 | CVE-2019-14383 | Openmpt Opensuse | Reachable Assertion vulnerability in multiple products J2B in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs. | 6.5 |
2019-07-30 | CVE-2019-14382 | Openmpt | Reachable Assertion vulnerability in Openmpt Libopenmpt DSM in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs. | 6.5 |
2019-07-30 | CVE-2019-14380 | Openmpt Debian | Out-of-bounds Read vulnerability in multiple products libopenmpt before 0.4.5 allows a crash during playback due to an out-of-bounds read in XM and MT2 files. | 6.5 |
2019-07-30 | CVE-2018-20860 | Openmpt Opensuse | Improper Input Validation vulnerability in multiple products libopenmpt before 0.3.13 allows a crash with malformed MED files. | 6.5 |
2019-07-30 | CVE-2019-10138 | Python | Improper Access Control vulnerability in Python Novajoin A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. | 6.5 |
2019-07-30 | CVE-2019-10129 | Postgresql | Out-of-bounds Read vulnerability in Postgresql 11.0/11.1/11.2 A vulnerability was found in postgresql versions 11.x prior to 11.3. | 6.5 |
2019-07-30 | CVE-2019-14405 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 78.0.18 allows demo accounts to execute code via securitypolicy.cg (SEC-487). | 6.5 |
2019-07-30 | CVE-2019-14401 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 78.0.18 allows code execution via an addforward API1 call (SEC-480). | 6.5 |
2019-07-30 | CVE-2019-14398 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 80.0.5 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-498). | 6.5 |
2019-07-30 | CVE-2019-14392 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 80.0.22 allows remote code execution by a demo account because of incorrect URI dispatching (SEC-501). | 6.5 |
2019-07-30 | CVE-2019-14443 | Libav Debian | Divide By Zero vulnerability in multiple products An issue was discovered in Libav 12.3. | 6.5 |
2019-07-30 | CVE-2019-14442 | Libav Debian | Infinite Loop vulnerability in multiple products In mpc8_read_header in libavformat/mpc8.c in Libav 12.3, an input file can result in an avio_seek infinite loop and hang, with 100% CPU consumption. | 6.5 |
2019-07-30 | CVE-2019-14441 | Libav | Unspecified vulnerability in Libav 12.3 An issue was discovered in Libav 12.3. | 6.5 |
2019-07-29 | CVE-2019-12948 | Polycom | Exposed Dangerous Method or Function vulnerability in Polycom products A vulnerability in the web-based management interface of VVX, Trio, SoundStructure, SoundPoint, and SoundStation phones running Polycom UC Software, if exploited, could allow an authenticated, remote attacker with admin privileges to cause a denial of service (DoS) condition or execute arbitrary code. | 6.5 |
2019-07-29 | CVE-2019-11200 | Dolibarr | Unspecified vulnerability in Dolibarr Erp/Crm 9.0.1 Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. | 6.5 |
2019-07-29 | CVE-2015-5601 | EDX | Unrestricted Upload of File with Dangerous Type vulnerability in EDX Edx-Platform edx-platform before 2015-07-20 allows code execution by privileged users because the course import endpoint mishandles .tar.gz files. | 6.5 |
2019-07-29 | CVE-2019-1020011 | Charcoal SE | Incorrect Resource Transfer Between Spheres vulnerability in Charcoal-Se Smokedetector SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority. | 6.5 |
2019-08-01 | CVE-2018-20934 | Cpanel | Improperly Implemented Security Check for Standard vulnerability in Cpanel cPanel before 70.0.23 does not prevent e-mail account suspensions from being applied to unowned accounts (SEC-411). | 6.4 |
2019-08-01 | CVE-2018-20930 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 70.0.23 allows .htaccess restrictions bypass when Htaccess Optimization is enabled (SEC-401). | 6.4 |
2019-07-31 | CVE-2019-14197 | Denx | Out-of-bounds Read vulnerability in Denx U-Boot An issue was discovered in Das U-Boot through 2019.07. | 6.4 |
2019-07-30 | CVE-2019-10141 | Openstack Redhat | SQL Injection vulnerability in multiple products A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. | 6.4 |
2019-07-30 | CVE-2018-20864 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 76.0.8 allows a Virtual FTP account to persist after removal of its associated domain (SEC-454). | 6.4 |
2019-07-30 | CVE-2019-13635 | Wpfastestcache | Path Traversal vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin through 0.8.9.5 for WordPress allows wpFastestCache.php and inc/cache.php Directory Traversal. | 6.4 |
2019-07-31 | CVE-2019-10359 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins M2Release A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options. | 6.3 |
2019-07-31 | CVE-2019-7000 | Avaya | Cross-site Scripting vulnerability in Avaya Aura Conferencing 7.0/7.2/8.0 A Cross-Site Scripting (XSS) vulnerability in the Web UI of Avaya Aura Conferencing may allow code execution and potentially disclose sensitive information. | 6.1 |
2019-07-30 | CVE-2018-20859 | EDX | Cross-site Scripting vulnerability in EDX Edx-Platform edx-platform before 2018-07-18 allows XSS via a response to a Chemical Equation advanced problem. | 6.1 |
2019-07-30 | CVE-2019-14399 | Cpanel | Information Exposure vulnerability in Cpanel The SSL certificate-storage feature in cPanel before 78.0.18 allows unsafe file operations in the context of the root account (SEC-477). | 6.1 |
2019-07-31 | CVE-2018-16860 | Samba Heimdal Project | Improperly Implemented Security Check for Standard vulnerability in multiple products A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. | 6.0 |
2019-07-30 | CVE-2019-7614 | Elastic | Race Condition vulnerability in Elastic Elasticsearch A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. | 5.9 |
2019-08-02 | CVE-2019-7873 | Magento | Cross-Site Request Forgery (CSRF) vulnerability in Magento A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.8 |
2019-08-02 | CVE-2019-7851 | Magento | Cross-Site Request Forgery (CSRF) vulnerability in Magento A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages. | 5.8 |
2019-08-02 | CVE-2017-18414 | Cpanel | Open Redirect vulnerability in Cpanel cPanel before 67.9999.103 allows an open redirect in /unprotected/redirect.html (SEC-300). | 5.8 |
2019-08-02 | CVE-2017-18407 | Cpanel | Improper Verification of Cryptographic Signature vulnerability in Cpanel cPanel before 67.9999.103 does not enforce SSL hostname verification for the support-agreement download (SEC-279). | 5.8 |
2019-08-01 | CVE-2019-9140 | Happypointcard | Open Redirect vulnerability in Happypointcard Happypoint 6.3.19 When processing Deeplink scheme, Happypoint mobile app 6.3.19 and earlier versions doesn't check Deeplink URL correctly. | 5.8 |
2019-08-01 | CVE-2018-20929 | Cpanel | Open Redirect vulnerability in Cpanel cPanel before 70.0.23 allows an open redirect via the /unprotected/redirect.html endpoint (SEC-392). | 5.8 |
2019-08-01 | CVE-2019-3890 | Gnome Redhat | Improper Certificate Validation vulnerability in multiple products It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. | 5.8 |
2019-07-30 | CVE-2019-5459 | Videolan Opensuse | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products An integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-bounds read. | 5.8 |
2019-07-30 | CVE-2019-11775 | Eclipse | Race Condition vulnerability in Eclipse Openj9 All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning: for example, if a condition that reads a field is moved out of the loop, the value of that field may not be privatized in the modified copy of the loop, allowing the test to see one value of the field and the loop to subsequently see a modified field value without retesting the condition that was moved out of the loop. | 5.8 |
2019-07-30 | CVE-2018-20867 | Cpanel | Open Redirect vulnerability in Cpanel cPanel before 76.0.8 has an open redirect when resetting connections (SEC-462). | 5.8 |
2019-07-29 | CVE-2019-6726 | Wpfastestcache | Path Traversal vulnerability in Wpfastestcache WP Fastest Cache The WP Fastest Cache plugin through 0.8.9.0 for WordPress allows remote attackers to delete arbitrary files because wp_postratings_clear_fastest_cache and rm_folder_recursively in wpFastestCache.php mishandle ../ in an HTTP Referer header. | 5.8 |
2019-07-29 | CVE-2019-1020006 | Inveniosoftware | Injection vulnerability in Inveniosoftware Invenio-App invenio-app before 1.1.1 allows host header injection. | 5.8 |
2019-07-29 | CVE-2019-1020016 | ASH AIO Project | Open Redirect vulnerability in Ash-Aio Project Ash-Aio 2.0.0.0/2.0.0.1/2.0.0.2 ASH-AIO before 2.0.0.3 allows an open redirect. | 5.8 |
2019-08-02 | CVE-2019-7925 | Magento | Authorization Bypass Through User-Controlled Key vulnerability in Magento An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.5 |
2019-08-02 | CVE-2019-7904 | Magento | Unspecified vulnerability in Magento Insufficient enforcement of user access controls in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could enable a low-privileged user to make unauthorized environment configuration changes. | 5.5 |
2019-08-02 | CVE-2019-7872 | Magento | Authorization Bypass Through User-Controlled Key vulnerability in Magento An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorizations checks. | 5.5 |
2019-08-02 | CVE-2019-4275 | IBM | Unspecified vulnerability in IBM Jazz for Service Management 1.1.3/1.1.3.1/1.1.3.2 IBM Jazz for Service Management 1.1.3, 1.1.3.1, and 1.1.3.2 could allow an unauthorized local user to create unique catalog names that could cause a denial of service. | 5.5 |
2019-08-02 | CVE-2017-18398 | Cpanel | Improper Input Validation vulnerability in Cpanel DnsUtils in cPanel before 68.0.15 allows zone creation for hostname and account subdomains (SEC-331). | 5.5 |
2019-08-01 | CVE-2016-10830 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 55.9999.141 allows ACL bypass for AppConfig applications via magic_revision (SEC-100). | 5.5 |
2019-08-01 | CVE-2016-10825 | Cpanel | Improperly Implemented Security Check for Standard vulnerability in Cpanel cPanel before 55.9999.141 allows attackers to bypass a Security Policy by faking static documents (SEC-92). | 5.5 |
2019-08-01 | CVE-2016-10847 | Cpanel | Injection vulnerability in Cpanel cPanel before 11.54.0.4 allows arbitrary file-read and file-write operations via scripts/fixmailboxpath (SEC-80). | 5.5 |
2019-08-01 | CVE-2016-10843 | Cpanel | Command Injection vulnerability in Cpanel cPanel before 11.54.0.4 allows code execution in the context of shared users via JSON-API (SEC-76). | 5.5 |
2019-08-01 | CVE-2016-10839 | Cpanel | SQL Injection vulnerability in Cpanel cPanel before 11.54.0.4 allows SQL injection in bin/horde_update_usernames (SEC-71). | 5.5 |
2019-08-01 | CVE-2018-20905 | Cpanel | Incorrect Permission Assignment for Critical Resource vulnerability in Cpanel cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429). | 5.5 |
2019-08-01 | CVE-2016-10860 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 11.54.0.0 allows unauthorized zone modification via the WHM API (SEC-66). | 5.5 |
2019-08-01 | CVE-2016-10859 | Cpanel | Improper Authorization vulnerability in Cpanel cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65). | 5.5 |
2019-07-31 | CVE-2019-14464 | Milkytracker Project Canonical Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a heap-based buffer overflow. | 5.5 |
2019-07-31 | CVE-2019-10364 | Jenkins | Information Exposure Through Log Files vulnerability in Jenkins EC2 Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log. | 5.5 |
2019-07-31 | CVE-2019-10361 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins M2Release Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system. | 5.5 |
2019-07-31 | CVE-2019-10345 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Configuration AS Code Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export. | 5.5 |
2019-07-30 | CVE-2019-10156 | Redhat Debian | Information Exposure vulnerability in multiple products A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. | 5.5 |
2019-07-30 | CVE-2019-5460 | Videolan Opensuse | Double Free vulnerability in multiple products Double Free in VLC versions <= 3.0.6 leads to a crash. | 5.5 |
2019-07-30 | CVE-2019-14444 | GNU Opensuse Canonical Netapp | Integer Overflow or Wraparound vulnerability in multiple products apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf. | 5.5 |
2019-07-29 | CVE-2019-1020014 | Docker Fedoraproject Canonical | Double Free vulnerability in multiple products docker-credential-helpers before 0.6.3 has a double free in the List functions. | 5.5 |
2019-08-02 | CVE-2019-10176 | Redhat | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Openshift Container Platform 3.11/4.1 A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. | 5.4 |
2019-08-01 | CVE-2019-3884 | Redhat | Authentication Bypass by Spoofing vulnerability in Redhat Openshift A vulnerability exists in the garbage collection mechanism of atomic-openshift. | 5.4 |
2019-07-31 | CVE-2019-10362 | Jenkins | Improper Encoding or Escaping of Output vulnerability in Jenkins Configuration AS Code Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables. | 5.4 |
2019-07-31 | CVE-2019-10360 | Jenkins | Cross-site Scripting vulnerability in Jenkins M2 Release A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. | 5.4 |
2019-07-30 | CVE-2019-5458 | Http File Server Project | Cross-site Scripting vulnerability in Http-File-Server Project Http-File-Server Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser. | 5.4 |
2019-07-30 | CVE-2019-5457 | MIN Http Server Project | Cross-site Scripting vulnerability in Min-Http-Server Project Min-Http-Server Cross-site scripting (XSS) vulnerability in min-http-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser. | 5.4 |
2019-07-29 | CVE-2019-1020017 | Discourse | Unspecified vulnerability in Discourse Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP. | 5.3 |
2019-08-02 | CVE-2019-7951 | Magento | Information Exposure vulnerability in Magento An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7950 | Magento | Authorization Bypass Through User-Controlled Key vulnerability in Magento An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7928 | Magento | Unspecified vulnerability in Magento A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7915 | Magento | Unspecified vulnerability in Magento A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7899 | Magento | Improper Input Validation vulnerability in Magento Names of disabled downloadable products could be disclosed due to inadequate validation of user input in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7898 | Magento | Improper Input Validation vulnerability in Magento Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input. | 5.0 |
2019-08-02 | CVE-2019-7886 | Magento | Cryptographic Issues vulnerability in Magento A cryptographic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7864 | Magento | Authorization Bypass Through User-Controlled Key vulnerability in Magento An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7861 | Magento | Unrestricted Upload of File with Dangerous Type vulnerability in Magento Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7860 | Magento | Cryptographic Issues vulnerability in Magento A cryptographically weak pseudo-random number generator is used in multiple security-relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7859 | Magento | Path Traversal vulnerability in Magento A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control. | 5.0 |
2019-08-02 | CVE-2019-7858 | Magento | Cryptographic Issues vulnerability in Magento A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 resulted in storage of sensitive information with an algorithm that is insufficiently resistant to brute force attacks. | 5.0 |
2019-08-02 | CVE-2019-7855 | Magento | Cryptographic Issues vulnerability in Magento A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation. | 5.0 |
2019-08-02 | CVE-2019-7854 | Magento | Authorization Bypass Through User-Controlled Key vulnerability in Magento An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details. | 5.0 |
2019-08-02 | CVE-2019-7852 | Magento | Information Exposure vulnerability in Magento A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 5.0 |
2019-08-02 | CVE-2019-7849 | Magento | Session Fixation vulnerability in Magento A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. | 5.0 |
2019-08-02 | CVE-2019-6969 | Dlink | Cross-site Scripting vulnerability in Dlink Dva-5592 Firmware 20180823 The web interface of the D-Link DVA-5592 20180823 is vulnerable to an authentication bypass that allows an unauthenticated user to have access to sensitive information such as the Wi-Fi password and the phone number (if VoIP is in use). | 5.0 |
2019-08-02 | CVE-2017-18461 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.17 does not preserve security policy questions across an account rename (SEC-223). | 5.0 |
2019-08-02 | CVE-2017-18451 | Cpanel | Permissions, Privileges, and Access Controls vulnerability in Cpanel cPanel before 64.0.21 allows attackers to read a user's crontab file during a short time interval upon a cPAddon upgrade (SEC-257). | 5.0 |
2019-08-02 | CVE-2017-18448 | Cpanel | Path Traversal vulnerability in Cpanel cPanel before 64.0.21 allows certain file-read operations via a Serverinfo_manpage API call (SEC-252). | 5.0 |
2019-08-02 | CVE-2017-18444 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248). | 5.0 |
2019-08-02 | CVE-2017-18443 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247). | 5.0 |
2019-08-02 | CVE-2017-18442 | Cpanel | Command Injection vulnerability in Cpanel cPanel before 64.0.21 allows demo accounts to execute Cpanel::SPFUI API commands (SEC-246). | 5.0 |
2019-08-02 | CVE-2017-18431 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 66.0.1 does not reliably perform suspend/unsuspend operations on accounts (CPANEL-13941). | 5.0 |
2019-08-02 | CVE-2019-5501 | Netapp | Unspecified vulnerability in Netapp Data Ontap Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 may disclose sensitive LDAP account information to unauthenticated remote attackers. | 5.0 |
2019-08-02 | CVE-2017-18406 | Cpanel | SQL Injection vulnerability in Cpanel cPanel before 67.9999.103 allows SQL injection during eximstats processing (SEC-276). | 5.0 |
2019-08-01 | CVE-2019-14493 | Opencv Debian | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in OpenCV before 4.1.1. | 5.0 |
2019-08-01 | CVE-2019-14492 | Opencv Opensuse | Out-of-bounds Read vulnerability in multiple products An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. | 5.0 |
2019-08-01 | CVE-2016-10833 | Cpanel | Improper Authentication vulnerability in Cpanel cPanel before 55.9999.141 mishandles username-based blocking for PRE requests in cPHulkd (SEC-104). | 5.0 |
2019-08-01 | CVE-2015-9291 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 11.52.0.13 does not prevent arbitrary file-read operations via get_information_for_applications (CPANEL-1221). | 5.0 |
2019-08-01 | CVE-2018-20885 | Cpanel | Injection vulnerability in Cpanel cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation (SEC-416). | 5.0 |
2019-07-31 | CVE-2019-4165 | IBM | Unspecified vulnerability in IBM Storediq IBM StoredIQ 7.6.0.0. | 5.0 |
2019-07-31 | CVE-2019-14452 | Sigil Ebook Flightcrew Project Canonical | Path Traversal vulnerability in multiple products Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction. | 5.0 |
2019-07-30 | CVE-2019-10162 | Powerdns | Improper Authorization vulnerability in Powerdns Authoritative A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. | 5.0 |
2019-07-30 | CVE-2019-10153 | Clusterlabs Redhat | A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception. | 5.0 |
2019-07-30 | CVE-2019-14411 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI (SEC-473). | 5.0 |
2019-07-30 | CVE-2019-14397 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 80.0.5 allows demo accounts to modify arbitrary files via the extractfile API1 call (SEC-496). | 5.0 |
2019-07-30 | CVE-2019-14388 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507). | 5.0 |
2019-07-30 | CVE-2019-14381 | Openmpt | NULL Pointer Dereference vulnerability in Openmpt Libopenmpt libopenmpt before 0.4.3 allows a crash due to a NULL pointer dereference when doing a portamento from an OPL instrument to an empty instrument note map slot. | 5.0 |
2019-07-29 | CVE-2019-3948 | Amcrest Dahua | Missing Authentication for Critical Function vulnerability in multiple products The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0.R, Dahua DH-IPC HX883X and DH-IPC-HX863X V2.622.0000000.7.R, Dahua DH-SD4XXXXX V2.623.0000000.7.R, Dahua DH-SD5XXXXX V2.623.0000000.1.R, Dahua DH-SD6XXXXX V2.640.0000000.2.R and V2.623.0000000.1.R, Dahua NVR5XX-4KS2 V3.216.0000006.0.R, Dahua NVR4XXX-4KS2 V3.216.0000006.0.R, and NVR2XXX-4KS2 do not require authentication to access the HTTP endpoint /videotalk. | 5.0 |
2019-07-29 | CVE-2018-17211 | Printeron | Information Exposure vulnerability in Printeron Central Print Services 2.5/4.1.4 An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. | 5.0 |
2019-07-29 | CVE-2016-10765 | EDX | Improper Input Validation vulnerability in EDX Edx-Platform edx-platform before 2016-06-10 allows account activation with a spoofed e-mail address. | 5.0 |
2019-07-29 | CVE-2019-12743 | Humhub | Information Exposure vulnerability in Humhub Social Network KIT 1.3.13 HumHub Social Network Kit Enterprise v1.3.13 allows remote attackers to find the user accounts existing on any Social Network Kits (including self-hosted ones) by brute-forcing the username after the /u/ initial URI substring, aka Response Discrepancy Information Exposure. | 5.0 |
2019-07-29 | CVE-2019-1020009 | Kolide | Insufficiently Protected Credentials vulnerability in Kolide Fleet 2.0.2/2.1.0/2.1.1 Fleet before 2.1.2 allows exposure of SMTP credentials. | 5.0 |
2019-07-29 | CVE-2019-1020004 | Tridactyl Project | Key Management Errors vulnerability in Tridactyl Project Tridactyl 1.14.10/1.15.0 Tridactyl before 1.16.0 allows fake key events. | 5.0 |
2019-07-29 | CVE-2019-1020002 | Pterodactyl | Information Exposure Through Discrepancy vulnerability in Pterodactyl Panel Pterodactyl before 0.7.14 with 2FA allows credential sniffing. | 5.0 |
2019-07-29 | CVE-2019-1020015 | Hasura | Improper Input Validation vulnerability in Hasura Graphql Engine 1.0.0 graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT. | 5.0 |
2019-07-29 | CVE-2019-1020013 | Parseplatform | Information Exposure Through an Error Message vulnerability in Parseplatform Parse-Server parse-server before 3.6.0 allows account enumeration. | 5.0 |
2019-07-29 | CVE-2019-1020012 | Parseplatform | HTTP Request Smuggling vulnerability in Parseplatform Parse-Server parse-server before 3.4.1 allows DoS after any POST to a volatile class. | 5.0 |
2019-08-02 | CVE-2017-18457 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218). | 4.9 |
2019-08-02 | CVE-2017-18404 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 68.0.15 allows domain data to be deleted for domains with the .lock TLD (SEC-341). | 4.9 |
2019-08-02 | CVE-2017-18396 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 68.0.15 allows arbitrary file-read operations via Exim vdomainaliases (SEC-329). | 4.9 |
2019-08-01 | CVE-2018-20914 | Cpanel | Injection vulnerability in Cpanel In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368). | 4.9 |
2019-08-01 | CVE-2018-20891 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436). | 4.9 |
2019-08-01 | CVE-2018-20888 | Cpanel | Improper Authentication vulnerability in Cpanel cPanel before 74.0.0 allows file modification in the context of the root account because of incorrect HTTP authentication (SEC-424). | 4.9 |
2019-08-01 | CVE-2019-14333 | Dlink | Unspecified vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. | 4.9 |
2019-07-31 | CVE-2019-10363 | Jenkins | Cleartext Transmission of Sensitive Information vulnerability in Jenkins Configuration AS Code Jenkins Configuration as Code Plugin 1.24 and earlier did not reliably identify sensitive values expected to be exported in their encrypted form. | 4.9 |
2019-07-30 | CVE-2019-7616 | Elastic | Server-Side Request Forgery (SSRF) vulnerability in Elastic Kibana Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. | 4.9 |
2019-07-30 | CVE-2019-14404 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 78.0.18 allows certain file-read operations in the context of the root account via the Exim virtual_user_spam router (SEC-484). | 4.9 |
2019-07-29 | CVE-2019-14415 | Veritas | Cross-site Scripting vulnerability in Veritas Resiliency Platform An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. | 4.8 |
2019-08-01 | CVE-2018-20941 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 68.0.27 allows arbitrary file-read operations via restore adminbin (SEC-349). | 4.7 |
2019-08-02 | CVE-2017-18452 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259). | 4.6 |
2019-08-02 | CVE-2017-18430 | Cpanel | Improper Input Validation vulnerability in Cpanel In cPanel before 66.0.2, user and group ownership may be incorrectly set when using reassign_post_terminate_cruft (SEC-294). | 4.6 |
2019-08-02 | CVE-2017-18415 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 67.9999.103 allows code execution in the context of the mailman account because of incorrect environment-variable filtering (SEC-302). | 4.6 |
2019-08-02 | CVE-2017-18413 | Cpanel | Permissions, Privileges, and Access Controls vulnerability in Cpanel In cPanel before 67.9999.103, the backup system overwrites root's home directory when a mount disappears (SEC-299). | 4.6 |
2019-08-02 | CVE-2019-10168 | Redhat | Path Traversal vulnerability in Redhat products The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. | 4.6 |
2019-08-02 | CVE-2019-10167 | Redhat | Path Traversal vulnerability in Redhat products The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. | 4.6 |
2019-08-02 | CVE-2019-10166 | Redhat | Unspecified vulnerability in Redhat products It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. | 4.6 |
2019-08-02 | CVE-2017-18383 | Cpanel | Permissions, Privileges, and Access Controls vulnerability in Cpanel cPanel before 68.0.15 writes home-directory backups to an incorrect location (SEC-309). | 4.6 |
2019-08-01 | CVE-2018-20925 | Cpanel | Unrestricted Upload of File with Dangerous Type vulnerability in Cpanel cPanel before 70.0.23 allows local privilege escalation via the WHM Legacy Language File Upload interface (SEC-379). | 4.6 |
2019-08-01 | CVE-2018-20886 | Cpanel | Insecure Storage of Sensitive Information vulnerability in Cpanel cPanel before 74.0.0 insecurely stores phpMyAdmin session files (SEC-418). | 4.6 |
2019-08-01 | CVE-2019-14332 | Dlink | Inadequate Encryption Strength vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. | 4.6 |
2019-07-31 | CVE-2019-12750 | Symantec | Out-of-bounds Read vulnerability in Symantec Endpoint Protection Symantec Endpoint Protection, prior to 14.2 RU1 & 12.1 RU6 MP10 and Symantec Endpoint Protection Small Business Edition, prior to 12.1 RU6 MP10c (12.1.7491.7002), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | 4.6 |
2019-07-30 | CVE-2019-5450 | Nextcloud | Cross-site Scripting vulnerability in Nextcloud Improper sanitization of HTML in directory names in the Nextcloud Android app prior to version 3.7.0 allowed to style the directory name in the header bar when using basic HTML. | 4.6 |
2019-07-30 | CVE-2019-10142 | Linux | Integer Overflow or Wraparound vulnerability in Linux Kernel A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17. | 4.6 |
2019-07-30 | CVE-2019-14393 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 80.0.5 allows local code execution in the context of a different cPanel account because of insecure cpphp execution (SEC-486). | 4.6 |
2019-07-29 | CVE-2019-11868 | Softether | Out-of-bounds Write vulnerability in Softether See.Sys 4.25 See.sys, up to version 4.25, in SoftEther VPN Server versions 4.29 or older, allows a user to call an IOCTL specifying any kernel address to which arbitrary bytes are written. | 4.6 |
2019-08-02 | CVE-2017-18450 | Cpanel | Permissions, Privileges, and Access Controls vulnerability in Cpanel cPanel before 64.0.21 allows certain file-chmod operations via /scripts/convert_roundcube_mysql2sqlite (SEC-255). | 4.4 |
2019-08-03 | CVE-2019-14653 | Ipandao | Cross-site Scripting vulnerability in Ipandao Editor.Md 1.5.0 pandao Editor.md 1.5.0 allows XSS via an attribute of an ABBR or SUP element. | 4.3 |
2019-08-02 | CVE-2019-7947 | Magento | Cross-Site Request Forgery (CSRF) vulnerability in Magento A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 4.3 |
2019-08-02 | CVE-2019-7939 | Magento | Cross-site Scripting vulnerability in Magento A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 4.3 |
2019-08-02 | CVE-2019-7877 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 4.3 |
2019-08-02 | CVE-2019-7874 | Magento | Cross-Site Request Forgery (CSRF) vulnerability in Magento A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 4.3 |
2019-08-02 | CVE-2019-7857 | Magento | Cross-Site Request Forgery (CSRF) vulnerability in Magento A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation. | 4.3 |
2019-08-02 | CVE-2019-6968 | Dlink | Cross-site Scripting vulnerability in Dlink Dva-5592 Firmware 20180823 The web interface of the D-Link DVA-5592 20180823 is vulnerable to XSS because HTML form parameters are directly reflected. | 4.3 |
2019-08-02 | CVE-2017-18456 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface (SEC-217). | 4.3 |
2019-08-02 | CVE-2019-5493 | Netapp | Unspecified vulnerability in Netapp Data Ontap Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 are susceptible to a vulnerability which discloses information to an unauthenticated attacker. | 4.3 |
2019-08-02 | CVE-2017-18399 | Cpanel | Permissions, Privileges, and Access Controls vulnerability in Cpanel cPanel before 68.0.15 allows attackers to read root's crontab file during a short time interval upon enabling or disabling sqloptimizer (SEC-332). | 4.3 |
2019-08-01 | CVE-2019-14517 | Editor MD Project | Cross-site Scripting vulnerability in Editor.Md Project Editor.Md 1.5.0 pandao Editor.md 1.5.0 allows XSS via the Javascript: string. | 4.3 |
2019-08-01 | CVE-2018-20953 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 68.0.27 allows self XSS in the WHM listips interface (SEC-389). | 4.3 |
2019-08-01 | CVE-2018-20951 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC-387). | 4.3 |
2019-08-01 | CVE-2018-20950 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 68.0.27 allows self stored XSS in WHM Account Transfer (SEC-386). | 4.3 |
2019-08-01 | CVE-2018-20949 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385). | 4.3 |
2019-08-01 | CVE-2018-20948 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration (SEC-383). | 4.3 |
2019-08-01 | CVE-2018-20928 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391). | 4.3 |
2019-08-01 | CVE-2019-14472 | Zurmo | Cross-site Scripting vulnerability in Zurmo 3.2.72 Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default PATH_INFO. | 4.3 |
2019-08-01 | CVE-2019-14471 | Testlink | Cross-site Scripting vulnerability in Testlink 1.9.19 TestLink 1.9.19 has XSS via the error.php message parameter. | 4.3 |
2019-08-01 | CVE-2018-20923 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377). | 4.3 |
2019-08-01 | CVE-2018-20922 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action (SEC-376). | 4.3 |
2019-08-01 | CVE-2018-20921 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" action (SEC-375). | 4.3 |
2019-08-01 | CVE-2018-20920 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-374). | 4.3 |
2019-08-01 | CVE-2018-20919 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373). | 4.3 |
2019-08-01 | CVE-2018-20918 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372). | 4.3 |
2019-08-01 | CVE-2018-20910 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357). | 4.3 |
2019-08-01 | CVE-2018-20903 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421). | 4.3 |
2019-08-01 | CVE-2018-20901 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400). | 4.3 |
2019-08-01 | CVE-2013-7474 | Windu | Cross-site Scripting vulnerability in Windu CMS 2.2 Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users. | 4.3 |
2019-08-01 | CVE-2018-20900 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 71.9980.37 allows stored XSS in the YUM autorepair functionality (SEC-399). | 4.3 |
2019-08-01 | CVE-2018-20899 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 71.9980.37 allows stored XSS in the WHM cPAddons installation interface (SEC-398). | 4.3 |
2019-08-01 | CVE-2019-14338 | Dlink | Cross-site Scripting vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. | 4.3 |
2019-07-31 | CVE-2018-20872 | I LAN | Cross-Site Request Forgery (CSRF) vulnerability in I-Lan Draytekl Firmware DrayTek routers before 2018-05-23 allow CSRF attacks to change DNS or DHCP settings, a related issue to CVE-2017-11649. | 4.3 |
2019-07-31 | CVE-2019-5020 | Virustotal | Reachable Assertion vulnerability in Virustotal Yara 3.8.1 An exploitable denial of service vulnerability exists in the object lookup functionality of Yara 3.8.1. | 4.3 |
2019-07-31 | CVE-2019-4163 | IBM | Unspecified vulnerability in IBM Storediq IBM StoredIQ 7.6.0.0. | 4.3 |
2019-07-31 | CVE-2019-10365 | Jenkins | Exposure of Resource to Wrong Sphere vulnerability in Jenkins Google Kubernetes Engine Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read permission. | 4.3 |
2019-07-31 | CVE-2019-10357 | Jenkins Redhat | Missing Authorization vulnerability in multiple products A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries. | 4.3 |
2019-07-31 | CVE-2019-10344 | Jenkins | Missing Authorization vulnerability in Jenkins Configuration AS Code Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins. | 4.3 |
2019-07-30 | CVE-2019-10163 | Powerdns Opensuse | Allocation of Resources Without Limits or Throttling vulnerability in multiple products A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9, 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. | 4.3 |
2019-07-30 | CVE-2019-5448 | Yarnpkg | Cleartext Transmission of Sensitive Information vulnerability in Yarnpkg Yarn Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network. | 4.3 |
2019-07-30 | CVE-2018-20861 | Openmpt | Improper Input Validation vulnerability in Openmpt Libopenmpt libopenmpt before 0.3.11 allows a crash with certain malformed custom tunings in MPTM files. | 4.3 |
2019-07-30 | CVE-2019-14318 | Cryptopp | Channel and Path Errors vulnerability in Cryptopp Crypto++ Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. | 4.3 |
2019-07-30 | CVE-2019-14406 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing (SEC-493). | 4.3 |
2019-07-30 | CVE-2019-14403 | Cpanel | Open Redirect vulnerability in Cpanel cPanel before 78.0.18 offers an open mail relay because of incorrect domain-redirect routing (SEC-483). | 4.3 |
2019-07-30 | CVE-2018-20868 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464). | 4.3 |
2019-07-30 | CVE-2018-20866 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461). | 4.3 |
2019-07-30 | CVE-2018-20865 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destination field (SEC-459). | 4.3 |
2019-07-30 | CVE-2019-14387 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506). | 4.3 |
2019-07-30 | CVE-2019-14327 | Custom Simple RSS Project | Cross-Site Request Forgery (CSRF) vulnerability in Custom Simple RSS Project Custom Simple RSS A CSRF vulnerability in Settings form in the Custom Simple Rss plugin 2.0.6 for WordPress allows attackers to change the plugin settings. | 4.3 |
2019-07-29 | CVE-2018-18570 | Planonsoftware | Cross-site Scripting vulnerability in Planonsoftware Planon Planon before Live Build 41 has XSS. | 4.3 |
2019-07-29 | CVE-2019-13655 | Imgix | Resource Exhaustion vulnerability in Imgix 20190619 Imgix through 2019-06-19 allows remote attackers to cause a denial of service (resource consumption) by manipulating a small JPEG file to specify dimensions of 64250x64250 pixels, which is mishandled during an attempt to load the 'whole image' into memory. | 4.3 |
2019-07-29 | CVE-2015-6960 | EDX | Cross-site Scripting vulnerability in EDX Edx-Platform edx-platform before 2015-09-17 allows XSS via a team name. | 4.3 |
2019-07-29 | CVE-2019-1020008 | Stacktable JS Project | Cross-site Scripting vulnerability in Stacktable.Js Project Stacktable.Js stacktable.js before 1.0.4 allows XSS. | 4.3 |
2019-07-29 | CVE-2019-1020019 | Inveniosoftware | Cross-site Scripting vulnerability in Inveniosoftware Invenio-Previewer 0.1.0/1.0.0 invenio-previewer before 1.0.0a12 allows XSS. | 4.3 |
2019-07-29 | CVE-2019-1020010 | Misskey | Cross-site Scripting vulnerability in Misskey Misskey before 10.102.4 allows hijacking a user's token. | 4.3 |
2019-08-02 | CVE-2019-7929 | Magento | Information Exposure vulnerability in Magento An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 4.0 |
2019-08-02 | CVE-2019-7889 | Magento | Injection vulnerability in Magento An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 4.0 |
2019-08-02 | CVE-2019-7888 | Magento | Information Exposure vulnerability in Magento An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 4.0 |
2019-08-02 | CVE-2017-18455 | Cpanel | Permissions, Privileges, and Access Controls vulnerability in Cpanel In cPanel before 62.0.17, addon domain conversion did not require a package for resellers (SEC-208). | 4.0 |
2019-08-02 | CVE-2017-18453 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260). | 4.0 |
2019-08-02 | CVE-2017-18445 | Cpanel | 7PK - Security Features vulnerability in Cpanel cPanel before 64.0.21 does not enforce demo restrictions for SSL API calls (SEC-249). | 4.0 |
2019-08-02 | CVE-2017-18441 | Cpanel | Open Redirect vulnerability in Cpanel cPanel before 64.0.21 allows demo accounts to redirect web traffic (SEC-245). | 4.0 |
2019-08-02 | CVE-2017-18440 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 allows demo users to execute traceroute via api2 (SEC-244). | 4.0 |
2019-08-02 | CVE-2017-18426 | Cpanel | Information Exposure Through Log Files vulnerability in Cpanel cPanel before 66.0.2 allows resellers to read other accounts' domain log files (SEC-288). | 4.0 |
2019-08-02 | CVE-2017-18411 | Cpanel | Improper Input Validation vulnerability in Cpanel The "addon domain conversion" feature in cPanel before 67.9999.103 can copy all MySQL databases to the new account (SEC-285). | 4.0 |
2019-08-02 | CVE-2017-18410 | Cpanel | Improper Input Validation vulnerability in Cpanel In cPanel before 67.9999.103, a user account's backup archive could contain all MySQL databases on the server (SEC-284). | 4.0 |
2019-08-02 | CVE-2017-18409 | Cpanel | Improper Input Validation vulnerability in Cpanel In cPanel before 67.9999.103, the backup interface could return a backup archive with all MySQL databases (SEC-283). | 4.0 |
2019-08-02 | CVE-2017-18401 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 68.0.15 allows user accounts to be partially created with invalid username formats (SEC-334). | 4.0 |
2019-08-02 | CVE-2017-18395 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 68.0.15 does not block a username of ssl (SEC-328). | 4.0 |
2019-08-02 | CVE-2017-18394 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 68.0.15 does not have a sufficient list of reserved usernames (SEC-327). | 4.0 |
2019-08-02 | CVE-2017-18393 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 68.0.15 does not block a username of postmaster, which might allow reception of private e-mail (SEC-326). | 4.0 |
2019-08-02 | CVE-2017-18382 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 68.0.15 allows use of an unreserved e-mail address in DNS zone SOA records (SEC-306). | 4.0 |
2019-08-01 | CVE-2016-10821 | Cpanel | Credentials Management vulnerability in Cpanel In cPanel before 55.9999.141, Scripts/addpop reveals a command-line password in a process list (SEC-75). | 4.0 |
2019-08-01 | CVE-2016-10819 | Cpanel | Information Exposure Through Log Files vulnerability in Cpanel In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125). | 4.0 |
2019-08-01 | CVE-2016-10818 | Cpanel | Permission Issues vulnerability in Cpanel cPanel before 57.9999.54 incorrectly sets log-file permissions in dnsadmin-startup and spamd-startup (SEC-124). | 4.0 |
2019-08-01 | CVE-2016-10815 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120). | 4.0 |
2019-08-01 | CVE-2018-20952 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388). | 4.0 |
2019-08-01 | CVE-2018-20938 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 68.0.27 does not enforce ownership during addpkgext and delpkgext WHM API calls (SEC-324). | 4.0 |
2019-08-01 | CVE-2018-20937 | Cpanel | Improper Authentication vulnerability in Cpanel cPanel before 68.0.27 does not validate database and dbuser names during renames (SEC-321). | 4.0 |
2019-08-01 | CVE-2016-10835 | Cpanel | Improper Authentication vulnerability in Cpanel cPanel before 55.9999.141 allows a POP/IMAP cPHulk bypass via account name munging (SEC-107). | 4.0 |
2019-08-01 | CVE-2016-10832 | Cpanel | Improper Authentication vulnerability in Cpanel cPanel before 55.9999.141 allows FTP cPHulk bypass via account name munging (SEC-102). | 4.0 |
2019-08-01 | CVE-2018-20932 | Cpanel | File and Directory Information Exposure vulnerability in Cpanel cPanel before 70.0.23 exposes Apache HTTP Server logs after creation of certain domains (SEC-406). | 4.0 |
2019-08-01 | CVE-2016-10849 | Cpanel | Command Injection vulnerability in Cpanel cPanel before 11.54.0.4 allows certain file-chmod operations in scripts/secureit (SEC-82). | 4.0 |
2019-08-01 | CVE-2016-10844 | Cpanel | Information Exposure vulnerability in Cpanel The chcpass script in cPanel before 11.54.0.4 reveals a password hash (SEC-77). | 4.0 |
2019-08-01 | CVE-2016-10842 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 11.54.0.4 allows certain file-read operations in bin/setup_global_spam_filter.pl (SEC-74). | 4.0 |
2019-08-01 | CVE-2016-10836 | Cpanel | Improper Authentication vulnerability in Cpanel cPanel before 55.9999.141 allows arbitrary file-read operations during authentication with caldav (SEC-108). | 4.0 |
2019-08-01 | CVE-2018-20907 | Cpanel | Incorrect Permission Assignment for Critical Resource vulnerability in Cpanel cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API feature restriction (SEC-432). | 4.0 |
2019-08-01 | CVE-2018-20906 | Cpanel | Incorrect Permission Assignment for Critical Resource vulnerability in Cpanel cPanel before 71.9980.37 allows attackers to make API calls that bypass the images feature restriction (SEC-430). | 4.0 |
2019-08-01 | CVE-2018-20904 | Cpanel | Incorrect Permission Assignment for Critical Resource vulnerability in Cpanel cPanel before 71.9980.37 allows attackers to make API calls that bypass the cron feature restriction (SEC-427). | 4.0 |
2019-08-01 | CVE-2016-10857 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 11.54.0.0 allows a bypass of the e-mail sending limit (SEC-60). | 4.0 |
2019-08-01 | CVE-2016-10856 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 11.54.0.0 allows subaccounts to discover sensitive data through comet feeds (SEC-29). | 4.0 |
2019-08-01 | CVE-2016-10852 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 11.54.0.4 lacks ACL enforcement in the AppConfig subsystem (SEC-85). | 4.0 |
2019-08-01 | CVE-2018-20898 | Cpanel | Injection vulnerability in Cpanel cPanel before 71.9980.37 allows e-mail injection during cPAddons moderation (SEC-396). | 4.0 |
2019-08-01 | CVE-2018-20892 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 74.0.0 allows arbitrary zone file modifications because of incorrect CAA record handling (SEC-439). | 4.0 |
2019-08-01 | CVE-2018-20890 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 74.0.0 allows arbitrary zone file modifications during record edits (SEC-426). | 4.0 |
2019-08-01 | CVE-2018-20883 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 74.0.8 allows FTP access during account suspension (SEC-449). | 4.0 |
2019-07-31 | CVE-2019-10198 | Theforeman | Improper Authentication vulnerability in Theforeman Foreman-Tasks An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. | 4.0 |
2019-07-31 | CVE-2019-10189 | Moodle | Improper Access Control vulnerability in Moodle A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. | 4.0 |
2019-07-31 | CVE-2019-10188 | Moodle | Improper Access Control vulnerability in Moodle A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. | 4.0 |
2019-07-31 | CVE-2019-10187 | Moodle | Improper Access Control vulnerability in Moodle A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. | 4.0 |
2019-07-30 | CVE-2019-5449 | Nextcloud | Missing Authorization vulnerability in Nextcloud Server A missing check in the Nextcloud Server prior to version 15.0.1 causes leaking of calendar event names when adding or modifying confidential or private events. | 4.0 |
2019-07-30 | CVE-2019-10130 | Postgresql | Improper Access Control vulnerability in Postgresql A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. | 4.0 |
2019-07-30 | CVE-2019-14413 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 78.0.2 allows certain file-write operations as shared users during connection resets (SEC-476). | 4.0 |
2019-07-30 | CVE-2019-14408 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 78.0.2 allows a demo account to link with an OpenID provider (SEC-460). | 4.0 |
2019-07-30 | CVE-2019-14407 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 78.0.2 reveals internal data to OpenID providers (SEC-415). | 4.0 |
2019-07-29 | CVE-2018-17213 | Printeron | Improper Authentication vulnerability in Printeron Central Print Services 2.5/4.1.4 An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. | 4.0 |
2019-07-29 | CVE-2015-9288 | Unity | Information Exposure vulnerability in Unity web Player The Unity Web Player plugin before 4.6.6f2 and 5.x before 5.0.3f2 allows attackers to read messages or access online services via a victim's credentials. | 4.0 |
130 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-08-02 | CVE-2017-18458 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219). | 3.6 |
2019-08-02 | CVE-2017-18437 | Cpanel | Injection vulnerability in Cpanel cPanel before 64.0.21 allows a Webmail account to execute code via forwarders (SEC-240). | 3.6 |
2019-08-02 | CVE-2017-18416 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 67.9999.103 allows arbitrary file-overwrite operations during a Roundcube SQLite schema update (SEC-303). | 3.6 |
2019-08-01 | CVE-2018-20909 | Cpanel | Incorrect Permission Assignment for Critical Resource vulnerability in Cpanel cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338). | 3.6 |
2019-08-01 | CVE-2018-20889 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 74.0.0 allows certain file-read operations via password file caching (SEC-425). | 3.6 |
2019-07-30 | CVE-2019-5453 | Nextcloud | Improper Authentication vulnerability in Nextcloud Bypass lock protection in the Nextcloud Android app prior to version 3.3.0 allowed access to files when being prompted for the lock protection and switching to the Nextcloud file provider. | 3.6 |
2019-07-29 | CVE-2019-13103 | Denx | Uncontrolled Recursion vulnerability in Denx U-Boot A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data. | 3.6 |
2019-08-02 | CVE-2019-7945 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7944 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7940 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7938 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7937 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7936 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7935 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7934 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7927 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7926 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7921 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7909 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7908 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7897 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7887 | Magento | Cross-site Scripting vulnerability in Magento A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled. | 3.5 |
2019-08-02 | CVE-2019-7882 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7881 | Magento | Cross-site Scripting vulnerability in Magento A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7880 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7875 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7869 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7868 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7867 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7866 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7863 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7862 | Magento | Cross-site Scripting vulnerability in Magento A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2019-7853 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | 3.5 |
2019-08-02 | CVE-2017-18454 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface (SEC-262). | 3.5 |
2019-08-02 | CVE-2017-18420 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 66.0.2 allows stored XSS during WHM cPAddons processing (SEC-269). | 3.5 |
2019-08-02 | CVE-2017-18419 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 66.0.2 allows stored XSS during WHM cPAddons uninstallation (SEC-266). | 3.5 |
2019-08-02 | CVE-2017-18418 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 66.0.2 allows stored XSS during WHM cPAddons file operations (SEC-265). | 3.5 |
2019-08-02 | CVE-2017-18417 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 66.0.2 allows stored XSS during WHM cPAddons installation (SEC-263). | 3.5 |
2019-08-02 | CVE-2017-18408 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 67.9999.103 allows stored XSS in WHM MySQL Password Change interfaces (SEC-282). | 3.5 |
2019-08-02 | CVE-2017-18402 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 68.0.15 allows stored XSS during a cpaddons moderated upgrade (SEC-336). | 3.5 |
2019-08-01 | CVE-2019-5401 | HP | Cross-site Scripting vulnerability in HP Hp2910Al-48G Firmware W.15.14.00.16 A potential security vulnerability has been identified in HP2910al-48G version W.15.14.0016. | 3.5 |
2019-08-01 | CVE-2016-10813 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 57.9999.54 allows self XSS during ftp account creation under addon domains (SEC-118). | 3.5 |
2019-08-01 | CVE-2016-10827 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 55.9999.141 allows self stored XSS in WHM Edit System Mail Preferences (SEC-96). | 3.5 |
2019-08-01 | CVE-2016-10822 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 55.9999.141 allows self XSS in X3 Reseller Branding Images (SEC-88). | 3.5 |
2019-08-01 | CVE-2018-20935 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows stored XSS via a WHM "Reset a DNS Zone" action (SEC-412). | 3.5 |
2019-08-01 | CVE-2018-20933 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 has stored XSS via a WHM Edit DNS Zone action (SEC-410). | 3.5 |
2019-08-01 | CVE-2018-20916 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-370). | 3.5 |
2019-08-01 | CVE-2018-20915 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-369). | 3.5 |
2019-08-01 | CVE-2018-20913 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364). | 3.5 |
2019-08-01 | CVE-2016-10854 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 11.54.0.4 allows self XSS in the X3 Entropy Banner interface (SEC-87). | 3.5 |
2019-08-01 | CVE-2016-10853 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 11.54.0.4 allows stored XSS in the WHM Feature Manager interface (SEC-86). | 3.5 |
2019-08-01 | CVE-2016-10851 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 11.54.0.4 allows self XSS in the WHM PHP Configuration editor interface (SEC-84). | 3.5 |
2019-08-01 | CVE-2018-20884 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 74.0.0 allows stored XSS in the WHM File Restoration interface (SEC-367). | 3.5 |
2019-08-01 | CVE-2018-20881 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 74.0.8 allows self stored XSS on the Security Questions login page (SEC-446). | 3.5 |
2019-08-01 | CVE-2018-20878 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 74.0.8 allows stored XSS in WHM "File and Directory Restoration" interface (SEC-441). | 3.5 |
2019-08-01 | CVE-2018-20877 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 74.0.8 allows self XSS in WHM Style Upload interface (SEC-437). | 3.5 |
2019-08-01 | CVE-2018-20876 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface (SEC-434). | 3.5 |
2019-08-01 | CVE-2018-20875 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 74.0.8 allows self XSS in the WHM Security Questions interface (SEC-433). | 3.5 |
2019-08-01 | CVE-2018-20874 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428). | 3.5 |
2019-07-31 | CVE-2019-14456 | Opengear | Cross-site Scripting vulnerability in Opengear Opengear console server firmware releases prior to 4.5.0 have a stored XSS vulnerability related to serial port logging. | 3.5 |
2019-07-31 | CVE-2019-3958 | Wallaceit | Cross-site Scripting vulnerability in Wallaceit Wallacepos 1.4.3 Insufficient output sanitization in WallacePOS 1.4.3 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks via a crafted sales transaction. | 3.5 |
2019-07-30 | CVE-2019-4285 | IBM | Improper Restriction of Rendered UI Layers or Frames vulnerability in IBM Websphere Application Server IBM WebSphere Application Server - Liberty Admin Center could allow a remote attacker to hijack the clicking action of the victim. | 3.5 |
2019-07-30 | CVE-2019-14390 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512). | 3.5 |
2019-07-30 | CVE-2019-14386 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504). | 3.5 |
2019-07-29 | CVE-2019-11199 | Dolibarr | Cross-site Scripting vulnerability in Dolibarr Erp/Crm 9.0.1 Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. | 3.5 |
2019-07-29 | CVE-2015-6253 | EDX | Cross-site Scripting vulnerability in EDX Edx-Platform edx-platform before 2015-08-17 allows XSS in the Studio listing of courses. | 3.5 |
2019-07-29 | CVE-2019-1020007 | Owasp | Cross-site Scripting vulnerability in Owasp Dependency-Track Dependency-Track before 3.5.1 allows XSS. | 3.5 |
2019-07-29 | CVE-2019-1020005 | Inveniosoftware | Cross-site Scripting vulnerability in Inveniosoftware Invenio-Communities 1.0.0 invenio-communities before 1.0.0a20 allows XSS. | 3.5 |
2019-07-29 | CVE-2019-1020003 | Inveniosoftware | Cross-site Scripting vulnerability in Inveniosoftware Invenio-Records invenio-records before 1.2.2 allows XSS. | 3.5 |
2019-07-29 | CVE-2019-1105 | Microsoft | Cross-site Scripting vulnerability in Microsoft Outlook A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages, aka 'Outlook for Android Spoofing Vulnerability'. | 3.5 |
2019-08-01 | CVE-2018-20897 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395). | 3.3 |
2019-08-01 | CVE-2018-20896 | Cpanel | Code Injection vulnerability in Cpanel cPanel before 71.9980.37 allows code injection in the WHM cPAddons interface (SEC-394). | 3.3 |
2019-07-31 | CVE-2019-10343 | Jenkins | Information Exposure Through Log Files vulnerability in Jenkins Configuration AS Code Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied. | 3.3 |
2019-07-30 | CVE-2019-1552 | Openssl | Improper Certificate Validation vulnerability in Openssl OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. | 3.3 |
2019-08-02 | CVE-2017-18436 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 64.0.21 allows demo accounts to read files via a Fileman::getfileactions API2 call (SEC-239). | 2.7 |
2019-08-01 | CVE-2015-7559 | Apache Redhat | Improper Input Validation vulnerability in multiple products It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. | 2.7 |
2019-07-30 | CVE-2019-10152 | Libpod Project | Path Traversal vulnerability in Libpod Project Libpod A path traversal vulnerability has been discovered in podman before version 1.4.0 in the way it handles symlinks inside containers. | 2.6 |
2019-08-02 | CVE-2017-18449 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254). | 2.1 |
2019-08-02 | CVE-2017-18432 | Cpanel | Information Exposure vulnerability in Cpanel In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a database password (SEC-234). | 2.1 |
2019-08-02 | CVE-2017-18429 | Cpanel | 7PK - Security Features vulnerability in Cpanel In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persist on disk after an account termination (SEC-291). | 2.1 |
2019-08-02 | CVE-2017-18427 | Cpanel | Permission Issues vulnerability in Cpanel In cPanel before 66.0.2, weak log-file permissions can occur after account modification (SEC-289). | 2.1 |
2019-08-02 | CVE-2017-18424 | Cpanel | Information Exposure vulnerability in Cpanel In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274). | 2.1 |
2019-08-02 | CVE-2017-18423 | Cpanel | Information Exposure Through Log Files vulnerability in Cpanel In cPanel before 66.0.2, domain log files become readable after log processing (SEC-273). | 2.1 |
2019-08-02 | CVE-2017-18422 | Cpanel | Permission Issues vulnerability in Cpanel In cPanel before 66.0.2, EasyApache 4 conversion sets weak domlog ownership and permissions (SEC-272). | 2.1 |
2019-08-02 | CVE-2017-18421 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 66.0.2 allows demo accounts to create databases and users (SEC-271). | 2.1 |
2019-08-02 | CVE-2017-18405 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 68.0.15 allows arbitrary file-read operations because of the backup .htaccess modification logic (SEC-345). | 2.1 |
2019-08-02 | CVE-2017-18397 | Cpanel | Permission Issues vulnerability in Cpanel cPanel before 68.0.15 does not preserve permissions for local backup transport (SEC-330). | 2.1 |
2019-08-02 | CVE-2017-18392 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 68.0.15 allows collisions because PostgreSQL databases can be assigned to multiple accounts (SEC-325). | 2.1 |
2019-08-02 | CVE-2017-18385 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 68.0.15 allows unprivileged users to access restricted directories during account restores (SEC-311). | 2.1 |
2019-08-02 | CVE-2017-18384 | Cpanel | Improper Access Control vulnerability in Cpanel cPanel before 68.0.15 allows jailed accounts to restore files that are outside of the jail (SEC-310). | 2.1 |
2019-08-01 | CVE-2018-20947 | Cpanel | Exposure of Resource to Wrong Sphere vulnerability in Cpanel cPanel before 68.0.27 allows certain file-write operations via the telnetcrt script (SEC-356). | 2.1 |
2019-08-01 | CVE-2018-20946 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 68.0.27 allows attackers to read zone information because a world-readable archive is created by the archive_sync_zones script (SEC-355). | 2.1 |
2019-08-01 | CVE-2018-20944 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 68.0.27 allows attackers to read a copy of httpd.conf that is created during a syntax test (SEC-353). | 2.1 |
2019-08-01 | CVE-2018-20940 | Cpanel | Race Condition vulnerability in Cpanel cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon the enabling of backups (SEC-342). | 2.1 |
2019-08-01 | CVE-2018-20939 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 68.0.27 allows a user to discover contents of directories (that are not owned by that user) by leveraging backups (SEC-339). | 2.1 |
2019-08-01 | CVE-2018-20936 | Cpanel | Incorrect Permission Assignment for Critical Resource vulnerability in Cpanel cPanel before 68.0.27 allows attackers to read the SRS secret via exim.conf (SEC-308). | 2.1 |
2019-08-01 | CVE-2018-20927 | Cpanel | Improper Authorization vulnerability in Cpanel cPanel before 70.0.23 allows jailshell escape because of incorrect crontab parsing (SEC-382). | 2.1 |
2019-08-01 | CVE-2016-10841 | Cpanel | Information Management Errors vulnerability in Cpanel The bin/mkvhostspasswd script in cPanel before 11.54.0.4 discloses password hashes (SEC-73). | 2.1 |
2019-08-01 | CVE-2018-20917 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 70.0.23 allows any user to disable Solr (SEC-371). | 2.1 |
2019-08-01 | CVE-2018-20908 | Cpanel | Incorrect Permission Assignment for Critical Resource vulnerability in Cpanel cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435). | 2.1 |
2019-08-01 | CVE-2018-20902 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408). | 2.1 |
2019-08-01 | CVE-2018-20894 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 74.0.0 makes web-site contents accessible to other local users via Git repositories (SEC-443). | 2.1 |
2019-08-01 | CVE-2018-20893 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442). | 2.1 |
2019-08-01 | CVE-2019-14337 | Dlink | OS Command Injection vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. | 2.1 |
2019-08-01 | CVE-2019-14336 | Dlink | Unspecified vulnerability in Dlink 6600-Ap Firmware and Dwl-3600Ap Firmware An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. | 2.1 |
2019-08-01 | CVE-2019-14334 | Dlink | Improper Certificate Validation vulnerability in Dlink products An issue was discovered on D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Ax 4.2.0.14 21/03/2019 devices. | 2.1 |
2019-08-01 | CVE-2018-20880 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 74.0.8 mishandles account suspension because of an invalid email_accounts.json file (SEC-445). | 2.1 |
2019-08-01 | CVE-2018-20873 | Cpanel | Improper Input Validation vulnerability in Cpanel cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409). | 2.1 |
2019-07-30 | CVE-2019-10165 | Redhat | Information Exposure vulnerability in Redhat Openshift Container Platform OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. | 2.1 |
2019-07-30 | CVE-2019-5452 | Nextcloud | Unspecified vulnerability in Nextcloud Bypass lock protection in the Nextcloud Android app prior to version 3.6.2 causes leaking of thumbnails when requesting the Android content provider although the lock protection was not solved. | 2.1 |
2019-07-30 | CVE-2019-5451 | Nextcloud | Missing Authentication for Critical Function vulnerability in Nextcloud Server Bypass lock protection in the Nextcloud Android app prior to version 3.6.1 allows accessing the files when repeatedly opening and closing the app in a very short time. | 2.1 |
2019-07-30 | CVE-2019-14414 | Cpanel | Unspecified vulnerability in Cpanel In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains (SEC-478). | 2.1 |
2019-07-30 | CVE-2019-14412 | Cpanel | Use of Externally-Controlled Format String vulnerability in Cpanel Maketext in cPanel before 78.0.2 allows format-string injection in the DCV check_domains_via_dns UAPI (SEC-474). | 2.1 |
2019-07-30 | CVE-2019-14410 | Cpanel | Use of Externally-Controlled Format String vulnerability in Cpanel Maketext in cPanel before 78.0.2 allows format-string injection in the Email store_filter UAPI (SEC-472). | 2.1 |
2019-07-30 | CVE-2019-14409 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466). | 2.1 |
2019-07-30 | CVE-2019-14402 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481). | 2.1 |
2019-07-30 | CVE-2019-14396 | Cpanel | Unspecified vulnerability in Cpanel API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495). | 2.1 |
2019-07-30 | CVE-2019-14395 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494). | 2.1 |
2019-07-30 | CVE-2019-14394 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489). | 2.1 |
2019-07-30 | CVE-2018-20870 | Cpanel | Information Exposure vulnerability in Cpanel The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467). | 2.1 |
2019-07-30 | CVE-2018-20862 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366). | 2.1 |
2019-07-30 | CVE-2019-14391 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 82.0.2 does not properly enforce Reseller package creation ACLs (SEC-514). | 2.1 |
2019-07-30 | CVE-2019-14389 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510). | 2.1 |
2019-08-02 | CVE-2017-18428 | Cpanel | Information Exposure vulnerability in Cpanel In cPanel before 66.0.2, Apache HTTP Server domlogs become temporarily world-readable during log processing (SEC-290). | 1.9 |
2019-08-02 | CVE-2017-18425 | Cpanel | Permission Issues vulnerability in Cpanel In cPanel before 66.0.2, the cpdavd_error_log file can be created with weak permissions (SEC-280). | 1.9 |
2019-08-02 | CVE-2018-1987 | IBM | Improper Authentication vulnerability in IBM Data Protection IBM Spectrum Protect for Enterprise Resource Planning 7.1 and 8.1, if tracing is activated, the IBM Spectrum Protect node password may be displayed in plain text in the ERP trace file. | 1.9 |
2019-08-02 | CVE-2017-18412 | Cpanel | Information Exposure Through Log Files vulnerability in Cpanel cPanel before 67.9999.103 allows Apache HTTP Server log files to become world-readable because of mishandling on an account rename (SEC-296). | 1.9 |
2019-08-02 | CVE-2017-18391 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 68.0.15 allows attackers to read backup files because they are world-readable during a short time interval (SEC-323). | 1.9 |
2019-08-01 | CVE-2018-20943 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon a post-update task (SEC-352). | 1.9 |
2019-08-01 | CVE-2018-20942 | Cpanel | Information Exposure vulnerability in Cpanel cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon configuring crontab (SEC-351). | 1.9 |