Weekly Vulnerabilities Reports > September 23 to 29, 2019

In libexif, there is a possible out of bounds write due to an integer overflow.

Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device.

In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check.

LibreOffice documents can contain macros.

A denial of service vulnerability was reported in Lenovo System Update versions prior to 5.07.0088 that could allow configuration files to be written to non-standard locations.

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to gain shell access on an affected device and execute commands on the underlying operating system (OS).

A vulnerability in the RADIUS Change of Authorization (CoA) code of Cisco TrustSec, a feature within Cisco IOS XE Software, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

A vulnerability in the Cisco TrustSec (CTS) Protected Access Credential (PAC) provisioning module of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition.

A vulnerability in the filesystem resource management code of Cisco IOS XE Software could allow an unauthenticated, remote attacker to exhaust filesystem resources on an affected device and cause a denial of service (DoS) condition.

A vulnerability in Unified Threat Defense (UTD) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

A vulnerability in the FTP application layer gateway (ALG) functionality used by Network Address Translation (NAT), NAT IPv6 to IPv4 (NAT64), and the Zone-Based Policy Firewall (ZBFW) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

A vulnerability in the Raw Socket Transport feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

A vulnerability in the ingress packet processing function of Cisco IOS Software for Cisco Catalyst 4000 Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header.

A vulnerability in the Ident protocol handler of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allow multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that can reference memory after it has been freed.

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allow multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that causes the program to mishandle pointers.

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allow multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that operates outside of the designated memory area.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

Dell EMC ECS versions prior to 3.4.0.0 contain an improper restriction of excessive authentication attempts vulnerability.

In libttspico, there is a possible OOB write due to a heap buffer overflow.

In Bluetooth, there is a possible deserialization error due to missing string validation.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libvpx, there is a possible out of bounds read due to a missing bounds check.

Mozilla developers and community members reported memory safety bugs present in Firefox 68.

CF UAA versions prior to 74.1.0, allow external input to be directly queried against.

An issue was discovered in pfSense through 2.4.4-p3.

download.php in inoERP 4.15 allows SQL injection through insecure deserialization.

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

BMC Remedy ITSM Suite is prone to unspecified vulnerabilities in both DWP and SmartIT components, which can permit remote attackers to perform pre-authenticated remote commands execution on the Operating System running the targeted application.

A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including 1.17.x, in the way a Kerberos client could crash the KDC by sending one of the RFC 4556 "enctypes".

The oauth2-provider plugin before 3.1.5 for WordPress has incorrect generation of random numbers.

A vulnerability in the Dialer interface feature for ISDN connections in Cisco IOS XE Software for Cisco 4000 Series Integrated Services Routers (ISRs) could allow an unauthenticated, adjacent attacker to pass IPv4 traffic through an ISDN channel prior to successful PPP authentication.

A vulnerability in the common Session Initiation Protocol (SIP) library of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files.

OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request.

A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

An unsafe authentication interface was discovered in Smart Battery A4, a multifunctional portable charger, firmware version ?<= r1.7.9 .

In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

An issue was discovered in the portaudio-rs crate through 0.3.1 for Rust.

An issue was discovered in the linea crate through 0.9.4 for Rust.

SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php.

Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Jenkins Inedo ProGet Plugin 1.2 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Jenkins Inedo BuildMaster Plugin 2.4.0 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

emlog through 6.0.0beta has an arbitrary file deletion vulnerability via an admin/data.php?action=dell_all_bak request with directory traversal sequences in the bak[] parameter.

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter, a similar issue to CVE-2010-2330 and CVE-2010-2331.

ONTAP Select Deploy administration utility versions 2.12 & 2.12.1 ship with an HTTP service bound to the network allowing unauthenticated remote attackers to perform administrative actions.

An issue was discovered in Suricata 4.1.4.

MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database.

In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking.

The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control.

ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation.

In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.

Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary code via a buffer overflow involving a long NoJs parameter to the /LoginAdmin URI.

In LockPatternUtils, there is a possible escalation of privilege due to an improper permissions check.

In sensorservice, there is a possible out of bounds write due to a missing bounds check.

In the Bluetooth stack, there is a possible out of bounds write due to a use after free.

The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default.

The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NT\SYSTEM privilege, accepts network connections from localhost.

The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NT\SYSTEM privilege, accepts network connections from localhost.

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference.

The Text-to-speech Engine (aka SamsungTTS) application before 3.0.02.7 and 3.0.00.101 for Android allows a local attacker to escalate privileges, e.g., to system privileges.

A vulnerability in a CLI command related to the virtualization manager (VMAN) in Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with root privileges.

A vulnerability in a CLI command related to the virtualization manager (VMAN) in Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with root privileges.

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges.

A vulnerability in the Guest Shell of Cisco IOS XE Software could allow an authenticated, local attacker to perform directory traversal on the base Linux operating system of Cisco IOS XE Software.

A vulnerability in Cisco NX-OS Software and Cisco IOS XE Software could allow an authenticated, local attacker with valid administrator or privilege level 15 credentials to load a virtual service image and bypass signature verification on an affected device.

A vulnerability in a Virtualization Manager (VMAN) related CLI command of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root.

A vulnerability in the Image Verification feature of Cisco IOS XE Software could allow an authenticated, local attacker to install and boot a malicious software image or execute unsigned binaries on an affected device.

In libstagefright, there is a possible resource exhaustion due to a missing bounds check.

In libstagefright, there is a possible resource exhaustion due to a missing bounds check.

In libskia, there is a possible crash due to a missing null check.

In libstagefright, there is a possible resource exhaustion due to improper input validation.

In libstagefright, there is a possible resource exhaustion due to improper input validation.

In NFC server, there is a possible out of bounds write due to a missing bounds check.

In hostapd, there is a possible out of bounds write due to a race condition.

In the NFC stack, there is a possible out of bounds write due to a missing bounds check.

In the Easel driver, there is possible memory corruption due to race conditions.

In the Easel driver, there is possible memory corruption due to race conditions.

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document.

An integer overflow in WhatsApp media parsing libraries allows a remote attacker to perform an out-of-bounds write on the heap via specially-crafted EXIF tags in WEBP images.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libeffects, there is a possible out of bounds write due to a missing bounds check.

In Bluetooth, there is a possible out of bounds write due to a missing bounds check.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libstagefright, there is a possible out of bounds write due to a heap buffer overflow.

In libFDK, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libMpegTPDec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libMpegTPDec, there is a possible out of bounds write due to an integer overflow.

In libFDK, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In Bluetooth, there is a possible remote code execution due to an improper memory allocation.

In libhidcommand_jni, there is a possible out of bounds write due to a missing bounds check.

In MPEG4Extractor, there is a possible out of bounds write due to an integer overflow.

In libmediaextractor there is a possible out of bounds write due to an integer overflow.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write to missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application.

A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use.

Mozilla developers and community members reported memory safety bugs present in Firefox 68, Firefox ESR 68, and Firefox 60.8.

Mozilla developers and community members reported memory safety bugs present in Firefox 68 and Firefox ESR 68.

diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands.

The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQL injection via wp-admin/admin-ajax.php in a unitegallery_ajax_action operation.

In IrfanView 4.53, Data from a Faulting Address controls a subsequent Write Address starting at image00400000+0x000000000001dcfc.

In Rockwell Automation Arena Simulation Software Cat.

In radare2 before 3.9.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c.

kkcms v1.3 has a CSRF vulnerablity that can add an user account via admin/cms_user_add.php.

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3.

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 do not limit the number of authentication attempts to the ACM API.

In libvpx, there is a possible information disclosure due to improper input validation.

In libvpx, there is a possible resource exhaustion due to improper input validation.

In libvpx, there is a possible out of bounds read due to a missing bounds check.

IBM MQ 7.1.0.0 - 7.1.0.9, 7.5.0.0 - 7.5.0.9, 8.0.0.0 - 8.0.0.11, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.1 - 9.1.2 is vulnerable to a denial of service attack caused by a memory leak in the clustering code.

CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes.

The sendpress plugin before 1.2 for WordPress has SQL Injection via the wp-admin/admin.php?page=sp-queue listid parameter.

The unite-gallery-lite plugin before 1.5 for WordPress has SQL injection via data[galleryID] to wp-admin/admin-ajax.php.

The microblog-poster plugin before 1.6.2 for WordPress has SQL Injection via the wp-admin/options-general.php?page=microblogposter.php account_id parameter.

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature.

In BIG-IQ 6.0.0-6.1.0, services for stats do not require authentication nor do they implement any form of Transport Layer Security (TLS).

Jenkins Google Calendar Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Call Remote Job Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Data Theorem: CI/CD Plugin 1.3 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin.

IBM Security Key Lifecycle Manager 3.0 and 3.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files.

Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx.

In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname.

An issue was discovered in Suricata 4.1.4.

An issue was discovered in app-layer-ssl.c in Suricata 4.1.4.

Ming (aka libming) 0.4.8 has an out of bounds read vulnerability in the function OpCode() in the decompile.c file in libutil.a.

An Uncontrolled Search Path Vulnerability is applicable to the following: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers.

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field.

Flower 0.9.3 has XSS via a crafted worker name.

Flower 0.9.3 has XSS via the name parameter in an @app.task call.

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page.

In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

An HTTP Host header injection vulnerability exists in YzmCMS V5.3.

The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows an attacker to delete quizzes.

A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to read and modify data that should normally have been sent via an encrypted channel.

HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations.

NoneCMS v1.3 has CSRF in public/index.php/admin/admin/dele.html, as demonstrated by deleting the admin user.

Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins elOyente Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774.

IBM Security Key Lifecycle Manager 3.0 and 3.0.1 stores user credentials in plain in clear text which can be read by a local user.

Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection.

Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php.

Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php.

Dolibarr 9.0.5 has stored XSS in a User Note section to note.php.

Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php.

The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.

IBM Content Navigator 3.0CD is vulnerable to cross-site scripting.

There is a Stored Cross Site Scripting vulnerability in the undisclosed page of a BIG-IQ 6.0.0-6.1.0 or 5.2.0-5.4.0 system.

Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.

In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.

In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).

In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.

On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data.

In BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.5.1-11.6.4, BIG-IQ 7.0.0, 6.0.0-6.1.0,5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, the Configuration utility login page may not follow best security practices when handling a malicious request.

Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Zcashd in Zcash before 2.0.7-3 allows discovery of the IP address of a full node that owns a shielded address, related to mishandling of exceptions during deserialization of note plaintexts.

In Bluetooth, there is a possible out of bounds read due to an incorrect bounds check.

In Bluetooth, there is a possible out of bounds read due to improper input validation.

In Bluetooth, there is a possible null pointer dereference due to a missing null check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is a possible null pointer dereference due to a missing null check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In netd, there is a possible out of bounds read due to a use after free.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to uninitialized data.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In the Wallpaper Manager service, there is a possible information disclosure due to a missing permission check.

In Bluetooth, there is a possible crash due to an integer overflow.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In GoogleContactsSyncAdapter, there is a possible path traversal due to improper input sanitization.

In the wifi hotspot service, there is a possible denial of service due to a null pointer dereference.

In Bluetooth, there is a possible out of bounds read due to an incorrect bounds check.

In Bluetooth, there is a possible out of bounds read due to an incorrect bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In wpa_supplicant_8, there is a possible out of bounds read due to a missing bounds check.

In wpa_supplicant_8, there is a possible out of bounds read due to an incorrect bounds check.

A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted message.

If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content.

When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog.

ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Security bypass vulnerability.

SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.

In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813.

An issue was discovered in CKFinder through 2.6.2.1 and 3.x through 3.5.0.

An issue was discovered in CKFinder through 2.6.2.1.

An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M.

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL.

In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network.

In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

IBM QRadar SIEM 7.2 and 7.3 is vulnerable to Server Side Request Forgery (SSRF).

In SilverStripe assets 4.0, there is broken access control on files.

Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServer.cpp because it checks for /..

Advantech WebAccess/HMI Designer 2.1.9.31 has Exception Handler Chain corruption starting at Unknown Symbol @ 0x0000000000000000 called from ntdll!RtlRaiseStatus+0x00000000000000b4.

Advantech WebAccess/HMI Designer 2.1.9.31 has a User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c.

In Advantech WebAccess/HMI Designer 2.1.9.31, Data from a Faulting Address controls Code Flow starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x0000000000512918.

The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.

A vulnerability in the HTTP server code of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the HTTP server to crash.

A vulnerability in the IOx application environment of multiple Cisco platforms could allow an unauthenticated, remote attacker to cause the IOx web server to stop processing HTTPS requests, resulting in a denial of service (DoS) condition.

SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile().

An issue was discovered in the string-interner crate before 0.7.1 for Rust.

ONTAP Select Deploy administration utility versions 2.2 through 2.12.1 transmit credentials in plaintext.

RIOT 2019.07 contains a NULL pointer dereference in the MQTT-SN implementation (asymcute), potentially allowing an attacker to crash a network node running RIOT.

SICK FX0-GPNT00000 and FX0-GENT00000 devices through 3.4.0 have a Buffer Overflow

A denial of service vulnerability exists when Microsoft Defender improperly handles files, aka 'Microsoft Defender Denial of Service Vulnerability'.

Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.

Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to include any victim files on the system via the script parameter on the Script_view page.

ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file.

In Account of Account.java, there is a possible boot loop due to improper input validation.

In the TEE, there's a possible out of bounds read due to a missing bounds check.

In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag.

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to write values to the underlying memory of an affected device.

An issue was discovered in BlueStacks 4.110 and below on macOS and on 4.120 and below on Windows.

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

In profman, there is a possible out of bounds write due to memory corruption.

In notification management of the service manager, there is a possible permissions bypass.

In the Activity Manager service, there is a possible permission bypass due to incorrect permission check.

In Keymaster, there is a possible EoP due to a use after free.

In com.android.apps.tag, there is a possible bypass of user interaction requirements due to a missing permission check.

In tzdata there is possible memory corruption due to a mismatch between allocation and deallocation functions.

In telephony, there is a possible bypass of user interaction requirements due to missing permission checks.

In wifilogd, there is a possible out of bounds write due to a missing bounds check.

In Bluetooth, there is a possible out of bounds write due to an integer overflow.

In Platform, there is a possible bypass of user interaction requirements due to missing permission checks.

The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware.

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker within the IOx Guest Shell to modify the namespace container protections on an affected device.

On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by leveraging a load instruction inside the execute-only region to expose the protected code into a CPU register.

On STMicroelectronics STM32F7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated with a debug probe via the Instruction Tightly Coupled Memory (ITCM) bus.

In Total Defense Anti-virus 9.0.0.773, resource acquisition from the untrusted search path C:\ used by caschelp.exe allows local attackers to hijack ccGUIFrm.dll, which leads to code execution.

In Total Defense Anti-virus 9.0.0.773, insecure access control for the directory %PROGRAMDATA%\TotalDefense\Consumer\ISS\9\bd\TDUpdate2\ used by AMRT.exe allows local attackers to hijack bdcore.dll, which leads to privilege escalation when the AMRT service loads the DLL.

In Total Defense Anti-virus 9.0.0.773, insecure access control for the directory %PROGRAMDATA%\TotalDefense\Consumer\ISS\9\ used by ccschedulersvc.exe allows local attackers to hijack dotnetproxy.exe, which leads to privilege escalation when the ccSchedulerSVC service runs the executable.

In Platform, there is a possible bypass of user interaction requirements due to background app interception.

In NFC, there is a possible out of bounds write due to a missing bounds check.

In NFC, there is a possible out of bounds write due to a missing bounds check.

In System Settings, there is a possible permissions bypass due to a cached Linux user ID.

The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the updates directory, allowing for the replacement of local files, including the Maintenance Service executable, which is run with privileged access.

Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the TextPage::findGaps function in TextOutputDev.cc, a different vulnerability than CVE-2019-9877.

In the Framework, it is possible to set up BROWSEABLE intents to take over certain URLs.

In the Screen Lock, there is a possible information disclosure due to an unusual root cause.

In libhevc, there is a possible out of bounds read due to an integer overflow.

In libstagefright there is a possible information disclosure due to uninitialized data.

In libstagefright there is a possible information disclosure due to uninitialized data.

In wpa_supplicant, there is a possible man in the middle vulnerability due to improper input validation of the basicConstraints field of intermediary certificates.

In libSBRdec there is a possible out of bounds read due to incorrect bounds check.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libhevc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libhevc there is a possible information disclosure due to uninitialized data.

In cn-cbor, there is a possible out of bounds read due to improper casting.

The Print Service is susceptible to man in the middle attacks due to improperly used crypto.

In libxaac, there is a possible out of bounds read due to uninitialized data.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In the settings UI, there is a possible spoofing vulnerability due to a missing permission check.

In sonivox, there is a possible out of bounds read due to an incorrect bounds check.

In libSBRdec there is a possible out of bounds read due to a missing bounds check.

In libSACdec, there is a possible out of bounds read due to a missing bounds check.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In NFC server, there's a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In libstagefright, there is a possible resource exhaustion due to a missing bounds check.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libhevc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc, there is a missing variable initialization.

In libavc, there is a missing variable initialization.

In libavc, there is a missing variable initialization.

In libhevc, there is a missing variable initialization.

In libstagefright, there is a missing variable initialization.

In libstagefright, there is a missing variable initialization.

In libhevc, there is a missing variable initialization.

In libavc, there is a missing variable initialization.

In libstagefright, there is a missing variable initialization.

In libstagefright, there is a possible out of bounds read due to a missing bounds check.

In libstagefright, there is a possible out of bounds read due to a missing bounds check.

In AAC Codec, there is a possible resource exhaustion due to improper input validation.

In skia, there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to missing bounds check.

In libxaac there is a possible out of bounds read due to missing bounds check.

In libavc there is a possible out of bounds read due to uninitialized data.

In AAC Codec, there is a missing variable initialization.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible information disclosure due to uninitialized data.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given.

A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash.

A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification.

WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context.

The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site.

Some HTML elements, such as &lt;title&gt; and &lt;textarea&gt;, can contain literal angle brackets without treating them as markup.

Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin.

A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a &lt;canvas&gt; element due to an error in how same-origin policy is applied to cached image content.

A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process.

Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward.

kkcms 1.3 has jx.php?url= XSS.

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature.

Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page.

An XSS issue was discovered in pfSense through 2.4.4-p3.

The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQL injection via wp-admin/admin.php galleryid or id parameters.

The altos-connect plugin 1.3.0 for WordPress has XSS via the wp-content/plugins/altos-connect/jquery-validate/demo/demo/captcha/index.php/ PATH_SELF.

The accurate-form-data-real-time-form-validation plugin 1.2 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=Accu_Data_WP.

The avenirsoft-directdownload plugin 1.0 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=avenir_plugin.

The bookmarkify plugin 2.9.2 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=bookmarkify.php.

The monetize plugin through 1.03 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=monetize-zones-new.

The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=dynwid-config page_limit parameter.

The kiwi-logo-carousel plugin before 1.7.2 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings tab or tab_flags_order parameter.

The wp-social-bookmarking-light plugin before 1.7.10 for WordPress has CSRF with resultant XSS via configuration parameters for Tumblr, Twitter, Facebook, etc.

The alpine-photo-tile-for-instagram plugin before 1.2.7.6 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings tab parameter.

The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=qtranslate-x json_config_files or json_custom_i18n_config parameter.

The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header.

The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter.

The wplegalpages plugin before 1.1 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=legal-pages lp-domain-name, lp-business-name, lp-phone, lp-street, lp-city-state, lp-country, lp-email, lp-address, or lp-niche parameters.

The googmonify plugin through 0.5.1 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=googmonify.php PID or AID parameter.

The social-locker plugin before 4.2.5 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=opanda-item&page=license-manager-sociallocker-next licensekey parameter.

The multicons plugin before 3.0 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=multicons%2Fmulticons.php global_url or admin_url parameter.

The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has CSRF with resultant XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load plugnedit_width, pnemedcount, PlugneditBGColor, PlugneditEditorMargin, or plugneditcontent parameters.

The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=omsc_popup id parameter.

The soundcloud-is-gold plugin before 2.3.2 for WordPress has XSS via the wp-admin/admin-ajax.php?action=get_soundcloud_player id parameter.

The captain-slider plugin 1.0.6 for WordPress has XSS via a Title or Caption section.

The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS.

The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header.

The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter.

The eshop plugin through 6.3.13 for WordPress has CSRF with resultant XSS via the wp-admin/admin.php?page=eshop-downloads.php title parameter.

The Royal-Slider plugin before 3.2.7 for WordPress has XSS via the rstype parameter.

The Postmatic plugin before 1.4.6 for WordPress has XSS.

An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.

The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resultant XSS in pages/alo-easymail-admin-options.php.

Jenkins Azure Event Grid Build Notifier Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers with Overall/Read permission to trigger project generation from templates.

A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates.

In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.

An issue was discovered in Devise Token Auth through 1.1.2.

CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret.

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

WTCMS 1.0 allows index.php?g=admin&m=index&a=index CSRF with resultant XSS.

ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.

ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.

ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.

ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.

ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.

ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.

admin/infolist_add.php in PHPMyWind 5.6 has stored XSS.

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a password storage vulnerability in the ACM component.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a use after free.

In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.

IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 command server is vulnerable to a denial of service attack caused by an authenticated and authorized user using specially crafted PCF messages.

In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution.

The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

An issue was discovered in Grafana 5.4.0.

In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode.

SilverStripe through 4.3.3 allows session fixation in the "change password" form.

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a stored cross-site scripting vulnerability.

The easy-fancybox plugin before 1.8.18 for WordPress (aka Easy FancyBox) is susceptible to Stored XSS in the Settings Menu inc/class-easyfancybox.php due to improper encoding of arbitrarily submitted settings parameters.

TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin.

In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.

The addthis plugin before 5.0.13 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=addthis_social_widget pubid parameter.

The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dw_show_widget id_base, widget_number, or instance parameter.

The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=term_tree prefix or widget_id parameter.

The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter.

The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters.

Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments.

A vulnerability in the web framework code of Cisco IOS and Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected software using the banner parameter.

A vulnerability in the web framework code of Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected software.

admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS.

The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock.

On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface).

An issue was discovered on Swell Kit Mod devices that use the Vandy Vape platform.

It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library.

In AOSP Email, there is a possible information disclosure due to a confused deputy.

In the Package Manager service, there is a possible information disclosure due to a confused deputy.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible information disclosure due to a use after free.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In FingerprintService, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check.

In JobStore, there is a mismatched serialization/deserialization for the "battery-not-low" job attribute.

In Bluetooth, there is a use of uninitialized variable.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In AudioService, there is a possible trigger of background user audio due to a permissions bypass.

In SyncStatusObserver, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check.

In the m4v_h263 codec, there is a possible out of bounds read due to a use after free.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In the Activity Manager service, there is a possible information disclosure due to a confused deputy.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In keyguard, there is a possible escalation of privilege due to improper permission checks.

In the proc filesystem, there is a possible information disclosure due to log information disclosure.

In WiFi, there is a possible leak of WiFi state due to a permissions bypass.

In libstagefright, there is a possible use-after-free due to improper locking.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In wpa_supplicant_8, there is a possible out of bounds read due to a missing bounds check.

In LG's LAF component, there is a possible leak of information in a protected disk partition due to a missing bounds check.

In LG's LAF component, there is a possible leak of information in a protected disk partition due to a missing bounds check.

In WiFi, the RSSI value and SSID information is broadcast as part of android.net.wifi.RSSI_CHANGE and android.net.wifi.STATE_CHANGE intents.

A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10).

In libandroidfw, there is a possible OOB read due to an integer overflow.

In NFC server, there is a possible out of bounds read due to a missing bounds check.

In NFC server, there is a possible out of bounds read due to a missing bounds check.

In NFC server, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.