Weekly Vulnerabilities Reports > October 28 to November 3, 2019
Overview
261 new vulnerabilities reported during this period, including 55 critical vulnerabilities and 95 high severity vulnerabilities. This weekly summary report vulnerabilities in 381 products from 155 vendors including Debian, Redhat, Fedoraproject, Schneider Electric, and IBM. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "SQL Injection", "Path Traversal", and "Information Exposure".
- 225 reported vulnerabilities are remotely exploitables.
- 4 reported vulnerabilities have public exploit available.
- 91 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 185 reported vulnerabilities are exploitable by an anonymous user.
- Debian has the most reported vulnerabilities, with 36 reported vulnerabilities.
- Debian has the most reported critical vulnerabilities, with 8 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
55 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-10-31 | CVE-2018-4031 | Getcujo | Code Injection vulnerability in Getcujo Smart Firewall 7003 An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. | 10.0 |
2019-10-31 | CVE-2019-5049 | AMD | Out-of-bounds Write vulnerability in AMD products An exploitable memory corruption vulnerability exists in AMD ATIDXX64.DLL driver, versions 25.20.15031.5004 and 25.20.15031.9002. | 10.0 |
2019-11-02 | CVE-2019-18662 | Youphptube | SQL Injection vulnerability in Youphptube An issue was discovered in YouPHPTube through 7.7. | 9.8 |
2019-11-01 | CVE-2013-1666 | Foswiki | Code Injection vulnerability in Foswiki Foswiki before 1.1.8 contains a code injection vulnerability in the MAKETEXT macro. | 9.8 |
2019-11-01 | CVE-2011-3923 | Apache Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. | 9.8 |
2019-11-01 | CVE-2013-2739 | Readymedia Project Debian | Out-of-bounds Write vulnerability in multiple products MiniDLNA has heap-based buffer overflow | 9.8 |
2019-11-01 | CVE-2005-3056 | Twiki | Injection vulnerability in Twiki 200409023 TWiki allows arbitrary shell command execution via the Include function | 9.8 |
2019-11-01 | CVE-2013-2738 | Readymedia Project | SQL Injection vulnerability in Readymedia Project Readymedia minidlna has SQL Injection that may allow retrieval of arbitrary files | 9.8 |
2019-10-31 | CVE-2019-18226 | Honeywell | Authentication Bypass by Capture-replay vulnerability in Honeywell products Honeywell equIP series and Performance series IP cameras and recorders, A vulnerability exists in the affected products where IP cameras and recorders have a potential replay attack vulnerability as a weak authentication method is retained for compatibility with legacy products. | 9.8 |
2019-10-31 | CVE-2019-13551 | Advantech | Path Traversal vulnerability in Advantech Wise-Paas/Rmm 3.3.29 Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. | 9.8 |
2019-10-31 | CVE-2019-13547 | Advantech | Missing Authentication for Critical Function vulnerability in Advantech Wise-Paas/Rmm 3.3.29 Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. | 9.8 |
2019-10-31 | CVE-2019-13508 | Freetds Canonical | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products FreeTDS through 1.1.11 has a Buffer Overflow. | 9.8 |
2019-10-31 | CVE-2012-6125 | Call CC | Improper Input Validation vulnerability in Call-Cc Chicken Chicken before 4.8.0 is susceptible to algorithmic complexity attacks related to hash table collisions. | 9.8 |
2019-10-31 | CVE-2019-5151 | Youphptube | SQL Injection vulnerability in Youphptube 7.7 An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. | 9.8 |
2019-10-31 | CVE-2013-1910 | Baseurl Debian | Improper Input Validation vulnerability in multiple products yum does not properly handle bad metadata, which allows an attacker to cause a denial of service and possibly have other unspecified impact via a Trojan horse file in the metadata of a remote repository. | 9.8 |
2019-10-31 | CVE-2019-18465 | Ipswitch | Missing Authentication for Critical Function vulnerability in Ipswitch Moveit Transfer 11.1/11.1.1 In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in without full credentials via the SSH (SFTP) interface. | 9.8 |
2019-10-31 | CVE-2019-18464 | Ipswitch | SQL Injection vulnerability in Ipswitch Moveit Transfer In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker to gain unauthorized access to the database. | 9.8 |
2019-10-31 | CVE-2009-5043 | Burn Project Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products burn allows file names to escape via mishandled quotation marks | 9.8 |
2019-10-31 | CVE-2009-5041 | Debian | Classic Buffer Overflow vulnerability in Debian Overkill overkill has buffer overflow via long player names that can corrupt data on the server machine | 9.8 |
2019-10-31 | CVE-2019-18364 | Jetbrains | Deserialization of Untrusted Data vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2019.1.4, insecure Java Deserialization could potentially allow remote code execution. | 9.8 |
2019-10-31 | CVE-2019-18425 | XEN Debian Fedoraproject Opensuse | Improper Privilege Management vulnerability in multiple products An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. | 9.8 |
2019-10-30 | CVE-2010-0748 | Transmissionbt Debian | Improper Input Validation vulnerability in multiple products Transmission before 1.92 allows an attacker to cause a denial of service (crash) or possibly have other unspecified impact via a large number of tr arguments in a magnet link. | 9.8 |
2019-10-30 | CVE-2019-18633 | Europa | Improper Certificate Validation vulnerability in Europa Eidas-Node Integration Package 2.1 European Commission eIDAS-Node Integration Package before 2.3.1 has Missing Certificate Validation because a certain ExplicitKeyTrustEvaluator return value is not checked. | 9.8 |
2019-10-30 | CVE-2019-18632 | Europa | Improper Certificate Validation vulnerability in Europa Eidas-Node Integration Package European Commission eIDAS-Node Integration Package before 2.3.1 allows Certificate Faking because an attacker can sign a manipulated SAML response with a forged certificate. | 9.8 |
2019-10-30 | CVE-2019-10762 | Medoo | SQL Injection vulnerability in Medoo columnQuote in medoo before 1.7.5 allows remote attackers to perform a SQL Injection due to improper escaping. | 9.8 |
2019-10-30 | CVE-2018-21029 | Systemd Project Fedoraproject | Improper Certificate Validation vulnerability in multiple products systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. | 9.8 |
2019-10-29 | CVE-2012-0694 | Sugarcrm | Improper Input Validation vulnerability in Sugarcrm 6.3.1 SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute arbitrary PHP code. | 9.8 |
2019-10-29 | CVE-2019-8287 | Tightvnc | Classic Buffer Overflow vulnerability in Tightvnc 1.3.10 TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. | 9.8 |
2019-10-29 | CVE-2019-18624 | Opera | Unspecified vulnerability in Opera Mini 44.1.2254.142553/44.1.2254.142659/44.1.2254.143214 Opera Mini for Android allows attackers to bypass intended restrictions on .apk file download/installation via an RTLO (aka Right to Left Override) approach, as demonstrated by misinterpretation of malicious%E2%80%AEtxt.apk as maliciouskpa.txt. | 9.8 |
2019-10-29 | CVE-2019-18604 | Axohelp C Project Axodraw2 Project | In axohelp.c before 1.3 in axohelp in axodraw2 before 2.1.1b, as distributed in TeXLive and other collections, sprintf is mishandled. | 9.8 |
2019-10-29 | CVE-2019-15683 | Turbovnc | Out-of-bounds Write vulnerability in Turbovnc TurboVNC server code contains stack buffer overflow vulnerability in commit prior to cea98166008301e614e0d36776bf9435a536136e. | 9.8 |
2019-10-29 | CVE-2019-15679 | Tightvnc | Out-of-bounds Write vulnerability in Tightvnc 1.3.10 TightVNC code version 1.3.10 contains heap buffer overflow in InitialiseRFBConnection function, which can potentially result code execution. | 9.8 |
2019-10-29 | CVE-2019-15678 | Tightvnc | Out-of-bounds Write vulnerability in Tightvnc 1.3.10 TightVNC code version 1.3.10 contains heap buffer overflow in rfbServerCutText handler, which can potentially result code execution.. | 9.8 |
2019-10-29 | CVE-2019-10749 | Sequelizejs | SQL Injection vulnerability in Sequelizejs Sequelize sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. | 9.8 |
2019-10-29 | CVE-2019-10748 | Sequelizejs | SQL Injection vulnerability in Sequelizejs Sequelize Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. | 9.8 |
2019-10-29 | CVE-2019-10211 | Postgresql | Unspecified vulnerability in Postgresql Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory. | 9.8 |
2019-10-29 | CVE-2012-1187 | Bitlbee | Improper Check for Dropped Privileges vulnerability in Bitlbee 3.0.4 Bitlbee does not drop extra group privileges correctly in unix.c | 9.8 |
2019-10-29 | CVE-2010-3375 | Qtparted Project | Improper Input Validation vulnerability in Qtparted Project Qtparted 0.4.59 qtparted has insecure library loading which may allow arbitrary code execution | 9.8 |
2019-10-29 | CVE-2009-3887 | Ytnef Project | Path Traversal vulnerability in Ytnef Project Ytnef ytnef has directory traversal | 9.8 |
2019-10-28 | CVE-2019-18189 | Trendmicro | Path Traversal vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security A directory traversal vulnerability in Trend Micro Apex One, OfficeScan (11.0, XG) and Worry-Free Business Security (9.5, 10.0) may allow an attacker to bypass authentication and log on to an affected product's management console as a root user. | 9.8 |
2019-10-28 | CVE-2019-17181 | Intrasrv Project | Classic Buffer Overflow vulnerability in Intrasrv Project Intrasrv 1.0 A remote SEH buffer overflow has been discovered in IntraSrv 1.0 (2007-06-03). | 9.8 |
2019-10-28 | CVE-2019-14450 | Repetier Server | Path Traversal vulnerability in Repetier-Server A directory traversal vulnerability was discovered in RepetierServer.exe in Repetier-Server 0.8 through 0.91 that allows for the creation of a user controlled XML file at an unintended location. | 9.8 |
2019-10-28 | CVE-2019-16897 | K7Computing | Improper Privilege Management vulnerability in K7Computing products In K7 Antivirus Premium 16.0.xxx through 16.0.0120; K7 Total Security 16.0.xxx through 16.0.0120; and K7 Ultimate Security 16.0.xxx through 16.0.0120, the module K7TSHlpr.dll improperly validates the administrative privileges of the user, allowing arbitrary registry writes in the K7AVOptn.dll module to facilitate escalation of privileges via inter-process communication with a service process. | 9.8 |
2019-10-28 | CVE-2019-11043 | PHP Canonical Debian Fedoraproject Tenable Redhat | Out-of-bounds Write vulnerability in multiple products In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. | 9.8 |
2019-10-28 | CVE-2010-4239 | Tiki | Improper Input Validation vulnerability in Tiki Tikiwiki Cms/Groupware 5.2 Tiki Wiki CMS Groupware 5.2 has Local File Inclusion | 9.8 |
2019-10-28 | CVE-2009-4899 | Pixelpost | SQL Injection vulnerability in Pixelpost 1.7.15 pixelpost 1.7.1 has SQL injection | 9.8 |
2019-10-28 | CVE-2002-2444 | Snoopy Project | Improper Input Validation vulnerability in Snoopy Project Snoopy 2.0.01 Snoopy before 2.0.0 has a security hole in exec cURL | 9.8 |
2019-10-28 | CVE-2019-14931 | Mitsubishielectric Inea | OS Command Injection vulnerability in multiple products An issue was discovered on Mitsubishi Electric Europe B.V. | 9.8 |
2019-10-28 | CVE-2019-14930 | Mitsubishielectric Inea | Use of Hard-coded Credentials vulnerability in multiple products An issue was discovered on Mitsubishi Electric Europe B.V. | 9.8 |
2019-10-28 | CVE-2019-14929 | Mitsubishielectric Inea | Insufficiently Protected Credentials vulnerability in multiple products An issue was discovered on Mitsubishi Electric Europe B.V. | 9.8 |
2019-10-28 | CVE-2019-14926 | Mitsubishielectric Inea | Use of Hard-coded Credentials vulnerability in multiple products An issue was discovered on Mitsubishi Electric Europe B.V. | 9.8 |
2019-10-28 | CVE-2019-16662 | Rconfig | OS Command Injection vulnerability in Rconfig 3.9.2 An issue was discovered in rConfig 3.9.2. | 9.8 |
2019-10-31 | CVE-2010-2783 | Redhat | Information Exposure vulnerability in Redhat Icedtea6 1.7 IcedTea6 before 1.7.4 allow unsigned apps to read and write arbitrary files, related to Extended JNLP Services. | 9.1 |
2019-10-31 | CVE-2010-2548 | Redhat | Incorrect Authorization vulnerability in Redhat Icedtea6 1.7 IcedTea6 before 1.7.4 does not properly check property access, which allows unsigned apps to read and write arbitrary files. | 9.1 |
2019-10-31 | CVE-2009-5042 | Python Docutils Project Debian | Exposure of Resource to Wrong Sphere vulnerability in multiple products python-docutils allows insecure usage of temporary files | 9.1 |
95 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-10-31 | CVE-2019-5030 | Antennahouse | Out-of-bounds Write vulnerability in Antennahouse Rainbow PDF Office Server Document Converter 7.0.2019.0220 A buffer overflow vulnerability exists in the PowerPoint document conversion function of Rainbow PDF Office Server Document Converter V7.0 Pro MR1 (7,0,2019,0220). | 8.8 |
2019-10-31 | CVE-2013-2075 | Call CC | Classic Buffer Overflow vulnerability in Call-Cc Chicken Multiple buffer overflows in the (1) R5RS char-ready, (2) tcp-accept-ready, and (3) file-select procedures in Chicken through 4.8.0.3 allows attackers to cause a denial of service (crash) by opening a file descriptor with a large integer value. | 8.8 |
2019-10-31 | CVE-2013-2024 | Call CC Debian | OS Command Injection vulnerability in multiple products OS command injection vulnerability in the "qs" procedure from the "utils" module in Chicken before 4.9.0. | 8.8 |
2019-10-31 | CVE-2019-18423 | XEN Debian Fedoraproject | Off-by-one Error vulnerability in multiple products An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap hypercall. | 8.8 |
2019-10-31 | CVE-2019-18422 | XEN Debian Fedoraproject | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. | 8.8 |
2019-10-30 | CVE-2019-17323 | Clipsoft | XML Injection (aka Blind XPath Injection) vulnerability in Clipsoft Rexpert 1.0.0.527 ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation and execution via report print function of rexpert viewer with modified XML document. | 8.8 |
2019-10-30 | CVE-2019-18206 | Zucchetti | Cross-Site Request Forgery (CSRF) vulnerability in Zucchetti Infobusiness 4.4.1 A cross-site request forgery (CSRF) vulnerability in Zucchetti InfoBusiness before and including 4.4.1 allows arbitrary file upload. | 8.8 |
2019-10-30 | CVE-2019-18204 | Zucchetti | Unrestricted Upload of File with Dangerous Type vulnerability in Zucchetti Infobusiness 4.4.1 Zucchetti InfoBusiness before and including 4.4.1 allows any authenticated user to upload .php files in order to achieve code execution. | 8.8 |
2019-10-29 | CVE-2018-18931 | Trms | Improper Privilege Management vulnerability in Trms Carousel Digital Signage 7.0.4.104 An issue was discovered in the Tightrope Media Carousel digital signage product 7.0.4.104. | 8.8 |
2019-10-29 | CVE-2018-18930 | Trms | Unrestricted Upload of File with Dangerous Type vulnerability in Trms Carousel Digital Signage 7.0.4.104 The Tightrope Media Carousel digital signage product 7.0.4.104 contains an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. | 8.8 |
2019-10-29 | CVE-2018-18929 | Trms | Use of Hard-coded Credentials vulnerability in Trms Seneca HDN Firmware 7.0.4.104 The Tightrope Media Carousel Seneca HDn Windows-based appliance 7.0.4.104 is shipped with a default local administrator username and password. | 8.8 |
2019-10-29 | CVE-2019-9926 | Labkey | Cross-Site Request Forgery (CSRF) vulnerability in Labkey Server 19.1.0 An issue was discovered in LabKey Server 19.1.0. | 8.8 |
2019-10-29 | CVE-2019-3976 | Mikrotik | Path Traversal vulnerability in Mikrotik Routeros RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulnerable to an arbitrary directory creation vulnerability via the upgrade package's name field. | 8.8 |
2019-10-29 | CVE-2019-10208 | Postgresql | SQL Injection vulnerability in Postgresql A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. | 8.8 |
2019-10-29 | CVE-2019-4546 | IBM | Improper Privilege Management vulnerability in IBM products After installing the IBM Maximo Health- Safety and Environment Manager 7.6.1, a user is granted additional privileges that they are not normally allowed to access. | 8.8 |
2019-10-28 | CVE-2010-4241 | Tiki | Cross-Site Request Forgery (CSRF) vulnerability in Tiki Tikiwiki Cms/Groupware 5.2 Tiki Wiki CMS Groupware 5.2 has CSRF | 8.8 |
2019-10-28 | CVE-2019-18195 | Terra Master | Unspecified vulnerability in Terra-Master F2-210 Firmware 4.0.19 An issue was discovered on TerraMaster FS-210 4.0.19 devices. | 8.8 |
2019-10-28 | CVE-2019-16663 | Rconfig | OS Command Injection vulnerability in Rconfig 3.9.2 An issue was discovered in rConfig 3.9.2. | 8.8 |
2019-10-29 | CVE-2019-6848 | Schneider Electric | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric products A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580 CPU (BMEx58*) and Modicon M580 communication module (BMENOC0311, BMENOC0321) (see notification for version info), which could cause a Denial of Service attack on the PLC when sending specific data on the REST API of the controller/communication module. | 8.6 |
2019-10-29 | CVE-2011-1408 | Ikiwiki Debian | Link Following vulnerability in multiple products ikiwiki before 3.20110608 allows remote attackers to hijack root's tty and run symlink attacks. | 8.2 |
2019-11-01 | CVE-2005-2352 | GS GPL Project | Race Condition vulnerability in Gs-Gpl Project Gs-Gpl I race condition in Temp files was found in gs-gpl before 8.56 addons scripts. | 8.1 |
2019-11-01 | CVE-2013-4751 | Sensiolabs Fedoraproject Redhat | Improper Input Validation vulnerability in multiple products php-symfony2-Validator has loss of information during serialization | 8.1 |
2019-10-31 | CVE-2019-5150 | Youphptube | SQL Injection vulnerability in Youphptube 7.7 An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. | 8.1 |
2019-10-31 | CVE-2019-3421 | ZTW | Command Injection vulnerability in ZTW Zx297520V3 Firmware 7520V3V1.0.0B09P27 The 7520V3V1.0.0B09P27 version, and all earlier versions of ZTE product ZX297520V3 are impacted by a Command Injection vulnerability. | 8.0 |
2019-10-30 | CVE-2010-0737 | Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in Redhat Jboss Operations Network A missing permission check was found in The CLI in JBoss Operations Network before 2.3.1 does not properly check permissions, which allows JBoss ON users to perform management tasks and configuration changes with the privileges of the administrator user. | 8.0 |
2019-11-01 | CVE-2013-4367 | Ovirt | Incorrect Permission Assignment for Critical Resource vulnerability in Ovirt Ovirt-Engine 3.2 ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'. | 7.8 |
2019-10-31 | CVE-2019-16675 | Phoenixcontact | Out-of-bounds Read vulnerability in Phoenixcontact Config+ and PC Worx Express An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. | 7.8 |
2019-10-31 | CVE-2018-3983 | Atlantiswordprocessor | Access of Uninitialized Pointer vulnerability in Atlantiswordprocessor Atlantis Word Processor 3.0.2.3/3.0.2.5 An exploitable uninitialized pointer vulnerability exists in the Word document parser of the the Atlantis Word Processor. | 7.8 |
2019-10-31 | CVE-2019-12612 | Bitdefender | Unspecified vulnerability in Bitdefender BOX Firmware An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that allows an attacker to pass arbitrary code to the BOX appliance via the web API. | 7.8 |
2019-10-30 | CVE-2010-0747 | Linbit | Incorrect Permission Assignment for Critical Resource vulnerability in Linbit Drbd8 2.6.26 drbd8 allows local users to bypass intended restrictions for certain actions via netlink packets, similar to CVE-2009-3725. | 7.8 |
2019-10-29 | CVE-2010-2061 | Rpcbind Project | Improper Input Validation vulnerability in Rpcbind Project Rpcbind 0.2.0 rpcbind 0.2.0 does not properly validate (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr, which can be created by an attacker before the daemon is started. | 7.8 |
2019-10-28 | CVE-2019-3636 | Mcafee | Cleartext Storage of Sensitive Information vulnerability in Mcafee Total Protection A File Masquerade vulnerability in McAfee Total Protection (MTP) version 16.0.R21 and earlier in Windows client allowed an attacker to read the plaintext list of AV-Scan exclusion files from the Windows registry, and to possibly replace excluded files with potential malware without being detected. | 7.8 |
2019-10-28 | CVE-2017-5731 | Tianocore | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tianocore Edk2 Bounds checking in Tianocompress before November 7, 2017 may allow an authenticated user to potentially enable an escalation of privilege via local access. | 7.8 |
2019-11-02 | CVE-2019-18665 | Secudos | Path Traversal vulnerability in Secudos Domos The Log module in SECUDOS DOMOS before 5.6 allows local file inclusion. | 7.5 |
2019-11-02 | CVE-2019-18661 | Fastweb | Improper Authentication vulnerability in Fastweb Fastgate Firmware 1.0.1B Fastweb FASTGate 1.0.1b devices allow partial authentication bypass by changing a certain check_pwd return value from 0 to 1. | 7.5 |
2019-11-01 | CVE-2019-6470 | ISC Redhat Opensuse | There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. | 7.5 |
2019-11-01 | CVE-2013-2227 | Glpi Project Debian | Improper Input Validation vulnerability in multiple products GLPI 0.83.7 has Local File Inclusion in common.tabs.php. | 7.5 |
2019-11-01 | CVE-2012-2979 | Freebsd | Incorrect Resource Transfer Between Spheres vulnerability in Freebsd Name Server Daemon FreeBSD NSD before 3.2.13 allows remote attackers to crash a NSD child server process (SIGSEGV) and cause a denial of service in the NSD server. | 7.5 |
2019-11-01 | CVE-2013-2600 | Miniupnp Project Debian | Information Exposure vulnerability in multiple products MiniUPnPd has information disclosure use of snprintf() | 7.5 |
2019-10-31 | CVE-2019-18230 | Honeywell | Missing Authentication for Critical Function vulnerability in Honeywell products Honeywell equIP and Performance series IP cameras, multiple versions, A vulnerability exists where the affected product allows unauthenticated access to audio streaming over HTTP. | 7.5 |
2019-10-31 | CVE-2019-18228 | Honeywell | Improper Input Validation vulnerability in Honeywell products Honeywell equIP series IP cameras Multiple equIP Series Cameras, A vulnerability exists in the affected products where a specially crafted HTTP packet request could result in a denial of service. | 7.5 |
2019-10-31 | CVE-2019-18227 | Advantech | XXE vulnerability in Advantech Wise-Paas/Rmm 3.3.29 Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. | 7.5 |
2019-10-31 | CVE-2019-16906 | Infosysta | Missing Authorization vulnerability in Infosysta In-App & Desktop Notifications 1.6.13J8 An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. | 7.5 |
2019-10-31 | CVE-2019-5043 | Allocation of Resources Without Limits or Throttling vulnerability in Google Nest CAM IQ Indoor Firmware 4620002 An exploitable denial-of-service vulnerability exists in the Weave daemon of the Nest Cam IQ Indoor, version 4620002. | 7.5 | |
2019-10-31 | CVE-2019-5010 | Python Opensuse Debian Redhat | NULL Pointer Dereference vulnerability in multiple products An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. | 7.5 |
2019-10-31 | CVE-2018-4002 | Cujo | Uncontrolled Recursion vulnerability in Cujo Smart Firewall Firmware 7003 An exploitable denial-of-service vulnerability exists in the mdnscap binary of the CUJO Smart Firewall running firmware 7003. | 7.5 |
2019-10-31 | CVE-2012-6122 | Call CC | Classic Buffer Overflow vulnerability in Call-Cc Chicken Buffer overflow in the thread scheduler in Chicken before 4.8.0.1 allows attackers to cause a denial of service (crash) by opening a file descriptor with a large integer value. | 7.5 |
2019-10-31 | CVE-2019-18421 | XEN Debian Fedoraproject Opensuse | Race Condition vulnerability in multiple products An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations. | 7.5 |
2019-10-30 | CVE-2019-18635 | Themooltipass | NULL Pointer Dereference vulnerability in Themooltipass Moolticute An issue was discovered in Mooltipass Moolticute through v0.42.1 and v0.42.x-testing through v0.42.5-testing. | 7.5 |
2019-10-30 | CVE-2013-1391 | Huntcctv Capturecctv Hachi Novuscctv VSP | Improper Authentication vulnerability in multiple products Authentication bypass vulnerability in the the web interface in Hunt CCTV, Capture CCTV, Hachi CCTV, NoVus CCTV, and Well-Vision Inc DVR systems allows a remote attacker to retrieve the device configuration. | 7.5 |
2019-10-30 | CVE-2018-16417 | Arubanetworks Siemens | Command Injection vulnerability in multiple products Aruba Instant 4.x prior to 6.4.4.8-4.2.4.12, 6.5.x prior to 6.5.4.11, 8.3.x prior to 8.3.0.6, and 8.4.x prior to 8.4.0.1 allows Command injection. | 7.5 |
2019-10-30 | CVE-2019-15682 | Rdesktop | Out-of-bounds Read vulnerability in Rdesktop 1.8.4 RDesktop version 1.8.4 contains multiple out-of-bound access read vulnerabilities in its code, which results in a denial of service (DoS) condition. | 7.5 |
2019-10-30 | CVE-2019-7620 | Elastic | Unspecified vulnerability in Elastic Logstash Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. | 7.5 |
2019-10-30 | CVE-2018-5742 | ISC | Reachable Assertion vulnerability in ISC Bind 9.9.465/9.9.472 While backporting a feature for a newer branch of BIND9, RedHat introduced a path leading to an assertion failure in buffer.c:420. | 7.5 |
2019-10-30 | CVE-2018-5735 | Debian | Reachable Assertion vulnerability in Debian Linux 10.0/8.0/9.0 The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858; Affects Debian versions 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1 No ISC releases are affected. | 7.5 |
2019-10-29 | CVE-2010-1678 | Osgeo | Improper Input Validation vulnerability in Osgeo Mapserver Mapserver 5.2, 5.4 and 5.6 before 5.6.5-2 improperly validates symbol index values during Mapfile parsing. | 7.5 |
2019-10-29 | CVE-2018-19151 | Qtum | Resource Exhaustion vulnerability in Qtum qtum through 0.16 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. | 7.5 |
2019-10-29 | CVE-2019-9757 | Labkey | XXE vulnerability in Labkey Server 19.1.0 An issue was discovered in LabKey Server 19.1.0. | 7.5 |
2019-10-29 | CVE-2019-6851 | Schneider Electric | Information Exposure vulnerability in Schneider-Electric products A CWE-538: File and Directory Information Exposure vulnerability exists in Modicon M580, Modicon M340, Modicon Premium , Modicon Quantum (all firmware versions), which could cause the disclosure of information from the controller when using TFTP protocol. | 7.5 |
2019-10-29 | CVE-2019-6850 | Schneider Electric | Information Exposure vulnerability in Schneider-Electric products A CWE-200: Information Exposure vulnerability exists in Modicon M580, Modicon BMENOC 0311, and Modicon BMENOC 0321, which could cause the disclosure of sensitive information when reading specific registers with the REST API of the controller/communication module. | 7.5 |
2019-10-29 | CVE-2019-6849 | Schneider Electric | Information Exposure vulnerability in Schneider-Electric products A CWE-200: Information Exposure vulnerability exists in Modicon M580, Modicon BMENOC 0311, and Modicon BMENOC 0321, which could cause the disclosure of sensitive information when using specific Modbus services provided by the REST API of the controller/communication module. | 7.5 |
2019-10-29 | CVE-2019-6845 | Schneider Electric | Cleartext Transmission of Sensitive Information vulnerability in Schneider-Electric products A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists in Modicon M580, Modicon M340, Modicon Premium , Modicon Quantum (all firmware versions), which could cause the disclosure of information when transferring applications to the controller using Modbus TCP protocol. | 7.5 |
2019-10-29 | CVE-2019-3979 | Mikrotik | Insufficient Verification of Data Authenticity vulnerability in Mikrotik Routeros RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below are vulnerable to a DNS unrelated data attack. | 7.5 |
2019-10-29 | CVE-2019-3978 | Mikrotik | Missing Authentication for Critical Function vulnerability in Mikrotik Routeros RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. | 7.5 |
2019-10-29 | CVE-2019-3977 | Mikrotik | Download of Code Without Integrity Check vulnerability in Mikrotik Routeros RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. | 7.5 |
2019-10-29 | CVE-2019-18608 | Cezerin | Unspecified vulnerability in Cezerin 0.33.0 Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. | 7.5 |
2019-10-29 | CVE-2019-18602 | Openafs Debian | Use of Uninitialized Resource vulnerability in multiple products OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to an information disclosure vulnerability because uninitialized scalars are sent over the network to a peer. | 7.5 |
2019-10-29 | CVE-2019-18601 | Openafs | Deserialization of Untrusted Data vulnerability in Openafs OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of service from unserialized data access because remote attackers can make a series of VOTE_Debug RPC calls to crash a database server within the SVOTE_Debug RPC handler. | 7.5 |
2019-10-29 | CVE-2019-15681 | Libvnc Project Canonical Debian Siemens | Improper Initialization vulnerability in multiple products LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allow an attacker to read stack memory and can be abused for information disclosure. | 7.5 |
2019-10-29 | CVE-2019-15680 | Tightvnc | NULL Pointer Dereference vulnerability in Tightvnc 1.3.10 TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results Denial of System (DoS). | 7.5 |
2019-10-29 | CVE-2019-0210 | Apache Redhat Oracle | Out-of-bounds Read vulnerability in multiple products In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. | 7.5 |
2019-10-29 | CVE-2019-0205 | Apache Redhat Oracle | Infinite Loop vulnerability in multiple products In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. | 7.5 |
2019-10-29 | CVE-2012-2945 | Apache | Link Following vulnerability in Apache Hadoop 1.0.3 Hadoop 1.0.3 contains a symlink vulnerability. | 7.5 |
2019-10-29 | CVE-2012-0046 | Mediawiki | Information Exposure vulnerability in Mediawiki mediawiki allows deleted text to be exposed | 7.5 |
2019-10-29 | CVE-2011-4931 | GPW Project Debian | Weak Password Requirements vulnerability in multiple products gpw generates shorter passwords than required | 7.5 |
2019-10-29 | CVE-2009-3723 | Sangoma Debian | Incorrect Authorization vulnerability in multiple products asterisk allows calls on prohibited networks | 7.5 |
2019-10-29 | CVE-2019-4339 | IBM | Inadequate Encryption Strength vulnerability in IBM Security Guardium BIG Data Intelligence 4.0 IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2019-10-29 | CVE-2019-4314 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Security Guardium BIG Data Intelligence 4.0 IBM Security Guardium Big Data Intelligence (SonarG) 4.0 stores sensitive information in cleartext within a resource that might be accessible to another control sphere. | 7.5 |
2019-10-28 | CVE-2019-18188 | Trendmicro | Command Injection vulnerability in Trendmicro Apex ONE 2019 Trend Micro Apex One could be exploited by an attacker utilizing a command injection vulnerability to extract files from an arbitrary zip file to a specific folder on the Apex One server, which could potentially lead to remote code execution (RCE). | 7.5 |
2019-10-28 | CVE-2019-18187 | Trendmicro | Path Traversal vulnerability in Trendmicro Officescan 11.0/Xg Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). | 7.5 |
2019-10-28 | CVE-2017-15725 | Devada | XXE vulnerability in Devada Dzone Answerhub An XML External Entity Injection vulnerability exists in Dzone AnswerHub. | 7.5 |
2019-10-28 | CVE-2012-5577 | Python Debian | Incorrect Default Permissions vulnerability in multiple products Python keyring lib before 0.10 created keyring files with world-readable permissions. | 7.5 |
2019-10-28 | CVE-2005-2349 | ZOO Project | Path Traversal vulnerability in ZOO Project ZOO 2.1027 Zoo 2.10 has Directory traversal | 7.5 |
2019-10-28 | CVE-2019-14927 | Mitsubishielectric Inea | Forced Browsing vulnerability in multiple products An issue was discovered on Mitsubishi Electric Europe B.V. | 7.5 |
2019-11-01 | CVE-2013-0165 | Redhat | Improper Input Validation vulnerability in Redhat Openshift cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in OpenShift does not properly create files in /tmp. | 7.3 |
2019-10-31 | CVE-2013-2012 | Autojump Project Debian | Improper Privilege Management vulnerability in multiple products autojump before 21.5.8 allows local users to gain privileges via a Trojan horse custom_install directory in the current working directory. | 7.3 |
2019-10-31 | CVE-2019-18368 | Jetbrains | Unspecified vulnerability in Jetbrains Toolbox In JetBrains Toolbox App before 1.15.5666 for Windows, privilege escalation was possible. | 7.3 |
2019-11-01 | CVE-2019-15588 | Sonatype | OS Command Injection vulnerability in Sonatype Nexus Repository Manager There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (bypass CVE-2019-5475) that could allow an attacker a Remote Code Execution (RCE). | 7.2 |
2019-10-31 | CVE-2019-18396 | Technicolor | OS Command Injection vulnerability in Technicolor Td5130V2 Firmware Oifwv20 An issue was discovered in certain Oi third-party firmware that may be installed on Technicolor TD5130v2 devices. | 7.2 |
2019-10-31 | CVE-2019-15710 | Fortiguard | OS Command Injection vulnerability in Fortiguard Fortiextender Firmware 4.1.1 An OS command injection vulnerability in FortiExtender 4.1.0 to 4.1.1, 4.0.0 and below under CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted "execute date" commands. | 7.2 |
2019-10-29 | CVE-2019-16647 | Maxthon | Unquoted Search Path or Element vulnerability in Maxthon Browser Unquoted Search Path in Maxthon 5.1.0 to 5.2.7 Browser for Windows. | 7.2 |
2019-10-29 | CVE-2011-2538 | Cisco | Injection vulnerability in Cisco Telepresence Video Communication Server Cisco Video Communications Server (VCS) before X7.0.3 contains a command injection vulnerability which allows remote, authenticated attackers to execute arbitrary commands. | 7.2 |
2019-10-31 | CVE-2018-4064 | Sierrawireless | Improper Authentication vulnerability in Sierrawireless Airlink Es450 Firmware 4.9.3 An exploitable unverified password change vulnerability exists in the ACEManager upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. | 7.1 |
2019-10-29 | CVE-2010-2064 | Rpcbind Project | Link Following vulnerability in Rpcbind Project Rpcbind 0.2.0 rpcbind 0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr. | 7.1 |
2019-10-29 | CVE-2019-10210 | Postgresql | Insufficiently Protected Credentials vulnerability in Postgresql Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via superuser writing password to unprotected temporary file. | 7.0 |
109 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-10-31 | CVE-2019-18424 | XEN Debian Fedoraproject Opensuse | OS Command Injection vulnerability in multiple products An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. | 6.8 |
2019-11-02 | CVE-2019-18668 | Wpwham | Improper Handling of Exceptional Conditions vulnerability in Wpwham Currency Switcher for Woocommerce An issue was discovered in the Currency Switcher addon before 2.11.2 for WooCommerce if a user provides a currency that was not added by the administrator. | 6.5 |
2019-10-31 | CVE-2019-18229 | Advantech | SQL Injection vulnerability in Advantech Wise-Paas/Rmm 3.3.29 Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. | 6.5 |
2019-10-31 | CVE-2012-6123 | Call CC Debian | Improper Input Validation vulnerability in multiple products Chicken before 4.8.0 does not properly handle NUL bytes in certain strings, which allows an attacker to conduct "poisoned NUL byte attack." | 6.5 |
2019-10-31 | CVE-2010-2490 | Mumble Debian | Improper Input Validation vulnerability in multiple products Mumble: murmur-server has DoS due to malformed client query | 6.5 |
2019-10-31 | CVE-2019-18420 | XEN Debian Fedoraproject | Use of Externally-Controlled Format String vulnerability in multiple products An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via a VCPUOP_initialise hypercall. | 6.5 |
2019-10-30 | CVE-2010-0398 | Autokey Project | Link Following vulnerability in Autokey Project Autokey The init script in autokey before 0.61.3-2 allows local attackers to write to arbitrary files via a symlink attack. | 6.5 |
2019-10-30 | CVE-2019-17326 | Clipsoft | Unspecified vulnerability in Clipsoft Rexpert 1.0.0.527 ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker to arbitrary file deletion by issuing a HTTP GET request with a specially crafted parameter. | 6.5 |
2019-10-30 | CVE-2019-17325 | Clipsoft | Unrestricted Upload of File with Dangerous Type vulnerability in Clipsoft Rexpert 1.0.0.527 ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker to upload arbitrary local file via the ActiveX method in RexViewerCtrl30.ocx. | 6.5 |
2019-10-30 | CVE-2019-17324 | Clipsoft | Path Traversal vulnerability in Clipsoft Rexpert 1.0.0.527 ClipSoft REXPERT 1.0.0.527 and earlier version allows directory traversal by issuing a special HTTP POST request with ../ characters. | 6.5 |
2019-10-30 | CVE-2019-17322 | Clipsoft | Path Traversal vulnerability in Clipsoft Rexpert 1.0.0.527 ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation via a POST request with the parameter set to the file path to be written. | 6.5 |
2019-10-30 | CVE-2019-8235 | Magento | Authorization Bypass Through User-Controlled Key vulnerability in Magento An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. | 6.5 |
2019-10-29 | CVE-2019-6846 | Schneider Electric | Cleartext Transmission of Sensitive Information vulnerability in Schneider-Electric products A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause information disclosure when using the FTP protocol. | 6.5 |
2019-10-29 | CVE-2019-18611 | Mediawiki | Information Exposure vulnerability in Mediawiki Checkuser An issue was discovered in the CheckUser extension through 1.34 for MediaWiki. | 6.5 |
2019-10-29 | CVE-2019-4306 | IBM | Exposure of Resource to Wrong Sphere vulnerability in IBM Security Guardium BIG Data Intelligence 4.0 IBM Security Guardium Big Data Intelligence (SonarG) 4.0 specifies permissions for a security-critical resource which could lead to the exposure of sensitive information or the modification of that resource by unintended parties. | 6.5 |
2019-10-28 | CVE-2019-5536 | Vmware | Unspecified vulnerability in VMWare Esxi, Fusion and Workstation VMware ESXi (6.7 before ESXi670-201908101-SG and 6.5 before ESXi650-201910401-SG), Workstation (15.x before 15.5.0) and Fusion (11.x before 11.5.0) contain a denial-of-service vulnerability in the shader functionality. | 6.5 |
2019-10-28 | CVE-2019-14925 | Mitsubishielectric Inea | Incorrect Default Permissions vulnerability in multiple products An issue was discovered on Mitsubishi Electric Europe B.V. | 6.5 |
2019-11-02 | CVE-2019-18667 | Pfsense | Cross-site Scripting vulnerability in Pfsense Pfsense-Pkg-Freeradius3 /usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD allows a user with an XSS payload as password or username to execute arbitrary javascript code on a victim browser. | 6.1 |
2019-11-01 | CVE-2013-4168 | Smokeping Debian Fedoraproject | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in SmokePing 2.6.9 in the start and end time fields. | 6.1 |
2019-11-01 | CVE-2019-18654 | AVG | Cross-site Scripting vulnerability in AVG Anti-Virus 19.3.3084 A Cross Site Scripting (XSS) issue exists in AVG AntiVirus (Internet Security Edition) 19.3.3084 build 19.3.4241.440 in the Network Notification Popup, allowing an attacker to execute JavaScript code via an SSID Name. | 6.1 |
2019-11-01 | CVE-2019-18653 | Avast | Cross-site Scripting vulnerability in Avast Antivirus 19.3.2369 A Cross Site Scripting (XSS) issue exists in Avast AntiVirus (Free, Internet Security, and Premiere Edition) 19.3.2369 build 19.3.4241.440 in the Network Notification Popup, allowing an attacker to execute JavaScript code via an SSID Name. | 6.1 |
2019-11-01 | CVE-2013-0186 | Redhat | Cross-site Scripting vulnerability in Redhat products Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 6.1 |
2019-11-01 | CVE-2010-3661 | Typo3 | Open Redirect vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend. | 6.1 |
2019-11-01 | CVE-2005-2350 | Websieve Project | Cross-site Scripting vulnerability in Websieve Project Websieve 0.62 Cross-site scripting (XSS) vulnerability in websieve v0.62 allows remote attackers to inject arbitrary web script or HTML code in the web user interface. | 6.1 |
2019-11-01 | CVE-2019-12752 | Symantec | Incorrect Default Permissions vulnerability in Symantec Sonar The Symantec SONAR component, prior to 12.0.2, may be susceptible to a tamper protection bypass vulnerability which could potentially allow an attacker to circumvent the existing tamper protection in use on the resident system. | 6.1 |
2019-11-01 | CVE-2019-6657 | F5 | Cross-site Scripting vulnerability in F5 products On BIG-IP 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility. | 6.1 |
2019-10-31 | CVE-2013-1951 | Mediawiki Debian | Cross-site Scripting vulnerability in multiple products A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names. | 6.1 |
2019-10-31 | CVE-2013-1931 | Mantisbt Fedoraproject | Cross-site Scripting vulnerability in multiple products A cross-site scripting (XSS) vulnerability in MantisBT 1.2.14 allows remote attackers to inject arbitrary web script or HTML via a version, related to deleting a version. | 6.1 |
2019-10-31 | CVE-2019-18656 | Pimcore | Cross-site Scripting vulnerability in Pimcore 6.2.3 Pimcore 6.2.3 has XSS in the translations grid because bundles/AdminBundle/Resources/public/js/pimcore/settings/translations.js mishandles certain HTML elements. | 6.1 |
2019-10-31 | CVE-2019-17551 | Apakgroup | Cross-site Scripting vulnerability in Apakgroup Wholesale Floorplanning Finance 6.31.8.3/6.31.8.5 In Apak Wholesale Floorplanning Finance 6.31.8.3 and 6.31.8.5, an attacker can send an authenticated POST request with a malicious payload to /WFS/agreementView.faces allowing a stored XSS via the mainForm:loanNotesnotes:0:rich_text_editor_note_text parameter in the Notes section. | 6.1 |
2019-10-30 | CVE-2010-1673 | Ikiwiki | Cross-site Scripting vulnerability in Ikiwiki A cross-site scripting (XSS) vulnerability in ikiwiki before 3.20101112 allows remote attackers to inject arbitrary web script or HTML via a comment. | 6.1 |
2019-10-30 | CVE-2019-18205 | Zucchetti | Cross-site Scripting vulnerability in Zucchetti Infobusiness 4.4.1 Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in Zucchetti InfoBusiness before and including 4.4.1. | 6.1 |
2019-10-30 | CVE-2018-18678 | SIR | Cross-site Scripting vulnerability in SIR Gnuboard GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board group extra contents" parameter, aka the adm/boardgroup_form_update.php gr_1~10 parameter. | 6.1 |
2019-10-29 | CVE-2019-13066 | Sahipro | Cross-site Scripting vulnerability in Sahipro Sahi PRO 8.0.0 Sahi Pro 8.0.0 has a script manager arena located at _s_/dyn/pro/DBReports with many different areas that are vulnerable to reflected XSS, by updating a script's Script Name, Suite Name, Base URL, Android, iOS, Scripts Run, Origin Machine, or Comment field. | 6.1 |
2019-10-29 | CVE-2018-10727 | Fabrikar | Cross-site Scripting vulnerability in Fabrikar Fabrik Reflected Cross-Site Scripting (XSS) vulnerability in the fabrik_referrer hidden field in the Fabrikar Fabrik component through v3.8.1 for Joomla! allows remote attackers to inject arbitrary web script via the HTTP Referer header. | 6.1 |
2019-10-29 | CVE-2011-0428 | Ikiwiki | Cross-site Scripting vulnerability in Ikiwiki Cross Site Scripting (XSS) in ikiwiki before 3.20110122 could allow remote attackers to insert arbitrary JavaScript due to insufficient checking in comments. | 6.1 |
2019-10-28 | CVE-2010-4245 | Translatehouse | Cross-site Scripting vulnerability in Translatehouse Pootle pootle 2.0.5 has XSS via 'match_names' parameter | 6.1 |
2019-10-28 | CVE-2010-4240 | Tiki | Cross-site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware 5.2 Tiki Wiki CMS Groupware 5.2 has XSS | 6.1 |
2019-10-28 | CVE-2009-4900 | Pixelpost | Cross-site Scripting vulnerability in Pixelpost 1.7.15 pixelpost 1.7.1 has XSS | 6.1 |
2019-11-01 | CVE-2013-2255 | Redhat Openstack Debian | Improper Certificate Validation vulnerability in multiple products HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. | 5.9 |
2019-10-31 | CVE-2019-5023 | Opensrcsec | Missing Release of Resource after Effective Lifetime vulnerability in Opensrcsec Grsecurity and PAX An exploitable vulnerability exists in the grsecurity PaX patch for the function read_kmem, in PaX from version pax-linux-4.9.8-test1 to 4.9.24-test7, grsecurity official from version grsecurity-3.1-4.9.8-201702060653 to grsecurity-3.1-4.9.24-201704252333, grsecurity unofficial from version v4.9.25-unofficialgrsec to v4.9.74-unofficialgrsec. | 5.9 |
2019-10-31 | CVE-2019-18644 | Totaldefense | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Totaldefense Anti-Virus 11.5.2.28 The malware scan function in Total Defense Anti-virus 11.5.2.28 is vulnerable to a TOCTOU bug; consequently, symbolic link attacks allow privileged files to be deleted. | 5.9 |
2019-10-29 | CVE-2019-18603 | Openafs Debian | Use of Uninitialized Resource vulnerability in multiple products OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to information leakage upon certain error conditions because uninitialized RPC output variables are sent over the network to a peer. | 5.9 |
2019-10-29 | CVE-2010-4237 | Mercurial | Improper Certificate Validation vulnerability in Mercurial Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack. | 5.9 |
2019-10-28 | CVE-2019-5538 | Vmware | Improper Certificate Validation vulnerability in VMWare Vcenter Server 6.5/6.7 Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over SCP. | 5.9 |
2019-10-28 | CVE-2019-5537 | Vmware | Improper Certificate Validation vulnerability in VMWare Vcenter Server 6.5/6.7 Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over FTPS and HTTPS. | 5.9 |
2019-10-31 | CVE-2019-3419 | ZTE | Unspecified vulnerability in ZTE Zxmp M721 DX Firmware Zxmpm721V3.10P01B10M2Ncp A security vulnerability exists in a management port in the version of ZTE's ZXMP M721V3.10P01B10_M2NCP. | 5.7 |
2019-11-01 | CVE-2013-0180 | Redislabs | Improper Input Validation vulnerability in Redislabs Redis 2.6.0 Insecure temporary file vulnerability in Redis 2.6 related to /tmp/redis.ds. | 5.5 |
2019-11-01 | CVE-2013-0178 | Redislabs | Improper Input Validation vulnerability in Redislabs Redis Insecure temporary file vulnerability in Redis before 2.6 related to /tmp/redis-%p.vm. | 5.5 |
2019-11-01 | CVE-2005-2351 | Mutt Debian | Exposure of Resource to Wrong Sphere vulnerability in multiple products Mutt before 1.5.20 patch 7 allows an attacker to cause a denial of service via a series of requests to mutt temporary files. | 5.5 |
2019-11-01 | CVE-2013-3718 | Gnome Debian Redhat Opensuse | Improper Input Validation vulnerability in multiple products evince is missing a check on number of pages which can lead to a segmentation fault | 5.5 |
2019-10-31 | CVE-2019-18645 | Totaldefense | Link Following vulnerability in Totaldefense Anti-Virus 11.5.2.28 The quarantine restoration function in Total Defense Anti-virus 11.5.2.28 is vulnerable to symbolic link attacks, allowing files to be written to privileged directories. | 5.5 |
2019-10-30 | CVE-2010-0207 | Xpdfreader | Infinite Loop vulnerability in Xpdfreader Xpdf 3.0317/3.0413/3.044 In xpdf, the xref table contains an infinite loop which allows remote attackers to cause a denial of service (application crash) in xpdf-based PDF viewers. | 5.5 |
2019-10-30 | CVE-2010-0206 | Xpdfreader | NULL Pointer Dereference vulnerability in Xpdfreader Xpdf 3.0317/3.0413/3.044 xpdf allows remote attackers to cause a denial of service (NULL pointer dereference and crash) in the way it processes JBIG2 PDF stream objects. | 5.5 |
2019-10-29 | CVE-2019-10743 | Archiver Project | Path Traversal vulnerability in Archiver Project Archiver All versions of archiver allow attacker to perform a Zip Slip attack via the "unarchive" functions. | 5.5 |
2019-10-29 | CVE-2016-4289 | Gmer | Out-of-bounds Write vulnerability in Gmer 2.1.19357 A stack based buffer overflow vulnerability exists in the method receiving data from SysTreeView32 control of the GMER 2.1.19357 application. | 5.5 |
2019-10-29 | CVE-2010-3373 | Grsecurity Debian | Improper Input Validation vulnerability in multiple products paxtest handles temporary files insecurely | 5.5 |
2019-10-29 | CVE-2019-4309 | IBM | Use of Hard-coded Credentials vulnerability in IBM Security Guardium BIG Data Intelligence 4.0 IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses hard coded credentials which could allow a local user to obtain highly sensitive information. | 5.5 |
2019-10-29 | CVE-2019-4307 | IBM | Insufficiently Protected Credentials vulnerability in IBM Security Guardium BIG Data Intelligence 4.0 IBM Security Guardium Big Data Intelligence (SonarG) 4.0 stores user credentials in plain in clear text which can be read by a local user. | 5.5 |
2019-10-28 | CVE-2010-3293 | Mailscanner | Improper Input Validation vulnerability in Mailscanner mailscanner can allow local users to prevent virus signatures from being updated | 5.5 |
2019-10-28 | CVE-2019-18466 | Libpod Project | Link Following vulnerability in Libpod Project Libpod An issue was discovered in Podman in libpod before 1.6.0. | 5.5 |
2019-11-02 | CVE-2019-18664 | Secudos | Cross-site Scripting vulnerability in Secudos Domos The Log module in SECUDOS DOMOS before 5.6 allows XSS. | 5.4 |
2019-11-01 | CVE-2010-3660 | Typo3 | Cross-site Scripting vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend. | 5.4 |
2019-11-01 | CVE-2019-18636 | Jitbit | Cross-site Scripting vulnerability in Jitbit .Net Forum 8.3.8 A cross-site scripting (XSS) vulnerability in Jitbit .NET Forum (aka ASP.NET forum) 8.3.8 allows remote attackers to inject arbitrary web script or HTML via the gravatar URL parameter. | 5.4 |
2019-10-31 | CVE-2013-1934 | Mantisbt Debian | Cross-site Scripting vulnerability in multiple products A cross-site scripting (XSS) vulnerability in the configuration report page (adm_config_report.php) in MantisBT 1.2.0rc1 before 1.2.14 allows remote authenticated users to inject arbitrary web script or HTML via a complex value. | 5.4 |
2019-10-31 | CVE-2013-1932 | Mantisbt | Cross-site Scripting vulnerability in Mantisbt 1.2.13 A cross-site scripting (XSS) vulnerability in the configuration report page (adm_config_report.php) in MantisBT 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via a project name. | 5.4 |
2019-10-30 | CVE-2019-18207 | Zucchetti | Cross-site Scripting vulnerability in Zucchetti Infobusiness 4.4.1 In Zucchetti InfoBusiness before and including 4.4.1, an authenticated user can inject client-side code due to improper validation of the Title field in the InfoBusiness Web Component. | 5.4 |
2019-10-29 | CVE-2019-9758 | Labkey | Cross-site Scripting vulnerability in Labkey Server 19.1.0 An issue was discovered in LabKey Server 19.1.0. | 5.4 |
2019-10-28 | CVE-2019-14928 | Mitsubishielectric Inea | Cross-site Scripting vulnerability in multiple products An issue was discovered on Mitsubishi Electric Europe B.V. | 5.4 |
2019-11-02 | CVE-2019-18659 | Ready | Authentication Bypass by Spoofing vulnerability in Ready Wireless Emergency Alerts The Wireless Emergency Alerts (WEA) protocol allows remote attackers to spoof a Presidential Alert because cryptographic authentication is not used, as demonstrated by MessageIdentifier 4370 in LTE System Information Block 12 (aka SIB12). | 5.3 |
2019-11-01 | CVE-2019-16908 | Infosysta | Information Exposure vulnerability in Infosysta In-App & Desktop Notifications 1.6.13J8 An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14_J8 for Jira. | 5.3 |
2019-10-31 | CVE-2019-16907 | Infosysta | Missing Authorization vulnerability in Infosysta In-App & Desktop Notifications 1.6.13J8 An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. | 5.3 |
2019-10-31 | CVE-2012-6124 | Call CC | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Call-Cc Chicken A casting error in Chicken before 4.8.0 on 64-bit platform caused the random number generator to return a constant value. | 5.3 |
2019-10-31 | CVE-2019-18657 | Yandex | Injection vulnerability in Yandex Clickhouse ClickHouse before 19.13.5.44 allows HTTP header injection via the url table function. | 5.3 |
2019-10-31 | CVE-2019-14356 | Coinkite | Information Exposure Through Discrepancy vulnerability in Coinkite Coldcard MK1 Firmware and Coldcard MK2 Firmware On Coldcard MK1 and MK2 devices, a side channel for the row-based OLED display was found. | 5.3 |
2019-10-31 | CVE-2019-18369 | Jetbrains | Incorrect Default Permissions vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible. | 5.3 |
2019-10-31 | CVE-2019-18367 | Jetbrains | Incorrect Default Permissions vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2019.1.2, a non-destructive operation could be performed by a user without the corresponding permissions. | 5.3 |
2019-10-31 | CVE-2019-18366 | Jetbrains | Incorrect Default Permissions vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2019.1.2, secure values could be exposed to users with the "View build runtime parameters and data" permission. | 5.3 |
2019-10-31 | CVE-2019-18363 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2019.1.2, access could be gained to the history of builds of a deleted build configuration under some circumstances. | 5.3 |
2019-10-31 | CVE-2019-18362 | Jetbrains | Unspecified vulnerability in Jetbrains MPS JetBrains MPS before 2019.2.2 exposed listening ports to the network. | 5.3 |
2019-10-31 | CVE-2019-18361 | Jetbrains | Unspecified vulnerability in Jetbrains Intellij Idea JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution. | 5.3 |
2019-10-31 | CVE-2019-18360 | Jetbrains | Unspecified vulnerability in Jetbrains HUB In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery. | 5.3 |
2019-10-31 | CVE-2018-21030 | Jupyter | Incorrect Authorization vulnerability in Jupyter Notebook Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. | 5.3 |
2019-10-30 | CVE-2010-0749 | Transmissionbt Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Transmission before 1.92 allows attackers to prevent download of a file by corrupted data during the endgame. | 5.3 |
2019-10-30 | CVE-2019-17321 | Clipsoft | Information Exposure vulnerability in Clipsoft Rexpert 1.0.0.527 ClipSoft REXPERT 1.0.0.527 and earlier version have an information disclosure issue. | 5.3 |
2019-10-30 | CVE-2019-7619 | Elastic | Unspecified vulnerability in Elastic Elasticsearch Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. | 5.3 |
2019-10-29 | CVE-2019-18612 | Mediawiki | Information Exposure vulnerability in Mediawiki Abusefilter An issue was discovered in the AbuseFilter extension through 1.34 for MediaWiki. | 5.3 |
2019-10-29 | CVE-2019-4600 | IBM | Unspecified vulnerability in IBM API Connect IBM API Connect version V5.0.0.0 through 5.0.8.7 could reveal sensitive information to an attacker using a specially crafted HTTP request. | 5.3 |
2019-10-29 | CVE-2019-4311 | IBM | Incorrect Authorization vulnerability in IBM Security Guardium BIG Data Intelligence 4.0 IBM Security Guardium Big Data Intelligence (SonarG) 4.0 discloses sensitive information to unauthorized users. | 5.3 |
2019-10-28 | CVE-2019-17224 | Compal | Path Traversal vulnerability in Compal Ch7465Lg Firmware Ch7465Lgncip6.12.18.252P6Nosh The web interface of the Compal Broadband CH7465LG modem (version CH7465LG-NCIP-6.12.18.25-2p6-NOSH) is vulnerable to a /%2f/ path traversal attack, which can be exploited in order to test for the existence of a file pathname outside of the web root directory. | 5.3 |
2019-10-29 | CVE-2019-6847 | Schneider Electric | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric products A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the FTP service when upgrading the firmware with a version incompatible with the application in the controller using FTP protocol. | 4.9 |
2019-10-29 | CVE-2019-6844 | Schneider Electric | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric products A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service atack on the PLC when upgrading the controller with a firmware package containing an invalid web server image using FTP protocol. | 4.9 |
2019-10-29 | CVE-2019-6843 | Schneider Electric | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric products A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580 with firmware (version prior to V3.10), Modicon M340 (all firmware versions), and Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the controller with an empty firmware package using FTP protocol. | 4.9 |
2019-10-29 | CVE-2019-6842 | Schneider Electric | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric products A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with a missing web server image inside the package using FTP protocol. | 4.9 |
2019-10-29 | CVE-2019-6841 | Schneider Electric | Improper Handling of Exceptional Conditions vulnerability in Schneider-Electric products A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580 with firmware (version prior to V3.10), Modicon M340 (all firmware versions), and Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with no firmware image inside the package using FTP protocol. | 4.9 |
2019-10-30 | CVE-2019-12417 | Apache | Cross-site Scripting vulnerability in Apache Airflow A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | 4.8 |
2019-11-02 | CVE-2019-18673 | Shiftcrypto | Information Exposure Through Discrepancy vulnerability in Shiftcrypto Bitbox02 On SHIFT BitBox02 devices, a side channel for the row-based OLED display was found. | 4.6 |
2019-11-02 | CVE-2019-14360 | Hyundai PAY | Information Exposure Through Discrepancy vulnerability in Hyundai-Pay Hk-1000 On Hyundai Pay Kasse HK-1000 devices, a side channel for the row-based OLED display was found. | 4.6 |
2019-11-02 | CVE-2019-14358 | Archos | Information Exposure Through Discrepancy vulnerability in Archos Safe-T On Archos Safe-T devices, a side channel for the row-based OLED display was found. | 4.6 |
2019-10-31 | CVE-2019-16295 | Control Webpanel | Cross-site Scripting vulnerability in Control-Webpanel Webpanel 0.9.8.855 Stored XSS in filemanager2.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.885 exists via the cmd_arg parameter. | 4.6 |
2019-11-01 | CVE-2019-6658 | F5 | SQL Injection vulnerability in F5 Big-Ip Advanced Firewall Manager On BIG-IP AFM 15.0.0-15.0.1, 14.0.0-14.1.2, 13.1.0-13.1.3.1, and 12.1.0-12.1.5, a vulnerability in the AFM configuration utility may allow any authenticated BIG-IP user to run an SQL injection attack. | 4.3 |
2019-11-01 | CVE-2019-16909 | Infosysta | Missing Authorization vulnerability in Infosysta In-App & Desktop Notifications 1.6.13J8 An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14_J8 for Jira. | 4.3 |
2019-10-31 | CVE-2019-5095 | Tempo | Missing Authorization vulnerability in Tempo 4.10.0 An issue summary information disclosure vulnerability exists in Atlassian Jira Tempo plugin, version 4.10.0. | 4.3 |
2019-10-31 | CVE-2013-1930 | Mantisbt Fedoraproject | Improper Input Validation vulnerability in multiple products MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the workflow restriction and close issues. | 4.3 |
2019-10-31 | CVE-2019-16251 | Yithemes | Unspecified vulnerability in Yithemes products plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin Framework through 3.3.8 for WordPress allows authenticated options changes. | 4.3 |
2019-10-31 | CVE-2019-18365 | Jetbrains | Improper Privilege Management vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2019.1.4, reverse tabnabbing was possible on several pages. | 4.3 |
2019-10-29 | CVE-2019-5533 | Vmware | Incorrect Authorization vulnerability in VMWare Sd-Wan BY Velocloud In VMware SD-WAN by VeloCloud versions 3.x prior to 3.3.0, the VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. | 4.3 |
2019-10-29 | CVE-2019-4330 | IBM | Reliance on Cookies without Validation and Integrity Checking vulnerability in IBM Security Guardium BIG Data Intelligence 4.0 IBM Security Guardium Big Data Intelligence (SonarG) 4.0 does not set the secure attribute for cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session. | 4.3 |
2019-10-29 | CVE-2019-4329 | IBM | Unspecified vulnerability in IBM Security Guardium BIG Data Intelligence 4.0 IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. | 4.3 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-10-31 | CVE-2013-1945 | Ruby Lang | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Ruby-Lang Ruby193 ruby193 uses an insecure LD_LIBRARY_PATH setting. | 3.3 |
2019-10-29 | CVE-2019-10209 | Postgresql | Out-of-bounds Read vulnerability in Postgresql Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan. | 2.2 |