Weekly Vulnerabilities Reports > November 4 to 10, 2019
Overview
394 new vulnerabilities reported during this period, including 66 critical vulnerabilities and 148 high severity vulnerabilities. This weekly summary report vulnerabilities in 651 products from 139 vendors including Magento, Debian, Redhat, Qualcomm, and Typo3. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Resource Exhaustion", "Information Exposure", and "Out-of-bounds Write".
- 322 reported vulnerabilities are remotely exploitables.
- 10 reported vulnerabilities have public exploit available.
- 116 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 237 reported vulnerabilities are exploitable by an anonymous user.
- Magento has the most reported vulnerabilities, with 64 reported vulnerabilities.
- Qualcomm has the most reported critical vulnerabilities, with 19 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
66 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-11-07 | CVE-2019-16872 | Portainer | Unspecified vulnerability in Portainer Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4). | 9.9 |
2019-11-08 | CVE-2019-18623 | Energycap | Improper Privilege Management vulnerability in Energycap Escalation of privileges in EnergyCAP 7 through 7.5.6 allows an attacker to access data. | 9.8 |
2019-11-08 | CVE-2019-18835 | Matrix | Insufficient Verification of Data Authenticity vulnerability in Matrix Synapse Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. | 9.8 |
2019-11-08 | CVE-2008-7291 | GRI Project Debian | Exposure of Resource to Wrong Sphere vulnerability in multiple products gri before 2.12.18 generates temporary files in an insecure way. | 9.8 |
2019-11-07 | CVE-2007-6745 | Clamav Debian | clamav 0.91.2 suffers from a floating point exception when using ScanOLE2. | 9.8 |
2019-11-07 | CVE-2019-18818 | Strapi | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Strapi strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. | 9.8 |
2019-11-07 | CVE-2013-1751 | Twiki | Improper Input Validation vulnerability in Twiki TWiki before 5.1.4 allows remote attackers to execute arbitrary shell commands by sending a crafted '%MAKETEXT{}%' parameter value containing Perl backtick characters. | 9.8 |
2019-11-07 | CVE-2010-2476 | Syscp Project | Improper Input Validation vulnerability in Syscp Project Syscp 1.4.2.1 syscp 1.4.2.1 allows attackers to add arbitrary paths via the documentroot of a domain by appending a colon to it and setting the open basedir path to use that domain documentroot. | 9.8 |
2019-11-07 | CVE-2010-2447 | Gitolite | Improper Input Validation vulnerability in Gitolite gitolite before 1.4.1 does not filter src/ or hooks/ from path names. | 9.8 |
2019-11-07 | CVE-2019-11996 | HPE | Unspecified vulnerability in HPE Nimbleos Potential security vulnerabilities have been identified with HPE Nimble Storage systems in multi array group configurations. | 9.8 |
2019-11-07 | CVE-2011-2337 | Incorrect Type Conversion or Cast vulnerability in Google Blink A wrong type is used for a return value from strlen in WebKit in Google Chrome before Blink M12 on 64-bit platforms. | 9.8 | |
2019-11-07 | CVE-2019-18814 | Linux | Use After Free vulnerability in Linux Kernel An issue was discovered in the Linux kernel through 5.3.9. | 9.8 |
2019-11-07 | CVE-2019-18805 | Linux Opensuse Redhat Netapp Broadcom | Integer Overflow or Wraparound vulnerability in multiple products An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. | 9.8 |
2019-11-06 | CVE-2019-12419 | Apache Oracle | Incorrect Authorization vulnerability in multiple products Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. | 9.8 |
2019-11-06 | CVE-2019-5644 | Gatech | Missing Authentication for Critical Function vulnerability in Gatech Computing for Good'S Basic Laboratory Information System 3.3/3.4/3.5 Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may alter several facets of a user account, including promoting any user to an administrator. | 9.8 |
2019-11-06 | CVE-2019-5617 | Gatech | Missing Authentication for Critical Function vulnerability in Gatech Computing for Good'S Basic Laboratory Information System 3.3/3.4 Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.4 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may change the password of any administrator-level user. | 9.8 |
2019-11-06 | CVE-2019-2332 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Memory corruption while accessing the memory as payload size is not validated before access in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 9.8 |
2019-11-06 | CVE-2019-2331 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Possible Integer overflow because of subtracting two integers without checking if the result would overflow or not in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 9.8 |
2019-11-06 | CVE-2019-2325 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Out of boundary access due to token received from ADSP and is used without validation as an index into the array in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 9.8 |
2019-11-06 | CVE-2019-2324 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products When ADSP is compromised, the audio port index that`s returned from ADSP might be out of the valid range and leads to out of boundary access in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 845 / SD 850, SD 855, SDX20, SDX24 | 9.8 |
2019-11-06 | CVE-2019-2323 | Qualcomm | DEPRECATED: Use of Uninitialized Resource vulnerability in Qualcomm products Lack of check to ensure crypto engine data passed by user is initialized can result in bus error in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 9.8 |
2019-11-06 | CVE-2019-2302 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products While processing vendor command which contains corrupted channel count, an integer overflow occurs and finally will lead to heap overflow. | 9.8 |
2019-11-06 | CVE-2019-2285 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Out of bound write issue is observed while giving information about properties that have been set so far for playing video in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130 | 9.8 |
2019-11-06 | CVE-2019-2283 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Improper validation of read and write index of tx and rx fifo`s before calculating pointer can lead to out-of-bound access in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 9.8 |
2019-11-06 | CVE-2019-2258 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Improper validation of array index causes OOB write and then leads to memory corruption in MMCP in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, Snapdragon_High_Med_2016, SXR1130 | 9.8 |
2019-11-06 | CVE-2019-2249 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Kernel can do a memory read from arbitrary address passed by user during execution of a syscall in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in IPQ8074, MDM9205, MDM9650, QCA8081, QCS605, SD 427, SD 435, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, Snapdragon_High_Med_2016, SXR1130 | 9.8 |
2019-11-06 | CVE-2019-10565 | Qualcomm | Double Free vulnerability in Qualcomm products Double free issue can happen when sensor power settings is freed by some thread while another thread try to access. | 9.8 |
2019-11-06 | CVE-2019-10542 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Buffer over-read may occur when downloading a corrupted firmware file that has chunk length in header which doesn`t match the contents in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 845 / SD 850, SDX20 | 9.8 |
2019-11-06 | CVE-2019-10541 | Qualcomm | Use of Uninitialized Resource vulnerability in Qualcomm products Dereference on uninitialized buffer can happen when parsing FLV clip with corrupted codec specific data in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 600, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20 | 9.8 |
2019-11-06 | CVE-2019-10534 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Null-pointer dereference can occur while accessing the super index entry when it is not been allocated in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20 | 9.8 |
2019-11-06 | CVE-2019-10533 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Out of bound access due to improper validation of array index cause the index table entry to get corrupt in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20 | 9.8 |
2019-11-06 | CVE-2019-10531 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Incorrect reading of system image resulting in buffer overflow when size of system image is increased in Snapdragon Auto, Snapdragon Mobile, Snapdragon Wearables in MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SDM439 | 9.8 |
2019-11-06 | CVE-2019-10528 | Qualcomm | Use After Free vulnerability in Qualcomm products Use after free issue in kernel while accessing freed mdlog session info and its attributes after closing the session in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 730, SD 820, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24 | 9.8 |
2019-11-06 | CVE-2019-10522 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products While playing the clip which is nonstandard buffer overflow can occur while parsing in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20 | 9.8 |
2019-11-06 | CVE-2019-10505 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Out of bound access while processing a non-standard IE measurement request with length crossing past the size of frame in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 9.8 |
2019-11-06 | CVE-2011-4628 | Typo3 | Improper Authentication vulnerability in Typo3 TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authentication mechanisms in the backend through a crafted request. | 9.8 |
2019-11-06 | CVE-2010-2446 | Ruby Rbot | Improper Input Validation vulnerability in Ruby-Rbot Rbot Rbot Reaction plugin allows command execution | 9.8 |
2019-11-06 | CVE-2019-12918 | Quest | SQL Injection vulnerability in Quest Kace Systems Management Appliance 9.1.317 Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. | 9.8 |
2019-11-06 | CVE-2016-4401 | Arubanetworks | Insufficiently Protected Credentials vulnerability in Arubanetworks Clearpass Aruba ClearPass Policy Manager before 6.5.7 and 6.6.x before 6.6.2 allows attackers to obtain database credentials. | 9.8 |
2019-11-06 | CVE-2007-0899 | Clamav Debian | Out-of-bounds Write vulnerability in multiple products There is a possible heap overflow in libclamav/fsg.c before 0.100.0. | 9.8 |
2019-11-06 | CVE-2019-18784 | Salesagility | SQL Injection vulnerability in Salesagility Suitecrm SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection. | 9.8 |
2019-11-06 | CVE-2006-4243 | Linux Vserver | Improper Privilege Management vulnerability in Linux-Vserver 1.9.0 linux vserver 2.6 before 2.6.17 suffers from privilege escalation in remount code. | 9.8 |
2019-11-06 | CVE-2006-3100 | Termpkg Project | Classic Buffer Overflow vulnerability in Termpkg Project Termpkg 3.3 termpkg 3.3 suffers from buffer overflow. | 9.8 |
2019-11-06 | CVE-2006-0062 | Sillycycle | Missing Authentication for Critical Function vulnerability in Sillycycle Xlockmore 5.13 xlockmore 5.13 allows potential xlock bypass when FVWM switches to the same virtual desktop as a new Gaim window. | 9.8 |
2019-11-06 | CVE-2006-0061 | Sillycycle | Missing Authentication for Critical Function vulnerability in Sillycycle Xlockmore 5.13/5.22 xlockmore 5.13 and 5.22 segfaults when using libpam-opensc and returns the underlying xsession. | 9.8 |
2019-11-06 | CVE-2019-8158 | Magento | XML Injection (aka Blind XPath Injection) vulnerability in Magento An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 9.8 |
2019-11-06 | CVE-2019-8149 | Magento | Insufficient Session Expiration vulnerability in Magento Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 9.8 |
2019-11-06 | CVE-2019-8144 | Magento | Unspecified vulnerability in Magento 2.3.0/2.3.1/2.3.2 A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 9.8 |
2019-11-06 | CVE-2019-8136 | Magento | Unspecified vulnerability in Magento An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 9.8 |
2019-11-06 | CVE-2019-8135 | Magento | Injection vulnerability in Magento A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 9.8 |
2019-11-05 | CVE-2019-8121 | Magento | Unspecified vulnerability in Magento An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. | 9.8 |
2019-11-05 | CVE-2011-1460 | Incorrect Type Conversion or Cast vulnerability in Google Blink WebKit in Google Chrome before Blink M11 contains a bad cast to RenderBlock when anonymous blocks are renderblocks. | 9.8 | |
2019-11-05 | CVE-2011-1134 | S9Y | Unrestricted Upload of File with Dangerous Type vulnerability in S9Y Serendipity Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in the image manager. | 9.8 |
2019-11-05 | CVE-2019-18780 | Veritas | Command Injection vulnerability in Veritas products An arbitrary command injection vulnerability in the Cluster Server component of Veritas InfoScale allows an unauthenticated remote attacker to execute arbitrary commands as root or administrator. | 9.8 |
2019-11-05 | CVE-2005-2354 | NVU | Unspecified vulnerability in NVU 0.99 Nvu 0.99+1.0pre uses an old copy of Mozilla XPCOM which can result in multiple security issues. | 9.8 |
2019-11-05 | CVE-2019-17211 | Mbed | Integer Overflow or Wraparound vulnerability in Mbed 5.13.2/5.14.0 An integer overflow was discovered in the CoAP library in Arm Mbed OS 5.14.0. | 9.8 |
2019-11-05 | CVE-2019-17212 | Mbed | Improper Validation of Array Index vulnerability in Mbed 5.13.2/5.14.0 Buffer overflows were discovered in the CoAP library in Arm Mbed OS 5.14.0. | 9.8 |
2019-11-04 | CVE-2015-8980 | PHP Gettext Project Opensuse Redhat Fedoraproject | Improper Input Validation vulnerability in multiple products The plural form formula in ngettext family of calls in php-gettext before 1.0.12 allows remote attackers to execute arbitrary code. | 9.8 |
2019-11-04 | CVE-2013-4409 | Reviewboard Fedoraproject Redhat | Improper Input Validation vulnerability in multiple products An eval() vulnerability exists in Python Software Foundation Djblets 0.7.21 and Beanbag Review Board before 1.7.15 when parsing JSON requests. | 9.8 |
2019-11-04 | CVE-2019-18663 | ISL | SQL Injection vulnerability in ISL Arp-Guard 4.0.05 A SQL injection vulnerability in a /login/forgot1 POST request in ARP-GUARD 4.0.0-5 allows unauthenticated remote attackers to execute arbitrary SQL commands via the user_id parameter. | 9.8 |
2019-11-04 | CVE-2013-2260 | Cryptocat Project | Insufficient Entropy vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22: Cryptocat.random() Function Array Key has Entropy Weakness | 9.8 |
2019-11-04 | CVE-2013-2259 | Cryptocat Project | Improper Input Validation vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22 has Arbitrary Code Execution on Firefox Conversation Overview | 9.8 |
2019-11-04 | CVE-2013-4103 | Cryptocat Project | Improper Input Validation vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22 has Remote Script Injection due to improperly sanitizing user input | 9.8 |
2019-11-07 | CVE-2007-3915 | Mandriva | Exposure of Resource to Wrong Sphere vulnerability in Mandriva Mondo 2.24 Mondo 2.24 has insecure handling of temporary files. | 9.1 |
2019-11-06 | CVE-2014-3180 | Linux | Out-of-bounds Read vulnerability in multiple products In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. | 9.1 |
2019-11-04 | CVE-2013-4102 | Cryptocat Project | Use of Insufficiently Random Values vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22 strophe.js Math.random() Random Number Generator Weakness | 9.1 |
148 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-11-09 | CVE-2018-1721 | IBM | XML Injection (aka Blind XPath Injection) vulnerability in IBM Cognos Analytics 11.0.0/11.1.0 IBM Cognos Analytics 11.0 and 11.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. | 8.8 |
2019-11-08 | CVE-2019-3426 | ZTE | Improper Input Validation vulnerability in ZTE Zxupn-9000E Firmware The 9000EV5.0R1B12 version, and all earlier versions of ZTE product ZXUPN-9000E are impacted by the input validation vulnerability. | 8.8 |
2019-11-08 | CVE-2019-3425 | ZTE | Incorrect Permission Assignment for Critical Resource vulnerability in ZTE Zxupn-9000E Firmware The 9000EV5.0R1B12 version, and all earlier versions of ZTE product ZXUPN-9000E are impacted by vulnerability of permission and access control. | 8.8 |
2019-11-08 | CVE-2019-17661 | Admincolumns | Improper Neutralization of Formula Elements in a CSV File vulnerability in Admincolumns Admin Columns 3.4.6 A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. | 8.8 |
2019-11-08 | CVE-2019-16205 | Broadcom | Use of Insufficiently Random Values vulnerability in Broadcom Brocade Sannav 1.1.0/1.1.1 A vulnerability, in Brocade SANnav versions before v2.0, could allow remote attackers to brute-force a valid session ID. | 8.8 |
2019-11-07 | CVE-2019-3465 | Xmlseclibs Project Debian Simplesamlphp | Improper Verification of Cryptographic Signature vulnerability in multiple products Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message. | 8.8 |
2019-11-07 | CVE-2019-17605 | Eyecomms | Authorization Bypass Through User-Controlled Key vulnerability in Eyecomms Eyecms 20191015 A mass assignment vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to take over another candidate's account (by also exploiting CVE-2019-17604) via a modified candidate id and an additional password parameter. | 8.8 |
2019-11-07 | CVE-2019-16877 | Portainer | Unspecified vulnerability in Portainer Portainer before 1.22.1 has Incorrect Access Control (issue 4 of 4). | 8.8 |
2019-11-07 | CVE-2019-12331 | Phpoffice | XXE vulnerability in PHPoffice PHPspreadsheet PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. | 8.8 |
2019-11-06 | CVE-2019-18411 | Zohocorp | Cross-Site Request Forgery (CSRF) vulnerability in Zohocorp Manageengine Adselfservice Plus Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. | 8.8 |
2019-11-06 | CVE-2014-9013 | Wpmarketplace Project | Improper Input Validation vulnerability in Wpmarketplace Project Wpmarketplace 2.4.0 The ajaxinit function in wpmarketplace/libs/cart.php in the WP Marketplace plugin 2.4.0 for WordPress allows remote authenticated users to create arbitrary users and gain admin privileges via a request to wpmp_pp_ajax_call with an execution target of wp_insert_user. | 8.8 |
2019-11-06 | CVE-2019-18800 | Rakuten | Cleartext Transmission of Sensitive Information vulnerability in Rakuten Viber Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. | 8.8 |
2019-11-06 | CVE-2019-13079 | Quest | SQL Injection vulnerability in Quest Kace Systems Management Appliance 9.1.317 Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. | 8.8 |
2019-11-06 | CVE-2019-13078 | Quest | SQL Injection vulnerability in Quest Kace Systems Management Appliance 9.1.317 Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. | 8.8 |
2019-11-06 | CVE-2019-13076 | Quest | SQL Injection vulnerability in Quest Kace Systems Management Appliance 9.1.317 Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. | 8.8 |
2019-11-06 | CVE-2019-18650 | Joomla | Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.13. | 8.8 |
2019-11-06 | CVE-2019-8159 | Magento | OS Command Injection vulnerability in Magento A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-06 | CVE-2019-8154 | Magento | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Magento A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-06 | CVE-2019-8150 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-06 | CVE-2019-8137 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-06 | CVE-2019-8134 | Magento | SQL Injection vulnerability in Magento A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-06 | CVE-2019-8130 | Magento | SQL Injection vulnerability in Magento A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-05 | CVE-2019-8127 | Magento | SQL Injection vulnerability in Magento A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-05 | CVE-2019-8122 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. | 8.8 |
2019-11-05 | CVE-2019-8111 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-05 | CVE-2019-8110 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-05 | CVE-2019-8093 | Magento | Unrestricted Upload of File with Dangerous Type vulnerability in Magento An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.8 |
2019-11-05 | CVE-2019-17062 | Oxid Esales | Session Fixation vulnerability in Oxid-Esales Eshop An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. | 8.8 |
2019-11-05 | CVE-2013-6364 | Horde Debian | Cross-site Scripting vulnerability in multiple products Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book | 8.8 |
2019-11-04 | CVE-2010-3663 | Typo3 | Unrestricted Upload of File with Dangerous Type vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend. | 8.8 |
2019-11-04 | CVE-2010-3662 | Typo3 | SQL Injection vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend. | 8.8 |
2019-11-04 | CVE-2018-19031 | 360 | Command Injection vulnerability in 360 products A command injection vulnerability exists when the authorized user passes crafted parameter to background process in the router. | 8.8 |
2019-11-09 | CVE-2009-4011 | DTC XEN Project | Race Condition vulnerability in Dtc-Xen Project Dtc-Xen dtc-xen 0.5.x before 0.5.4 suffers from a race condition where an attacker could potentially get a bash access as xenXX user on the dom0, and then access a potentially reuse an already opened VPS console. | 8.1 |
2019-11-06 | CVE-2019-10529 | Qualcomm | Use After Free vulnerability in Qualcomm products Possible use after free issue due to race condition while attempting to mark the entry pages as dirty using function set_page_dirty() in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 8.1 |
2019-11-06 | CVE-2006-4245 | Archivemail Project Debian | Race Condition vulnerability in multiple products archivemail 0.6.2 uses temporary files insecurely leading to a possible race condition. | 8.1 |
2019-11-04 | CVE-2019-13496 | Oneidentity | Improper Validation of Integrity Check Value vulnerability in Oneidentity Cloud Access Manager One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP bypass via vectors involving a man in the middle, the One Identity Defender product, and replacing a failed SAML response with a successful SAML response. | 8.1 |
2019-11-05 | CVE-2019-8109 | Magento | Cross-Site Request Forgery (CSRF) vulnerability in Magento A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 8.0 |
2019-11-09 | CVE-2019-5701 | Nvidia | Uncontrolled Search Path Element vulnerability in Nvidia Geforce Experience NVIDIA GeForce Experience, all versions prior to 3.20.0.118, contains a vulnerability when GameStream is enabled in which an attacker with local system access can load the Intel graphics driver DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service, information disclosure, or escalation of privileges through code execution. | 7.8 |
2019-11-09 | CVE-2019-5692 | Nvidia | Improper Validation of Array Index vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the product uses untrusted input when calculating or using an array index, which may lead to escalation of privileges or denial of service. | 7.8 |
2019-11-09 | CVE-2019-5691 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which a NULL pointer is dereferenced, which may lead to denial of service or escalation of privileges. | 7.8 |
2019-11-09 | CVE-2019-5690 | Nvidia | Out-of-bounds Write vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the size of an input buffer is not validated, which may lead to denial of service or escalation of privileges. | 7.8 |
2019-11-09 | CVE-2019-5689 | Nvidia | Unspecified vulnerability in Nvidia Geforce Experience NVIDIA GeForce Experience, all versions prior to 3.20.1, contains a vulnerability in the Downloader component in which a user with local system access can craft input that may allow malicious files to be downloaded and saved. | 7.8 |
2019-11-08 | CVE-2019-13539 | Medtronic | Inadequate Encryption Strength vulnerability in Medtronic products Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. | 7.8 |
2019-11-08 | CVE-2019-16207 | Broadcom | Use of Hard-coded Credentials vulnerability in Broadcom Brocade Sannav 1.1.0/1.1.1 Brocade SANnav versions before v2.0 use a hard-coded password, which could allow local authenticated attackers to access a back-end database and gain privileges. | 7.8 |
2019-11-07 | CVE-2008-3278 | Redhat | Insecure Default Initialization of Resource vulnerability in Redhat Frysk 20080805 frysk packages through 2008-08-05 as shipped in Red Hat Enterprise Linux 5 are built with an insecure RPATH set in the ELF header of multiple binaries in /usr/bin/f* (e.g. | 7.8 |
2019-11-06 | CVE-2019-5125 | Leadtools | Out-of-bounds Write vulnerability in Leadtools 20.0.0.0.0/20.0.2019.3.15 An exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20. | 7.8 |
2019-11-06 | CVE-2019-5100 | Leadtools | Integer Overflow or Wraparound vulnerability in Leadtools 20.0.2019.3.15 An exploitable integer overflow vulnerability exists in the BMP header parsing functionality of LEADTOOLS 20. | 7.8 |
2019-11-06 | CVE-2019-5099 | Leadtools | Integer Underflow (Wrap or Wraparound) vulnerability in Leadtools 20.0.2019.3.15 An exploitable integer underflow vulnerability exists in the CMP-parsing functionality of LEADTOOLS 20. | 7.8 |
2019-11-06 | CVE-2019-5084 | Leadtools | Out-of-bounds Write vulnerability in Leadtools 20.0.2019.3.15 An exploitable heap out-of-bounds write vulnerability exists in the TIF-parsing functionality of LEADTOOLS 20. | 7.8 |
2019-11-06 | CVE-2019-2246 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Thread start can cause invalid memory writes to arbitrary memory location since the argument is passed by user to kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9205, MDM9640, MSM8996AU, QCA6574, QCS605, Qualcomm 215, SD 425, SD 427, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016, SXR1130 | 7.8 |
2019-11-06 | CVE-2019-10524 | Qualcomm | Use After Free vulnerability in Qualcomm products Lack of check for a negative value returned for get_clk is wrongly interpreted as valid pointer and lead to use after free in clk driver in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 7.8 |
2019-11-06 | CVE-2019-10512 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Payload size is not checked before using it as array index in audio in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130 | 7.8 |
2019-11-06 | CVE-2019-10502 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Possible stack overflow when an index equal to io buffer size is accessed in camera module in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM439, SDX24 | 7.8 |
2019-11-06 | CVE-2019-10496 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Lack of checking a variable received from driver and populating in Firmware data structure leads to buffer overflow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130 | 7.8 |
2019-11-06 | CVE-2019-10491 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products ADSP can be compromised since it`s a general-purpose CPU processing untrusted data in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 7.8 |
2019-11-05 | CVE-2019-5089 | Investintech | Integer Overflow or Wraparound vulnerability in Investintech Able2Extract 14.0.7 An exploitable memory corruption vulnerability exists in Investintech Able2Extract Professional 4.0.7 x64. | 7.8 |
2019-11-05 | CVE-2019-5088 | Investintech | Out-of-bounds Write vulnerability in Investintech Able2Extract 14.0.7 An exploitable memory corruption vulnerability exists in Investintech Able2Extract Professional 14.0.7 x64. | 7.8 |
2019-11-05 | CVE-2019-18631 | Centrify | Deserialization of Untrusted Data vulnerability in Centrify products The Windows component of Centrify Authentication and Privilege Elevation Services 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1 (18.8), 3.5.2 (18.11), and 3.6.0 (19.6) does not properly handle an unspecified exception during use of partially trusted assemblies to serialize input data, which allows attackers to execute arbitrary code inside the Centrify process via (1) a crafted application that makes a pipe connection to the process and sends malicious serialized data or (2) a crafted Microsoft Management Console snap-in control file. | 7.8 |
2019-11-04 | CVE-2017-5333 | Icoutils Project Redhat Canonical Debian Opensuse | Integer Overflow or Wraparound vulnerability in multiple products Integer overflow in the extract_group_icon_cursor_resource function in b/wrestool/extract.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) or execute arbitrary code via a crafted executable file. | 7.8 |
2019-11-04 | CVE-2017-5332 | Icoutils Project Redhat Canonical Debian Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The extract_group_icon_cursor_resource in wrestool/extract.c in icoutils before 0.31.1 can access unallocated memory, which allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable. | 7.8 |
2019-11-04 | CVE-2017-5331 | Icoutils Project Canonical Debian Opensuse | Integer Overflow or Wraparound vulnerability in multiple products Integer overflow in the check_offset function in b/wrestool/fileread.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable. | 7.8 |
2019-11-04 | CVE-2013-4251 | Scipy Fedoraproject Redhat Debian | Improper Privilege Management vulnerability in multiple products The scipy.weave component in SciPy before 0.12.1 creates insecure temporary directories. | 7.8 |
2019-11-04 | CVE-2005-4890 | Sudo Project Debian Redhat | Improper Input Validation vulnerability in multiple products There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". | 7.8 |
2019-11-05 | CVE-2019-15966 | Cisco | Improper Input Validation vulnerability in Cisco Telepresence Advanced Media Gateway 1.1 A vulnerability in the web application of Cisco TelePresence Advanced Media Gateway could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.7 |
2019-11-05 | CVE-2019-3685 | Opensuse | Improper Certificate Validation vulnerability in Opensuse Open Build Service Open Build Service before version 0.165.4 diddn't validate TLS certificates for HTTPS connections with the osc client binary | 7.7 |
2019-11-09 | CVE-2019-18840 | Wolfssl | Out-of-bounds Write vulnerability in Wolfssl 4.1.0/4.2.0/4.2.0C In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handshaking. | 7.5 |
2019-11-08 | CVE-2019-13543 | Medtronic | Use of Hard-coded Credentials vulnerability in Medtronic products Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. | 7.5 |
2019-11-08 | CVE-2019-12410 | Apache | Missing Initialization of Resource vulnerability in Apache Arrow While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. | 7.5 |
2019-11-08 | CVE-2019-12408 | Apache | Missing Initialization of Resource vulnerability in Apache Arrow 0.14.0/0.14.1 It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. | 7.5 |
2019-11-08 | CVE-2019-16208 | Broadcom | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Brocade Sannav 1.1.0/1.1.1 Password-based encryption (PBE) algorithm, of Brocade SANnav versions before v2.0, has a weakness in generating cryptographic keys that may allow an attacker to decrypt passwords used with several services (Radius, TACAS, etc.). | 7.5 |
2019-11-08 | CVE-2013-1889 | MOD Ruid2 Project | Improper Input Validation vulnerability in MOD Ruid2 Project MOD Ruid2 mod_ruid2 before 0.9.8 improperly handles file descriptors which allows remote attackers to bypass security using a CGI script to break out of the chroot. | 7.5 |
2019-11-08 | CVE-2019-10222 | Ceph Redhat Fedoraproject | Improper Handling of Exceptional Conditions vulnerability in multiple products A flaw was found in the Ceph RGW configuration with Beast as the front end handling client requests. | 7.5 |
2019-11-08 | CVE-2008-7272 | Getfiregpg | Cleartext Storage of Sensitive Information vulnerability in Getfiregpg Firegpg FireGPG before 0.6 handle user’s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users’s private key. | 7.5 |
2019-11-07 | CVE-2013-1809 | Gambas Project Debian | Link Following vulnerability in multiple products Gambas before 3.4.0 allows remote attackers to move or manipulate directory contents or perform symlink attacks due to the creation of insecure temporary directories. | 7.5 |
2019-11-07 | CVE-2013-1771 | Monkey Project | Information Exposure Through Log Files vulnerability in Monkey-Project Monkey The web server Monkeyd produces a world-readable log (/var/log/monkeyd/master.log) on gentoo. | 7.5 |
2019-11-07 | CVE-2007-5743 | Viewvc Debian | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option. | 7.5 |
2019-11-07 | CVE-2010-2450 | Shibboleth Debian | Use of Password Hash With Insufficient Computational Effort vulnerability in multiple products The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. | 7.5 |
2019-11-07 | CVE-2010-2243 | Linux | Improper Input Validation vulnerability in Linux Kernel A vulnerability exists in kernel/time/clocksource.c in the Linux kernel before 2.6.34 where on non-GENERIC_TIME systems (GENERIC_TIME=n), accessing /sys/devices/system/clocksource/clocksource0/current_clocksource results in an OOPS. | 7.5 |
2019-11-07 | CVE-2019-18813 | Linux Canonical | Memory Leak vulnerability in multiple products A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures, aka CID-9bbfceea12a8. | 7.5 |
2019-11-07 | CVE-2019-18812 | Linux | Memory Leak vulnerability in Linux Kernel A memory leak in the sof_dfsentry_write() function in sound/soc/sof/debug.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-c0a333d842ef. | 7.5 |
2019-11-07 | CVE-2019-18810 | Linux Canonical | Memory Leak vulnerability in multiple products A memory leak in the komeda_wb_connector_add() function in drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering drm_writeback_connector_init() failures, aka CID-a0ecd6fdbf5d. | 7.5 |
2019-11-07 | CVE-2019-18807 | Linux | Memory Leak vulnerability in Linux Kernel Two memory leaks in the sja1105_static_config_upload() function in drivers/net/dsa/sja1105/sja1105_spi.c in the Linux kernel before 5.3.5 allow attackers to cause a denial of service (memory consumption) by triggering static_config_buf_prepare_for_upload() or sja1105_inhibit_tx() failures, aka CID-68501df92d11. | 7.5 |
2019-11-07 | CVE-2019-16876 | Portainer | Path Traversal vulnerability in Portainer Portainer before 1.22.1 allows Directory Traversal. | 7.5 |
2019-11-07 | CVE-2019-18804 | Djvulibre Project Debian Fedoraproject Canonical Opensuse | NULL Pointer Dereference vulnerability in multiple products DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU::filter_fv at IW44EncodeCodec.cpp. | 7.5 |
2019-11-07 | CVE-2019-15004 | Atlassian | Path Traversal vulnerability in Atlassian Jira Service Desk The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. | 7.5 |
2019-11-06 | CVE-2009-5045 | Eclipse Debian | Information Exposure vulnerability in multiple products Dump Servlet information leak in jetty before 6.1.22. | 7.5 |
2019-11-06 | CVE-2011-1298 | Integer Overflow or Wraparound vulnerability in Google Blink An Integer Overflow exists in WebKit in Google Chrome before Blink M11 in the macOS WebCore::GraphicsContext::fillRect function. | 7.5 | |
2019-11-06 | CVE-2009-5050 | Konversation | Improper Input Validation vulnerability in Konversation konversation before 1.2.3 allows attackers to cause a denial of service. | 7.5 |
2019-11-06 | CVE-2019-6120 | Nicehash | Allocation of Resources Without Limits or Throttling vulnerability in Nicehash Miner An issue was discovered in NiceHash Miner before 2.0.3.0. | 7.5 |
2019-11-06 | CVE-2019-10488 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Null pointer dereference can occur while parsing invalid chunks while playing the nonstandard clip in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20 | 7.5 |
2019-11-06 | CVE-2010-2247 | Makepasswd Project | Insecure Default Initialization of Resource vulnerability in Makepasswd Project Makepasswd 1.10 makepasswd 1.10 default settings generate insecure passwords | 7.5 |
2019-11-06 | CVE-2011-4625 | Simplesamlphp Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products simplesamlphp before 1.6.3 (squeeze) and before 1.8.2 (sid) incorrectly handles XML encryption which could allow remote attackers to decrypt or forge messages. | 7.5 |
2019-11-06 | CVE-2019-8155 | Magento | Cross-Site Request Forgery (CSRF) vulnerability in Magento Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. | 7.5 |
2019-11-05 | CVE-2019-8116 | Magento | Session Fixation vulnerability in Magento Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 7.5 |
2019-11-05 | CVE-2019-8112 | Magento | Insufficient Verification of Data Authenticity vulnerability in Magento A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 7.5 |
2019-11-05 | CVE-2018-19167 | Cloakcoin | Resource Exhaustion vulnerability in Cloakcoin CloakCoin through 2.2.2.0 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19166 | Peercoin | Resource Exhaustion vulnerability in Peercoin peercoin through 0.6.4 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19165 | Nebl | Resource Exhaustion vulnerability in Nebl Neblio neblio through 1.5.1 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19164 | Reddcoin | Resource Exhaustion vulnerability in Reddcoin reddcoin through 2.1.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19163 | Stratisplatform | Resource Exhaustion vulnerability in Stratisplatform Stratisx stratisX through 2.0.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19162 | Diviproject | Resource Exhaustion vulnerability in Diviproject Divi Divi through 4.0.5 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19161 | Alqo | Resource Exhaustion vulnerability in Alqo alqo through 4.1 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19160 | BIT Diamonds | Resource Exhaustion vulnerability in Bit.Diamonds Diamond Diamond through 3.0.1.2 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19159 | Luxcore | Resource Exhaustion vulnerability in Luxcore LUX lux through 5.2.2 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19157 | Phore | Resource Exhaustion vulnerability in Phore Phore through 1.3.3.1 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19156 | Pivx | Resource Exhaustion vulnerability in Pivx PIVX through 3.1.03 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. | 7.5 |
2019-11-05 | CVE-2018-19155 | Navcoin | Resource Exhaustion vulnerability in Navcoin navcoin through 4.3.0 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. | 7.5 |
2019-11-05 | CVE-2018-19154 | Htmlcoin | Resource Exhaustion vulnerability in Htmlcoin HTMLCOIN through 2.12 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. | 7.5 |
2019-11-05 | CVE-2018-19153 | Particl | Resource Exhaustion vulnerability in Particl particl through 0.17 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. | 7.5 |
2019-11-05 | CVE-2018-19152 | Emercoin | Resource Exhaustion vulnerability in Emercoin emercoin through 0.7 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. | 7.5 |
2019-11-05 | CVE-2019-10084 | Apache | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Impala In Apache Impala 2.7.0 to 3.2.0, an authenticated user with access to the IDs of active Impala queries or sessions can interact with those sessions or queries via a specially-constructed request and thereby potentially bypass authorization and audit mechanisms. | 7.5 |
2019-11-05 | CVE-2010-2222 | Redhat | NULL Pointer Dereference vulnerability in Redhat 389 Directory Server and Directory Server The _ger_parse_control function in Red Hat Directory Server 8 and the 389 Directory Server allows attackers to cause a denial of service (NULL pointer dereference) via a crafted search query. | 7.5 |
2019-11-05 | CVE-2019-1789 | Clamav | Out-of-bounds Read vulnerability in Clamav ClamAV versions prior to 0.101.2 are susceptible to a denial of service (DoS) vulnerability. | 7.5 |
2019-11-05 | CVE-2019-12625 | Clamav | Improper Resource Shutdown or Release vulnerability in Clamav ClamAV versions prior to 0.101.3 are susceptible to a zip bomb vulnerability where an unauthenticated attacker can cause a denial of service condition by sending crafted messages to an affected system. | 7.5 |
2019-11-05 | CVE-2019-17598 | Lightbend | Inadequate Encryption Strength vulnerability in Lightbend Play Framework An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. | 7.5 |
2019-11-05 | CVE-2019-17221 | Phantomjs | Files or Directories Accessible to External Parties vulnerability in Phantomjs PhantomJS through 2.1.1 has an arbitrary file read vulnerability, as demonstrated by an XMLHttpRequest for a file:// URI. | 7.5 |
2019-11-04 | CVE-2010-3668 | Typo3 | Injection vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl. | 7.5 |
2019-11-04 | CVE-2019-18178 | Amazon | Use After Free vulnerability in Amazon Freertos+Fat 160919A Real Time Engineers FreeRTOS+FAT 160919a has a use after free. | 7.5 |
2019-11-04 | CVE-2019-17210 | ARM | Improper Input Validation vulnerability in ARM Mbed-Mqtt and Mbed-Os A denial-of-service issue was discovered in the MQTT library in Arm Mbed OS 2017-11-02. | 7.5 |
2019-11-04 | CVE-2013-4105 | Cryptocat Project | Information Exposure vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22 has Multiparty Encryption Scheme Information Disclosure | 7.5 |
2019-11-04 | CVE-2013-2257 | Cryptocat Project | Improper Restriction of Excessive Authentication Attempts vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.42 has Group Chat ECC Private Key Generation Brute Force Weakness | 7.5 |
2019-11-04 | CVE-2013-4104 | Cryptocat Project | Inadequate Encryption Strength vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22 has weak encryption in the Socialist Millionnaire Protocol | 7.5 |
2019-11-04 | CVE-2013-2262 | Cryptocat Project | Information Exposure vulnerability in Cryptocat Project Cryptocat Cryptocat strophe.js before 2.0.22 has information disclosure | 7.5 |
2019-11-04 | CVE-2013-2261 | Cryptocat Project | Information Exposure vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22 Chrome Extension 'img/keygen.gif' has Information Disclosure | 7.5 |
2019-11-04 | CVE-2019-18680 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel An issue was discovered in the Linux kernel 4.4.x before 4.4.195. | 7.5 |
2019-11-04 | CVE-2019-0350 | SAP | Unspecified vulnerability in SAP Hana Database 1.00/2.00 SAP HANA Database, versions 1.0, 2.0, allows an unauthorized attacker to send a malformed connection request, which crashes the indexserver of an SAP HANA instance, leading to Denial of Service | 7.5 |
2019-11-04 | CVE-2013-4100 | Cryptocat Project | Improper Input Validation vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22 has Remote Denial of Service via username | 7.5 |
2019-11-04 | CVE-2013-4412 | Berlios Debian | NULL Pointer Dereference vulnerability in multiple products slim has NULL pointer dereference when using crypt() method from glibc 2.17 | 7.5 |
2019-11-08 | CVE-2019-16209 | Broadcom | Improper Certificate Validation vulnerability in Broadcom Brocade Sannav 1.1.0/1.1.1 A vulnerability, in The ReportsTrustManager class of Brocade SANnav versions before v2.0, could allow an attacker to perform a man-in-the-middle attack against Secure Sockets Layer(SSL)connections. | 7.4 |
2019-11-07 | CVE-2012-0051 | Tahoe Lafs Debian | Improper Input Validation vulnerability in multiple products Tahoe-LAFS 1.9.0 fails to ensure integrity which allows remote attackers to corrupt mutable files or directories upon retrieval. | 7.4 |
2019-11-06 | CVE-2019-10495 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Arbitrary buffer write issue while processing sequence header during HEVC or AVC encoding. | 7.3 |
2019-11-08 | CVE-2019-17327 | Tmaxsoft | Path Traversal vulnerability in Tmaxsoft Jeus 7/8 JEUS 7 Fix#0~5 and JEUS 8Fix#0~1 versions contains a directory traversal vulnerability caused by improper input parameter check when uploading installation file in administration web page. | 7.2 |
2019-11-06 | CVE-2019-8156 | Magento | Server-Side Request Forgery (SSRF) vulnerability in Magento A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 7.2 |
2019-11-06 | CVE-2019-8231 | Magento | Unspecified vulnerability in Magento In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification. | 7.2 |
2019-11-06 | CVE-2019-8230 | Magento | Unspecified vulnerability in Magento In Magentoprior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path. | 7.2 |
2019-11-06 | CVE-2019-8229 | Magento | Unspecified vulnerability in Magento In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates. | 7.2 |
2019-11-06 | CVE-2019-8151 | Magento | Server-Side Request Forgery (SSRF) vulnerability in Magento A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 7.2 |
2019-11-06 | CVE-2019-8141 | Magento | Deserialization of Untrusted Data vulnerability in Magento A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. | 7.2 |
2019-11-05 | CVE-2019-8125 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. | 7.2 |
2019-11-05 | CVE-2019-8119 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. | 7.2 |
2019-11-05 | CVE-2019-8114 | Magento | Unrestricted Upload of File with Dangerous Type vulnerability in Magento A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 7.2 |
2019-11-05 | CVE-2019-8091 | Magento | Unspecified vulnerability in Magento A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. | 7.2 |
2019-11-05 | CVE-2019-16284 | HP | Unspecified vulnerability in HP products A potential security vulnerability has been identified in multiple HP products and versions which involves possible execution of arbitrary code during boot services that can result in elevation of privilege. | 7.2 |
2019-11-09 | CVE-2019-18845 | Patriotmemory | Improper Privilege Management vulnerability in Patriotmemory Viper RGB Firmware 1.0 The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB before 1.1 allow local users (including low integrity processes) to read and write to arbitrary memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, by mapping \Device\PhysicalMemory into the calling process via ZwOpenSection and ZwMapViewOfSection. | 7.1 |
2019-11-09 | CVE-2019-5697 | Nvidia | Unspecified vulnerability in Nvidia Virtual GPU Manager NVIDIA Virtual GPU Manager, all versions, contains a vulnerability in which it may grant a guest access to memory that it does not own, which may lead to information disclosure or denial of service. | 7.1 |
2019-11-04 | CVE-2013-4374 | Redhat | Exposure of Resource to Wrong Sphere vulnerability in Redhat products An insecurity temporary file vulnerability exists in RHQ Mongo DB Drift Server through 2013-09-25 when unpacking zipped files. | 7.1 |
2019-11-04 | CVE-2019-18684 | Sudo Project | Race Condition vulnerability in Sudo Project Sudo Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. | 7.0 |
2019-11-04 | CVE-2019-18683 | Linux Canonical Opensuse Netapp Broadcom Debian | Use After Free vulnerability in multiple products An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. | 7.0 |
173 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-11-06 | CVE-2019-8232 | Magento | Race Condition vulnerability in Magento In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification. | 6.6 |
2019-11-09 | CVE-2009-5004 | Apache | Improper Input Validation vulnerability in Apache Qpid-Cpp 1.0 qpid-cpp 1.0 crashes when a large message is sent and the Digest-MD5 mechanism with a security layer is in use . | 6.5 |
2019-11-09 | CVE-2019-5694 | Nvidia | Uncontrolled Search Path Element vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver, R390 driver version, contains a vulnerability in NVIDIA Control Panel in which it incorrectly loads Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service or information disclosure through code execution. | 6.5 |
2019-11-09 | CVE-2019-4556 | IBM | Unspecified vulnerability in IBM Qradar Advisor With Watson IBM QRadar Advisor 1.0.0 through 2.4.0 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. | 6.5 |
2019-11-08 | CVE-2019-14860 | Redhat | Unspecified vulnerability in Redhat Fuse and Syndesis It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. | 6.5 |
2019-11-08 | CVE-2019-14824 | Fedoraproject Redhat Debian | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. | 6.5 |
2019-11-08 | CVE-2008-5083 | Redhat | Information Exposure vulnerability in Redhat Jboss Operations Network 2.1.0/2.1.2 In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security information about private resources managed by JBoss ON. | 6.5 |
2019-11-07 | CVE-2010-2449 | Gource | Improper Input Validation vulnerability in Gource Gource through 0.26 logs to a predictable file name (/tmp/gource-$UID.tmp), enabling attackers to overwrite an arbitrary file via a symlink attack. | 6.5 |
2019-11-07 | CVE-2010-2473 | Drupal | Improper Input Validation vulnerability in Drupal Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. | 6.5 |
2019-11-07 | CVE-2011-2336 | Improper Handling of Exceptional Conditions vulnerability in Google Blink M11 An issue exists in WebKit in Google Chrome before Blink M12. | 6.5 | |
2019-11-07 | CVE-2011-2807 | Improper Handling of Exceptional Conditions vulnerability in Google Blink M11/M12 Incorrect handling of timer information in Timer.cpp in WebKit in Google Chrome before Blink M13. | 6.5 | |
2019-11-07 | CVE-2011-2353 | Use After Free vulnerability in Google Blink M11/M12 Use after free vulnerability in documentloader in WebKit in Google Chrome before Blink M13 in DocumentWriter::replaceDocument function. | 6.5 | |
2019-11-07 | CVE-2019-16874 | Portainer | Unspecified vulnerability in Portainer Portainer before 1.22.1 has Incorrect Access Control (issue 2 of 4). | 6.5 |
2019-11-06 | CVE-2019-16401 | Samsung | Unspecified vulnerability in Samsung products Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G955USQU5CRG3, Baseband Vendor: Qualcomm Snapdragon 835, Baseband: G955USQU5CRG3), Samsung Galaxy S3 (Android version: 4.3, Build Number: JSS15J.I9300XXUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: I9300XXUGNA8), and Samsung Galaxy Note 2 (Android version: 4.3, Build Number: JSS15J.I9300XUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: N7100DDUFND1) devices allow injection of AT+CIMI and AT+CGSN over Bluetooth, leaking sensitive information such as IMSI, IMEI, call status, call setup stage, internet service status, signal strength, current roaming status, battery level, and call held status. | 6.5 |
2019-11-06 | CVE-2019-16400 | Samsung | Unspecified vulnerability in Samsung products Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G955USQU5CRG3, Baseband Vendor: Qualcomm Snapdragon 835, Baseband: G955USQU5CRG3), Samsung Galaxy S3 (Android version: 4.3, Build Number: JSS15J.I9300XXUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: I9300XXUGNA8), and Samsung Galaxy Note 2 (Android version: 4.3, Build Number: JSS15J.I9300XUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: N7100DDUFND1) devices allow attackers to send AT commands over Bluetooth, resulting in several Denial of Service (DoS) attacks. | 6.5 |
2019-11-06 | CVE-2019-12406 | Apache Oracle | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. | 6.5 |
2019-11-06 | CVE-2011-2808 | Improper Input Validation vulnerability in Google Blink M11/M12 A stale layout root is set as an input element in WebKit in Google Chrome before Blink M13 when a child of a keygen with autofocus is accessed. | 6.5 | |
2019-11-06 | CVE-2019-10504 | Qualcomm | Resource Exhaustion vulnerability in Qualcomm products Firmware not able to send EXT scan response to host within 1 sec due to resource consumption issue in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 845 / SD 850, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016 | 6.5 |
2019-11-06 | CVE-2011-4904 | Typo3 | Improper Input Validation vulnerability in Typo3 TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access control on ExtDirect calls which allows remote attackers to retrieve ExtDirect endpoint services. | 6.5 |
2019-11-06 | CVE-2011-4902 | Typo3 | Improper Input Validation vulnerability in Typo3 TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver. | 6.5 |
2019-11-06 | CVE-2011-4901 | Typo3 | Information Exposure vulnerability in Typo3 TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database. | 6.5 |
2019-11-06 | CVE-2011-4900 | Typo3 Debian | Information Exposure vulnerability in multiple products TYPO3 before 4.5.4 allows Information Disclosure in the backend. | 6.5 |
2019-11-06 | CVE-2011-4627 | Typo3 | Information Exposure vulnerability in Typo3 TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend. | 6.5 |
2019-11-06 | CVE-2019-18799 | Sass Lang | NULL Pointer Dereference vulnerability in Sass-Lang Libsass LibSass before 3.6.3 allows a NULL pointer dereference in Sass::Parser::parseCompoundSelector in parser_selectors.cpp. | 6.5 |
2019-11-06 | CVE-2019-18798 | Sass Lang | Out-of-bounds Read vulnerability in Sass-Lang Libsass LibSass before 3.6.3 allows a heap-based buffer over-read in Sass::weaveParents in ast_sel_weave.cpp. | 6.5 |
2019-11-06 | CVE-2019-18797 | Sass Lang | Uncontrolled Recursion vulnerability in Sass-Lang Libsass LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp. | 6.5 |
2019-11-06 | CVE-2019-10218 | Samba Fedoraproject | Path Traversal vulnerability in multiple products A flaw was found in the samba client, all samba versions before samba 4.11.2, 4.10.10 and 4.9.15, where a malicious server can supply a pathname to the client with separators. | 6.5 |
2019-11-06 | CVE-2019-8143 | Magento | SQL Injection vulnerability in Magento A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 6.5 |
2019-11-06 | CVE-2019-8133 | Magento | Unspecified vulnerability in Magento A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 6.5 |
2019-11-05 | CVE-2019-8108 | Magento | Improper Authentication vulnerability in Magento Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 6.5 |
2019-11-05 | CVE-2019-8107 | Magento | Unspecified vulnerability in Magento An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 6.5 |
2019-11-05 | CVE-2011-1459 | Resource Exhaustion vulnerability in Google Blink The WebKit::WebPluginContainerImpl::handleEvent function in Google Chrome before Blink M11 allows an attacker to cause a denial of service (crash) via the htmlpluginelement.cpp plugin. | 6.5 | |
2019-11-05 | CVE-2019-8090 | Magento | Unspecified vulnerability in Magento An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. | 6.5 |
2019-11-05 | CVE-2019-1877 | Cisco | Improper Authentication vulnerability in Cisco Enterprise Chat and Email 11.6(1)Es9 A vulnerability in the HTTP API of Cisco Enterprise Chat and Email could allow an unauthenticated, remote attacker to download files attached through chat sessions. | 6.5 |
2019-11-05 | CVE-2010-3671 | Typo3 | Session Fixation vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session. | 6.5 |
2019-11-05 | CVE-2013-6275 | Horde Debian | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php. | 6.5 |
2019-11-05 | CVE-2013-6461 | Nokogiri Debian Redhat | XML Entity Expansion vulnerability in multiple products Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits | 6.5 |
2019-11-05 | CVE-2013-6460 | Nokogiri Debian Redhat | XML Entity Expansion vulnerability in multiple products Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents | 6.5 |
2019-11-05 | CVE-2019-10223 | Kubernetes Redhat | Information Exposure vulnerability in multiple products A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. | 6.5 |
2019-11-04 | CVE-2010-3664 | Typo3 | Information Exposure vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend. | 6.5 |
2019-11-04 | CVE-2019-13497 | Oneidentity | Cross-Site Request Forgery (CSRF) vulnerability in Oneidentity Cloud Access Manager One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests. | 6.5 |
2019-11-07 | CVE-2013-1429 | Debian Canonical | Link Following vulnerability in multiple products Lintian before 2.5.12 allows remote attackers to gather information about the "host" system using crafted symlinks. | 6.3 |
2019-11-07 | CVE-2019-3422 | ZTE | Information Exposure vulnerability in ZTE Mf910S Firmware The Sec Consult Security Lab reported an information disclosure vulnerability in MF910S product to ZTE PSIRT in October 2019. | 6.2 |
2019-11-09 | CVE-2009-2802 | Mantisbt | Cross-site Scripting vulnerability in Mantisbt 1.2.0/1.2.1 MantisBT 1.2.x before 1.2.2 insecurely handles attachments and MIME types. | 6.1 |
2019-11-09 | CVE-2019-4645 | IBM | Cross-site Scripting vulnerability in IBM Cognos Analytics 11.0.0/11.1.0 IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. | 6.1 |
2019-11-09 | CVE-2019-4581 | IBM | Cross-site Scripting vulnerability in IBM Qradar Security Information and Event Manager 7.3.0/7.3.1/7.3.2 IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scripting. | 6.1 |
2019-11-09 | CVE-2019-4450 | IBM | Cross-site Scripting vulnerability in IBM I 7.2/7.3/7.4 IBM i 7.2, 7.3, and 7.4 for i is vulnerable to cross-site scripting. | 6.1 |
2019-11-08 | CVE-2019-10219 | Redhat Netapp Oracle | A vulnerability was found in Hibernate-Validator. | 6.1 |
2019-11-07 | CVE-2018-18674 | SIR | Cross-site Scripting vulnerability in SIR Gnuboard 5.3.1.9 GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board tail contents" parameter, aka the adm/board_form_update.php bo_content_tail parameter. | 6.1 |
2019-11-07 | CVE-2013-1426 | Mahara | Cross-site Scripting vulnerability in Mahara Cross-site Scripting (XSS) in Mahara before 1.5.9 and 1.6.x before 1.6.4 allows remote attackers to inject arbitrary web script or HTML via the TinyMCE editor. | 6.1 |
2019-11-07 | CVE-2010-2250 | Drupal | Cross-site Scripting vulnerability in Drupal Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. | 6.1 |
2019-11-07 | CVE-2019-18816 | Popojicms | Cross-site Scripting vulnerability in Popojicms 2.0.1 po-admin/route.php?mod=post&act=edit in PopojiCMS 2.0.1 allows post[1][content]= stored XSS. | 6.1 |
2019-11-07 | CVE-2019-18815 | Popojicms | Open Redirect vulnerability in Popojicms 2.0.1 PopojiCMS 2.0.1 allows refer= Open Redirection. | 6.1 |
2019-11-07 | CVE-2019-17222 | Intelbras | Cross-site Scripting vulnerability in Intelbras WRN 150 Firmware 1.0.17 An issue was discovered on Intelbras WRN 150 1.0.17 devices. | 6.1 |
2019-11-06 | CVE-2009-5046 | Eclipse Debian | Cross-site Scripting vulnerability in multiple products JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22. | 6.1 |
2019-11-06 | CVE-2016-1000037 | Redhat Fedoraproject | Cross-site Scripting vulnerability in multiple products Pagure: XSS possible in file attachment endpoint | 6.1 |
2019-11-06 | CVE-2009-5049 | Mortbay Debian | Cross-site Scripting vulnerability in multiple products WebApp JSP Snoop page XSS in jetty though 6.1.21. | 6.1 |
2019-11-06 | CVE-2009-5048 | Mortbay | Cross-site Scripting vulnerability in Mortbay Jetty Cookie Dump Servlet stored XSS vulnerability in jetty though 6.1.20. | 6.1 |
2019-11-06 | CVE-2010-2471 | Drupal Debian | Open Redirect vulnerability in multiple products Drupal versions 5.x and 6.x has open redirection | 6.1 |
2019-11-06 | CVE-2011-4903 | Typo3 | Cross-site Scripting vulnerability in Typo3 Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the RemoveXSS function. | 6.1 |
2019-11-06 | CVE-2011-4626 | Typo3 | Cross-site Scripting vulnerability in Typo3 Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the "JSwindow" property of the typolink function. | 6.1 |
2019-11-06 | CVE-2017-18639 | Progress | Cross-site Scripting vulnerability in Progress Sitefinity CMS 10.0/4.2 Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : Page Title, /Content/News Parameter : News Title, /Content/List Parameter : List Title, /Content/Documents/LibraryDocuments/incident-request-attachments Parameter : Document Title, /Content/Images/LibraryImages/newsimages Parameter : Image Title, /Content/links Parameter : Link Title, /Content/links Parameter : Link Title, or /Content/Videos/LibraryVideos/default-video-library Parameter : Video Title. | 6.1 |
2019-11-06 | CVE-2019-13077 | Quest | Cross-site Scripting vulnerability in Quest Kace Systems Management Appliance 9.1.317 Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the sam_detail_titled.php SAM_TYPE parameter) that allows an attacker to create a malicious link in order to attack authenticated users. | 6.1 |
2019-11-06 | CVE-2019-12917 | Quest | Cross-site Scripting vulnerability in Quest Kace Systems Management Appliance 9.1.317 A reflected XSS vulnerability exists in Quest KACE Systems Management Appliance Server Center 9.1.317 affecting the userui/software_library.php component via the PATH_INFO. | 6.1 |
2019-11-06 | CVE-2019-8233 | Magento | Cross-site Scripting vulnerability in Magento In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments. | 6.1 |
2019-11-06 | CVE-2019-8153 | Magento | Cross-site Scripting vulnerability in Magento A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 6.1 |
2019-11-05 | CVE-2019-6142 | Forcepoint | Cross-site Scripting vulnerability in Forcepoint Email Security and Security Manager It has been reported that XSS is possible in Forcepoint Email Security, versions 8.5 and 8.5.3. | 6.1 |
2019-11-05 | CVE-2011-1135 | S9Y | Cross-site Scripting vulnerability in S9Y Serendipity Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in plugins/ExtendedFileManager/manager.php and plugins/ImageManager/manager.php. | 6.1 |
2019-11-05 | CVE-2011-1133 | S9Y | Cross-site Scripting vulnerability in S9Y Serendipity Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php. | 6.1 |
2019-11-05 | CVE-2010-3674 | Typo3 Debian | Cross-site Scripting vulnerability in multiple products TYPO3 before 4.4.1 allows XSS in the frontend search box. | 6.1 |
2019-11-05 | CVE-2010-3672 | Typo3 | Cross-site Scripting vulnerability in Typo3 TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea view helper in an extbase extension. | 6.1 |
2019-11-05 | CVE-2013-4107 | Cryptocat Project | Cross-site Scripting vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22: cryptocat.js handlePresence() has cross site scripting | 6.1 |
2019-11-04 | CVE-2014-3649 | Redhat | Cross-site Scripting vulnerability in Redhat Jboss Aerogear 1.0.0/20140919 JBoss AeroGear has reflected XSS via the password field | 6.1 |
2019-11-06 | CVE-2015-7276 | Technicolor | Use of Hard-coded Credentials vulnerability in Technicolor C2000T Firmware and C2100T Firmware Technicolor C2000T and C2100T uses hard-coded cryptographic keys. | 5.9 |
2019-11-05 | CVE-2013-5123 | Pypa Virtualenv Fedoraproject Redhat Debian | Improper Authentication vulnerability in multiple products The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. | 5.9 |
2019-11-05 | CVE-2013-5661 | ISC Nlnetlabs NIC Redhat | Authentication Bypass by Spoofing vulnerability in multiple products Cache Poisoning issue exists in DNS Response Rate Limiting. | 5.9 |
2019-11-05 | CVE-2019-1981 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in the normalization functionality of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. | 5.8 |
2019-11-05 | CVE-2019-1978 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in the stream reassembly component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. | 5.8 |
2019-11-09 | CVE-2009-0035 | Alsa Project | Link Following vulnerability in Alsa-Project Alsa 1.0.19 alsa-utils 1.0.19 and later versions allows local users to overwrite arbitrary files via a symlink attack via the /usr/bin/alsa-info and /usr/bin/alsa-info.sh scripts. | 5.5 |
2019-11-09 | CVE-2019-5696 | Nvidia | Incorrect Calculation of Buffer Size vulnerability in Nvidia Virtual GPU Manager NVIDIA Virtual GPU Manager, all versions, contains a vulnerability in which the provision of an incorrectly sized buffer by a guest VM leads to GPU out-of-bound access, which may lead to a denial of service. | 5.5 |
2019-11-09 | CVE-2019-5693 | Nvidia | Access of Uninitialized Pointer vulnerability in Nvidia GPU Driver NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) in which the program accesses or uses a pointer that has not been initialized, which may lead to denial of service. | 5.5 |
2019-11-08 | CVE-2019-16210 | Broadcom | Missing Encryption of Sensitive Data vulnerability in Broadcom Brocade Sannav 1.1.0/1.1.1 Brocade SANnav versions before v2.0, logs plain text database connection password while triggering support save. | 5.5 |
2019-11-08 | CVE-2019-16206 | Broadcom | Missing Encryption of Sensitive Data vulnerability in Broadcom Brocade Sannav 1.1.0/1.1.1 The authentication mechanism, in Brocade SANnav versions before v2.0, logs plaintext account credentials at the ‘trace’ and the 'debug' logging level; which could allow a local authenticated attacker to access sensitive information. | 5.5 |
2019-11-08 | CVE-2019-3866 | Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in Redhat Openstack-Mistral An information-exposure vulnerability was discovered where openstack-mistral's undercloud log files containing clear-text information were made world readable. | 5.5 |
2019-11-08 | CVE-2013-1820 | Redhat Fedoraproject | Improper Input Validation vulnerability in multiple products tuned before 2.x allows local users to kill running processes due to insecure permissions with tuned's ktune service. | 5.5 |
2019-11-07 | CVE-2007-3732 | Linux | Unspecified vulnerability in Linux Kernel In Linux 2.6 before 2.6.23, the TRACE_IRQS_ON function in iret_exc calls a C function without ensuring that the segments are set properly. | 5.5 |
2019-11-07 | CVE-2019-18821 | Eximioussoft | Out-of-bounds Write vulnerability in Eximioussoft Logo Designer 3.82 Eximious Logo Designer 3.82 has a User Mode Write AV starting at ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x0000000000000053. | 5.5 |
2019-11-07 | CVE-2019-18820 | Eximioussoft | Out-of-bounds Write vulnerability in Eximioussoft Logo Designer 3.82 Eximious Logo Designer 3.82 has Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a78. | 5.5 |
2019-11-07 | CVE-2019-18819 | Eximioussoft | Out-of-bounds Write vulnerability in Eximioussoft Logo Designer 3.82 Eximious Logo Designer 3.82 has a User Mode Write AV starting at ExiVectorRender!StrokeText_Blend+0x00000000000003a7. | 5.5 |
2019-11-07 | CVE-2013-1425 | Ldap GIT Backup Project Debian | Incorrect Default Permissions vulnerability in multiple products ldap-git-backup before 1.0.4 exposes password hashes due to incorrect directory permissions. | 5.5 |
2019-11-07 | CVE-2019-18811 | Linux Fedoraproject Redhat | Memory Leak vulnerability in multiple products A memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering sof_get_ctrl_copy_params() failures, aka CID-45c1380358b1. | 5.5 |
2019-11-07 | CVE-2019-18808 | Linux Fedoraproject Opensuse Canonical | Memory Leak vulnerability in multiple products A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247. | 5.5 |
2019-11-07 | CVE-2019-18806 | Linux | Memory Leak vulnerability in Linux Kernel A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. | 5.5 |
2019-11-06 | CVE-2010-4178 | Oracle Fedoraproject | Insufficiently Protected Credentials vulnerability in multiple products MySQL-GUI-tools (mysql-administrator) leaks passwords into process list after with launch of mysql text console | 5.5 |
2019-11-06 | CVE-2019-2275 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products While deserializing any key blob during key operations, buffer overflow could occur exposing partial key information if any key operations are invoked(Depends on CVE-2018-13907) in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS404, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130 | 5.5 |
2019-11-06 | CVE-2019-10515 | Qualcomm | Use After Free vulnerability in Qualcomm products DCI client which might be preemptively freed up might be accessed for transferring packets leading to kernel error in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 | 5.5 |
2019-11-06 | CVE-2014-8181 | Redhat | Improper Initialization vulnerability in Redhat Enterprise Linux and Enterprise MRG The kernel in Red Hat Enterprise Linux 7 and MRG-2 does not clear garbage data for SG_IO buffer, which may leaking sensitive information to userspace. | 5.5 |
2019-11-06 | CVE-2019-18786 | Linux Canonical | Use of Uninitialized Resource vulnerability in multiple products In the Linux kernel through 5.3.8, f->fmt.sdr.reserved is uninitialized in rcar_drif_g_fmt_sdr_cap in drivers/media/platform/rcar_drif.c, which could cause a memory disclosure problem. | 5.5 |
2019-11-05 | CVE-2019-1734 | Cisco | Unspecified vulnerability in Cisco Firepower Extensible Operating System A vulnerability in the implementation of a CLI diagnostic command in Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to view sensitive system files that should be restricted. | 5.5 |
2019-11-04 | CVE-2013-4280 | Redhat | Exposure of Resource to Wrong Sphere vulnerability in Redhat products Insecure temporary file vulnerability in RedHat vsdm 4.9.6. | 5.5 |
2019-11-04 | CVE-2013-4518 | Redhat | Information Exposure vulnerability in Redhat Update Infrastructure 2.1.3 RHUI (Red Hat Update Infrastructure) 2.1.3 has world readable PKI entitlement certificates | 5.5 |
2019-11-04 | CVE-2013-4423 | Redhat | Insufficiently Protected Credentials vulnerability in Redhat Cloudforms 3.0 CloudForms stores user passwords in recoverable format | 5.5 |
2019-11-09 | CVE-2019-4470 | IBM | Cross-site Scripting vulnerability in IBM Qradar Security Information and Event Manager 7.3.0/7.3.1/7.3.2 IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scripting. | 5.4 |
2019-11-09 | CVE-2019-4454 | IBM | Cross-site Scripting vulnerability in IBM Qradar Security Information and Event Manager 7.3.0/7.3.1/7.3.2 IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scripting. | 5.4 |
2019-11-07 | CVE-2019-16878 | Portainer | Cross-site Scripting vulnerability in Portainer Portainer before 1.22.1 has XSS (issue 2 of 2). | 5.4 |
2019-11-07 | CVE-2019-16873 | Portainer | Cross-site Scripting vulnerability in Portainer Portainer before 1.22.1 has XSS (issue 1 of 2). | 5.4 |
2019-11-06 | CVE-2011-4632 | Typo3 | Cross-site Scripting vulnerability in Typo3 Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the tcemain flash message. | 5.4 |
2019-11-06 | CVE-2011-4631 | Typo3 | Cross-site Scripting vulnerability in Typo3 Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the system extension recycler. | 5.4 |
2019-11-06 | CVE-2011-4630 | Typo3 | Cross-site Scripting vulnerability in Typo3 Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the browse_links wizard. | 5.4 |
2019-11-06 | CVE-2011-4629 | Typo3 | Cross-site Scripting vulnerability in Typo3 Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to inject arbitrary web script or HTML via the admin panel. | 5.4 |
2019-11-06 | CVE-2019-13081 | Quest | Cross-site Scripting vulnerability in Quest Kace Systems Management Appliance 9.1.317 Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via the title field in the /common/ticket_associated_tickets.php service desk ticket functionality) that allows an authenticated user to execute arbitrary JavaScript in a service desk user's browser. | 5.4 |
2019-11-06 | CVE-2019-13080 | Quest | Cross-site Scripting vulnerability in Quest Kace Systems Management Appliance 9.1.317 Quest KACE Systems Management Appliance Server Center 9.1.317 has an XSS vulnerability (via an SVG image and HTML file) that allows an authenticated user to execute arbitrary JavaScript in an administrator's browser. | 5.4 |
2019-11-06 | CVE-2019-14833 | Samba Opensuse Fedoraproject | Weak Password Requirements vulnerability in multiple products A flaw was found in Samba, all versions starting samba 4.5.0 before samba 4.9.15, samba 4.10.10, samba 4.11.2, in the way it handles a user password change or a new password for a samba user. | 5.4 |
2019-11-06 | CVE-2019-8157 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8145 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8132 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8152 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8147 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8146 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8142 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8139 | Magento | Cross-site Scripting vulnerability in Magento 2.3.0/2.3.1/2.3.2 A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8138 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8131 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8129 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-06 | CVE-2019-8128 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-05 | CVE-2019-8120 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. | 5.4 |
2019-11-05 | CVE-2019-8117 | Magento | Cross-site Scripting vulnerability in Magento A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-05 | CVE-2019-8092 | Magento | Cross-site Scripting vulnerability in Magento A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 5.4 |
2019-11-04 | CVE-2010-3669 | Typo3 | Open Redirect vulnerability in Typo3 TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS and Open Redirection in the frontend login box. | 5.4 |
2019-11-04 | CVE-2010-3665 | Typo3 | Cross-site Scripting vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the Extension Manager. | 5.4 |
2019-11-09 | CVE-2019-4412 | IBM | Information Exposure vulnerability in IBM Cognos Controller IBM Cognos Controller stores sensitive information in URL parameters. | 5.3 |
2019-11-08 | CVE-2019-13557 | Philips | Information Exposure vulnerability in Philips Tasy EMR and Tasy Webportal In Tasy EMR, Tasy WebPortal Versions 3.02.1757 and prior, there is an information exposure vulnerability which may allow a remote attacker to access system and configuration information. | 5.3 |
2019-11-07 | CVE-2019-15003 | Atlassian | Path Traversal vulnerability in Atlassian Jira Service Desk The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via authorization bypass. | 5.3 |
2019-11-06 | CVE-2018-20853 | Mailpoet | Unspecified vulnerability in Mailpoet Newsletters An issue was discovered in the MailPoet Newsletters (aka wysija-newsletters) plugin before 2.8.2 for WordPress. | 5.3 |
2019-11-06 | CVE-2019-5643 | Gatech | Missing Authentication for Critical Function vulnerability in Gatech Computing for Good'S Basic Laboratory Information System 3.3/3.4/3.5 Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may enumerate the user names and facility names in use on a particular installation. | 5.3 |
2019-11-06 | CVE-2019-18674 | Joomla | Missing Authorization vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.13. | 5.3 |
2019-11-05 | CVE-2019-8123 | Magento | Unspecified vulnerability in Magento An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. | 5.3 |
2019-11-05 | CVE-2019-8118 | Magento | Cleartext Storage of Sensitive Information vulnerability in Magento Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts. | 5.3 |
2019-11-05 | CVE-2019-8113 | Magento | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Magento Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration. | 5.3 |
2019-11-05 | CVE-2019-1982 | Cisco | Incorrect Default Permissions vulnerability in Cisco products A vulnerability in the HTTP traffic filtering component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. | 5.3 |
2019-11-05 | CVE-2019-1980 | Cisco | Improper Authentication vulnerability in Cisco products A vulnerability in the protocol detection component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. | 5.3 |
2019-11-05 | CVE-2010-3673 | Typo3 | Information Exposure vulnerability in Typo3 TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API. | 5.3 |
2019-11-05 | CVE-2013-6365 | Horde Opensuse Debian | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions | 5.3 |
2019-11-05 | CVE-2013-4110 | Cryptocat Project | Information Exposure vulnerability in Cryptocat Project Cryptocat Cryptocat has an Unspecified Chat Participant User List Disclosure | 5.3 |
2019-11-04 | CVE-2010-3667 | Typo3 | Improper Input Validation vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Spam Abuse in the native form content element. | 5.3 |
2019-11-04 | CVE-2010-3666 | Typo3 | Use of Insufficiently Random Values vulnerability in Typo3 TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function. | 5.3 |
2019-11-04 | CVE-2013-2258 | Cryptocat Project | Unspecified vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22 has Nickname User Impersonation | 5.3 |
2019-11-04 | CVE-2013-4101 | Cryptocat Project | Improper Input Validation vulnerability in Cryptocat Project Cryptocat Cryptocat before 2.0.22 Link Markup Decorator HTML Handling Weakness | 5.3 |
2019-11-07 | CVE-2019-6337 | HP | Unspecified vulnerability in HP products For the printers listed a maliciously crafted print file might cause certain HP Inkjet printers to assert. | 5.2 |
2019-11-06 | CVE-2019-14847 | Samba Opensuse Fedoraproject | NULL Pointer Dereference vulnerability in multiple products A flaw was found in samba 4.0.0 before samba 4.9.15 and samba 4.10.x before 4.10.10. | 4.9 |
2019-11-06 | CVE-2019-8140 | Magento | Unrestricted Upload of File with Dangerous Type vulnerability in Magento An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 4.9 |
2019-11-05 | CVE-2019-8126 | Magento | XXE vulnerability in Magento An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 4.9 |
2019-11-05 | CVE-2019-8124 | Magento | Unspecified vulnerability in Magento An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. | 4.9 |
2019-11-07 | CVE-2010-2472 | Drupal | Cross-site Scripting vulnerability in Drupal Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. | 4.8 |
2019-11-06 | CVE-2019-8228 | Magento | Cross-site Scripting vulnerability in Magento in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template. | 4.8 |
2019-11-06 | CVE-2019-8227 | Magento | Cross-site Scripting vulnerability in Magento In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML. | 4.8 |
2019-11-06 | CVE-2019-8148 | Magento | Cross-site Scripting vulnerability in Magento 2.3.0/2.3.1/2.3.2 A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 4.8 |
2019-11-05 | CVE-2019-8115 | Magento | Cross-site Scripting vulnerability in Magento A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. | 4.8 |
2019-11-05 | CVE-2010-3670 | Typo3 | Inadequate Encryption Strength vulnerability in Typo3 TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function. | 4.8 |
2019-11-08 | CVE-2019-13535 | Medtronic | Incorrect Permission Assignment for Critical Resource vulnerability in Medtronic products In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism does not apply read protection, allowing for full read access of the RFID security mechanism data. | 4.6 |
2019-11-08 | CVE-2019-13531 | Medtronic | Unspecified vulnerability in Medtronic products In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator. | 4.6 |
2019-11-07 | CVE-2019-18809 | Linux Debian Canonical Fedoraproject Opensuse | Memory Leak vulnerability in multiple products A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-2289adbfa559. | 4.6 |
2019-11-09 | CVE-2019-5698 | Nvidia | Improper Validation of Array Index vulnerability in Nvidia Virtual GPU Manager NVIDIA Virtual GPU Manager, all versions, contains a vulnerability in the vGPU plugin, in which an input index value is incorrectly validated, which may lead to denial of service. | 4.4 |
2019-11-05 | CVE-2019-5068 | Mesa3D Opensuse Debian Canonical | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. | 4.4 |
2019-11-09 | CVE-2019-4509 | IBM | Incorrect Authorization vulnerability in IBM Qradar Security Information and Event Manager 7.3.0/7.3.1/7.3.2 IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to incorrect authorization in some components which could allow an authenticated user to obtain sensitive information. | 4.3 |
2019-11-09 | CVE-2019-4411 | IBM | Use of Insufficiently Random Values vulnerability in IBM Cognos Controller IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 could allow an authenticated user to obtain sensitive information due to easy to guess session identifier names. | 4.3 |
2019-11-09 | CVE-2019-4334 | IBM | Unspecified vulnerability in IBM Cognos Analytics 11.0.0/11.1.0 IBM Cognos Analytics 11.0 and 11.1 could reveal sensitive information to an authenticated user that could be used in future attacks against the system. | 4.3 |
2019-11-08 | CVE-2019-15005 | Atlassian | Missing Authorization vulnerability in Atlassian products The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. | 4.3 |
2019-11-07 | CVE-2013-1811 | Mantisbt Debian | Improper Input Validation vulnerability in multiple products An access control issue in MantisBT before 1.2.13 allows users with "Reporter" permissions to change any issue to "New". | 4.3 |
2019-11-07 | CVE-2019-3764 | Dell | Unspecified vulnerability in Dell Idrac7 Firmware, Idrac8 Firmware and Idrac9 Firmware Dell EMC iDRAC7 versions prior to 2.65.65.65, iDRAC8 versions prior to 2.70.70.70 and iDRAC9 versions prior to 3.36.36.36 contain an improper authorization vulnerability. | 4.3 |
2019-11-07 | CVE-2012-0049 | Openttd Debian Fedoraproject | Resource Exhaustion vulnerability in multiple products OpenTTD before 1.1.5 contains a Denial of Service (slow read attack) that prevents users from joining the server. | 4.3 |
2019-11-07 | CVE-2019-17604 | Eyecomms | Authorization Bypass Through User-Controlled Key vulnerability in Eyecomms Eyecms 20191015 An Insecure Direct Object Reference (IDOR) vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to change other candidates' personal information (first name, last name, email, CV, phone number, and all other personal information) by changing the value of the candidate id (the id parameter). | 4.3 |
2019-11-06 | CVE-2014-9014 | Wpmarketplace Project | Path Traversal vulnerability in Wpmarketplace Project Wpmarketplace 2.4.0 Directory traversal vulnerability in the ajaxinit function in wpmarketplace/libs/cart.php in the WP Marketplace plugin before 2.4.1 for WordPress allows remote authenticated users to download arbitrary files via a .. | 4.3 |
7 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-11-06 | CVE-2019-6121 | Nicehash | Missing Authorization vulnerability in Nicehash Miner An issue was discovered in NiceHash Miner before 2.0.3.0. | 3.7 |
2019-11-09 | CVE-2009-3614 | Noping Debian | Improper Input Validation vulnerability in multiple products liboping 1.3.2 allows users reading arbitrary files upon the local system. | 3.3 |
2019-11-06 | CVE-2019-5642 | Rapid7 | Incorrect Permission Assignment for Critical Resource vulnerability in Rapid7 Metasploit 4.15.0/4.15.1/4.16.0 Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. | 3.3 |
2019-11-05 | CVE-2016-4983 | Dovecot Opensuse Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files. | 3.3 |
2019-11-09 | CVE-2009-3552 | Redhat | Improper Certificate Validation vulnerability in Redhat Enterprise Virtualization Manager 2.2 In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAML browser application) to connect to the Red Hat Enterprise Virtualization Manager. | 3.1 |
2019-11-06 | CVE-2019-6122 | Nicehash | Information Exposure Through an Error Message vulnerability in Nicehash Miner A Username Enumeration via Error Message issue was discovered in NiceHash Miner before 2.0.3.0 because an "EMAIL DOES NOT EXIST" error message occurs whenever a submitted email address is incorrect, but there is a different error message for invalid credentials with a correct email address. | 3.1 |
2019-11-05 | CVE-2016-1000002 | Gnome Redhat Debian Opensuse | Information Exposure vulnerability in multiple products gdm3 3.14.2 and possibly later has an information leak before screen lock | 2.4 |