Weekly Vulnerabilities Reports > November 25 to December 1, 2019
Overview
376 new vulnerabilities reported during this period, including 29 critical vulnerabilities and 82 high severity vulnerabilities. This weekly summary report vulnerabilities in 302 products from 129 vendors including Google, Debian, Opensuse, Redhat, and Fedoraproject. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Use After Free", "Information Exposure", and "Incorrect Permission Assignment for Critical Resource".
- 313 reported vulnerabilities are remotely exploitables.
- 2 reported vulnerabilities have public exploit available.
- 92 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 302 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 99 reported vulnerabilities.
- Debian has the most reported critical vulnerabilities, with 11 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
29 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-11-27 | CVE-2019-18253 | Hitachienergy | Path Traversal vulnerability in Hitachienergy Relion 670 Firmware An attacker could use specially crafted paths in a specific request to read or delete files from Relion 670 Series (versions 1p1r26, 1.2.3.17, 2.0.0.10, RES670 2.0.0.4, 2.1.0.1, and prior) outside the intended directory. | 10.0 |
2019-11-27 | CVE-2011-2717 | Linux Redhat | Injection vulnerability in multiple products The DHCPv6 client (dhcp6c) as used in the dhcpv6 project through 2011-07-25 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message. | 10.0 |
2019-11-27 | CVE-2011-2523 | Vsftpd Project Debian | OS Command Injection vulnerability in multiple products vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp. | 10.0 |
2019-11-27 | CVE-2019-18184 | Crestron | OS Command Injection vulnerability in Crestron Dmc-Stro Firmware 1.0 Crestron DMC-STRO 1.0 devices allow remote command execution as root via shell metacharacters to the ping function. | 10.0 |
2019-11-26 | CVE-2019-18580 | Dell | Deserialization of Untrusted Data vulnerability in Dell EMC Storage Monitoring and Reporting 4.3.1 Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Java RMI Deserialization of Untrusted Data vulnerability. | 10.0 |
2019-11-26 | CVE-2019-12489 | Fastweb | OS Command Injection vulnerability in Fastweb Askey Rtv1907Vw Firmware 0.00.81 An issue was discovered on Fastweb Askey RTV1907VW 0.00.81_FW_200_Askey 2018-10-02 18:08:18 devices. | 10.0 |
2019-11-26 | CVE-2019-15958 | Cisco | Improper Input Validation vulnerability in Cisco Prime Infrastructure A vulnerability in the REST API of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM) could allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the underlying operating system. | 10.0 |
2019-12-01 | CVE-2019-18609 | Rabbitmq C Project Fedoraproject Canonical Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. | 9.8 |
2019-11-29 | CVE-2019-14901 | Linux Fedoraproject Debian Canonical | Heap-based Buffer Overflow vulnerability in multiple products A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. | 9.8 |
2019-11-29 | CVE-2019-14897 | Linux Debian Canonical | Stack-based Buffer Overflow vulnerability in multiple products A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. | 9.8 |
2019-11-29 | CVE-2019-14895 | Linux Debian Canonical Fedoraproject Opensuse | Heap-based Buffer Overflow vulnerability in multiple products A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. | 9.8 |
2019-11-27 | CVE-2019-19330 | Haproxy Canonical Debian | Injection vulnerability in multiple products The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks. | 9.8 |
2019-11-27 | CVE-2019-14896 | Linux Redhat Fedoraproject Canonical Debian | Heap-based Buffer Overflow vulnerability in multiple products A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. | 9.8 |
2019-11-26 | CVE-2019-12526 | Squid Cache Canonical Fedoraproject Opensuse Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in Squid before 4.9. | 9.8 |
2019-11-26 | CVE-2019-14842 | Redhat | Incorrect Conversion between Numeric Types vulnerability in Redhat Libnbd Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. | 9.8 |
2019-11-26 | CVE-2019-6675 | F5 | Improper Authentication vulnerability in F5 products BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are exposed to a vulnerability which allows an authentication bypass. | 9.8 |
2019-11-25 | CVE-2019-5866 | Out-of-bounds Write vulnerability in Google Chrome Out of bounds memory access in JavaScript in Google Chrome prior to 75.0.3770.142 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 9.8 | |
2019-11-25 | CVE-2019-5870 | Use After Free vulnerability in Google Chrome Use after free in media in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | 9.6 | |
2019-11-25 | CVE-2019-5850 | Use After Free vulnerability in Google Chrome Use after free in offline mode in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 | |
2019-11-27 | CVE-2012-2248 | Dhclient Project Debian | Improper Input Validation vulnerability in multiple products An issue was discovered in dhclient 4.3.1-6 due to an embedded path variable. | 9.3 |
2019-11-26 | CVE-2019-15286 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 9.3 |
2019-11-26 | CVE-2019-15284 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 9.3 |
2019-11-26 | CVE-2019-15595 | Ubiquiti | Unspecified vulnerability in Ubiquiti Unifi Video Controller A privilege escalation exists in UniFi Video Controller =<3.10.6 that would allow an attacker on the local machine to run arbitrary commands. | 9.3 |
2019-11-29 | CVE-2019-19391 | Luajit Moonjit Project | Type Confusion vulnerability in multiple products In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. | 9.1 |
2019-11-26 | CVE-2019-12523 | Squid Cache Canonical Fedoraproject Opensuse Debian | An issue was discovered in Squid before 4.9. | 9.1 |
2019-11-29 | CVE-2019-16767 | Inist | Unspecified vulnerability in Inist Ezmaster The admin sys mode is now conditional and dedicated for the special case. | 9.0 |
2019-11-27 | CVE-2017-12945 | Mersive | OS Command Injection vulnerability in Mersive Solstice Firmware Insufficient validation of user-supplied input for the Solstice Pod before 2.8.4 networking configuration enables authenticated attackers to execute arbitrary commands as root. | 9.0 |
2019-11-26 | CVE-2019-15271 | Cisco | Deserialization of Untrusted Data vulnerability in Cisco products A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. | 9.0 |
2019-11-25 | CVE-2012-6639 | Canonical Debian Suse | Improper Privilege Management vulnerability in multiple products An privilege elevation vulnerability exists in Cloud-init before 0.7.0 when requests to an untrusted system are submitted for EC2 instance data. | 9.0 |
82 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-11-27 | CVE-2019-10220 | Linux Debian Canonical | Path Traversal vulnerability in multiple products Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists. | 8.8 |
2019-11-27 | CVE-2019-14867 | Freeipa Fedoraproject | Resource Exhaustion vulnerability in multiple products A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. | 8.8 |
2019-11-26 | CVE-2019-17590 | Csrf Magic Project | Cross-Site Request Forgery (CSRF) vulnerability in CSRF Magic Project CSRF Magic 20160327 The csrf_callback function in the CSRF Magic library through 2016-03-27 is vulnerable to CSRF protection bypass as it allows one to tamper with the csrf token values. | 8.8 |
2019-11-25 | CVE-2019-5878 | Use After Free vulnerability in Google Chrome Use after free in V8 in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-5877 | Out-of-bounds Write vulnerability in Google Chrome Out of bounds memory access in JavaScript in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-5876 | Use After Free vulnerability in Google Chrome Use after free in media in Google Chrome on Android prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-5874 | Unspecified vulnerability in Google Chrome Insufficient filtering in URI schemes in Google Chrome on Windows prior to 77.0.3865.75 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-5871 | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in Skia in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-5859 | Unspecified vulnerability in Google Chrome Insufficient filtering in URI schemes in Google Chrome on Windows prior to 76.0.3809.87 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-5858 | Improper Input Validation vulnerability in Google Chrome Incorrect security UI in MacOS services integration in Google Chrome on OS X prior to 76.0.3809.87 allowed a local attacker to execute arbitrary code via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-5856 | Improper Input Validation vulnerability in Google Chrome Insufficient policy enforcement in storage in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-5854 | Integer Overflow or Wraparound vulnerability in Google Chrome Integer overflow in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 8.8 | |
2019-11-25 | CVE-2019-5853 | Incorrect Calculation vulnerability in Google Chrome Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-5851 | Use After Free vulnerability in Google Chrome Use after free in WebAudio in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13724 | Out-of-bounds Write vulnerability in Google Chrome Out of bounds memory access in WebBluetooth in Google Chrome prior to 78.0.3904.108 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13723 | Google Fedoraproject Opensuse Redhat | Use After Free vulnerability in multiple products Use after free in WebBluetooth in Google Chrome prior to 78.0.3904.108 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2019-11-25 | CVE-2019-13721 | Use After Free vulnerability in Google Chrome Use after free in PDFium in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13720 | Google Opensuse | Use After Free vulnerability in multiple products Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2019-11-25 | CVE-2019-13700 | Google Opensuse | Out-of-bounds Write vulnerability in multiple products Out of bounds memory access in the gamepad API in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2019-11-25 | CVE-2019-13699 | Google Opensuse | Use After Free vulnerability in multiple products Use after free in media in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2019-11-25 | CVE-2019-13698 | Out-of-bounds Write vulnerability in Google Chrome Out of bounds memory access in JavaScript in Google Chrome prior to 73.0.3683.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13696 | Use After Free vulnerability in Google Chrome Use after free in JavaScript in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13695 | Use After Free vulnerability in Google Chrome Use after free in audio in Google Chrome on Android prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13694 | Use After Free vulnerability in Google Chrome Use after free in WebRTC in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13693 | Use After Free vulnerability in Google Chrome Use after free in IndexedDB in Google Chrome prior to 77.0.3865.120 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13692 | Improper Input Validation vulnerability in Google Chrome Insufficient policy enforcement in reader mode in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass site isolation via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13688 | Use After Free vulnerability in Google Chrome Use after free in Blink in Google Chrome prior to 77.0.3865.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13687 | Use After Free vulnerability in Google Chrome Use after free in Blink in Google Chrome prior to 77.0.3865.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13686 | Use After Free vulnerability in Google Chrome Use after free in offline mode in Google Chrome prior to 77.0.3865.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13685 | Use After Free vulnerability in Google Chrome Use after free in sharing view in Google Chrome prior to 77.0.3865.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 | |
2019-11-25 | CVE-2019-13682 | Improper Preservation of Permissions vulnerability in Google Chrome Insufficient policy enforcement in external protocol handling in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | 8.8 | |
2019-11-26 | CVE-2019-16387 | Pega | Exposure of Resource to Wrong Sphere vulnerability in Pega Platform 8.3 PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. | 8.1 |
2019-11-26 | CVE-2019-16255 | Ruby Lang Debian Opensuse Oracle | Code Injection vulnerability in multiple products Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. | 8.1 |
2019-11-25 | CVE-2019-5881 | Out-of-bounds Read vulnerability in Google Chrome Out of bounds read in SwiftShader in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 8.1 | |
2019-11-25 | CVE-2019-5849 | Out-of-bounds Read vulnerability in Google Chrome Out of bounds read in Skia in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 8.1 | |
2019-11-29 | CVE-2019-19396 | Omniosce | Improper Input Validation vulnerability in Omniosce Omnios illumos, as used in OmniOS Community Edition before r151030y, allows a kernel crash via an application with multiple threads calling sendmsg concurrently over a single socket, because uts/common/inet/ip/ip_attr.c mishandles conn_ixa dereferences. | 7.8 |
2019-11-29 | CVE-2019-18922 | Alliedtelesis | Path Traversal vulnerability in Alliedtelesis At-Gs950/8 Firmware A Directory Traversal in the Web interface of the Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047] allows unauthenticated attackers to read arbitrary system files via a GET request. | 7.8 |
2019-11-29 | CVE-2019-19377 | Linux Netapp | Use After Free vulnerability in multiple products In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c. | 7.8 |
2019-11-28 | CVE-2019-18276 | GNU Netapp Oracle | Improper Check for Dropped Privileges vulnerability in multiple products An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. | 7.8 |
2019-11-27 | CVE-2019-14812 | Artifex Fedoraproject | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. | 7.8 |
2019-11-27 | CVE-2019-10216 | Artifex Redhat | In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. | 7.8 |
2019-11-25 | CVE-2019-19252 | Linux | Out-of-bounds Read vulnerability in Linux Kernel vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a. | 7.8 |
2019-11-25 | CVE-2019-13706 | Google Opensuse | Out-of-bounds Write vulnerability in multiple products Out of bounds memory access in PDFium in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 7.8 |
2019-11-25 | CVE-2019-13702 | Google Opensuse | Improper Privilege Management vulnerability in multiple products Inappropriate implementation in installer in Google Chrome on Windows prior to 78.0.3904.70 allowed a local attacker to perform privilege escalation via a crafted executable. | 7.8 |
2019-11-25 | CVE-2019-18675 | Linux | Integer Overflow or Wraparound vulnerability in Linux Kernel The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. | 7.8 |
2019-11-25 | CVE-2019-14815 | Linux Redhat Netapp | Heap-based Buffer Overflow vulnerability in multiple products A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver. | 7.8 |
2019-11-30 | CVE-2013-7484 | Zabbix | Inadequate Encryption Strength vulnerability in Zabbix 2.0.8/4.4.0 Zabbix before 5.0 represents passwords in the users table with unsalted MD5. | 7.5 |
2019-11-28 | CVE-2019-19372 | Rconfig | Path Traversal vulnerability in Rconfig A downloadFile.php download_file path traversal vulnerability in rConfig through 3.9.3 allows attackers to list files in arbitrary folders and potentially download files. | 7.5 |
2019-11-27 | CVE-2019-18247 | Hitachienergy | Improper Input Validation vulnerability in Hitachienergy Relion 650 Firmware and Relion 670 Firmware An attacker may use a specially crafted message to force Relion 650 series (versions 1.3.0.5 and prior) or Relion 670 series (versions 1.2.3.18, 2.0.0.11, 2.1.0.1 and prior) to reboot, which could cause a denial of service. | 7.5 |
2019-11-27 | CVE-2019-6665 | F5 | Unspecified vulnerability in F5 products On BIG-IP ASM 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.3.1, BIG-IQ 6.0.0 and 5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, an attacker with access to the device communication between the BIG-IP ASM Central Policy Builder and the BIG-IQ/Enterprise Manager/F5 iWorkflow will be able to set up the proxy the same way and intercept the traffic. | 7.5 |
2019-11-26 | CVE-2011-1939 | Zend PHP Debian | SQL Injection vulnerability in multiple products SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6. | 7.5 |
2019-11-26 | CVE-2011-1933 | Jifty | SQL Injection vulnerability in Jifty::Dbi Project Jifty::Dbi SQL injection vulnerability in Jifty::DBI before 0.68. | 7.5 |
2019-11-26 | CVE-2019-17392 | Progress | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Progress Sitefinity Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. | 7.5 |
2019-11-26 | CVE-2019-16201 | Ruby Lang Debian | Improper Authentication vulnerability in multiple products WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. | 7.5 |
2019-11-26 | CVE-2019-18679 | Squid Cache Canonical Debian Fedoraproject | Information Exposure vulnerability in multiple products An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. | 7.5 |
2019-11-26 | CVE-2019-18676 | Squid Cache Canonical Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in Squid 3.x and 4.x through 4.8. | 7.5 |
2019-11-26 | CVE-2019-6477 | ISC Fedoraproject | Resource Exhaustion vulnerability in multiple products With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. | 7.5 |
2019-11-26 | CVE-2019-19307 | Cesanta | Infinite Loop vulnerability in Cesanta Mongoose 6.16 An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infinite loop), or possibly cause an out-of-bounds write, by sending a crafted MQTT protocol packet. | 7.5 |
2019-11-26 | CVE-2019-19275 | Python | Out-of-bounds Read vulnerability in Python Typed AST 1.3.0/1.3.1 typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. | 7.5 |
2019-11-26 | CVE-2019-19274 | Python | Out-of-bounds Read vulnerability in Python Typed AST 1.3.0/1.3.1 typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. | 7.5 |
2019-11-26 | CVE-2011-4121 | Ruby Lang | Inadequate Encryption Strength vulnerability in Ruby-Lang Ruby The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. | 7.5 |
2019-11-26 | CVE-2011-4120 | Yubico Linux Debian | Improper Input Validation vulnerability in multiple products Yubico PAM Module before 2.10 performed user authentication when 'use_first_pass' PAM configuration option was not used and the module was configured as 'sufficient' in the PAM configuration. | 7.5 |
2019-11-26 | CVE-2019-19270 | Proftpd Fedoraproject | Improper Certificate Validation vulnerability in multiple products An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. | 7.5 |
2019-11-26 | CVE-2011-3600 | Apache | XXE vulnerability in Apache Ofbiz The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. | 7.5 |
2019-11-26 | CVE-2019-18250 | ABB | Improper Authentication vulnerability in ABB products In all versions of ABB Power Generation Information Manager (PGIM) and Plant Connect, the affected product is vulnerable to authentication bypass, which may allow an attacker to remotely bypass authentication and extract credentials from the affected device. | 7.5 |
2019-11-26 | CVE-2019-11290 | Cloudfoundry | Information Exposure Through Log Files vulnerability in Cloudfoundry Cf-Deployment Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. | 7.5 |
2019-11-26 | CVE-2011-3584 | Guidestar | SQL Injection vulnerability in Guidestar WEC Discussion Forum The TYPO3 Core wec_discussion extension before 2.1.1 is vulnerable to SQL Injection due to improper sanitation of user-supplied input. | 7.5 |
2019-11-26 | CVE-2011-3583 | Typo3 | SQL Injection vulnerability in Typo3 It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. | 7.5 |
2019-11-25 | CVE-2019-19250 | Opentrade Project | SQL Injection vulnerability in Opentrade Project Opentrade 0.2.0 OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js. | 7.5 |
2019-11-25 | CVE-2019-19249 | Querytreeapp | Improper Input Validation vulnerability in Querytreeapp Querytree Controllers/InvitationsController.cs in QueryTree before 3.0.99-beta mishandles invitations. | 7.5 |
2019-11-25 | CVE-2019-19246 | Oniguruma Project PHP Fedoraproject Canonical Debian | Out-of-bounds Read vulnerability in multiple products Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c. | 7.5 |
2019-11-25 | CVE-2019-18374 | Broadcom | Improper Authentication vulnerability in Broadcom Symantec Critical System Protection 8.0.0 Symantec Critical System Protection (CSP), versions 8.0, 8.0 HF1 & 8.0 MP1, may be susceptible to an authentication bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing authentication controls. | 7.5 |
2019-11-25 | CVE-2012-5582 | Opendnssec | Improper Input Validation vulnerability in Opendnssec opendnssec misuses libcurl API | 7.5 |
2019-11-25 | CVE-2019-5880 | Information Exposure vulnerability in Google Chrome Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 7.4 | |
2019-11-25 | CVE-2019-13673 | Missing Authorization vulnerability in Google Chrome Insufficient data validation in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 7.4 | |
2019-11-25 | CVE-2019-13668 | Improper Preservation of Permissions vulnerability in Google Chrome Insufficient policy enforcement in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 7.4 | |
2019-11-25 | CVE-2019-13666 | Information Exposure Through Discrepancy vulnerability in Google Chrome Information leak in storage in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 7.4 | |
2019-11-26 | CVE-2019-16242 | Alcatelmobile | OS Command Injection vulnerability in Alcatelmobile Cingular Flip 2 Firmware B9Huah1 On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an engineering application named omamock that is vulnerable to OS command injection. | 7.2 |
2019-11-26 | CVE-2019-15997 | Cisco | OS Command Injection vulnerability in Cisco DNA Spaces: Connector A vulnerability in Cisco DNA Spaces: Connector could allow an authenticated, local attacker to perform a command injection attack and execute arbitrary commands on the underlying operating system as root. | 7.2 |
2019-11-26 | CVE-2019-15996 | Cisco | OS Command Injection vulnerability in Cisco DNA Spaces: Connector 2.0 A vulnerability in Cisco DNA Spaces: Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. | 7.2 |
2019-11-26 | CVE-2019-15986 | Cisco | Improper Input Validation vulnerability in Cisco Unity Express 9.0.6 A vulnerability in the CLI of Cisco Unity Express could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. | 7.2 |
2019-11-25 | CVE-2012-5617 | Gksu Polkit Project Fedoraproject | Improper Privilege Management vulnerability in multiple products gksu-polkit: permissive PolicyKit policy configuration file allows privilege escalation | 7.2 |
232 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-12-01 | CVE-2019-19469 | Zmanda | Cross-Site Request Forgery (CSRF) vulnerability in Zmanda Amanda 3.3.9 In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks&action=Apply&command= allows CSRF, as demonstrated by command injection with shell metacharacters. | 6.8 |
2019-11-30 | CVE-2019-19468 | 10 Strike | Unrestricted Upload of File with Dangerous Type vulnerability in 10-Strike Free Photo Viewer 1.3 Free Photo Viewer 1.3 allows remote attackers to execute arbitrary code via a crafted BMP and/or TIFF file that triggers a malformed SEH, as demonstrated by a 0012ECB4 FreePhot.00425642 42200008 corrupt entry. | 6.8 |
2019-11-29 | CVE-2019-5225 | Huawei | Classic Buffer Overflow vulnerability in Huawei Mate 20 Firmware, P30 Firmware and P30 PRO Firmware P30, Mate 20, P30 Pro smartphones with software of versions earlier than ELLE-AL00B 9.1.0.193(C00E190R1P21), versions earlier than Hima-AL00B 9.1.0.135(C00E200R2P1), versions earlier than VOGUE-AL00A 9.1.0.193(C00E190R1P12) have a buffer overflow vulnerability on several , the system does not properly validate certain length parameter which an application transports to kernel. | 6.8 |
2019-11-29 | CVE-2019-19378 | Linux | Out-of-bounds Write vulnerability in Linux Kernel 5.0.21 In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c. | 6.8 |
2019-11-27 | CVE-2011-2177 | Apache | Unspecified vulnerability in Apache Openoffice 3.3.0 OpenOffice.org v3.3 allows execution of arbitrary code with the privileges of the user running the OpenOffice.org suite tools. | 6.8 |
2019-11-26 | CVE-2011-3631 | Hardlink Project Debian Redhat | Integer Overflow or Wraparound vulnerability in multiple products Hardlink before 0.1.2 has multiple integer overflows leading to heap-based buffer overflows because of the way string lengths concatenation is done in the calculation of the required memory space to be used. | 6.8 |
2019-11-26 | CVE-2011-3630 | Hardlink Project Debian Redhat | Out-of-bounds Write vulnerability in multiple products Hardlink before 0.1.2 suffer from multiple stack-based buffer overflow flaws because of the way directory trees with deeply nested directories are processed. | 6.8 |
2019-11-26 | CVE-2019-18251 | Omron Teamviewer | In Omron CX-Supervisor, Versions 3.5 (12) and prior, Omron CX-Supervisor ships with Teamviewer Version 5.0.8703 QS. | 6.8 |
2019-11-25 | CVE-2019-16765 | Microsoft | Unspecified vulnerability in Microsoft Codeql 1.0.0 If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the CodeQL extension active, arbitrary code of the attacker's choosing may be executed on the user's behalf. | 6.8 |
2019-11-25 | CVE-2012-5631 | Freeipa | Reliance on Cookies without Validation and Integrity Checking vulnerability in Freeipa 3.0.0 ipa 3.0 does not properly check server identity before sending credential containing cookies | 6.8 |
2019-11-25 | CVE-2011-3351 | Openvas | Link Following vulnerability in Openvas Openvas-Scanner openvas-scanner before 2011-09-11 creates a temporary file insecurely when generating OVAL system characteristics document with the ovaldi integrated tool enabled. | 6.6 |
2019-11-27 | CVE-2019-15300 | Centreon | SQL Injection vulnerability in Centreon web A problem was found in Centreon Web through 19.04.3. | 6.5 |
2019-11-27 | CVE-2019-15298 | Centreon | OS Command Injection vulnerability in Centreon web A problem was found in Centreon Web through 19.04.3. | 6.5 |
2019-11-27 | CVE-2019-10195 | Freeipa Fedoraproject | Information Exposure Through Log Files vulnerability in multiple products A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. | 6.5 |
2019-11-26 | CVE-2019-7319 | Cloudera | Improper Privilege Management vulnerability in Cloudera CDH 6.0.0/6.0.1/6.1.0 An issue was discovered in Cloudera Hue 6.0.0 through 6.1.0. | 6.5 |
2019-11-26 | CVE-2019-4387 | IBM | SQL Injection vulnerability in IBM Sterling B2B Integrator 6.0.0.0/6.0.0.1/6.0.2.0 IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.2.0 is vulnerable to SQL injection. | 6.5 |
2019-11-26 | CVE-2019-18457 | Gitlab | Improper Preservation of Permissions vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.8 through 12.4 when handling Security tokens.. | 6.5 |
2019-11-26 | CVE-2018-20090 | Cloudera | Incorrect Default Permissions vulnerability in Cloudera Data Science Workbench 1.4.0/1.4.1/1.4.2 An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. | 6.5 |
2019-11-26 | CVE-2017-7399 | Cloudera | Improper Privilege Management vulnerability in Cloudera Manager Cloudera Manager 5.8.x before 5.8.5, 5.9.x before 5.9.2, and 5.10.x before 5.10.1 allows a read-only Cloudera Manager user to discover the usernames of other users and elevate the privileges of those users. | 6.5 |
2019-11-26 | CVE-2018-17860 | Cloudera | Incorrect Default Permissions vulnerability in Cloudera CDH Cloudera CDH has Insecure Permissions because ALL cannot be revoked.This affects 5.x through 5.15.1 and 6.x through 6.0.1. | 6.5 |
2019-11-26 | CVE-2016-4572 | Cloudera | Incorrect Authorization vulnerability in Cloudera CDH In Cloudera CDH before 5.7.1, Impala REVOKE ALL ON SERVER commands do not revoke all privileges. | 6.5 |
2019-11-26 | CVE-2015-7831 | Cloudera | Improper Privilege Management vulnerability in Cloudera CDH In Cloudera Hue, there is privilege escalation by a read-only user when CDH 5.x brefore 5.4.9 is used. | 6.5 |
2019-11-26 | CVE-2019-15972 | Cisco | SQL Injection vulnerability in Cisco Unified Communications Manager A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. | 6.5 |
2019-11-26 | CVE-2019-15960 | Cisco | Unspecified vulnerability in Cisco Webex Meetings A vulnerability in the Webex Network Recording Admin page of Cisco Webex Meetings could allow an authenticated, remote attacker to elevate privileges in the context of the affected page. | 6.5 |
2019-11-26 | CVE-2019-15956 | Cisco | Unspecified vulnerability in Cisco Asyncos and web Security Appliance A vulnerability in the web management interface of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform an unauthorized system reset on an affected device. | 6.5 |
2019-11-26 | CVE-2019-15288 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE), Cisco TelePresence Codec (TC), and Cisco RoomOS Software could allow an authenticated, remote attacker to escalate privileges to an unrestricted user of the restricted shell. | 6.5 |
2019-11-26 | CVE-2011-3609 | Redhat | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Jboss Application Server 7.0.0/7.0.1/7.0.2 A CSRF issue was found in JBoss Application Server 7 before 7.1.0. | 6.5 |
2019-11-25 | CVE-2019-5826 | Use After Free vulnerability in Google Chrome Use after free in IndexedDB in Google Chrome prior to 73.0.3683.86 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5825 | Out-of-bounds Write vulnerability in Google Chrome Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5879 | Incorrect Authorization vulnerability in Google Chrome Insufficient policy enforcement in extensions in Google Chrome prior to 77.0.3865.75 allowed an attacker who convinced a user to install a malicious extension to read local files via a crafted Chrome Extension. | 6.5 | |
2019-11-25 | CVE-2019-5872 | Use After Free vulnerability in Google Chrome Use after free in Mojo in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5869 | Use After Free vulnerability in Google Chrome Use after free in Blink in Google Chrome prior to 76.0.3809.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5867 | Out-of-bounds Read vulnerability in Google Chrome Out of bounds read in JavaScript in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5865 | Missing Authorization vulnerability in Google Chrome Insufficient policy enforcement in navigations in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5862 | Improper Input Validation vulnerability in Google Chrome Insufficient data validation in AppCache in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5857 | Out-of-bounds Write vulnerability in Google Chrome Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5855 | Integer Overflow or Wraparound vulnerability in Google Chrome Integer overflow in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 6.5 | |
2019-11-25 | CVE-2019-5852 | Improper Input Validation vulnerability in Google Chrome Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5848 | Cleartext Storage of Sensitive Information vulnerability in Google Chrome Incorrect font handling in autofill in Google Chrome prior to 75.0.3770.142 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5847 | Out-of-bounds Write vulnerability in Google Chrome Inappropriate implementation in JavaScript in Google Chrome prior to 75.0.3770.142 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-5842 | Use After Free vulnerability in Google Chrome Use after free in Blink in Google Chrome prior to 75.0.3770.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-17403 | Nokia | Unrestricted Upload of File with Dangerous Type vulnerability in Nokia Impact Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution. | 6.5 |
2019-11-25 | CVE-2019-13713 | Google Opensuse | Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 |
2019-11-25 | CVE-2019-13709 | Google Opensuse | Authentication Bypass by Spoofing vulnerability in multiple products Insufficient policy enforcement in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | 6.5 |
2019-11-25 | CVE-2019-13697 | Information Exposure Through an Error Message vulnerability in Google Chrome Insufficient policy enforcement in performance APIs in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-13683 | Improper Handling of Exceptional Conditions vulnerability in Google Chrome Insufficient policy enforcement in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-13678 | Unspecified vulnerability in Google Chrome Incorrect data validation in downloads in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-13677 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Chrome Insufficient policy enforcement in site isolation in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass site isolation via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-13670 | Out-of-bounds Write vulnerability in Google Chrome Insufficient data validation in JavaScript in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-13665 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Chrome Insufficient filtering in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass multiple file download protection via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-13664 | Origin Validation Error vulnerability in Google Chrome Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-13662 | Incorrect Default Permissions vulnerability in Google Chrome Insufficient policy enforcement in navigations in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | 6.5 | |
2019-11-25 | CVE-2019-10213 | Redhat | Improper Output Neutralization for Logs vulnerability in Redhat Openshift Container Platform 4.1/4.2 OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. | 6.5 |
2019-11-25 | CVE-2019-10174 | Infinispan Redhat Netapp | Unsafe Reflection vulnerability in multiple products A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. | 6.5 |
2019-11-29 | CVE-2015-3406 | Module Signature Project Canonical | Incorrect Conversion between Numeric Types vulnerability in multiple products The PGP signature parsing in Module::Signature before 0.74 allows remote attackers to cause the unsigned portion of a SIGNATURE file to be treated as the signed portion via unspecified vectors. | 6.4 |
2019-11-27 | CVE-2013-2625 | Otrs Debian Opensuse | Improper Privilege Management vulnerability in multiple products An Access Bypass issue exists in OTRS Help Desk before 3.2.4, 3.1.14, and 3.0.19, OTRS ITSM before 3.2.3, 3.1.8, and 3.0.7, and FAQ before 2.2.3, 2.1.4, and 2.0.8. | 6.4 |
2019-11-26 | CVE-2019-15845 | Ruby Lang Canonical | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions. | 6.4 |
2019-11-25 | CVE-2015-1396 | GNU Debian | Path Traversal vulnerability in multiple products A Directory Traversal vulnerability exists in the GNU patch before 2.7.4. | 6.4 |
2019-11-27 | CVE-2016-1000110 | Python Debian Fedoraproject | Open Redirect vulnerability in multiple products The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests. | 6.1 |
2019-11-26 | CVE-2019-18677 | Squid Cache Canonical Fedoraproject | Cross-Site Request Forgery (CSRF) vulnerability in multiple products An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). | 6.1 |
2019-11-26 | CVE-2019-14857 | Openidc | Open Redirect vulnerability in Openidc MOD Auth Openidc A flaw was found in mod_auth_openidc before version 2.4.0.1. | 6.1 |
2019-11-25 | CVE-2019-17632 | Eclipse | Cross-site Scripting vulnerability in Eclipse Jetty 9.4.21/9.4.22/9.4.23 In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output. | 6.1 |
2019-11-25 | CVE-2019-13714 | Google Opensuse | Code Injection vulnerability in multiple products Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL. | 6.1 |
2019-11-25 | CVE-2019-14891 | Kubernetes Fedoraproject Redhat | Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. | 6.0 |
2019-11-29 | CVE-2019-5218 | Huawei | Improper Authentication vulnerability in Huawei Band 2 Firmware and Band 3 Firmware There is an insufficient authentication vulnerability in Huawei Band 2 and Honor Band 3. | 5.8 |
2019-11-26 | CVE-2019-18451 | Gitlab | Open Redirect vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 10.7.4 through 12.4 in the InternalRedirect filtering feature. | 5.8 |
2019-11-26 | CVE-2019-15688 | Kaspersky | Open Redirect vulnerability in Kaspersky products Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, Kaspersky Security Cloud up to 2020, the web protection component did not adequately inform the user about the threat of redirecting to an untrusted site. | 5.8 |
2019-11-26 | CVE-2019-15686 | Kaspersky | Unspecified vulnerability in Kaspersky products Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, Kaspersky Security Cloud up to 2020, the web protection component allowed an attacker remotely disable various anti-virus protection features. | 5.8 |
2019-12-01 | CVE-2019-19479 | Opensc Project Debian Fedoraproject | Out-of-bounds Read vulnerability in multiple products An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. | 5.5 |
2019-11-30 | CVE-2019-19462 | Linux Netapp Canonical Opensuse Debian | NULL Pointer Dereference vulnerability in multiple products relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result. | 5.5 |
2019-11-29 | CVE-2019-19451 | Gnome Fedoraproject Opensuse | Infinite Loop vulnerability in multiple products When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. | 5.5 |
2019-11-29 | CVE-2019-14865 | GNU | Privilege Defined With Unsafe Actions vulnerability in GNU Grub2 A flaw was found in the grub2-set-bootflag utility of grub2. | 5.5 |
2019-11-26 | CVE-2019-18446 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4. | 5.5 |
2019-11-26 | CVE-2019-15995 | Cisco | SQL Injection vulnerability in Cisco DNA Spaces: Connector A vulnerability in the web UI of Cisco DNA Spaces: Connector could allow an authenticated, remote attacker to execute arbitrary SQL queries. | 5.5 |
2019-11-26 | CVE-2011-3617 | Tahoe Lafs Debian | Incorrect Authorization vulnerability in multiple products Tahoe-LAFS v1.3.0 through v1.8.2 could allow unauthorized users to delete immutable files in some cases. | 5.5 |
2019-11-25 | CVE-2019-5868 | Use After Free vulnerability in Google Chrome Use after free in PDFium in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 5.5 | |
2019-11-25 | CVE-2019-5860 | Use After Free vulnerability in Google Chrome Use after free in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 5.5 | |
2019-11-25 | CVE-2019-13707 | Google Opensuse | Improper Input Validation vulnerability in multiple products Insufficient validation of untrusted input in intents in Google Chrome on Android prior to 78.0.3904.70 allowed a local attacker to leak files via a crafted application. | 5.5 |
2019-11-25 | CVE-2019-10207 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. | 5.5 |
2019-11-26 | CVE-2019-19306 | Zoho | Cross-site Scripting vulnerability in Zoho Lead Magnet 1.6.9.1 The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName. | 5.4 |
2019-11-26 | CVE-2019-19206 | Dolibarr | Cross-site Scripting vulnerability in Dolibarr Erp/Crm 10.0.3 Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture. | 5.4 |
2019-11-26 | CVE-2011-3606 | Redhat | Cross-site Scripting vulnerability in Redhat Jboss Application Server 7.0.0/7.0.1/7.0.2 A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. | 5.4 |
2019-11-26 | CVE-2019-16254 | Ruby Lang Debian | Injection vulnerability in multiple products Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. | 5.3 |
2019-11-26 | CVE-2019-18678 | Squid Cache Canonical Debian Fedoraproject | HTTP Request Smuggling vulnerability in multiple products An issue was discovered in Squid 3.x and 4.x through 4.8. | 5.3 |
2019-11-25 | CVE-2019-13711 | Google Opensuse | Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 5.3 |
2019-11-25 | CVE-2019-13684 | Information Exposure Through Discrepancy vulnerability in Google Chrome Inappropriate implementation in JavaScript in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 5.3 | |
2019-11-25 | CVE-2019-13680 | Unspecified vulnerability in Google Chrome Inappropriate implementation in TLS in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof client IP address to websites via crafted TLS connections. | 5.3 | |
2019-11-25 | CVE-2019-13660 | Unspecified vulnerability in Google Chrome UI spoofing in Chromium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof notifications via a crafted HTML page. | 5.3 | |
2019-11-30 | CVE-2019-19464 | CBC | Missing Encryption of Sensitive Data vulnerability in CBC GEM 9.24.1 The CBC Gem application before 9.24.1 for Android and before 9.26.0 for iOS has Unencrypted Analytics. | 5.0 |
2019-11-30 | CVE-2019-19463 | Huami | Missing Encryption of Sensitive Data vulnerability in Huami MI FIT 4.0.10 The Anhui Huami Mi Fit application before 4.0.11 for Android has an Unencrypted Update Check. | 5.0 |
2019-11-29 | CVE-2015-2060 | Cabextract Linux | Path Traversal vulnerability in Cabextract cabextract before 1.6 does not properly check for leading slashes when extracting files, which allows remote attackers to conduct absolute directory traversal attacks via a malformed UTF-8 character that is changed to a UTF-8 encoded slash. | 5.0 |
2019-11-29 | CVE-2019-5232 | Huawei | Use of Insufficiently Random Values vulnerability in Huawei Vp9630 Firmware, Vp9650 Firmware and Vp9660 Firmware There is a use of insufficiently random values vulnerability in Huawei ViewPoint products. | 5.0 |
2019-11-28 | CVE-2019-19379 | Misp | Unspecified vulnerability in Misp 2.4.118 In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data. | 5.0 |
2019-11-27 | CVE-2019-6672 | F5 | Unspecified vulnerability in F5 Big-Ip Advanced Firewall Manager On BIG-IP AFM 15.0.0-15.0.1, 14.0.0-14.1.2, and 13.1.0-13.1.3.1, when bad-actor detection is configured on a wildcard virtual server on platforms with hardware-based sPVA, the performance of the BIG-IP AFM system is degraded. | 5.0 |
2019-11-27 | CVE-2019-6671 | F5 | Missing Release of Resource after Effective Lifetime vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.3.1, under certain conditions tmm may leak memory when processing packet fragments, leading to resource starvation. | 5.0 |
2019-11-27 | CVE-2019-6669 | F5 | Unspecified vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.1-11.6.5.1, undisclosed traffic flow may cause TMM to restart under some circumstances. | 5.0 |
2019-11-27 | CVE-2019-6666 | F5 | Unspecified vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, and 13.1.0-13.1.1.4, the TMM process may produce a core file when an upstream server or cache sends the BIG-IP an invalid age header value. | 5.0 |
2019-11-27 | CVE-2019-6674 | F5 | Unspecified vulnerability in F5 SSL Orchestrator On F5 SSL Orchestrator 15.0.0-15.0.1 and 14.0.0-14.1.2, TMM may crash when processing SSLO data in a service-chaining configuration. | 5.0 |
2019-11-27 | CVE-2019-15705 | Fortinet | Improper Input Validation vulnerability in Fortinet Fortios An Improper Input Validation vulnerability in the SSL VPN portal of FortiOS versions 6.2.1 and below, and 6.0.6 and below may allow an unauthenticated remote attacker to crash the SSL VPN service by sending a crafted POST request. | 5.0 |
2019-11-27 | CVE-2011-2480 | Freebsd Netbsd | Information Exposure vulnerability in Freebsd Information Disclosure vulnerability in the 802.11 stack, as used in FreeBSD before 8.2 and NetBSD when using certain non-x86 architectures. | 5.0 |
2019-11-27 | CVE-2011-2207 | Gnupg Redhat Debian | Improper Certificate Validation vulnerability in multiple products dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate. | 5.0 |
2019-11-26 | CVE-2011-4310 | Cmsmadesimple | Improper Input Validation vulnerability in Cmsmadesimple CMS Made Simple The news module in CMSMS before 1.9.4.3 allows remote attackers to corrupt new articles. | 5.0 |
2019-11-26 | CVE-2019-18456 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 8.17 through 12.4 in the Search feature provided by Elasticsearch integration.. | 5.0 |
2019-11-26 | CVE-2019-18455 | Gitlab | Infinite Loop vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11 through 12.4 when building Nested GraphQL queries. | 5.0 |
2019-11-26 | CVE-2019-18452 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4 when moving an issue to a public project from a private one. | 5.0 |
2019-11-26 | CVE-2019-18459 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.3 to 12.3 in the protected environments feature. | 5.0 |
2019-11-26 | CVE-2019-18460 | Gitlab | Information Exposure vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4 in the Comments Search feature provided by the Elasticsearch integration. | 5.0 |
2019-11-26 | CVE-2016-5724 | Cloudera | Information Exposure vulnerability in Cloudera CDH Cloudera CDH before 5.9 has Potentially Sensitive Information in Diagnostic Support Bundles. | 5.0 |
2019-11-26 | CVE-2015-6495 | Cloudera | Information Exposure vulnerability in Cloudera Manager There is Sensitive Information in Cloudera Manager before 5.4.6 Diagnostic Support Bundles. | 5.0 |
2019-11-26 | CVE-2019-14853 | Python Ecdsa Project | Improper Handling of Exceptional Conditions vulnerability in Python-Ecdsa Project Python-Ecdsa An error-handling flaw was found in python-ecdsa before version 0.13.3. | 5.0 |
2019-11-26 | CVE-2011-4082 | Phpldapadmin Project Debian | Resource Exhaustion vulnerability in multiple products A local file inclusion flaw was found in the way the phpLDAPadmin before 0.9.8 processed certain values of the "Accept-Language" HTTP header. | 5.0 |
2019-11-26 | CVE-2019-19272 | Proftpd | NULL Pointer Dereference vulnerability in Proftpd An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. | 5.0 |
2019-11-26 | CVE-2019-19271 | Proftpd | Improper Certificate Validation vulnerability in Proftpd An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. | 5.0 |
2019-11-26 | CVE-2019-15998 | Cisco | Missing Authorization vulnerability in Cisco IOS XR 6.5.1/6.5.2/6.5.3 A vulnerability in the access-control logic of the NETCONF over Secure Shell (SSH) of Cisco IOS XR Software may allow connections despite an access control list (ACL) that is configured to deny access to the NETCONF over SSH of an affected device. | 5.0 |
2019-11-26 | CVE-2019-15990 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an unauthenticated, remote attacker to view information displayed in the web-based management interface. | 5.0 |
2019-11-26 | CVE-2019-15988 | Cisco | Improper Input Validation vulnerability in Cisco Email Security Appliance Firmware A vulnerability in the antispam protection mechanisms of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. | 5.0 |
2019-11-26 | CVE-2019-15987 | Cisco | Improper Authentication vulnerability in Cisco products A vulnerability in web interface of the Cisco Webex Event Center, Cisco Webex Meeting Center, Cisco Webex Support Center, and Cisco Webex Training Center could allow an unauthenticated, remote attacker to guess account usernames. | 5.0 |
2019-11-26 | CVE-2011-3624 | Ruby Lang | Injection vulnerability in Ruby-Lang Ruby 1.8.7/1.9.2 Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. | 5.0 |
2019-11-26 | CVE-2011-3596 | Polipo Project Debian | Reachable Assertion vulnerability in multiple products Polipo before 1.0.4.1 suffers from a DoD vulnerability via specially-crafted HTTP POST / PUT request. | 5.0 |
2019-11-25 | CVE-2019-15629 | Trendmicro | Information Exposure vulnerability in Trendmicro Password Manager Trend Micro Password Manager versions 3.x, 5.0, and 5.1 for Android is affected by a FLAG_MISUSE vulnerability that could be exploited to allow the application to share information to third-party applications on the device. | 5.0 |
2019-11-25 | CVE-2019-19244 | Sqlite Canonical Oracle Siemens | sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. | 5.0 |
2019-11-25 | CVE-2019-17406 | Nokia | Path Traversal vulnerability in Nokia Impact Nokia IMPACT < 18A has path traversal that may lead to RCE if chained with CVE-2019-1743 | 5.0 |
2019-11-25 | CVE-2012-5535 | Gnome Fedoraproject | Information Exposure vulnerability in multiple products gnome-system-log polkit policy allows arbitrary files on the system to be read | 5.0 |
2019-11-30 | CVE-2019-19269 | Proftpd Fedoraproject Debian | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. | 4.9 |
2019-11-27 | CVE-2019-6668 | F5 | Improper Privilege Management vulnerability in F5 Big-Ip Access Policy Manager The BIG-IP APM Edge Client for macOS bundled with BIG-IP APM 15.0.0-15.0.1, 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.1.0-13.1.1.5, 12.1.0-12.1.5, and 11.5.1-11.6.5 may allow unprivileged users to access files owned by root. | 4.9 |
2019-11-25 | CVE-2012-5644 | Libuser Project Debian Fedoraproject Redhat | Information Exposure vulnerability in multiple products libuser has information disclosure when moving user's home directory | 4.9 |
2019-11-29 | CVE-2019-5271 | Huawei | Unspecified vulnerability in Huawei Myna Firmware There is an information leak vulnerability in Huawei smart speaker Myna. | 4.8 |
2019-11-29 | CVE-2019-5268 | Huawei | Improper Input Validation vulnerability in Huawei products Some Huawei home routers have an input validation vulnerability. | 4.8 |
2019-11-27 | CVE-2019-18660 | Linux Redhat Canonical Fedoraproject Opensuse | Information Exposure vulnerability in multiple products The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. | 4.7 |
2019-12-01 | CVE-2019-19481 | Opensc Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Opensc Project Opensc 0.19.0/0.20.0 An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. | 4.6 |
2019-12-01 | CVE-2019-19480 | Opensc Project | Operation on a Resource after Expiration or Release vulnerability in Opensc Project Opensc An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. | 4.6 |
2019-11-29 | CVE-2019-5269 | Huawei | Unspecified vulnerability in Huawei products Some Huawei home routers have an improper authorization vulnerability. | 4.6 |
2019-11-27 | CVE-2011-2515 | Packagekit Project Debian Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products PackageKit 0.6.17 allows installation of unsigned RPM packages as though they were signed which may allow installation of non-trusted packages and execution of arbitrary code. | 4.6 |
2019-11-27 | CVE-2011-2187 | Xscreensaver Project Debian | Missing Authentication for Critical Function vulnerability in multiple products xscreensaver before 5.14 crashes during activation and leaves the screen unlocked when in Blank Only Mode and when DPMS is disabled, which allows local attackers to access resources without authentication. | 4.6 |
2019-11-26 | CVE-2019-16241 | Alcatelmobile | Exposure of Resource to Wrong Sphere vulnerability in Alcatelmobile Cingular Flip 2 Firmware B9Huah1 On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, PIN authentication can be bypassed by creating a special file within the /data/local/tmp/ directory. | 4.6 |
2019-11-25 | CVE-2019-10224 | Fedoraproject | Information Exposure vulnerability in Fedoraproject 389 Directory Server A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. | 4.6 |
2019-11-29 | CVE-2019-5210 | Huawei | Improper Validation of Array Index vulnerability in Huawei Nova 5 Firmware and Nova 5I PRO Firmware Nova 5i pro and Nova 5 smartphones with versions earlier than 9.1.1.190(C00E190R6P2)and Versions earlier than 9.1.1.175(C00E170R3P2) have an improper validation of array index vulnerability. | 4.4 |
2019-11-27 | CVE-2019-19319 | Linux Opensuse Redhat | Use After Free vulnerability in multiple products In the Linux kernel before 5.2, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call, aka CID-345c0dbf3a30. | 4.4 |
2019-11-26 | CVE-2019-16001 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco Webex Meetings and Webex Teams A vulnerability in the loading mechanism of specific dynamic link libraries in Cisco Webex Teams for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. | 4.4 |
2019-11-29 | CVE-2015-0837 | Gnupg Debian | Information Exposure Through Discrepancy vulnerability in multiple products The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack." | 4.3 |
2019-11-29 | CVE-2015-1855 | Ruby Lang Debian Puppet | Improper Input Validation vulnerability in multiple products verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. | 4.3 |
2019-11-29 | CVE-2019-5227 | Huawei | Improper Input Validation vulnerability in Huawei products P30, P30 Pro, Mate 20 smartphones with software of versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1), versions earlier than VOGUE-AL00A 9.1.0.193(C00E190R2P1), versions earlier than Hima-AL00B 9.1.0.135(C00E133R2P1) and HiSuite with versions earlier than HiSuite 9.1.0.305 have a version downgrade vulnerability. | 4.3 |
2019-11-29 | CVE-2019-5224 | Huawei | Out-of-bounds Read vulnerability in Huawei P30 Firmware P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.193(C00E190R1P21) have an out of bounds read vulnerability. | 4.3 |
2019-11-29 | CVE-2019-5212 | Huawei | Incorrect Permission Assignment for Critical Resource vulnerability in Huawei P20 Firmware There is an improper access control vulnerability in Huawei Share. | 4.3 |
2019-11-29 | CVE-2019-5211 | Huawei | Improper Input Validation vulnerability in Huawei P20 Firmware The Huawei Share function of P20 phones with versions earlier than Emily-L29C 9.1.0.311 has an improper file management vulnerability. | 4.3 |
2019-11-29 | CVE-2019-5226 | Huawei | Improper Input Validation vulnerability in Huawei products P30, P30 Pro, Mate 20 smartphones with software of versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1), versions earlier than VOGUE-AL00A 9.1.0.193(C00E190R2P1), versions earlier than Hima-AL00B 9.1.0.135(C00E133R2P1) and HiSuite with versions earlier than HiSuite 9.1.0.305 have a version downgrade vulnerability. | 4.3 |
2019-11-29 | CVE-2019-19388 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx 4.4.1 A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter. | 4.3 |
2019-11-29 | CVE-2019-19387 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx 4.4.1 A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter. | 4.3 |
2019-11-29 | CVE-2019-19386 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx 4.4.1 A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter. | 4.3 |
2019-11-29 | CVE-2019-19385 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx 4.4.1 A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter. | 4.3 |
2019-11-29 | CVE-2019-19384 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx 4.4.1 A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter. | 4.3 |
2019-11-28 | CVE-2019-19375 | Octopus | Cross-Site Request Forgery (CSRF) vulnerability in Octopus Deploy In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. | 4.3 |
2019-11-27 | CVE-2019-6673 | F5 | Unspecified vulnerability in F5 products On versions 15.0.0-15.0.1 and 14.0.0-14.1.2, when the BIG-IP is configured in HTTP/2 Full Proxy mode, specifically crafted requests may cause a disruption of service provided by the Traffic Management Microkernel (TMM). | 4.3 |
2019-11-27 | CVE-2019-6667 | F5 | Resource Exhaustion vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.1.0-13.1.1.5, 12.1.0-12.1.4.1, and 11.5.1-11.6.5, under certain conditions, TMM may consume excessive resources when processing traffic for a Virtual Server with the FIX (Financial Information eXchange) profile applied. | 4.3 |
2019-11-27 | CVE-2019-19367 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx 4.4.1 A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | 4.3 |
2019-11-27 | CVE-2019-19366 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx 4.4.1 A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter. | 4.3 |
2019-11-27 | CVE-2014-3875 | Ulli Horlacher | Cross-site Scripting vulnerability in Ulli Horlacher FEX 2011205 The addto parameter to fup in Frams' Fast File EXchange (F*EX, aka fex) before fex-2014053 allows remote attackers to conduct cross-site scripting (XSS) attacks | 4.3 |
2019-11-27 | CVE-2019-19242 | Sqlite Canonical Redhat Oracle Siemens | NULL Pointer Dereference vulnerability in multiple products SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c. | 4.3 |
2019-11-27 | CVE-2019-19329 | Wikimedia | Cross-site Scripting vulnerability in Wikimedia Wikidata Query GUI In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07, when mathematical expressions in results are displayed directly, arbitrary JavaScript execution can occur, aka XSS. | 4.3 |
2019-11-27 | CVE-2019-19328 | Wikimedia | Cross-site Scripting vulnerability in Wikimedia Wikidata Query GUI ui/editor/tooltip/Rdf.js in Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07 allows HTML injection in tooltips for entities. | 4.3 |
2019-11-27 | CVE-2019-19327 | Wikimedia | Cross-site Scripting vulnerability in Wikimedia Wikidata Query GUI ui/ResultView.js in Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07 allows HTML injection when reporting the number of results and number of milliseconds. | 4.3 |
2019-11-27 | CVE-2019-19308 | Gnome | NULL Pointer Dereference vulnerability in Gnome Gnome-Font-Viewer 3.34.0 In text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.34.0, there is a NULL pointer dereference while parsing a TTF font file that lacks a name section (due to a g_strconcat call that returns NULL). | 4.3 |
2019-11-26 | CVE-2019-16388 | Pega | Forced Browsing vulnerability in Pega Platform 8.3 PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. | 4.3 |
2019-11-26 | CVE-2019-16386 | Pega | Forced Browsing vulnerability in Pega Platform PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. | 4.3 |
2019-11-26 | CVE-2019-16195 | Centreon | Cross-site Scripting vulnerability in Centreon Centreon before 2.8.30, 18.x before 18.10.8, and 19.x before 19.04.5 allows XSS via myAccount alias and name fields. | 4.3 |
2019-11-26 | CVE-2019-18454 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 10.5 through 12.4 in link validation for RDoc wiki pages feature. | 4.3 |
2019-11-26 | CVE-2019-19129 | Afterlogic | Cross-site Scripting vulnerability in Afterlogic Aurora and Webmail PRO Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name. | 4.3 |
2019-11-26 | CVE-2019-16243 | Alcatelmobile | Missing Authentication for Critical Function vulnerability in Alcatelmobile Cingular Flip 2 Firmware B9Huah1 On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocumented web API that allows unprivileged JavaScript, including JavaScript running within the KaiOS browser, to view and edit the device's firmware over-the-air update settings. | 4.3 |
2019-11-26 | CVE-2019-15687 | Kaspersky | Information Exposure vulnerability in Kaspersky products Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, Kaspersky Security Cloud up to 2020, the web protection component was vulnerable to remote disclosure of various information about the user's system (like Windows version and version of the product, host unique ID). | 4.3 |
2019-11-26 | CVE-2019-15685 | Kaspersky | Unspecified vulnerability in Kaspersky products Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, Kaspersky Security Cloud up to 2020, the web protection component allowed an attacker remotely disable such product's security features as private browsing and anti-banner. | 4.3 |
2019-11-26 | CVE-2015-9539 | Fast Secure Contact Form Project | Cross-site Scripting vulnerability in Fast Secure Contact Form Project Fast Secure Contact Form The Fast Secure Contact Form plugin before 4.0.38 for WordPress allows fs_contact_form1[welcome] XSS. | 4.3 |
2019-11-26 | CVE-2011-4090 | S9Y | Cross-site Scripting vulnerability in S9Y Serendipity Serendipity before 1.6 has an XSS issue in the karma plugin which may allow privilege escalation. | 4.3 |
2019-11-26 | CVE-2019-16002 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Sd-Wan Firmware A vulnerability in the vManage web-based UI (web UI) of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. | 4.3 |
2019-11-26 | CVE-2019-15994 | Cisco | Cross-site Scripting vulnerability in Cisco Stealthwatch Enterprise 6.10.2 A vulnerability in the web-based management interface of Cisco Stealthwatch Enterprise could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. | 4.3 |
2019-11-26 | CVE-2019-15971 | Cisco | Insufficient Verification of Data Authenticity vulnerability in Cisco Email Security Appliance Firmware A vulnerability in the MP3 detection engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured content filters on the device. | 4.3 |
2019-11-26 | CVE-2011-4076 | Openstack | Information Exposure vulnerability in Openstack Nova OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). | 4.3 |
2019-11-26 | CVE-2019-15973 | Cisco | Cross-site Scripting vulnerability in Cisco Industrial Network Director and Network Level Service A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected application. | 4.3 |
2019-11-26 | CVE-2011-3374 | Debian | Improper Verification of Cryptographic Signature vulnerability in Debian Advanced Package Tool and Debian Linux It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. | 4.3 |
2019-11-25 | CVE-2019-10771 | Iobroker | Cross-site Scripting vulnerability in Iobroker Iobroker.Web Characters in the GET url path are not properly escaped and can be reflected in the server response. | 4.3 |
2019-11-25 | CVE-2011-3373 | Drupal | Cross-site Scripting vulnerability in Drupal Views Builk Operations Drupal Views Builk Operations (VBO) module 6.x-1.0 through 6.x-1.10 does not properly escape the vocabulary help when the vocabulary has had user tagging enabled and the "Modify node taxonomy terms" action is used. | 4.3 |
2019-11-25 | CVE-2011-3355 | Gnome Linux | Missing Encryption of Sensitive Data vulnerability in Gnome Evolution-Data-Server3 3.0.3/3.2.1 evolution-data-server3 3.0.3 through 3.2.1 used insecure (non-SSL) connection when attempting to store sent email messages into the Sent folder, when the Sent folder was located on the remote server. | 4.3 |
2019-11-25 | CVE-2011-4924 | Zope | Cross-site Scripting vulnerability in Zope Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. | 4.3 |
2019-11-25 | CVE-2019-15684 | Google Kaspersky | Kaspersky Protection extension for web browser Google Chrome prior to 30.112.62.0 was vulnerable to unauthorized access to its features remotely that could lead to removing other installed extensions. | 4.3 |
2019-11-25 | CVE-2019-5875 | Unspecified vulnerability in Google Chrome Insufficient data validation in downloads in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-5873 | Unspecified vulnerability in Google Chrome Insufficient policy validation in navigation in Google Chrome on iOS prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-5864 | Incorrect Authorization vulnerability in Google Chrome Insufficient data validation in CORS in Google Chrome prior to 76.0.3809.87 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. | 4.3 | |
2019-11-25 | CVE-2019-5861 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Chrome Insufficient data validation in Blink in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to bypass anti-clickjacking policy via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-17405 | Nokia | Cross-site Scripting vulnerability in Nokia Impact Nokia IMPACT < 18A: has Reflected self XSS | 4.3 |
2019-11-25 | CVE-2019-13719 | Google Opensuse | Insecure Storage of Sensitive Information vulnerability in multiple products Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | 4.3 |
2019-11-25 | CVE-2019-13718 | Google Opensuse | Insufficient data validation in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | 4.3 |
2019-11-25 | CVE-2019-13717 | Google Opensuse | Insecure Storage of Sensitive Information vulnerability in multiple products Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | 4.3 |
2019-11-25 | CVE-2019-13716 | Google Opensuse | Incorrect Authorization vulnerability in multiple products Insufficient policy enforcement in service workers in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | 4.3 |
2019-11-25 | CVE-2019-13715 | Google Opensuse | Authentication Bypass by Spoofing vulnerability in multiple products Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | 4.3 |
2019-11-25 | CVE-2019-13710 | Google Opensuse | Insufficient validation of untrusted input in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | 4.3 |
2019-11-25 | CVE-2019-13708 | Google Opensuse | Authentication Bypass by Spoofing vulnerability in multiple products Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 |
2019-11-25 | CVE-2019-13705 | Google Opensuse | Improper Privilege Management vulnerability in multiple products Insufficient policy enforcement in extensions in Google Chrome prior to 78.0.3904.70 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. | 4.3 |
2019-11-25 | CVE-2019-13704 | Google Opensuse | Authentication Bypass by Spoofing vulnerability in multiple products Insufficient policy enforcement in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass content security policy via a crafted HTML page. | 4.3 |
2019-11-25 | CVE-2019-13703 | Google Opensuse | Authentication Bypass by Spoofing vulnerability in multiple products Insufficient policy enforcement in the Omnibox in Google Chrome on Android prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 |
2019-11-25 | CVE-2019-13701 | Google Opensuse | Authentication Bypass by Spoofing vulnerability in multiple products Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 |
2019-11-25 | CVE-2019-13691 | Unspecified vulnerability in Google Chrome Insufficient validation of untrusted input in navigation in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-13681 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Chrome Insufficient data validation in downloads in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-13676 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Chrome Insufficient policy enforcement in Chromium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-13675 | Improper Input Validation vulnerability in Google Chrome Insufficient data validation in extensions in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to disable extensions via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-13674 | Unspecified vulnerability in Google Chrome IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | 4.3 | |
2019-11-25 | CVE-2019-13671 | Unspecified vulnerability in Google Chrome UI spoofing in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof security UI via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-13669 | Unspecified vulnerability in Google Chrome Incorrect data validation in navigation in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-13667 | Unspecified vulnerability in Google Chrome Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 77.0.3865.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-13663 | Unspecified vulnerability in Google Chrome IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | 4.3 | |
2019-11-25 | CVE-2019-13661 | Unspecified vulnerability in Google Chrome UI spoofing in Chromium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof notifications via a crafted HTML page. | 4.3 | |
2019-11-25 | CVE-2019-13659 | Unspecified vulnerability in Google Chrome IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | 4.3 | |
2019-11-25 | CVE-2012-5518 | Ovirt | Improper Certificate Validation vulnerability in Ovirt Vdsm vdsm: certificate generation upon node creation allowing vdsm to start and serve requests from anyone who has a matching key (and certificate) | 4.3 |
2019-11-25 | CVE-2019-10214 | Buildah Project Libpod Project Redhat Skopeo Project Opensuse | Insufficiently Protected Credentials vulnerability in multiple products The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. | 4.3 |
2019-11-29 | CVE-2019-16766 | Labdigital | Unspecified vulnerability in Labdigital Wagtail-2Fa When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. | 4.0 |
2019-11-28 | CVE-2019-19376 | Octopus | Improper Input Validation vulnerability in Octopus Deploy In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. | 4.0 |
2019-11-26 | CVE-2011-1934 | Lilo Project Debian | Information Exposure vulnerability in multiple products lilo-uuid-diskid causes lilo.conf to be world-readable in lilo 23.1. | 4.0 |
2019-11-26 | CVE-2019-18453 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.6 through 12.4 in the add comments via email feature. | 4.0 |
2019-11-26 | CVE-2019-18450 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the Project labels feature. | 4.0 |
2019-11-26 | CVE-2019-18449 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. | 4.0 |
2019-11-26 | CVE-2019-18448 | Gitlab | Information Exposure vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 12.4. | 4.0 |
2019-11-26 | CVE-2019-18447 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 12.4. | 4.0 |
2019-11-26 | CVE-2019-18458 | Gitlab | Improper Preservation of Permissions vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition through 12.4. | 4.0 |
2019-11-26 | CVE-2019-18463 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition through 12.4. | 4.0 |
2019-11-26 | CVE-2019-18462 | Gitlab | Improper Privilege Management vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4. | 4.0 |
2019-11-26 | CVE-2019-18461 | Gitlab | Information Exposure vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.3 when a sub group epic is added to a public group. | 4.0 |
2019-11-26 | CVE-2015-9538 | Imagely | Path Traversal vulnerability in Imagely Nextgen Gallery The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Directory Traversal in path selection. | 4.0 |
2019-11-26 | CVE-2019-14856 | Redhat Opensuse | Improper Authentication vulnerability in multiple products ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None | 4.0 |
2019-11-26 | CVE-2016-3192 | Cloudera | Cleartext Storage of Sensitive Information vulnerability in Cloudera Manager Cloudera Manager 5.x before 5.7.1 places Sensitive Data in cleartext Readable Files. | 4.0 |
2019-11-26 | CVE-2016-3131 | Cloudera | Incorrect Authorization vulnerability in Cloudera CDH Cloudera CDH before 5.6.1 allows authorization bypass via direct internal API calls. | 4.0 |
2019-11-26 | CVE-2011-4350 | Yaws Debian | Path Traversal vulnerability in multiple products Yaws 1.91 has a directory traversal vulnerability in the way certain URLs are processed. | 4.0 |
2019-11-26 | CVE-2019-15276 | Cisco | Improper Input Validation vulnerability in Cisco Wireless LAN Controller Software A vulnerability in the web interface of Cisco Wireless LAN Controller Software could allow a low-privileged, authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 4.0 |
2019-11-25 | CVE-2019-10217 | Redhat | Information Exposure vulnerability in Redhat Ansible A flaw was found in ansible 2.8.0 before 2.8.4. | 4.0 |
2019-11-25 | CVE-2019-17404 | Nokia | Path Traversal vulnerability in Nokia Impact Nokia IMPACT < 18A: allows full path disclosure | 4.0 |
33 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-11-26 | CVE-2011-3632 | Hardlink Project Debian Redhat | Link Following vulnerability in multiple products Hardlink before 0.1.2 operates on full file system objects path names which can allow a local attacker to use this flaw to conduct symlink attacks. | 3.6 |
2019-11-25 | CVE-2018-2025 | IBM | Incorrect Default Permissions vulnerability in IBM products IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments 7.1 and 8.1 creates directories/files in the CIT sub directory that are read/writable by everyone. | 3.6 |
2019-11-25 | CVE-2019-14822 | Ibus Project Redhat Canonical Oracle | Missing Authorization vulnerability in multiple products A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. | 3.6 |
2019-11-27 | CVE-2019-13936 | Siemens | Cross-site Scripting vulnerability in Siemens Polarion 19.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a persistent XSS vulnerability. | 3.5 |
2019-11-27 | CVE-2019-13935 | Siemens | Cross-site Scripting vulnerability in Siemens Polarion 19.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a reflected XSS vulnerability. | 3.5 |
2019-11-27 | CVE-2019-13934 | Siemens | Cross-site Scripting vulnerability in Siemens Polarion 19.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a reflected XSS vulnerability. | 3.5 |
2019-11-26 | CVE-2019-14449 | Cloudera | Cross-site Scripting vulnerability in Cloudera Manager An issue was discovered in Cloudera Manager 5.x before 5.16.2, 6.0.x before 6.0.2, and 6.1.x before 6.1.1. | 3.5 |
2019-11-26 | CVE-2016-9271 | Cloudera | Cross-site Scripting vulnerability in Cloudera Manager Cloudera Manager 5.7.x before 5.7.6, 5.8.x before 5.8.4, and 5.9.x before 5.9.1 allows XSS in the help search feature. | 3.5 |
2019-11-26 | CVE-2015-9537 | Imagely | Cross-site Scripting vulnerability in Imagely Nextgen Gallery The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XSS issues involving thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, and wmYpos, and template. | 3.5 |
2019-11-26 | CVE-2015-4457 | Cloudera | Cross-site Scripting vulnerability in Cloudera Manager Multiple cross-site scripting (XSS) vulnerabilities in the Cloudera Manager UI before 5.4.3 allow remote authenticated users to inject arbitrary web script or HTML using unspecified vectors. | 3.5 |
2019-11-26 | CVE-2016-6353 | Cloudera | Incorrect Authorization vulnerability in Cloudera CDH Cloudera Search in CDH before 5.7.0 allows unauthorized document access because Solr Queries by document id can bypass Sentry document-level security via the RealTimeGetHandler. | 3.5 |
2019-11-26 | CVE-2019-15968 | Cisco | Cross-site Scripting vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Unified Communications Domain Manager (Unified CDM) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. | 3.5 |
2019-11-26 | CVE-2019-18241 | Philips | Inadequate Encryption Strength vulnerability in Philips products In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all versions, and IntelliBridge EC80 Hub all versions, the SSH server running on the affected products is configured to allow weak ciphers. | 3.3 |
2019-11-25 | CVE-2019-13679 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Chrome Insufficient policy enforcement in PDFium in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to show print dialogs via a crafted PDF file. | 3.3 | |
2019-11-25 | CVE-2012-5630 | Libuser Project Fedoraproject Redhat | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in multiple products libuser 0.56 and 0.57 has a TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees. | 3.3 |
2019-11-25 | CVE-2012-5521 | Quagga Debian Redhat | Reachable Assertion vulnerability in multiple products quagga (ospf6d) 0.99.21 has a DoS flaw in the way the ospf6d daemon performs routes removal | 3.3 |
2019-11-25 | CVE-2019-14825 | Theforeman | Cleartext Storage of Sensitive Information vulnerability in Theforeman Katello A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. | 2.7 |
2019-11-27 | CVE-2016-4980 | Ethz Fedoraproject Redhat | Use of Insufficiently Random Values vulnerability in multiple products A password generation weakness exists in xquest through 2016-06-13. | 2.5 |
2019-11-29 | CVE-2019-5309 | Huawei | Improper Restriction of Excessive Authentication Attempts vulnerability in Huawei Honor Play Firmware Honor play smartphones with versions earlier than 9.1.0.333(C00E333R1P1T8) have an information disclosure vulnerability in certain Huawei . | 2.1 |
2019-11-29 | CVE-2019-5308 | Huawei | Unspecified vulnerability in Huawei Mate 20 RS Firmware Mate 20 RS smartphones with versions earlier than 9.1.0.135(C786E133R3P1) have an improper authorization vulnerability. | 2.1 |
2019-11-29 | CVE-2019-5247 | Huawei | Classic Buffer Overflow vulnerability in Huawei Atlas 300 Firmware and Atlas 500 Firmware Huawei Atlas 300, Atlas 500 have a buffer overflow vulnerability. | 2.1 |
2019-11-29 | CVE-2019-5263 | Huawei | Improper Restriction of Excessive Authentication Attempts vulnerability in Huawei Hisuite and Hwbackup HiSuite with 9.1.0.305 and earlier versions and 9.1.0.305(MAC) and earlier versions and HwBackup with earlier versions before 9.1.1.308 have a brute forcing encrypted backup data vulnerability. | 2.1 |
2019-11-28 | CVE-2019-19318 | Linux Opensuse Canonical Debian Netapp | Use After Free vulnerability in multiple products In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can cause an rwsem_down_write_slowpath use-after-free because (in rwsem_can_spin_on_owner in kernel/locking/rwsem.c) rwsem_owner_flags returns an already freed pointer, | 2.1 |
2019-11-27 | CVE-2019-6670 | F5 | Cleartext Storage of Sensitive Information vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.1-11.6.5, vCMP hypervisors are incorrectly exposing the plaintext unit key for their vCMP guests on the filesystem. | 2.1 |
2019-11-27 | CVE-2012-6655 | Accountsservice Project Opensuse Debian Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products An issue exists AccountService 0.6.37 in the user_change_password_authorized_cb() function in user.c which could let a local users obtain encrypted passwords. | 2.1 |
2019-11-26 | CVE-2019-14890 | Redhat | Cleartext Storage of Sensitive Information vulnerability in Redhat Ansible Tower 3.6.0 A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve usernames and passwords credentials from the new RHSM saved in plain text into the database at '/api/v2/config' when applying the Ansible Tower license. | 2.1 |
2019-11-26 | CVE-2019-15967 | Cisco | Unspecified vulnerability in Cisco Roomos and Telepresence Collaboration Endpoint A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an authenticated, local attacker to enable audio recording without notifying users. | 2.1 |
2019-11-25 | CVE-2019-4406 | IBM | Improper Input Validation vulnerability in IBM Spectrum Protect Backup-Archive Client IBM Spectrum Protect Backup-Archive Client 7.1 and 8.1 may be vulnerable to a denial of service attack due to a timing issue between client and server TCP/IP communications. | 2.1 |
2019-11-25 | CVE-2019-16764 | Powauth | Unspecified vulnerability in Powauth Powassent The use of `String.to_atom/1` in PowAssent is susceptible to denial of service attacks. | 2.1 |
2019-11-25 | CVE-2012-5640 | Acme | NULL Pointer Dereference vulnerability in Acme Thttpd thttpd has a local DoS vulnerability via specially-crafted .htpasswd files | 2.1 |
2019-11-25 | CVE-2012-5527 | Claws Mail | Insufficiently Protected Credentials vulnerability in Claws-Mail Vcalendar Claws Mail vCalendar plugin: credentials exposed on interface | 2.1 |
2019-11-25 | CVE-2012-5578 | Python | Incorrect Default Permissions vulnerability in Python Keyring Python keyring has insecure permissions on new databases allowing world-readable files to be created | 2.1 |
2019-11-29 | CVE-2014-3591 | Gnupg Debian | Information Exposure vulnerability in multiple products Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication. | 1.9 |