Weekly Vulnerabilities Reports > December 30, 2019 to January 5, 2020
Overview
260 new vulnerabilities reported during this period, including 17 critical vulnerabilities and 40 high severity vulnerabilities. This weekly summary report vulnerabilities in 310 products from 128 vendors including Gitlab, Debian, Redhat, Fedoraproject, and Gpac. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Information Exposure", "NULL Pointer Dereference", and "Cross-Site Request Forgery (CSRF)".
- 237 reported vulnerabilities are remotely exploitables.
- 7 reported vulnerabilities have public exploit available.
- 111 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 204 reported vulnerabilities are exploitable by an anonymous user.
- Gitlab has the most reported vulnerabilities, with 34 reported vulnerabilities.
- Debian has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
17 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-01-03 | CVE-2014-8516 | Cloudfastpath | Unrestricted Upload of File with Dangerous Type vulnerability in Cloudfastpath Netcharts Server Unrestricted file upload vulnerability in Visual Mining NetCharts Server allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors. | 10.0 |
2020-01-03 | CVE-2012-5878 | Bulbsecurity | OS Command Injection vulnerability in Bulbsecurity Smartphone Pentest Framework 0.1.2/0.1.3/0.1.4 Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the hostingPath parameter to (1) SEAttack.pl or (2) CSAttack.pl in frameworkgui/ or the (3) appURLPath parameter to frameworkgui/attachMobileModem.pl. | 10.0 |
2019-12-31 | CVE-2013-7070 | Fibranet | Injection vulnerability in Fibranet Monitorix The handle_request function in lib/HTTPServer.pm in Monitorix before 3.3.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the URI. | 10.0 |
2019-12-31 | CVE-2019-3984 | Amazon | OS Command Injection vulnerability in Amazon Blink XT2 Sync Module Firmware Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when the device retrieves updates scripts from the internet. | 10.0 |
2019-12-30 | CVE-2019-10774 | PHP Shellcommand Project | OS Command Injection vulnerability in PHP-Shellcommand Project PHP-Shellcommand php-shellcommand versions before 1.6.1 have a command injection vulnerability. | 10.0 |
2020-01-03 | CVE-2019-20330 | Fasterxml Oracle Debian Netapp | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. | 9.8 |
2020-01-03 | CVE-2020-5312 | Python Canonical Debian Fedoraproject | Classic Buffer Overflow vulnerability in multiple products libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. | 9.8 |
2020-01-03 | CVE-2020-5311 | Python Debian Canonical Fedoraproject | Classic Buffer Overflow vulnerability in multiple products libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. | 9.8 |
2020-01-02 | CVE-2016-1000027 | Vmware | Deserialization of Untrusted Data vulnerability in VMWare Spring Framework Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. | 9.8 |
2020-01-02 | CVE-2014-0048 | Docker Apache | Improper Input Validation vulnerability in multiple products An issue was found in Docker before 1.6.0. | 9.8 |
2020-01-02 | CVE-2019-10158 | Infinispan Redhat | Session Fixation vulnerability in multiple products A flaw was found in Infinispan through version 9.4.14.Final. | 9.8 |
2019-12-30 | CVE-2019-17621 | Dlink | OS Command Injection vulnerability in Dlink products The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an Unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network. | 9.8 |
2020-01-03 | CVE-2019-11993 | HP | Unspecified vulnerability in HP products A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. | 9.4 |
2019-12-30 | CVE-2019-19735 | Mfscripts | Use of Password Hash With Insufficient Computational Effort vulnerability in Mfscripts Yetishare class.userpeer.php in MFScripts YetiShare 3.5.2 through 4.5.3 uses an insecure method of creating password reset hashes (based only on microtime), which allows an attacker to guess the hash and set the password within a few hours by bruteforcing. | 9.1 |
2020-01-05 | CVE-2019-20155 | Determine | Improper Input Validation vulnerability in Determine Contract Lifecycle Management 5.4 An issue was discovered in report_edit.jsp in Determine (formerly Selectica) Contract Lifecycle Management (CLM) v5.4. | 9.0 |
2020-01-02 | CVE-2020-5179 | Comtechtel | OS Command Injection vulnerability in Comtechtel Stampede Fx-1010 Firmware 7.4.3 Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated administrators to execute arbitrary OS commands by navigating to the Diagnostics Ping page and entering shell metacharacters in the Target IP address field. | 9.0 |
2019-12-31 | CVE-2019-20197 | Nagios | OS Command Injection vulnerability in Nagios XI 5.6.9 In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account. | 9.0 |
40 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-01-05 | CVE-2019-20004 | Intelbras | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Intelbras IWR 3000N Firmware 1.8.7 An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. | 8.8 |
2020-01-03 | CVE-2020-5496 | Fontforge Opensuse | Out-of-bounds Write vulnerability in multiple products FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c. | 8.8 |
2020-01-03 | CVE-2020-5395 | Fontforge Fedoraproject Opensuse | Use After Free vulnerability in multiple products FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c. | 8.8 |
2020-01-03 | CVE-2020-5310 | Python Canonical Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. | 8.8 |
2019-12-30 | CVE-2019-19737 | Mfscripts | Cross-Site Request Forgery (CSRF) vulnerability in Mfscripts Yetishare MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks. | 8.8 |
2019-12-30 | CVE-2019-19734 | Mfscripts | SQL Injection vulnerability in Mfscripts Yetishare _account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. | 8.8 |
2020-01-03 | CVE-2012-5693 | Bulbsecurity | OS Command Injection vulnerability in Bulbsecurity Smartphone Pentest Framework 0.1.2 Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddressTB parameter to (1) remoteAttack.pl or (2) guessPassword.pl in frameworkgui/; the filename parameter to (3) CSAttack.pl or (4) SEAttack.pl in frameworkgui/; the phNo2Attack parameter to (5) CSAttack.pl or (6) SEAttack.pl in frameworkgui/; the (7) platformDD2 parameter to frameworkgui/SEAttack.pl; the (8) agentURLPath or (9) agentControlKey parameter to frameworkgui/attach2agents.pl; or the (10) controlKey parameter to frameworkgui/attachMobileModem.pl. | 8.3 |
2020-01-03 | CVE-2019-5304 | Huawei | Classic Buffer Overflow vulnerability in Huawei products Some Huawei products have a buffer error vulnerability. | 7.8 |
2019-12-31 | CVE-2019-20172 | Serenityos | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Serenityos Kernel/VM/MemoryManager.cpp in SerenityOS before 2019-12-30 does not reject syscalls with pointers into the kernel-only virtual address space, which allows local users to gain privileges by overwriting a return address that was found on the kernel stack. | 7.8 |
2019-12-30 | CVE-2012-5645 | Freeciv Fedoraproject | Resource Exhaustion vulnerability in multiple products A denial of service flaw was found in the way the server component of Freeciv before 2.3.4 processed certain packets. | 7.8 |
2020-01-05 | CVE-2019-19911 | Python Debian Fedoraproject Canonical | Integer Overflow or Wraparound vulnerability in multiple products There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. | 7.5 |
2020-01-05 | CVE-2019-19628 | Gitlab | Path Traversal vulnerability in Gitlab In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions. | 7.5 |
2020-01-04 | CVE-2020-5499 | Apache | Unspecified vulnerability in Apache Rust SGX SDK Baidu Rust SGX SDK through 1.0.8 has an enclave ID race. | 7.5 |
2020-01-03 | CVE-2014-8337 | Helpdezk | Unrestricted Upload of File with Dangerous Type vulnerability in Helpdezk Unrestricted file upload vulnerability in includes/classes/uploadify-v2.1.4/uploadify.php in HelpDEZk 1.0.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the folder parameter. | 7.5 |
2020-01-03 | CVE-2019-11994 | HP | Path Traversal vulnerability in HP products A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. | 7.5 |
2020-01-03 | CVE-2019-19088 | Gitlab | Path Traversal vulnerability in Gitlab Gitlab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Traversal. | 7.5 |
2020-01-02 | CVE-2014-0011 | Tigervnc | Out-of-bounds Write vulnerability in Tigervnc Multiple heap-based buffer overflows in the ZRLE_DECODE function in common/rfb/zrleDecode.h in TigerVNC before 1.3.1, when NDEBUG is enabled, allow remote VNC servers to cause a denial of service (vncviewer crash) and possibly execute arbitrary code via vectors related to screen image rendering. | 7.5 |
2020-01-02 | CVE-2013-3941 | Xnview | Out-of-bounds Write vulnerability in Xnview Xjp2.dll in XnView before 2.13 allows remote attackers to execute arbitrary code via (1) the Csiz parameter in a SIZ marker, which triggers an incorrect memory allocation, or (2) the lqcd field in a QCD marker in a crafted JPEG2000 file, which leads to a heap-based buffer overflow. | 7.5 |
2020-01-02 | CVE-2019-20218 | Sqlite Debian Canonical Oracle | Improper Handling of Exceptional Conditions vulnerability in multiple products selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. | 7.5 |
2020-01-02 | CVE-2019-20213 | Dlink | Incorrect Authorization vulnerability in Dlink products D-Link DIR-859 routers before v1.07b03_beta allow Unauthenticated Information Disclosure via the AUTHORIZED_GROUP=1%0a value, as demonstrated by vpnconfig.php. | 7.5 |
2019-12-31 | CVE-2004-2776 | Goscript Project | Unspecified vulnerability in Goscript Project Goscript 2.0 go.cgi in GoScript 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) query string or (2) artarchive parameter. | 7.5 |
2019-12-31 | CVE-2018-19834 | Bombba Project | Improper Authentication vulnerability in Bombba Project Bombba The quaker function of a smart contract implementation for BOMBBA (BOMB), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | 7.5 |
2019-12-31 | CVE-2018-19833 | DDQ Project | Improper Authentication vulnerability in DDQ Project DDQ The owned function of a smart contract implementation for DDQ, an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | 7.5 |
2019-12-31 | CVE-2018-19832 | Newinteltechmedia Project | Improper Authentication vulnerability in Newinteltechmedia Project Newinteltechmedia The NETM() function of a smart contract implementation for NewIntelTechMedia (NETM), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | 7.5 |
2019-12-31 | CVE-2018-19831 | Cryptbond Network Project | Improper Authentication vulnerability in Cryptbond Network Project Cryptbond Network The ToOwner() function of a smart contract implementation for Cryptbond Network (CBN), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | 7.5 |
2019-12-31 | CVE-2018-19830 | Business Alliance Financial Circle Project | Missing Authorization vulnerability in Business Alliance Financial Circle Project Business Alliance Financial Circle The UBSexToken() function of a smart contract implementation for Business Alliance Financial Circle (BAFC), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function is public (by default) and does not check the caller's identity. | 7.5 |
2019-12-31 | CVE-2019-20176 | Pureftpd Fedoraproject | Resource Exhaustion vulnerability in multiple products In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the listdir function in ls.c. | 7.5 |
2019-12-31 | CVE-2019-20175 | Qemu | Improper Check for Unusual or Exceptional Conditions vulnerability in Qemu An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. | 7.5 |
2019-12-31 | CVE-2019-7478 | Sonicwall | SQL Injection vulnerability in Sonicwall Global Management System A vulnerability in GMS allow unauthenticated user to SQL injection in Webservice module. | 7.5 |
2019-12-30 | CVE-2019-13445 | ROS | Integer Overflow or Wraparound vulnerability in ROS Ros-Comm An issue was discovered in the ROS communications-related packages (aka ros_comm or ros-melodic-ros-comm) through 1.14.3. | 7.5 |
2019-12-30 | CVE-2019-19739 | Mfscripts | Missing Encryption of Sensitive Data vulnerability in Mfscripts Yetishare MFScripts YetiShare 3.5.2 through 4.5.3 does not set the Secure flag on session cookies, allowing the cookie to be sent over cleartext channels. | 7.5 |
2019-12-30 | CVE-2019-17558 | Apache Oracle | Injection vulnerability in multiple products Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. | 7.5 |
2019-12-30 | CVE-2019-16535 | Yandex | Integer Underflow (Wrap or Wraparound) vulnerability in Yandex Clickhouse In all versions of ClickHouse before 19.14, an OOB read, OOB write and integer underflow in decompression algorithms can be used to achieve RCE or DoS via native protocol. | 7.5 |
2019-12-30 | CVE-2019-20085 | TVT | Path Traversal vulnerability in TVT Nvms-1000 Firmware TVT NVMS-1000 devices allow GET /.. | 7.5 |
2019-12-31 | CVE-2019-18568 | Avira | Unspecified vulnerability in Avira Free Antivirus 15.0.1907.1514 Avira Free Antivirus 15.0.1907.1514 is prone to a local privilege escalation through the execution of kernel code from a restricted user. | 7.2 |
2019-12-31 | CVE-2013-4161 | Gksu Polkit Project Fedoraproject | Improper Privilege Management vulnerability in multiple products gksu-polkit-0.0.3-6.fc18 was reported as fixing the issue in CVE-2012-5617 but the patch was improperly applied and it did not fixed the security issue. | 7.2 |
2019-12-30 | CVE-2019-19470 | Tinywall | Deserialization of Untrusted Data vulnerability in Tinywall Unsafe usage of .NET deserialization in Named Pipe message processing allows privilege escalation to NT AUTHORITY\SYSTEM for a local attacker. | 7.2 |
2019-12-30 | CVE-2019-19732 | Mfscripts | SQL Injection vulnerability in Mfscripts Yetishare translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. | 7.2 |
2020-01-03 | CVE-2020-1785 | Huawei | Improper Input Validation vulnerability in Huawei products Mate 10 Pro;Honor V10;Honor 10;Nova 4 smartphones have a denial of service vulnerability. | 7.1 |
2020-01-03 | CVE-2020-5313 | Python Debian Canonical Fedoraproject | Out-of-bounds Read vulnerability in multiple products libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. | 7.1 |
188 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-12-30 | CVE-2013-2016 | Qemu Debian Novell | Improper Privilege Management vulnerability in multiple products A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. | 6.9 |
2020-01-03 | CVE-2019-5064 | Opencv Oracle | Out-of-bounds Write vulnerability in multiple products An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV, before version 4.2.0. | 6.8 |
2020-01-03 | CVE-2019-5063 | Opencv Oracle | Out-of-bounds Write vulnerability in multiple products An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV 4.1.0. | 6.8 |
2020-01-03 | CVE-2019-19261 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF. | 6.8 |
2020-01-02 | CVE-2013-3939 | Xnview | Out-of-bounds Write vulnerability in Xnview xnview.exe in XnView before 2.13 does not properly handle RLE strip lengths during processing of RGB files, which allows remote attackers to execute arbitrary code via the RLE strip size field in a RGB file, which leads to an unexpected sign extension error and a heap-based buffer overflow. | 6.8 |
2020-01-02 | CVE-2013-3937 | Xnview | Out-of-bounds Write vulnerability in Xnview Heap-based buffer overflow in xnview.exe in XnView before 2.13 allows remote attackers to execute arbitrary code via the biBitCount field in a BMP file. | 6.8 |
2020-01-02 | CVE-2013-3247 | Xnview | Out-of-bounds Write vulnerability in Xnview Heap-based buffer overflow in xnview.exe in XnView before 2.03 allows remote attackers to execute arbitrary code via a crafted RLE compressed layer in an XCF file. | 6.8 |
2020-01-02 | CVE-2013-3246 | Xnview | Out-of-bounds Write vulnerability in Xnview Stack-based buffer overflow in xnview.exe in XnView before 2.03 allows remote attackers to execute arbitrary code via a crafted image layer in an XCF file. | 6.8 |
2020-01-02 | CVE-2013-3946 | Extensis | Out-of-bounds Write vulnerability in Extensis Mrsid Heap-based buffer overflow in the MrSID plugin (MrSID.dll) before 4.37 for IrfanView allows remote attackers to execute arbitrary code via a levels header. | 6.8 |
2020-01-02 | CVE-2013-3945 | Extensis | Improper Input Validation vulnerability in Extensis Mrsid The MrSID plugin (MrSID.dll) before 4.37 for IrfanView allows remote attackers to execute arbitrary code via a nband tag. | 6.8 |
2020-01-02 | CVE-2013-3944 | Extensis | Out-of-bounds Write vulnerability in Extensis Mrsid Stack-based buffer overflow in the MrSID plugin (MrSID.dll) before 4.37 for IrfanView allows remote attackers to execute arbitrary code via an IMAGE tag. | 6.8 |
2020-01-02 | CVE-2019-20219 | Miniupnp Project | Out-of-bounds Read vulnerability in Miniupnp Project Ngiflib 0.4 ngiflib 0.4 has a heap-based buffer over-read in GifIndexToTrueColor in ngiflib.c. | 6.8 |
2020-01-02 | CVE-2013-3935 | Opsview | Cross-Site Request Forgery (CSRF) vulnerability in Opsview and Opsview Core Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.1 and Opsview Core before 20130522 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors. | 6.8 |
2020-01-02 | CVE-2019-20205 | Libsixel Project | Integer Overflow or Wraparound vulnerability in Libsixel Project Libsixel 1.8.4 libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c. | 6.8 |
2019-12-31 | CVE-2019-9197 | Unity3D | OS Command Injection vulnerability in Unity3D Unity Editor The com.unity3d.kharma protocol handler in Unity Editor 2018.3 allows remote attackers to execute arbitrary code. | 6.8 |
2019-12-30 | CVE-2019-20140 | Libsixel Project | Out-of-bounds Write vulnerability in Libsixel Project Libsixel 1.8.4 An issue was discovered in libsixel 1.8.4. | 6.8 |
2019-12-30 | CVE-2019-20094 | Libsixel Project | Out-of-bounds Write vulnerability in Libsixel Project Libsixel 1.8.4 An issue was discovered in libsixel 1.8.4. | 6.8 |
2019-12-30 | CVE-2019-20090 | Axiosys | Use After Free vulnerability in Axiosys Bento4 1.5.1.0 An issue was discovered in Bento4 1.5.1.0. | 6.8 |
2019-12-30 | CVE-2019-20089 | Gopro | Out-of-bounds Read vulnerability in Gopro Gpmf-Parser 1.2.3 GoPro GPMF-parser 1.2.3 has an heap-based buffer over-read in GPMF_SeekToSamples in GPMF_parse.c for the size calculation. | 6.8 |
2019-12-30 | CVE-2019-20088 | Gopro | Out-of-bounds Read vulnerability in Gopro Gpmf-Parser 1.2.3 GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GetPayload in GPMF_mp4reader.c. | 6.8 |
2019-12-30 | CVE-2019-20087 | Gopro | Out-of-bounds Read vulnerability in Gopro Gpmf-Parser 1.2.3 GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_seekToSamples in GPMF-parse.c for the "matching tags" feature. | 6.8 |
2019-12-30 | CVE-2019-20086 | Gopro | Out-of-bounds Read vulnerability in Gopro Gpmf-Parser 1.2.3 GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_Next in GPMF_parser.c. | 6.8 |
2019-12-30 | CVE-2019-20079 | VIM Canonical | Use After Free vulnerability in multiple products The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory. | 6.8 |
2020-01-05 | CVE-2019-20337 | Advanced Real Estate Script Project | SQL Injection vulnerability in Advanced Real Estate Script Project Advanced Real Estate Script 4.0.9 In PHP Scripts Mall advanced-real-estate-script 4.0.9, the news_edit.php news_id parameter is vulnerable to SQL Injection. | 6.5 |
2020-01-03 | CVE-2019-5846 | Google Opensuse | Out-of-bounds Write vulnerability in multiple products Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |
2020-01-03 | CVE-2019-5845 | Google Opensuse | Out-of-bounds Write vulnerability in multiple products Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |
2020-01-03 | CVE-2019-5844 | Google Opensuse | Out-of-bounds Write vulnerability in multiple products Out of bounds access in SwiftShader in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |
2020-01-03 | CVE-2019-3768 | EMC | XXE vulnerability in EMC RSA Authentication Manager RSA Authentication Manager versions prior to 8.4 P7 contain an XML Entity Injection Vulnerability. | 6.5 |
2020-01-03 | CVE-2019-13766 | Use After Free vulnerability in Google Chrome Use-after-free in accessibility in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2020-01-03 | CVE-2019-13765 | Improper Initialization vulnerability in Google Chrome Use-after-free in content delivery manager in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 | |
2020-01-03 | CVE-2014-5140 | Loadedcommerce | SQL Injection vulnerability in Loadedcommerce Loaded7 The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book. | 6.5 |
2020-01-02 | CVE-2013-3932 | Jomres | SQL Injection vulnerability in Jomres 7.3.0 SQL injection vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to execute arbitrary SQL commands via the id parameter in an editProfile action to administrator/index.php. | 6.5 |
2020-01-02 | CVE-2010-3782 | OBS Server Suse | Incorrect Authorization vulnerability in multiple products obs-server before 1.7.7 allows logins by 'unconfirmed' accounts due to a bug in the REST api implementation. | 6.5 |
2019-12-31 | CVE-2015-5591 | Zenphoto | SQL Injection vulnerability in Zenphoto SQL injection vulnerability in Zenphoto before 1.4.9 allow remote administrators to execute arbitrary SQL commands. | 6.5 |
2019-12-31 | CVE-2019-12273 | Outsystems | Cross-Site Request Forgery (CSRF) vulnerability in Outsystems OutSystems Platform 10 through 11 allows ImageResourceDetail.aspx CSRF for content modifications and file uploads. | 6.5 |
2019-12-31 | CVE-2019-7479 | Sonicwall | Improper Privilege Management vulnerability in Sonicwall Sonicos and Sonicosv A vulnerability in SonicOS allow authenticated read-only admin can elevate permissions to configuration mode. | 6.5 |
2019-12-30 | CVE-2018-20501 | Gitlab | Missing Authorization vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 6.5 |
2019-12-30 | CVE-2013-0196 | Redhat | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Openshift 1.2 A CSRF issue was found in OpenShift Enterprise 1.2. | 6.5 |
2019-12-30 | CVE-2019-16790 | Tiny File Manager Project | Unrestricted Upload of File with Dangerous Type vulnerability in Tiny File Manager Project Tiny File Manager In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. | 6.5 |
2019-12-30 | CVE-2019-4343 | IBM Netapp | Incorrect Authorization vulnerability in multiple products IBM Cognos Analytics 11.0 and 11.1 allows overly permissive cross-origin resource sharing which could allow an attacker to transfer private information. | 6.5 |
2020-01-03 | CVE-2020-1871 | Huawei | Insufficiently Protected Credentials vulnerability in Huawei Usg9500 Firmware USG9500 with software of V500R001C30SPC100; V500R001C30SPC200; V500R001C30SPC600; V500R001C60SPC500; V500R005C00SPC100; V500R005C00SPC200 have an improper credentials management vulnerability. | 6.4 |
2020-01-02 | CVE-2019-14859 | Python Ecdsa Project Redhat | Improper Verification of Cryptographic Signature vulnerability in multiple products A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. | 6.4 |
2019-12-31 | CVE-2019-7162 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine Adselfservice Plus 5.6 An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. | 6.4 |
2019-12-30 | CVE-2018-20499 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 6.4 |
2020-01-02 | CVE-2019-10205 | Redhat | Insufficiently Protected Credentials vulnerability in Redhat Quay 3.0.0 A flaw was found in the way Red Hat Quay stores robot account tokens in plain text. | 6.3 |
2020-01-04 | CVE-2020-5497 | Mitreid | Cross-site Scripting vulnerability in Mitreid Connect The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. | 6.1 |
2019-12-30 | CVE-2019-20141 | Laborator | Cross-site Scripting vulnerability in Laborator Neon 2.0 An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter. | 6.1 |
2019-12-30 | CVE-2019-19738 | Mfscripts | Cross-site Scripting vulnerability in Mfscripts Yetishare log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the lFile parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS. | 6.1 |
2019-12-30 | CVE-2019-19736 | Mfscripts | Incorrect Permission Assignment for Critical Resource vulnerability in Mfscripts Yetishare MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scripting. | 6.1 |
2019-12-30 | CVE-2019-19733 | Mfscripts | Cross-site Scripting vulnerability in Mfscripts Yetishare _get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.ajax.php) in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS. | 6.1 |
2019-12-31 | CVE-2019-10229 | Mailstore | Insufficient Session Expiration vulnerability in Mailstore and Mailstore Server An issue was discovered in MailStore Server (and Service Provider Edition) 9.x through 11.x before 11.2.2. | 6.0 |
2020-01-04 | CVE-2015-9540 | Chamilo | Open Redirect vulnerability in Chamilo LMS Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open redirect, a related issue to CVE-2015-5503. | 5.8 |
2020-01-03 | CVE-2019-20329 | Openlambda Project | Improper Input Validation vulnerability in Openlambda Project Openlambda 20190910 OpenLambda 2019-09-10 allows DNS rebinding attacks against the OL server for the REST API on TCP port 5000. | 5.8 |
2020-01-02 | CVE-2019-20225 | Mybb | Open Redirect vulnerability in Mybb MyBB before 1.8.22 allows an open redirect on login. | 5.8 |
2019-12-30 | CVE-2019-20071 | Netis Systems | Cross-Site Request Forgery (CSRF) vulnerability in Netis-Systems Dl4343 Firmware On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs. | 5.8 |
2020-01-03 | CVE-2019-19260 | Gitlab | Unspecified vulnerability in Gitlab GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 2 of 2). | 5.5 |
2020-01-02 | CVE-2019-20208 | Gpac Debian | Out-of-bounds Write vulnerability in multiple products dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based buffer overflow. | 5.5 |
2019-12-31 | CVE-2019-14466 | Gosa Project Debian | Deserialization of Untrusted Data vulnerability in multiple products The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP objection injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a crafted cookie value, because unserialize is used to restore filter settings from a cookie. | 5.5 |
2019-12-31 | CVE-2019-20170 | Gpac Debian | Release of Invalid Pointer or Reference vulnerability in multiple products An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 5.5 |
2019-12-31 | CVE-2019-20165 | Gpac Debian | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 5.5 |
2019-12-31 | CVE-2019-20163 | Gpac Debian | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 5.5 |
2019-12-31 | CVE-2019-20162 | Gpac Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 5.5 |
2019-12-31 | CVE-2019-20161 | Gpac Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 5.5 |
2019-12-30 | CVE-2019-19032 | Xmlblueprint | XXE vulnerability in Xmlblueprint XMLBlueprint through 16.191112 is affected by XML External Entity Injection. | 5.5 |
2019-12-30 | CVE-2019-19031 | Edit XML | XXE vulnerability in Edit-Xml Easy XML Editor 1.7.8 Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. | 5.5 |
2019-12-30 | CVE-2019-20096 | Linux Debian Canonical | Memory Leak vulnerability in multiple products In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b. | 5.5 |
2019-12-30 | CVE-2019-20093 | Podofo Project Fedoraproject | NULL Pointer Dereference vulnerability in multiple products The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file, because of ImageExtractor.cpp. | 5.5 |
2020-01-02 | CVE-2019-20204 | Postieplugin | Cross-site Scripting vulnerability in Postieplugin Postie The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element. | 5.4 |
2019-12-30 | CVE-2019-19806 | Mfscripts | Information Exposure Through an Error Message vulnerability in Mfscripts Yetishare _account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 displays a message indicating whether an email address is configured for the account name provided. | 5.3 |
2019-12-30 | CVE-2019-19805 | Mfscripts | Information Exposure Through Discrepancy vulnerability in Mfscripts Yetishare _account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 takes a different amount of time to return depending on whether an email address is configured for the account name provided. | 5.3 |
2020-01-05 | CVE-2019-19629 | Gitlab | Information Exposure vulnerability in Gitlab In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration. | 5.0 |
2020-01-05 | CVE-2019-19314 | Gitlab | Cleartext Storage of Sensitive Information vulnerability in Gitlab GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext. | 5.0 |
2020-01-05 | CVE-2019-19313 | Gitlab | Improper Input Validation vulnerability in Gitlab GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Service. | 5.0 |
2020-01-05 | CVE-2019-19312 | Gitlab | Information Exposure vulnerability in Gitlab GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. | 5.0 |
2020-01-03 | CVE-2019-19959 | Sqlite Canonical | ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind. | 5.0 |
2020-01-03 | CVE-2019-19258 | Gitlab | Information Exposure vulnerability in Gitlab GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control. | 5.0 |
2020-01-03 | CVE-2019-19257 | Gitlab | Information Exposure vulnerability in Gitlab GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2). | 5.0 |
2020-01-03 | CVE-2019-19256 | Gitlab | Information Exposure vulnerability in Gitlab GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control. | 5.0 |
2020-01-03 | CVE-2019-19254 | Gitlab | Information Exposure vulnerability in Gitlab GitLab Community Edition (CE) and Enterprise Edition (EE). | 5.0 |
2020-01-02 | CVE-2013-3620 | Supermicro Citrix | Insufficiently Protected Credentials vulnerability in multiple products Hardcoded WSMan credentials in Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before 3.15 (SMT_X9_315) and firmware for Supermicro X8 generation motherboards before SMT X8 312. | 5.0 |
2020-01-02 | CVE-2019-10775 | Ecstatic Project | Resource Exhaustion vulnerability in Ecstatic Project Ecstatic ecstatic have a denial of service vulnerability. | 5.0 |
2020-01-02 | CVE-2019-20203 | Postieplugin | Authentication Bypass by Spoofing vulnerability in Postieplugin Postie The Authorized Addresses feature in the Postie plugin 1.9.40 for WordPress allows remote attackers to publish posts by spoofing the From information of an email message. | 5.0 |
2019-12-31 | CVE-2013-4357 | Eglibc Novell Debian Canonical Fedoraproject | Classic Buffer Overflow vulnerability in multiple products The eglibc package before 2.14 incorrectly handled the getaddrinfo() function. | 5.0 |
2019-12-31 | CVE-2019-9668 | Rovinbhandari FTP Project | Improper Input Validation vulnerability in Rovinbhandari FTP Project Rovinbhandari FTP 20120328 An issue was discovered in rovinbhandari FTP through 2012-03-28. | 5.0 |
2019-12-31 | CVE-2019-7751 | Ricoh | Path Traversal vulnerability in Ricoh Fusionpro VDP A directory traversal and local file inclusion vulnerability in FPProducerInternetServer.exe in Ricoh MarcomCentral, formerly PTI Marketing, FusionPro VDP before 10.0 allows a remote attacker to list or enumerate sensitive contents of files. | 5.0 |
2019-12-30 | CVE-2018-20507 | Gitlab | Missing Authentication for Critical Function vulnerability in Gitlab An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 5.0 |
2019-12-30 | CVE-2018-20495 | Gitlab | Information Exposure vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 5.0 |
2019-12-30 | CVE-2018-20494 | Gitlab | Incorrect Authorization vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 5.0 |
2019-12-30 | CVE-2018-20489 | Gitlab | Improper Authentication vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 5.0 |
2019-12-30 | CVE-2013-0264 | Redhat | Improper Certificate Validation vulnerability in Redhat MRG Management Console R5310 An import error was introduced in Cumin in the code refactoring in r5310. | 5.0 |
2019-12-30 | CVE-2012-5663 | Openbsd | Incomplete Cleanup vulnerability in Openbsd Textproc/Isearch The isearch package (textproc/isearch) before 1.47.01nb1 uses the tempnam() function to create insecure temporary files into a publicly-writable area (/tmp). | 5.0 |
2019-12-30 | CVE-2019-20149 | Kind OF Project | Exposure of Resource to Wrong Sphere vulnerability in Kind-Of Project Kind-Of 6.0.2 ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. | 5.0 |
2019-12-30 | CVE-2019-13465 | ROS | Unspecified vulnerability in ROS Ros-Comm An issue was discovered in the ROS communications-related packages (aka ros_comm or ros-melodic-ros-comm) through 1.14.3. | 5.0 |
2019-12-30 | CVE-2018-1682 | IBM | Information Exposure vulnerability in IBM Watston Studio Local 1.2.3 IBM Watson Studio Local 1.2.3 could disclose sensitive information over the network that an attacked could use in further attacks against the system. | 5.0 |
2019-12-30 | CVE-2019-20138 | Http Authentication Library Project | Inadequate Encryption Strength vulnerability in Http Authentication Library Project Http Authentication Library The HTTP Authentication library before 2019-12-27 for Nim has weak password hashing because the default algorithm for libsodium's crypto_pwhash_str is not used. | 5.0 |
2019-12-30 | CVE-2019-20095 | Linux Opensuse Netapp | Memory Leak vulnerability in multiple products mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. | 4.9 |
2020-01-05 | CVE-2020-5306 | Codologic | Cross-site Scripting vulnerability in Codologic Codoforum 4.8.3 Codoforum 4.8.3 allows XSS via a post using parameters display name, title name, or content. | 4.8 |
2019-12-31 | CVE-2011-3585 | Samba Redhat | Race Condition vulnerability in multiple products Multiple race conditions in the (1) mount.cifs and (2) umount.cifs programs in Samba 3.6 allow local users to cause a denial of service (mounting outage) via a SIGKILL signal during a time window when the /etc/mtab~ file exists. | 4.7 |
2020-01-02 | CVE-2013-4532 | Qemu Canonical Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. | 4.6 |
2020-01-05 | CVE-2019-20154 | Determine | Cross-site Scripting vulnerability in Determine Contract Lifecycle Management 5.4 An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) v5.4. | 4.3 |
2020-01-05 | CVE-2019-20077 | Typesettercms | Cross-Site Request Forgery (CSRF) vulnerability in Typesettercms Typesetter 5.1 The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. | 4.3 |
2020-01-05 | CVE-2019-20336 | Advanced Real Estate Script Project | Cross-site Scripting vulnerability in Advanced Real Estate Script Project Advanced Real Estate Script 4.0.9 In PHP Scripts Mall advanced-real-estate-script 4.0.9, the search-results.php searchtext parameter is vulnerable to XSS. | 4.3 |
2020-01-04 | CVE-2019-20334 | Nasm | Uncontrolled Recursion vulnerability in Nasm Netwide Assembler 2.14.02 In Netwide Assembler (NASM) 2.14.02, stack consumption occurs in expr# functions in asm/eval.c. | 4.3 |
2020-01-03 | CVE-2019-9542 | Telos | Cross-site Scripting vulnerability in Telos Automated Message Handling System : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itemlookup.asp of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. | 4.3 |
2020-01-03 | CVE-2019-9541 | Telos | Cross-site Scripting vulnerability in Telos Automated Message Handling System : Information Exposure vulnerability in itemlookup.asp of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. | 4.3 |
2020-01-03 | CVE-2019-9540 | Telos | Cross-site Scripting vulnerability in Telos Automated Message Handling System : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in prefs.asp of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. | 4.3 |
2020-01-03 | CVE-2019-9539 | Telos | Cross-site Scripting vulnerability in Telos Automated Message Handling System : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ModalWindowPopup.asp of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. | 4.3 |
2020-01-03 | CVE-2019-9538 | Telos | Cross-site Scripting vulnerability in Telos Automated Message Handling System : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the LDAP cbURL parameter of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. | 4.3 |
2020-01-03 | CVE-2019-9537 | Telos | Cross-site Scripting vulnerability in Telos Automated Message Handling System : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uploaditem.asp of Telos Automated Message Handling System allows a remote attacker to inject arbitrary script into an AMHS session. | 4.3 |
2020-01-03 | CVE-2014-5516 | Konakart | Cross-Site Request Forgery (CSRF) vulnerability in Konakart Cross-site request forgery (CSRF) vulnerability in the Storefront Application in DS Data Systems KonaKart before 7.3.0.0 allows remote attackers to hijack the authentication of administrators for requests that change a user email address via an unspecified GET request. | 4.3 |
2020-01-03 | CVE-2014-4196 | Bssys | Cross-site Scripting vulnerability in Bssys RBS Bs-Client 3.17.9 Cross-site scripting (XSS) vulnerability in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client 3.17.9 allows remote attackers to inject arbitrary web script or HTML via the colorstyle parameter. | 4.3 |
2020-01-03 | CVE-2014-10398 | Bssys | Cross-site Scripting vulnerability in Bssys RBS Bs-Client. Retail Client 2.4/2.5 Multiple cross-site scripting (XSS) vulnerabilities in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client. | 4.3 |
2020-01-03 | CVE-2012-4451 | Zend Fedoraproject Redhat | Cross-site Scripting vulnerability in multiple products Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper. | 4.3 |
2020-01-02 | CVE-2014-8182 | Openldap Debian | Off-by-one Error vulnerability in multiple products An off-by-one error leading to a crash was discovered in openldap 2.4 when processing DNS SRV messages. | 4.3 |
2020-01-02 | CVE-2014-6275 | Fusionforge Debian | Information Exposure vulnerability in multiple products FusionForge before 5.3.2 use scripts that run under the shared Apache user, which is also used by project homepages by default. | 4.3 |
2020-01-02 | CVE-2013-1642 | Realtime Projects | Cross-site Scripting vulnerability in Realtime-Projects Quixplorer Multiple cross-site scripting (XSS) vulnerabilities in QuiXplorer before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) dir, (2) item, (3) order, (4) searchitem, (5) selitems[], or (6) srt parameter to index.php or (7) the QUERY_STRING to index.php. | 4.3 |
2020-01-02 | CVE-2013-1420 | GET Simple | Cross-site Scripting vulnerability in Get-Simple Getsimple CMS Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to filebrowser.php in admin/. | 4.3 |
2020-01-02 | CVE-2013-0737 | Boltwire | Cross-site Scripting vulnerability in Boltwire Cross-site scripting (XSS) vulnerability in BoltWire 3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the fieldnames parameter. | 4.3 |
2020-01-02 | CVE-2014-3590 | Redhat | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Satellite 6.0 Versions of Foreman as shipped with Red Hat Satellite 6 does not check for a correct CSRF token in the logout action. | 4.3 |
2020-01-02 | CVE-2014-0245 | Redhat | Race Condition vulnerability in Redhat Jboss Portal 6.2.0 It was found that the implementation of the GTNSubjectCreatingInterceptor class in gatein-wsrp was not thread safe. | 4.3 |
2020-01-02 | CVE-2014-0183 | Redhat | Cross-site Scripting vulnerability in Redhat Subscription Asset Manager 1.4.0 Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to a XSS via HTML in the systems name when registering. | 4.3 |
2020-01-02 | CVE-2013-7351 | Shaarli Project | Cross-site Scripting vulnerability in Shaarli Project Shaarli Multiple cross-site scripting (XSS) vulnerabilities in index.php in Shaarli allow remote attackers to inject arbitrary web script or HTML via the URL to the (1) showRSS, (2) showATOM, or (3) showDailyRSS function; a (4) file name to the importFile function; or (5) vectors related to bookmarks. | 4.3 |
2020-01-02 | CVE-2014-4553 | Spreadshirt RSS 3D Cube Flash Gallery Project | Cross-site Scripting vulnerability in Spreadshirt-Rss-3D-Cube-Flash-Gallery Project Spreadshirt-Rss-3D-Cube-Flash-Gallery 2014 Cross-site Scripting (XSS) in the spreadshirt-rss-3d-cube-flash-gallery plugin 2014 for WordPress allows remote attackers to execute arbitrary web script or HTML via unspecified parameters. | 4.3 |
2020-01-02 | CVE-2013-7486 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.2.2/7.4.0 Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev27 and 7.4.x before 7.4.0-rev20 allows remote attackers to inject arbitrary web script or HTML via the body of an email. | 4.3 |
2020-01-02 | CVE-2013-7485 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.2.2/7.4.0 Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev26 and 7.4.x before 7.4.0-rev16 allows remote attackers to inject arbitrary web script or HTML via the publication name, which is not properly handled in an error message. | 4.3 |
2020-01-02 | CVE-2013-7062 | Plone | Cross-site Scripting vulnerability in Plone Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method. | 4.3 |
2020-01-02 | CVE-2013-6242 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 6.22.3 before 6.22.3-rev5 and 6.22.4 before 6.22.4-rev12 allows remote attackers to inject arbitrary web script or HTML via the subject of an email. | 4.3 |
2020-01-02 | CVE-2014-0161 | Ovirt Engine SDK Python Project | Improper Certificate Validation vulnerability in Ovirt-Engine-Sdk-Python Project Ovirt-Engine-Sdk-Python ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. | 4.3 |
2020-01-02 | CVE-2013-3619 | Supermicro Citrix | Use of Hard-coded Credentials vulnerability in multiple products Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before SMT_X9_317 and firmware for Supermicro X8 generation motherboards before SMT X8 312 contain harcoded private encryption keys for the (1) Lighttpd web server SSL interface and the (2) Dropbear SSH daemon. | 4.3 |
2020-01-02 | CVE-2014-0104 | Clusterlabs | Improper Certificate Validation vulnerability in Clusterlabs Fence-Agents In fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script which can potentially allow for man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates. | 4.3 |
2020-01-02 | CVE-2013-4752 | Sensiolabs Fedoraproject | Cross-site Scripting vulnerability in multiple products Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. | 4.3 |
2020-01-02 | CVE-2019-14863 | Angularjs Redhat | Cross-site Scripting vulnerability in multiple products There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. | 4.3 |
2020-01-02 | CVE-2019-14862 | Knockoutjs Redhat Oracle | Cross-site Scripting vulnerability in multiple products There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. | 4.3 |
2020-01-02 | CVE-2013-3936 | Opsview | Cross-site Scripting vulnerability in Opsview and Opsview Core Multiple cross-site scripting (XSS) vulnerabilities in Opsview before 4.4.1 and Opsview Core before 20130522 allow remote attackers to inject arbitrary web script or HTML. | 4.3 |
2020-01-02 | CVE-2019-20223 | Sitracker | Cross-site Scripting vulnerability in Sitracker Support Incident Tracker 3.67 In Support Incident Tracker (SiT!) 3.67, the id parameter is affected by XSS on all endpoints that use this parameter, a related issue to CVE-2012-2235. | 4.3 |
2020-01-02 | CVE-2019-20222 | Sitracker | Cross-site Scripting vulnerability in Sitracker Support Incident Tracker 3.67 In Support Incident Tracker (SiT!) 3.67, the Short Application Name and Application Name inputs in the config.php page are affected by XSS. | 4.3 |
2020-01-02 | CVE-2019-20221 | Sitracker | Cross-site Scripting vulnerability in Sitracker Support Incident Tracker 3.67 In Support Incident Tracker (SiT!) 3.67, Load Plugins input in the config.php page is affected by XSS. | 4.3 |
2020-01-02 | CVE-2019-20220 | Sitracker | Cross-site Scripting vulnerability in Sitracker Support Incident Tracker 3.67 In Support Incident Tracker (SiT!) 3.67, the search_id parameter in the search_incidents_advanced.php page is affected by XSS. | 4.3 |
2019-12-31 | CVE-2019-20202 | Ezxml Project | Release of Invalid Pointer or Reference vulnerability in Ezxml Project Ezxml An issue was discovered in ezXML 0.8.3 through 0.8.6. | 4.3 |
2019-12-31 | CVE-2019-20201 | Ezxml Project | XML Injection (aka Blind XPath Injection) vulnerability in Ezxml Project Ezxml An issue was discovered in ezXML 0.8.3 through 0.8.6. | 4.3 |
2019-12-31 | CVE-2019-20200 | Ezxml Project | Out-of-bounds Read vulnerability in Ezxml Project Ezxml An issue was discovered in ezXML 0.8.3 through 0.8.6. | 4.3 |
2019-12-31 | CVE-2019-20199 | Ezxml Project | NULL Pointer Dereference vulnerability in Ezxml Project Ezxml An issue was discovered in ezXML 0.8.3 through 0.8.6. | 4.3 |
2019-12-31 | CVE-2019-20198 | Ezxml Project | Uncontrolled Recursion vulnerability in Ezxml Project Ezxml An issue was discovered in ezXML 0.8.3 through 0.8.6. | 4.3 |
2019-12-31 | CVE-2015-5595 | Zenphoto | Cross-Site Request Forgery (CSRF) vulnerability in Zenphoto Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption). | 4.3 |
2019-12-31 | CVE-2015-5593 | Zenphoto | Cross-site Scripting vulnerability in Zenphoto The sanitize_string function in Zenphoto before 1.4.9 does not properly sanitize HTML tags, which allows remote attackers to perform a cross-site scripting (XSS) attack by wrapping a payload in "<<script></script>script>payload<script></script></script>", or in an image tag, with the payload as the onerror event. | 4.3 |
2019-12-31 | CVE-2015-5592 | Zenphoto | Cross-site Scripting vulnerability in Zenphoto Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allows remote attackers to conduct cross-site scripting (XSS) attacks. | 4.3 |
2019-12-31 | CVE-2013-7071 | Fibranet | Cross-site Scripting vulnerability in Fibranet Monitorix Cross-site scripting (XSS) vulnerability in the handle_request function in lib/HTTPServer.pm in Monitorix before 3.4.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | 4.3 |
2019-12-31 | CVE-2019-10227 | IT Novum | Cross-site Scripting vulnerability in It-Novum Openitcockpit openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component. | 4.3 |
2019-12-31 | CVE-2019-9554 | Craftcms | Cross-site Scripting vulnerability in Craftcms Craft CMS 3.1.12 In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI. | 4.3 |
2019-12-31 | CVE-2019-9553 | Bolt | Cross-site Scripting vulnerability in Bolt 3.6.4 Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to editcontent/pages, a related issue to CVE-2017-11128 and CVE-2018-19933. | 4.3 |
2019-12-31 | CVE-2019-9207 | Paessler | Cross-site Scripting vulnerability in Paessler Prtg Network Monitor 7.1.3.3378 PRTG Network Monitor v7.1.3.3378 allows XSS via the /search.htm searchtext parameter. | 4.3 |
2019-12-31 | CVE-2019-9206 | Paessler | Cross-site Scripting vulnerability in Paessler Prtg Network Monitor 7.1.3.3378 PRTG Network Monitor v7.1.3.3378 allows XSS via the /public/login.htm errormsg or loginurl parameter. | 4.3 |
2019-12-31 | CVE-2018-14476 | Metalgenix | Cross-site Scripting vulnerability in Metalgenix Genixcms 1.1.5 GeniXCMS 1.1.5 has XSS via the dbuser or dbhost parameter during step 1 of installation. | 4.3 |
2019-12-31 | CVE-2019-20171 | Gpac Debian | Memory Leak vulnerability in multiple products An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 4.3 |
2019-12-31 | CVE-2019-20169 | Gpac | Use After Free vulnerability in Gpac 0.8.0/0.9.0 An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 4.3 |
2019-12-31 | CVE-2019-20168 | Gpac | Use After Free vulnerability in Gpac 0.8.0/0.9.0 An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 4.3 |
2019-12-31 | CVE-2019-20167 | Gpac | NULL Pointer Dereference vulnerability in Gpac 0.8.0/0.9.0 An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 4.3 |
2019-12-31 | CVE-2019-20166 | Gpac | NULL Pointer Dereference vulnerability in Gpac 0.8.0/0.9.0 An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 4.3 |
2019-12-31 | CVE-2019-20164 | Gpac | NULL Pointer Dereference vulnerability in Gpac 0.8.0/0.9.0 An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 4.3 |
2019-12-31 | CVE-2019-20160 | Gpac | Out-of-bounds Write vulnerability in Gpac 0.8.0/0.9.0 An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 4.3 |
2019-12-31 | CVE-2019-20159 | Gpac | Missing Release of Resource after Effective Lifetime vulnerability in Gpac 0.8.0/0.9.0 An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. | 4.3 |
2019-12-30 | CVE-2018-7859 | Dlink | Cross-site Scripting vulnerability in Dlink products A security vulnerability in D-Link DGS-1510-series switches with firmware 1.20.011, 1.30.007, 1.31.B003 and older that may allow a remote attacker to inject malicious scripts in the device and execute commands via browser that is configuring the unit. | 4.3 |
2019-12-30 | CVE-2019-20092 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 1.5.1.0 An issue was discovered in Bento4 1.5.1.0. | 4.3 |
2019-12-30 | CVE-2019-20091 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 1.5.1.0 An issue was discovered in Bento4 1.5.1.0. | 4.3 |
2019-12-30 | CVE-2019-20076 | Netis Systems | Cross-site Scripting vulnerability in Netis-Systems Dl4343 Firmware On Netis DL4323 devices, XSS exists via the form2Ddns.cgi username parameter (DynDns settings of the Dynamic DNS Configuration). | 4.3 |
2019-12-30 | CVE-2019-20075 | Netis Systems | Cross-site Scripting vulnerability in Netis-Systems Dl4343 Firmware On Netis DL4323 devices, pingrtt_v6.html has XSS (Ping6 Diagnostic). | 4.3 |
2019-12-30 | CVE-2019-20073 | Netis Systems | Cross-site Scripting vulnerability in Netis-Systems Dl4343 Firmware On Netis DL4323 devices, XSS exists via the form2userconfig.cgi username parameter (User Account Configuration). | 4.3 |
2019-12-30 | CVE-2019-20072 | Netis Systems | Cross-site Scripting vulnerability in Netis-Systems Dl4343 Firmware On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname parameter (Dynamic DNS Configuration). | 4.3 |
2019-12-30 | CVE-2019-20070 | Netis Systems | Cross-site Scripting vulnerability in Netis-Systems Dl4343 Firmware On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration). | 4.3 |
2020-01-05 | CVE-2019-20153 | Determine | XXE vulnerability in Determine Contract Lifecycle Management 5.4 An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) in v5.4. | 4.0 |
2020-01-03 | CVE-2019-19310 | Gitlab | Insufficiently Protected Credentials vulnerability in Gitlab GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure. | 4.0 |
2020-01-03 | CVE-2019-19309 | Gitlab | Information Exposure vulnerability in Gitlab GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access Control. | 4.0 |
2020-01-03 | CVE-2019-19263 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure Permissions. | 4.0 |
2020-01-03 | CVE-2019-19262 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions. | 4.0 |
2020-01-03 | CVE-2019-19259 | Gitlab | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR). | 4.0 |
2020-01-03 | CVE-2019-19255 | Gitlab | Unspecified vulnerability in Gitlab GitLab Enterprise Edition (EE) 12.3 and later through 12.5 has Incorrect Access Control. | 4.0 |
2020-01-03 | CVE-2019-19087 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 2 of 2). | 4.0 |
2020-01-03 | CVE-2019-19086 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 1 of 2). | 4.0 |
2020-01-02 | CVE-2014-0169 | Redhat | Incorrect Authorization vulnerability in Redhat Jboss Enterprise Application Platform 6.0.0 In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. | 4.0 |
2020-01-02 | CVE-2019-14864 | Redhat Debian Opensuse | Improper Output Neutralization for Logs vulnerability in multiple products Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. | 4.0 |
2019-12-31 | CVE-2019-12837 | Gencat | Information Exposure vulnerability in Gencat Portal D'Acces A LA Universitat 1.7.5 The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attackers to get personal information of all registered students via several API endpoints. | 4.0 |
2019-12-30 | CVE-2018-20498 | Gitlab | Incorrect Authorization vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 4.0 |
2019-12-30 | CVE-2018-20497 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 4.0 |
2019-12-30 | CVE-2018-20493 | Gitlab | Incorrect Authorization vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 4.0 |
2019-12-30 | CVE-2018-20488 | Gitlab | Information Exposure vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 4.0 |
2019-12-30 | CVE-2019-4655 | IBM | Improper Input Validation vulnerability in IBM MQ and MQ Appliance IBM MQ 9.1.0.0, 9.1.0.1, 9.1.0.2, 9.1.0.3, 9.1.1, 9.1.2, and 9.1.3 is vulnerable to a denial of service attack that would allow an authenticated user to reset client connections due to an error within the Data Conversion routine. | 4.0 |
2019-12-30 | CVE-2019-15024 | Yandex | Unspecified vulnerability in Yandex Clickhouse In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. | 4.0 |
2019-12-30 | CVE-2019-20074 | Netis Systems | Improper Privilege Management vulnerability in Netis-Systems Dl4343 Firmware On Netis DL4323 devices, any user role can view sensitive information, such as a user password or the FTP password, via the form2saveConf.cgi page. | 4.0 |
15 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-12-31 | CVE-2019-19927 | Linux Opensuse | Out-of-bounds Read vulnerability in multiple products In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on kernel.ubuntu.com), mounting a crafted f2fs filesystem image and performing some operations can lead to slab-out-of-bounds read access in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c. | 3.6 |
2020-01-05 | CVE-2020-5305 | Codologic | Cross-site Scripting vulnerability in Codologic Codoforum 4.8.3 Codoforum 4.8.3 allows XSS in the admin dashboard via a name field of a new user, i.e., on the Manage Users screen. | 3.5 |
2020-01-03 | CVE-2019-19311 | Gitlab | Cross-site Scripting vulnerability in Gitlab GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields. | 3.5 |
2020-01-02 | CVE-2013-3931 | Jomres | Cross-site Scripting vulnerability in Jomres 7.3.0 Cross-site scripting (XSS) vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to inject arbitrary web script or HTML via the property_name parameter, related to editing property details. | 3.5 |
2019-12-31 | CVE-2019-9556 | Fiberhomegroup | Cross-site Scripting vulnerability in Fiberhomegroup An5506-04-F Firmware Rp2669 FiberHome an5506-04-f RP2669 devices have XSS. | 3.5 |
2019-12-31 | CVE-2019-12186 | Sylius | Cross-site Scripting vulnerability in Sylius Grid An issue was discovered in Sylius products. | 3.5 |
2019-12-30 | CVE-2018-20496 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 3.5 |
2019-12-30 | CVE-2018-20491 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 3.5 |
2019-12-30 | CVE-2018-20490 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. | 3.5 |
2019-12-30 | CVE-2019-4623 | IBM | Cross-site Scripting vulnerability in IBM Cognos Analytics 11.0.0/11.1.0 IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. | 3.5 |
2019-12-30 | CVE-2019-20139 | Nagios | Cross-site Scripting vulnerability in Nagios XI 5.6.9 In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. | 3.5 |
2020-01-03 | CVE-2019-19441 | Huawei | Information Exposure vulnerability in Huawei P30 Firmware HUAWEI P30 smart phones with versions earlier than 10.0.0.166(C00E66R1P11) have an information leak vulnerability. | 3.3 |
2019-12-30 | CVE-2012-5476 | Openstack Debian | Information Exposure vulnerability in multiple products Within the RHOS Essex Preview (2012.2) of the OpenStack dashboard package, the file /etc/quantum/quantum.conf is world readable which exposes the admin password and token value. | 2.1 |
2019-12-30 | CVE-2012-5474 | Redhat Openstack Debian Fedoraproject | Missing Encryption of Sensitive Data vulnerability in multiple products The file /etc/openstack-dashboard/local_settings within Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1) is world readable and exposes the secret key value. | 2.1 |
2019-12-30 | CVE-2019-4335 | IBM | Insufficiently Protected Credentials vulnerability in IBM Watson Studio Local 1.2.3 IBM Watson Studio Local 1.2.3 stores key files in the user's home directory which could be obtained by another local user. | 2.1 |