Sara Working VB Draft (Medium Table)

N/A — N/A

  Google Chrome before 3.0 does not properly handle XML documents, which allows remote attackers to obtain sensitive information via a crafted web site. 2020-02-06 not yet calculated CVE-2010-3917

MISC

MISC N/A — N/A

  statusnet through 2010 allows attackers to spoof syslog messages via newline injection attacks. 2020-02-07 not yet calculated CVE-2010-4658

MISC

MISC N/A — N/A

  A cross-site scripting (XSS) vulnerability in Smoothwall Express 3. 2020-02-07 not yet calculated CVE-2011-1084

MISC N/A — N/A

  CSRF vulnerability in Smoothwall Express 3. 2020-02-07 not yet calculated CVE-2011-1085

MISC N/A — N/A

  Cross-site scripting (XSS) vulnerability in admin/system.html in Openfiler 2.3 allows remote attackers to inject arbitrary web script or HTML via the device parameter. 2020-02-07 not yet calculated CVE-2011-1086

MISC

MISC

MISC N/A — N/A

  OpenVAS Manager v2.0.3 allows plugin remote code execution. 2020-02-06 not yet calculated CVE-2011-1597

MISC N/A — N/A

  Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin. 2020-02-08 not yet calculated CVE-2011-3642

MISC

MISC

MISC

MISC

MISC

MISC

MISC

MISC

MISC

MISC N/A — N/A

  LinuxMint as of 2012-03-19 has temporary file creation vulnerabilities in mintNanny. 2020-02-07 not yet calculated CVE-2012-1566

MISC N/A — N/A

  LinuxMint as of 2012-03-19 has temporary file creation vulnerabilities in mintUpdate. 2020-02-07 not yet calculated CVE-2012-1567

MISC

MISC N/A — N/A

  Cross-site scripting (XSS) vulnerability in the administrative interface in Atmail Webmail Server 6.4 allows remote attackers to inject arbitrary web script or HTML via the Date field of an email. 2020-02-06 not yet calculated CVE-2012-2593

MISC

MISC N/A — N/A

  Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action. 2020-02-08 not yet calculated CVE-2012-4029

MISC

MISC

MISC N/A — N/A

  MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors. 2020-02-08 not yet calculated CVE-2012-4381

MISC

MISC

MISC

MISC

MISC

MISC

MISC N/A — N/A

  The CSS parser (khtml/css/cssparser.cpp) in Konqueror in KDE 4.7.3 allows remote attackers to cause a denial of service (crash) and possibly read memory via a crafted font face source, related to “type confusion.” 2020-02-08 not yet calculated CVE-2012-4512

MISC

MISC

MISC

MISC

MISC

MISC

MISC

MISC

MISC

MISC

MISC N/A — N/A

  The Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with the “access basic_webmail” permission to read arbitrary users’ email addresses. 2020-02-08 not yet calculated CVE-2012-5570

MISC

MISC

MISC

CONFIRM N/A — N/A

  Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens. 2020-02-04 not yet calculated CVE-2012-5618

MISC

MISC N/A — N/A

  Command Injection vulnerability exists via a CSRF in DD-WRT 24-sp2 from specially crafted configuration values containing shell meta-characters, which could let a remote malicious user cause a Denial of Service. 2020-02-06 not yet calculated CVE-2012-6297

BUGTRAQ

MISC

FULLDISC

MISC N/A — N/A

  A vulnerability exists in HCView (aka Hardcoreview) 1.4 due to a write access violation with a GIF file. 2020-02-06 not yet calculated CVE-2012-6306

MISC

MISC N/A — N/A

  A vulnerability exists in JPEGsnoop 1.5.2 due to an unspecified issue in JPEG file handling, which could let a malicious user execute arbitrary code. 2020-02-06 not yet calculated CVE-2012-6307

MISC

MISC N/A — N/A

  A vulnerability exists in Arctic Torrent 1.4 via unspecified vectors in .torrent file handling, which could let a malicious user cause a Denial of Service. 2020-02-06 not yet calculated CVE-2012-6309

MISC N/A — N/A

  An Authentication vulnerability exists in NETGEAR WGR614 v7 and v9 due to a hardcoded credential used for serial programming, a related issue to CVE-2006-1002. 2020-02-06 not yet calculated CVE-2012-6340

MISC

MISC

MISC N/A — N/A

  An Information Disclosure vulnerability exists in the my config file in NETGEAR WGR614 v7 and v9, which could let a malicious user recover all previously used passwords on the device, for both the control panel and WEP/WPA/WPA2, in plaintext. This is a different issue than CVE-2012-6340. 2020-02-06 not yet calculated CVE-2012-6341

MISC

MISC N/A — N/A

  File Disclosure in SMF (SimpleMachines Forum) <= 2.0.3: Forum admin can read files such as the database config. 2020-02-07 not yet calculated CVE-2013-0192

MISC

MISC

MISC N/A — N/A

  Cisco ACE A2(3.6) allows log retention DoS. 2020-02-07 not yet calculated CVE-2013-1202

MISC N/A — N/A

  webcalendar before 1.2.7 shows the reason for a failed login (e.g., “no such user”). 2020-02-04 not yet calculated CVE-2013-1422

MISC

MISC

MISC N/A — N/A

  WordPress Super Cache Plugin 1.3 has XSS. 2020-02-07 not yet calculated CVE-2013-2008

MISC

MISC

MISC N/A — N/A

  WordPress WP Super Cache Plugin 1.2 has Remote PHP Code Execution 2020-02-07 not yet calculated CVE-2013-2009

MISC

MISC

MISC

MISC

MISC N/A — N/A

  Brother MFC-9970CDW 1.10 devices with Firmware L contain a Frameable response (Clickjacking) vulnerability which could allow remote attackers to obtain sensitive information. 2020-02-05 not yet calculated CVE-2013-2675

MISC

XF

BID N/A — N/A

  Brother MFC-9970CDW 1.10 firmware L devices contain an information disclosure vulnerability which allows remote attackers to view private IP addresses and other sensitive information. 2020-02-04 not yet calculated CVE-2013-2676

MISC

XF

BID N/A — N/A

  Linksys WRT310Nv2 2.0.0.1 is vulnerable to XSS. 2020-02-07 not yet calculated CVE-2013-3067

MISC

MISC

MISC N/A — N/A

  An Authentication Bypass vulnerability in Belkin N300 (F7D7301v1) router allows remote attackers to bypass authentication using “Javascript debugging.” 2020-02-07 not yet calculated CVE-2013-3091

MISC

MISC

MISC N/A — N/A

  D-Link DIR865L v1.03 suffers from an “Unauthenticated Hardware Linking” vulnerability. 2020-02-07 not yet calculated CVE-2013-3096

MISC

MISC

MISC N/A — N/A

  The web interface in VideoLAN VLC media player before 2.0.7 has no access control which allows remote attackers to view directory listings via the ‘dir’ command or issue other commands without authenticating. 2020-02-06 not yet calculated CVE-2013-3564

MISC N/A — N/A

  Cross-site request forgery (CSRF) vulnerability in Cisco Linksys WRT110 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors. 2020-02-06 not yet calculated CVE-2013-3568

EXPLOIT-DB

BID

XF N/A — N/A

  vTiger CRM 5.3 and 5.4: ‘files’ Upload Folder Arbitrary PHP Code Execution Vulnerability 2020-02-07 not yet calculated CVE-2013-3591

MISC

MISC

MISC

MISC N/A — N/A

  Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability 2020-02-07 not yet calculated CVE-2013-3628

MISC

MISC

MISC

MISC N/A — N/A

  ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution 2020-02-07 not yet calculated CVE-2013-3629

MISC

MISC

MISC

MISC N/A — N/A

  ProjectPier 0.8.8 has stored XSS 2020-02-07 not yet calculated CVE-2013-3635

MISC N/A — N/A

  ProjectPier 0.8.8 has a Remote Information Disclosure Weakness because of the lack of the HttpOnly cookie flag 2020-02-07 not yet calculated CVE-2013-3636

MISC

MISC

MISC N/A — N/A

  ProjectPier 0.8.8 does not use the Secure flag for cookies 2020-02-07 not yet calculated CVE-2013-3637

MISC N/A — N/A

  SQL injection vulnerability in Boonex Dolphin before 7.1.3 allows remote authenticated users to execute arbitrary SQL commands via the ‘pathes’ parameter in ‘categories.php’. 2020-02-06 not yet calculated CVE-2013-3638

BID

XF N/A — N/A

  The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNOME Evolution 3.8.4 and earlier and Evolution Data Server 3.9.5 and earlier does not properly select the GPG key to use for email encryption, which might cause the email to be encrypted with the wrong key and allow remote attackers to obtain sensitive information. 2020-02-06 not yet calculated CVE-2013-4166

CONFIRM

MISC

MISC

CONFIRM

CONFIRM N/A — N/A

  opWebAPIPlugin 0.5.1, 0.4.0, and 0.1.0: XXE Vulnerabilities 2020-02-07 not yet calculated CVE-2013-4334

MISC

MISC N/A — N/A

  opOpenSocialPlugin 0.8.2.1, > 0.9.9.2, 0.9.13, 1.2.6: Multiple XML External Entity Injection Vulnerabilities 2020-02-07 not yet calculated CVE-2013-4335

MISC

MISC

MISC N/A — N/A

  RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165. 2020-02-06 not yet calculated CVE-2013-4521

CONFIRM

MISC

CONFIRM N/A — N/A

  The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user. 2020-02-06 not yet calculated CVE-2013-4572

MISC

MISC

CONFIRM

MISC N/A — N/A

  The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875. 2020-02-06 not yet calculated CVE-2014-10399

MISC

MISC

MISC N/A — N/A

  The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875. 2020-02-06 not yet calculated CVE-2014-10400

MISC

MISC

MISC N/A — N/A

  Buffer overflow in the DecodePSDPixels function in coders/psd.c in ImageMagick before 6.8.8-5 might allow remote attackers to execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-2030. 2020-02-06 not yet calculated CVE-2014-1958

CONFIRM

CONFIRM

CONFIRM

CONFIRM

MISC

MISC

MISC N/A — N/A

  Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947. 2020-02-06 not yet calculated CVE-2014-2030

CONFIRM

CONFIRM

CONFIRM

MISC

MISC

MISC

MISC

CONFIRM N/A — N/A

  Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity. 2020-02-08 not yet calculated CVE-2014-2225

MISC

MISC N/A — N/A

  The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10300 and CVE-2014-10400 were SPLIT from this ID. 2020-02-06 not yet calculated CVE-2014-2875

MISC

MISC

MISC N/A — N/A

  A vulnerability exists in Sphider Search Engine prior to 1.3.6 due to exec calls in admin/spiderfuncs.php, which could let a remote malicious user execute arbitrary code. 2020-02-07 not yet calculated CVE-2014-5087

MISC

MISC N/A — N/A

  A vulnerability exists in Status2K 2.5 Server Monitoring Software via the multies parameter to includes/functions.php, which could let a malicious user execute arbitrary PHP code. 2020-02-07 not yet calculated CVE-2014-5091

MISC

MISC

MISC

MISC N/A — N/A

  A vulnerability exists in Docker before 1.2 via container names, which may collide with and override container IDs. 2020-02-07 not yet calculated CVE-2014-5278

MISC

MISC

MISC N/A — N/A

  A CSRF Vulnerability exists in Kemp Load Master before 7.0-18a via unspecified vectors in administrative pages. 2020-02-07 not yet calculated CVE-2014-5288

MISC

MISC N/A — N/A

  A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a specially-crafted URL request to the thumbnail.cfm to specify a malicious PNG file, which could let a remote malicious user obtain sensitive information or execute arbitrary code. 2020-02-07 not yet calculated CVE-2014-5468

MISC

MISC

MISC

MISC

MISC N/A — N/A

  A Cross-site Scripting (XSS) vulnerability exists in WatchGuard XTM 11.8.3 via the poll_name parameter in the firewall/policy script. 2020-02-07 not yet calculated CVE-2014-6413

MISC

MISC

MISC

MISC N/A — N/A

  A Code Execution vulnerability exists in Android prior to 4.4.0 related to the addJavascriptInterface method and the accessibility and accessibilityTraversal objects, which could let a remote malicious user execute arbitrary code. 2020-02-07 not yet calculated CVE-2014-7224

MISC

MISC

MISC

MISC N/A — N/A

  The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet. 2020-02-08 not yet calculated CVE-2014-7863

MISC

MISC

MISC

MISC

MISC

MISC N/A — N/A

  Buffer overflow in the Reclaim function in Tianocore EDK2 before SVN 16280 allows physically proximate attackers to gain privileges via a long variable name. 2020-02-06 not yet calculated CVE-2014-8271

MISC

MISC N/A — N/A

  Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with a PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014. 2020-02-08 not yet calculated CVE-2014-8739

MISC

MISC

MISC

MISC

MISC

MISC

MISC

MISC N/A — N/A

  Multiple cross-site scripting (XSS) vulnerabilities in Open-School Community Edition 2.2 allow remote attackers to inject arbitrary web script or HTML via the YII_CSRF_TOKEN HTTP cookie or the StudentDocument, StudentCategories, StudentPreviousDatas parameters to index.php. 2020-02-08 not yet calculated CVE-2014-9126

MISC N/A — N/A

  Open-School Community Edition 2.2 does not properly restrict access to the export functionality, which allows remote authenticated users to obtain sensitive information via the r parameter with the value export to index.php. 2020-02-08 not yet calculated CVE-2014-9127

MISC N/A — N/A

  Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search. 2020-02-08 not yet calculated CVE-2014-9470

MISC

MISC

MISC

MISC

MISC

MISC N/A — N/A

  A vulnerability exists in nw.js before 0.11.3 when calling nw methods from normal frames, which has an unspecified impact. 2020-02-07 not yet calculated CVE-2014-9530

CONFIRM N/A — N/A

  Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clipboard_task, (6) clipboard_files, (7) clipboard_src, or (8) clipboard_dest parameters in an addImages action to wp-admin/admin-ajax.php. 2020-02-08 not yet calculated CVE-2015-1394

MISC

MISC

MISC

MISC

MISC N/A — N/A

  Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-image) plugin before 2.7.0 for WordPress allow remote administrators to execute arbitrary SQL commands via the removeslide parameter in a popup_posts or edit_cat action in the sliders_huge_it_slider page to wp-admin/admin.php. 2020-02-08 not yet calculated CVE-2015-2062

MISC

MISC

MISC

MISC N/A — N/A

  Multiple cross-site scripting (XSS) vulnerabilities in NetCracker Resource Management System before 8.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) ctrl, (2) t90001_0_theform_selection, (3) _scroll, (4) tableName, (5) parent, (6) circuit, (7) return, (8) xname, or (9) mpTransactionId parameter. 2020-02-08 not yet calculated CVE-2015-2207

MISC

MISC N/A — N/A

  An Information Disclosure vulnerability exists in HP SiteScope 11.2 and 11.3 on Windows, Linux and Solaris, HP Asset Manager 9.30 through 9.32, 9.40 through 9.41, 9.50, and Asset Manager Cloudsystem Chargeback 9.40, which could let a remote malicious user obtain sensitive information. This is the TLS vulnerability known as the RC4 cipher Bar Mitzvah vulnerability. 2020-02-04 not yet calculated CVE-2015-2802

CONFIRM

CONFIRM

MISC

MISC

MISC N/A — N/A

  Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 devices rely on a GUI warning to help ensure that the administrator configures login credentials, which makes it easier for remote attackers to obtain access by leveraging situations in which this warning was not heeded. NOTE: the vendor states “The user is presented with clear warnings on the GUI that they should set usernames and passwords.” 2020-02-06 not yet calculated CVE-2015-2909

MISC

MISC N/A — N/A

  Multiple SQL injection vulnerabilities in NetCracker Resource Management System before 8.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) ctrl, (2) h____%2427, (3) h____%2439, (4) param0, (5) param1, (6) param2, (7) param3, (8) param4, (9) filter_INSERT_COUNT, (10) filter_MINOR_FALLOUT, (11) filter_UPDATE_COUNT, (12) sort, or (13) sessid parameter. 2020-02-08 not yet calculated CVE-2015-3423

MISC

MISC N/A — N/A

  Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and earlier, CENTUM CS 3000 R3.09.50 and earlier, CENTUM CS 3000 Entry R3.09.50 and earlier, CENTUM VP R5.04.20 and earlier, CENTUM VP Entry R5.04.20 and earlier, ProSafe-RS R3.02.10 and earlier, Exaopc R3.72.00 and earlier, Exaquantum R2.85.00 and earlier, Exaquantum/Batch R2.50.30 and earlier, Exapilot R3.96.10 and earlier, Exaplog R3.40.00 and earlier, Exasmoc R4.03.20 and earlier, Exarqe R4.03.20 and earlier, Field Wireless Device OPC Server R2.01.02 and earlier, PRM R3.12.00 and earlier, STARDOM VDS R7.30.01 and earlier, STARDOM OPC Server for Windows R3.40 and earlier, FAST/TOOLS R10.01 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.04 and earlier, and FieldMate R1.01 or R1.02 allows remote attackers to cause a denial of service (network-communications outage) via a crafted packet. 2020-02-05 not yet calculated CVE-2015-5626

CONFIRM

MISC N/A — N/A

  Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and earlier, CENTUM CS 3000 R3.09.50 and earlier, CENTUM CS 3000 Entry R3.09.50 and earlier, CENTUM VP R5.04.20 and earlier, CENTUM VP Entry R5.04.20 and earlier, ProSafe-RS R3.02.10 and earlier, Exaopc R3.72.00 and earlier, Exaquantum R2.85.00 and earlier, Exaquantum/Batch R2.50.30 and earlier, Exapilot R3.96.10 and earlier, Exaplog R3.40.00 and earlier, Exasmoc R4.03.20 and earlier, Exarqe R4.03.20 and earlier, Field Wireless Device OPC Server R2.01.02 and earlier, PRM R3.12.00 and earlier, STARDOM VDS R7.30.01 and earlier, STARDOM OPC Server for Windows R3.40 and earlier, FAST/TOOLS R10.01 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.04 and earlier, and FieldMate R1.01 or R1.02 allows remote attackers to cause a denial of service (process outage) via a crafted packet. 2020-02-05 not yet calculated CVE-2015-5627

CONFIRM

MISC N/A — N/A

  Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and earlier, CENTUM CS 3000 R3.09.50 and earlier, CENTUM CS 3000 Entry R3.09.50 and earlier, CENTUM VP R5.04.20 and earlier, CENTUM VP Entry R5.04.20 and earlier, ProSafe-RS R3.02.10 and earlier, Exaopc R3.72.00 and earlier, Exaquantum R2.85.00 and earlier, Exaquantum/Batch R2.50.30 and earlier, Exapilot R3.96.10 and earlier, Exaplog R3.40.00 and earlier, Exasmoc R4.03.20 and earlier, Exarqe R4.03.20 and earlier, Field Wireless Device OPC Server R2.01.02 and earlier, PRM R3.12.00 and earlier, STARDOM VDS R7.30.01 and earlier, STARDOM OPC Server for Windows R3.40 and earlier, FAST/TOOLS R10.01 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.04 and earlier, and FieldMate R1.01 or R1.02 allows remote attackers to execute arbitrary code via a crafted packet. 2020-02-05 not yet calculated CVE-2015-5628

CONFIRM

MISC N/A — N/A

  The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. 2020-02-08 not yet calculated CVE-2015-5741

MISC

MISC

MISC

MISC

MISC

MISC

MISC N/A — N/A

  Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/. 2020-02-06 not yet calculated CVE-2015-6000

MISC

MISC

MISC N/A — N/A

  nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion). 2020-02-06 not yet calculated CVE-2016-1544

CONFIRM

CONFIRM

CONFIRM

CONFIRM

CONFIRM

CONFIRM N/A — N/A

  coders/meta.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. 2020-02-06 not yet calculated CVE-2016-7523

MISC

MISC

MISC

MISC N/A — N/A

  coders/meta.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. 2020-02-06 not yet calculated CVE-2016-7524

MISC

MISC

MISC

CONFIRM

CONFIRM

CONFIRM N/A — N/A

  MCabber before 1.0.4 is vulnerable to roster push attacks, which allows remote attackers to intercept communications, or add themselves as an entity on a 3rd party’s roster as another user, which will also garner associated privileges, via crafted XMPP packets. 2020-02-06 not yet calculated CVE-2016-9928

CONFIRM

MISC

MISC

MISC

CONFIRM

CONFIRM

CONFIRM

MISC N/A — N/A

  phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, “database.php” does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator to visit a malicious page with a CSRF exploit and execute arbitrary system commands on the server. 2020-02-04 not yet calculated CVE-2019-10784

MISC N/A — N/A

  network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the “execSync()” argument. 2020-02-04 not yet calculated CVE-2019-10786

MISC N/A — N/A

  im-resize through 2.3.2 allows remote attackers to execute arbitrary commands via the “exec” argument. The cmd argument used within index.js, can be controlled by user without any sanitization. 2020-02-04 not yet calculated CVE-2019-10787

CONFIRM

MISC N/A — N/A

  im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the “exec” argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the “exec” function. 2020-02-04 not yet calculated CVE-2019-10788

CONFIRM

MISC N/A — N/A

  Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges. By replacing the file with a symbolic link, a user could get apport to read any file on the system as root, with unknown consequences. 2020-02-08 not yet calculated CVE-2019-11481

MISC

MISC N/A — N/A

  Sander Bos discovered a time of check to time of use (TOCTTOU) vulnerability in apport that allowed a user to cause core files to be written in arbitrary directories. 2020-02-08 not yet calculated CVE-2019-11482

MISC

MISC N/A — N/A

  Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. 2020-02-08 not yet calculated CVE-2019-11483

MISC

MISC N/A — N/A

  Kevin Backhouse discovered an integer overflow in bson_ensure_space, as used in whoopsie. 2020-02-08 not yet calculated CVE-2019-11484

MISC

MISC N/A — N/A

  Sander Bos discovered Apport’s lock file was in a world-writable directory, which allowed all users to prevent crash handling. 2020-02-08 not yet calculated CVE-2019-11485

MISC

MISC N/A — N/A

  The Fujitsu TLS library allows a man-in-the-middle attack. This affects Interstage Application Development Cycle Manager V10 and other versions, Interstage Application Server V12 and other versions, Interstage Business Application Manager V2 and other versions, Interstage Information Integrator V11 and other versions, Interstage Job Workload Server V8, Interstage List Works V10 and other versions, Interstage Studio V12 and other versions, Interstage Web Server Express V11, Linkexpress V5, Safeauthor V3, ServerView Resource Orchestrator V3, Systemwalker Cloud Business Service Management V1, Systemwalker Desktop Keeper V15, Systemwalker Desktop Patrol V15, Systemwalker IT Change Manager V14, Systemwalker Operation Manager V16 and other versions, Systemwalker Runbook Automation V15 and other versions, Systemwalker Security Control V1, and Systemwalker Software Configuration Manager V15. 2020-02-07 not yet calculated CVE-2019-13163

CONFIRM N/A — N/A

  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8773. 2020-02-08 not yet calculated CVE-2019-13333

MISC N/A — N/A

  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8774. 2020-02-08 not yet calculated CVE-2019-13334

MISC N/A — N/A

  Possible use after free issue while CRM is accessing the link pointer from device private data due to lack of resource protection in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, MDM9206, MDM9207C, MDM9607, QCS605, SDM429W, SDX24, SM8150, SXR1130 2020-02-07 not yet calculated CVE-2019-14088

CONFIRM

MISC N/A — N/A

  An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503. 2020-02-05 not yet calculated CVE-2019-15126

CONFIRM N/A — N/A

  Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate. 2020-02-07 not yet calculated CVE-2019-15604

MISC

CONFIRM N/A — N/A

  HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed. 2020-02-07 not yet calculated CVE-2019-15605

MISC

FEDORA

CONFIRM N/A — N/A

  Including trailing white space in HTTP header values in Node.js 10, 12, and 13 causes bypass of authorization based on header value comparisons. 2020-02-07 not yet calculated CVE-2019-15606

MISC

CONFIRM N/A — N/A

  Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle. 2020-02-04 not yet calculated CVE-2019-15610

MISC

MISC N/A — N/A

  Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when searching, e.g., for federated users or registering for push notifications. 2020-02-04 not yet calculated CVE-2019-15611

MISC

MISC N/A — N/A

  A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset. 2020-02-04 not yet calculated CVE-2019-15612

MISC

MISC N/A — N/A

  A bug in Nextcloud Server 17.0.1 causes the behaviour of workflow rules to depend on the file extension when checking file mimetypes. 2020-02-04 not yet calculated CVE-2019-15613

MISC

MISC N/A — N/A

  Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files. 2020-02-04 not yet calculated CVE-2019-15614

MISC

MISC N/A — N/A

  A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past. 2020-02-04 not yet calculated CVE-2019-15615

MISC

MISC N/A — N/A

  Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long. 2020-02-04 not yet calculated CVE-2019-15616

MISC

MISC N/A — N/A

  A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login. 2020-02-04 not yet calculated CVE-2019-15617

MISC

MISC N/A — N/A

  Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project. 2020-02-04 not yet calculated CVE-2019-15619

MISC

MISC

MISC

MISC N/A — N/A

  Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link. 2020-02-04 not yet calculated CVE-2019-15621

MISC

MISC N/A — N/A

  Insufficiently strict sanitization in the Nextcloud Android app 3.6.0 allowed an attacker to get content information from protected tables when using custom queries. 2020-02-04 not yet calculated CVE-2019-15622

MISC

MISC N/A — N/A

  Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders. 2020-02-04 not yet calculated CVE-2019-15624

MISC

MISC N/A — N/A

  A privilege escalation vulnerability in FortiClient for Linux 6.2.1 and below may allow a user with low privilege to run system commands under root privilege by injecting specially crafted “ExportLogs” type IPC client requests to the fctsched process. 2020-02-06 not yet calculated CVE-2019-15711

MISC

CONFIRM N/A — N/A

  A Denial of Service (DoS) vulnerability in FortiClient for Linux 6.2.1 and below may allow a user with low privilege to crash FortiClient processes running under root privilege by sending specially crafted IPC client requests to the fctsched process, because the nanomsg is not correctly validated. 2020-02-06 not yet calculated CVE-2019-16152

MISC

CONFIRM N/A — N/A

  A privilege escalation vulnerability in FortiClient for Linux 6.2.1 and below may allow a user with low privilege to overwrite system files as root with arbitrary content through the system backup file via specially crafted “BackupConfig” type IPC client requests to the fctsched process. Furthermore, FortiClient for Linux 6.2.2 and below allows a low-privilege user to write the system backup file under root privilege through the GUI, which can cause root system files to be overwritten. 2020-02-07 not yet calculated CVE-2019-16155

MISC

CONFIRM N/A — N/A

  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8775. 2020-02-08 not yet calculated CVE-2019-17135

MISC N/A — N/A

  This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8776. 2020-02-08 not yet calculated CVE-2019-17136

MISC N/A — N/A

  The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected. 2020-02-07 not yet calculated CVE-2019-17268

MISC

CONFIRM N/A — N/A

  A stack buffer overflow vulnerability in FortiClient for Linux 6.2.1 and below may allow a user with low privilege to crash FortiClient processes running under root privilege by sending specially crafted “StartAvCustomScan” type IPC client requests to the fctsched process, because the argv data is not well sanitized. 2020-02-06 not yet calculated CVE-2019-17652

MISC

CONFIRM N/A — N/A

  TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers’ installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protected information stored in the registry or configuration files of TeamViewer. With versions before v9.x, this allowed attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to log in to the system. 2020-02-07 not yet calculated CVE-2019-18988

MISC

MISC

MISC

MISC N/A — N/A

  On Samsung mobile devices with O(8.0) and P(9.0) software and an Exynos 8895 chipset, RKP (aka the Samsung Hypervisor EL2 implementation) allows arbitrary memory write operations. The Samsung ID is SVE-2019-16265. 2020-02-04 not yet calculated CVE-2019-19273

CONFIRM N/A — N/A

  Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing. 2020-02-07 not yet calculated CVE-2019-19356

MISC N/A — N/A

  Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. 2020-02-06 not yet calculated CVE-2019-19800

MISC

MISC

MISC N/A — N/A

  In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially. 2020-02-02 not yet calculated CVE-2019-20446

MISC N/A — N/A

  IBM Cloud Automation Manager 3.2.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 168644. 2020-02-05 not yet calculated CVE-2019-4616

XF

CONFIRM N/A — N/A

  IBM Security Identity Manager 7.0.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 171511. 2020-02-04 not yet calculated CVE-2019-4675

XF

CONFIRM N/A — N/A

  The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. 2020-02-03 not yet calculated CVE-2019-9501

MISC

CERT-VN N/A — N/A

  The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. 2020-02-03 not yet calculated CVE-2019-9502

MISC

CERT-VN N/A — N/A

  A flaw was found in the way the Ceph RGW Beast front-end handles unexpected disconnects. An authenticated attacker can abuse this flaw by making multiple disconnect attempts resulting in a permanent leak of a socket connection by radosgw. This flaw could lead to a denial of service condition by pile up of CLOSE_WAIT sockets, eventually leading to the exhaustion of available resources, preventing legitimate users from connecting to the system. 2020-02-07 not yet calculated CVE-2020-1700

SUSE

CONFIRM N/A — N/A

  It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 up to and including 4.3 that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb. 2020-02-07 not yet calculated CVE-2020-1708

CONFIRM N/A — N/A

  The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. 2020-02-07 not yet calculated CVE-2020-1768

CONFIRM N/A — N/A

  A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). 2020-02-05 not yet calculated CVE-2020-3118

MISC

CISCO N/A — N/A

  A vulnerability in the Cisco Discovery Protocol implementation for Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability exists because the Cisco Discovery Protocol parser does not properly validate input for certain fields in a Cisco Discovery Protocol message. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). 2020-02-05 not yet calculated CVE-2020-3119

MISC

CISCO N/A — N/A

  A vulnerability in the Cisco Discovery Protocol implementation for Cisco FXOS Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to a missing check when the affected software processes Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to exhaust system memory, causing the device to reload. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). 2020-02-05 not yet calculated CVE-2020-3120

MISC

CISCO N/A — N/A

  A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to an out-of-bounds read affecting users that have enabled the optional DLP feature. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition. 2020-02-05 not yet calculated CVE-2020-3123

CISCO N/A — N/A

  A Remote Code Execution (RCE) vulnerability exists in some designated applications in the ServiSign security plugin. As long as the interface is captured, attackers are able to launch RCE and execute arbitrary commands on the target system via maliciously crafted scripts. 2020-02-03 not yet calculated CVE-2020-3925

CONFIRM N/A — N/A

  Dell EMC ECS versions prior to 3.4.0.1 contain an XSS vulnerability. A remote authenticated malicious user could exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. 2020-02-06 not yet calculated CVE-2020-5317

MISC N/A — N/A

  Dell EMC Isilon OneFS versions 8.1.2, 8.1.0.4, 8.1.0.3, and 8.0.0.7 contain a vulnerability in some configurations. An attacker may exploit this vulnerability to gain access to restricted files. The non-RAN HTTP and WebDAV file-serving components have a vulnerability wherein when either are enabled, and Basic Authentication is enabled for either or both components, files are accessible without authentication. 2020-02-06 not yet calculated CVE-2020-5318

MISC N/A — N/A

  Dell EMC Unity, Dell EMC Unity XT, and Dell EMC UnityVSA versions prior to 5.0.2.0.5.009 contain a Denial of Service vulnerability on NAS Server SSH implementation that is used to provide SFTP service on a NAS server. A remote unauthenticated attacker may potentially exploit this vulnerability and cause a Denial of Service (Storage Processor Panic) by sending an out of order SSH protocol sequence. 2020-02-06 not yet calculated CVE-2020-5319

MISC N/A — N/A

  MikroTik WinBox before 3.21 is vulnerable to a path traversal vulnerability that allows creation of arbitrary files wherever WinBox has write permissions. WinBox is vulnerable to this attack if it connects to a malicious endpoint or if an attacker mounts a man-in-the-middle attack. 2020-02-06 not yet calculated CVE-2020-5720

MISC N/A — N/A

  On BIG-IP 15.0.0-15.0.1.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.6.0-11.6.5.1, the tmm crashes under certain circumstances when using the connector profile if a specific sequence of connections are made. 2020-02-06 not yet calculated CVE-2020-5854

CONFIRM N/A — N/A

  A stack buffer overflow vulnerability exists in the way MiniSNMPD version 1.4 handles multiple connections. A specially timed sequence of SNMP connections can trigger a stack overflow, resulting in a denial of service. To trigger this vulnerability, an attacker needs to simply initiate multiple connections to the server. 2020-02-04 not yet calculated CVE-2020-6060

MISC N/A — N/A

  Schmid ZI 620 V400 VPN 090 routers allow an attacker to execute OS commands as root via shell metacharacters to an entry on the SSH subcommand menu, as demonstrated by ping. 2020-02-06 not yet calculated CVE-2020-6760

MISC N/A — N/A

  A path traversal vulnerability in the Bosch Video Management System (BVMS) FileTransferService allows an authenticated remote attacker to read arbitrary files from the Central Server. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch BVMS Viewer versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable BVMS version is installed. 2020-02-06 not yet calculated CVE-2020-6767

CONFIRM N/A — N/A

  A path traversal vulnerability in the Bosch Video Management System (BVMS) NoTouch deployment allows an unauthenticated remote attacker to read arbitrary files from the Central Server. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch BVMS Viewer versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable BVMS version is installed. 2020-02-07 not yet calculated CVE-2020-6768

CONFIRM N/A — N/A

  Missing Authentication for Critical Function in the Bosch Video Streaming Gateway (VSG) allows an unauthenticated remote attacker to retrieve and set arbitrary configuration data of the Video Streaming Gateway. A successful attack can impact the confidentiality and availability of live and recorded video data of all cameras configured to be controlled by the VSG as well as the recording storage associated with the VSG. This affects Bosch Video Streaming Gateway versions 6.45 <= 6.45.08, 6.44 <= 6.44.022, 6.43 <= 6.43.0023 and 6.42.10 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable VSG version is installed with BVMS. This affects Bosch DIVAR IP 2000 <= 3.62.0019 and DIVAR IP 5000 <= 3.80.0039 if the corresponding port 8023 has been opened in the device's firewall. 2020-02-07 not yet calculated CVE-2020-6769

CONFIRM N/A — N/A

  Deserialization of Untrusted Data in the BVMS Mobile Video Service (BVMS MVS) allows an unauthenticated remote attacker to execute arbitrary code on the system. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000 and DIVAR IP 7000 if a vulnerable BVMS version is installed. 2020-02-07 not yet calculated CVE-2020-6770

CONFIRM N/A — N/A

  It is possible to unmask credentials and other sensitive information on “unprotected” project files, which may allow an attacker to remotely access the C-More Touch Panels EA9 series: firmware versions prior to 6.53 and manipulate system configurations. 2020-02-05 not yet calculated CVE-2020-6969

MISC N/A — N/A

  mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently. 2020-02-04 not yet calculated CVE-2020-7221

MISC

CONFIRM

MISC N/A — N/A

  pmm-server in Percona Monitoring and Management (PMM) 2.2.x before 2.2.1 allows unauthenticated denial of service. 2020-02-06 not yet calculated CVE-2020-7920

MISC

MISC

MISC

MISC N/A — N/A

  An issue was discovered in OpServices OpMon 9.3.2. Without authentication, it is possible to read server files (e.g., /etc/passwd) due to the use of the nmap -iL (aka input file) option. 2020-02-06 not yet calculated CVE-2020-7953

MISC

MISC N/A — N/A

  An issue was discovered in OpServices OpMon 9.3.2. Starting from the apache user account, it is possible to perform privilege escalation through the lack of correct configuration in the server’s sudoers file, which by default allows the execution of programs (e.g. nmap) without the need for a password with sudo. 2020-02-06 not yet calculated CVE-2020-7954

MISC

MISC N/A — N/A

  A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim. 2020-02-04 not yet calculated CVE-2020-8115

MISC

MISC N/A — N/A

  An authenticated server-side request forgery in Nextcloud Server 16.0.1 allowed detection of local and remote services when adding a new subscription in the calendar application. 2020-02-04 not yet calculated CVE-2020-8118

MISC

MISC N/A — N/A

  A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. 2020-02-04 not yet calculated CVE-2020-8121

MISC

MISC N/A — N/A

  A missing check in Nextcloud Server 14.0.3 could give a recipient the possibility to extend the expiration date of a share they received. 2020-02-04 not yet calculated CVE-2020-8122

MISC

MISC N/A — N/A

  Insufficient validation and sanitization of user input in url-parse npm package version 1.4.4 and earlier may allow an attacker to bypass security checks. 2020-02-04 not yet calculated CVE-2020-8124

MISC N/A — N/A

  A privilege escalation exists in the EdgeSwitch prior to version 1.7.1: a CGI script does not fully sanitize user input, resulting in local command execution and allowing an operator user (Privilege-1) to escalate privileges and become administrator (Privilege-15). 2020-02-07 not yet calculated CVE-2020-8126

MISC N/A — N/A

  In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. 2020-02-06 not yet calculated CVE-2020-8608

MISC

MISC

MISC N/A — N/A

  An issue was discovered in OpServices OpMon 9.3.2 that allows Remote Code Execution. 2020-02-06 not yet calculated CVE-2020-8636

MISC N/A — N/A

  An issue was discovered in Simplejobscript.com SJS through 1.66. There is an unauthenticated SQL injection via the job applications search function. The vulnerable parameter is job_id. The function is getJobApplicationsByJobId(). The file is _lib/class.JobApplication.php. 2020-02-07 not yet calculated CVE-2020-8645

MISC N/A — N/A

  An issue was discovered in EyesOfNetwork 5.3. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the /module/module_frame/index.php autodiscovery.php target field. 2020-02-07 not yet calculated CVE-2020-8654

MISC N/A — N/A

  An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7. 2020-02-07 not yet calculated CVE-2020-8655

MISC N/A — N/A

  An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php. 2020-02-07 not yet calculated CVE-2020-8656

MISC N/A — N/A

  An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token. 2020-02-06 not yet calculated CVE-2020-8657

MISC N/A — N/A

  The Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request containing IWP_JSON_PREFIX causes the client to be logged in as the first account on the list of administrator accounts. 2020-02-06 not yet calculated CVE-2020-8771

MISC

MISC N/A — N/A

  The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in. 2020-02-06 not yet calculated CVE-2020-8772

MISC

MISC N/A — N/A

  Synaptive Medical ClearCanvas ImageServer 3.0 Alpha allows XSS (and HTML injection) via the Default.aspx UserName parameter. NOTE: the issues/227 reference does not imply that the affected product can be downloaded from GitHub. It was simply a convenient location for a public bug report. 2020-02-07 not yet calculated CVE-2020-8788

MISC N/A — N/A

  Biscom Secure File Transfer (SFT) before 5.1.1071 and 6.0.1xxx before 6.0.1005 allows Remote Code Execution on the server. 2020-02-07 not yet calculated CVE-2020-8796

MISC N/A — N/A

  The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR iCUE before 3.25.60 allow local non-privileged users (including low-integrity level processes) to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, via a function call such as MmMapIoSpace. 2020-02-07 not yet calculated CVE-2020-8808

MISC

MISC N/A — N/A

  ajax/profile-picture-upload.php in Bludit 3.10.0 allows authenticated users to change other users’ profile pictures. 2020-02-07 not yet calculated CVE-2020-8811

MISC N/A — N/A

  ** DISPUTED ** Bludit 3.10.0 allows Editor or Author roles to insert malicious JavaScript on the WYSIWYG editor. NOTE: the vendor’s perspective is that this is “not a bug.” 2020-02-07 not yet calculated CVE-2020-8812

MISC
