National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

There are 124,374 matching records.
Displaying matches 21 through 40.
Vuln ID Summary CVSS Severity
CVE-2019-10446

Jenkins Cadence vManager Plugin 2.7.0 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM.

Published: October 16, 2019; 10:15:12 AM -04:00
(not available)
CVE-2019-10445

A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID.

Published: October 16, 2019; 10:15:12 AM -04:00
(not available)
CVE-2019-10444

Jenkins Bumblebee HP ALM Plugin 4.1.3 and earlier unconditionally disabled SSL/TLS and hostname verification for connections to HP ALM.

Published: October 16, 2019; 10:15:12 AM -04:00
(not available)
CVE-2019-10443

Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Published: October 16, 2019; 10:15:12 AM -04:00
(not available)
CVE-2019-10442

A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Published: October 16, 2019; 10:15:12 AM -04:00
(not available)
CVE-2019-10441

A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

Published: October 16, 2019; 10:15:12 AM -04:00
(not available)
CVE-2019-10440

Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Published: October 16, 2019; 10:15:12 AM -04:00
(not available)
CVE-2019-10439

A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier in various 'doFillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Published: October 16, 2019; 10:15:11 AM -04:00
(not available)
CVE-2019-10438

A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Published: October 16, 2019; 10:15:11 AM -04:00
(not available)
CVE-2019-10437

A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Published: October 16, 2019; 10:15:11 AM -04:00
(not available)
CVE-2019-10436

An arbitrary file read vulnerability in Jenkins Google OAuth Credentials Plugin 0.9 and earlier allowed attackers able to configure jobs and credentials in Jenkins to obtain the contents of any file on the Jenkins master.

Published: October 16, 2019; 10:15:11 AM -04:00
(not available)
CVE-2019-4031

IBM Workload Scheduler Distributed 9.2, 9.3, 9.4, and 9.5 contains a vulnerability that could allow a local user to write files as root in the file system, which could allow the attacker to gain root privileges. IBM X-Force ID: 155997.

Published: October 16, 2019; 09:15:11 AM -04:00
(not available)
CVE-2019-17627

The Yale Bluetooth Key application for mobile devices allows unauthorized unlock actions by sniffing Bluetooth Low Energy (BLE) traffic during one authorized unlock action, and then calculating the authentication key via simple computations on the hex digits of a valid authentication request. This affects the Yale ZEN-R lock and unspecified other locks.

Published: October 16, 2019; 08:15:12 AM -04:00
(not available)
CVE-2019-17626

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

Published: October 16, 2019; 08:15:12 AM -04:00
(not available)
CVE-2019-17625

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such as an exec of OS commands within the onerror attribute of an IMG element.

Published: October 16, 2019; 08:15:11 AM -04:00
(not available)
CVE-2019-17624

In X.Org X Server 1.20.4, there is a stack-based buffer overflow in the function XQueryKeymap. For example, by sending ct.c_char 1000 times, an attacker can cause a denial of service (application crash) or possibly have unspecified other impact.

Published: October 16, 2019; 07:15:15 AM -04:00
(not available)
CVE-2016-11016

NETGEAR JNR1010 devices before 1.0.0.32 allow webproc?getpage= XSS.

Published: October 16, 2019; 07:15:13 AM -04:00
(not available)
CVE-2016-11015

NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter.

Published: October 16, 2019; 07:15:13 AM -04:00
(not available)
CVE-2016-11014

NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case.

Published: October 16, 2019; 07:15:13 AM -04:00
(not available)
CVE-2019-13392

A reflected Cross-Site Scripting (XSS) vulnerability in MindPalette NateMail 3.0.15 allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid.

Published: October 15, 2019; 08:15:10 PM -04:00
(not available)