National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

There are 124,726 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2019-16991

In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.

Published: October 21, 2019; 12:15:18 PM -04:00
(not available)
CVE-2019-16989

In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.

Published: October 21, 2019; 12:15:18 PM -04:00
(not available)
CVE-2019-16988

In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.

Published: October 21, 2019; 12:15:18 PM -04:00
(not available)
CVE-2019-16987

In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.

Published: October 21, 2019; 12:15:18 PM -04:00
(not available)
CVE-2019-16986

In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)

Published: October 21, 2019; 12:15:18 PM -04:00
(not available)
CVE-2019-16985

In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.

Published: October 21, 2019; 12:15:18 PM -04:00
(not available)
CVE-2019-16984

In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS.

Published: October 21, 2019; 12:15:17 PM -04:00
(not available)
CVE-2019-16983

In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS.

Published: October 21, 2019; 12:15:17 PM -04:00
(not available)
CVE-2019-16982

In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.

Published: October 21, 2019; 12:15:17 PM -04:00
(not available)
CVE-2019-16981

In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.

Published: October 21, 2019; 12:15:17 PM -04:00
(not available)
CVE-2019-16990

In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it.

Published: October 21, 2019; 11:15:10 AM -04:00
(not available)
CVE-2019-16980

In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection.

Published: October 21, 2019; 11:15:10 AM -04:00
(not available)
CVE-2019-16979

In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.

Published: October 21, 2019; 11:15:10 AM -04:00
(not available)
CVE-2019-16978

In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.

Published: October 21, 2019; 11:15:10 AM -04:00
(not available)
CVE-2019-16530

Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, has remote code execution.

Published: October 21, 2019; 10:15:11 AM -04:00
(not available)
CVE-2019-18218

cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).

Published: October 21, 2019; 01:15:10 AM -04:00
(not available)
CVE-2019-18217

ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.

Published: October 21, 2019; 12:15:10 AM -04:00
(not available)
CVE-2019-17409

Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter.

Published: October 20, 2019; 09:15:10 PM -04:00
(not available)
CVE-2019-16862

Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter.

Published: October 20, 2019; 09:15:10 PM -04:00
(not available)
CVE-2019-10716

An Information Disclosure issue in Verodin Director 3.5.3.1 and earlier reveals usernames and passwords of integrated security technologies via a /integrations.json JSON REST API request.

Published: October 20, 2019; 08:15:14 PM -04:00
(not available)