National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

There are 127,151 matching records.
Displaying matches 21 through 40.
Vuln ID Summary CVSS Severity
CVE-2019-4611

IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.

Published: December 09, 2019; 06:15:11 PM -05:00
(not available)
CVE-2019-4428

IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162807.

Published: December 09, 2019; 06:15:11 PM -05:00
(not available)
CVE-2019-19230

An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.

Published: December 09, 2019; 04:15:11 PM -05:00
(not available)
CVE-2013-0342

The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294.

Published: December 09, 2019; 04:15:10 PM -05:00
(not available)
CVE-2015-7892

Stack-based buffer overflow in the m2m1shot_compat_ioctl32 function in the Samsung m2m1shot driver framework, as used in Samsung S6 Edge, allows local users to have unspecified impact via a large data.buf_out.num_planes value in an ioctl call.

Published: December 09, 2019; 03:15:09 PM -05:00
(not available)
CVE-2015-3425

Cross-site scripting (XSS) vulnerability in Accentis Content Resource Management System before October 2015 patch allows remote attackers to inject arbitrary web script or HTML via the ctl00$cph_content$_uig_formState parameter.

Published: December 09, 2019; 03:15:09 PM -05:00
(not available)
CVE-2015-3424

SQL injection vulnerability in Accentis Content Resource Management System before the October 2015 patch allows remote attackers to execute arbitrary SQL commands via the SIDX parameter.

Published: December 09, 2019; 03:15:09 PM -05:00
(not available)
CVE-2014-0242

mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header which is generated from memory that may have been freed and then overwritten by a separate thread.

Published: December 09, 2019; 03:15:09 PM -05:00
(not available)
CVE-2019-19646

pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.

Published: December 09, 2019; 02:15:14 PM -05:00
(not available)
CVE-2019-19603

SQLite 3.30.1, during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name, as demonstrated by the sqlite_ substring.

Published: December 09, 2019; 02:15:14 PM -05:00
(not available)
CVE-2019-18190

Trend Micro Security (Consumer) 2020 (v16.x) is affected by a vulnerability in where null pointer dereference errors result in the crash of application, which could potentially lead to possible unsigned code execution under certain circumstances.

Published: December 09, 2019; 02:15:14 PM -05:00
(not available)
CVE-2015-1853

chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets.

Published: December 09, 2019; 02:15:14 PM -05:00
(not available)
CVE-2015-0841

Off-by-one error in the readBuf function in listener.cpp in libcapsinetwork and monopd before 0.9.8, allows remote attackers to cause a denial of service (crash) via a long line.

Published: December 09, 2019; 02:15:14 PM -05:00
(not available)
CVE-2019-19687

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

Published: December 09, 2019; 01:15:09 PM -05:00
(not available)
CVE-2019-18380

Symantec Industrial Control System Protection (ICSP), versions 6.x.x, may be susceptible to an unauthorized access issue that could potentially allow a threat actor to create or modify application user accounts without proper authentication.

Published: December 09, 2019; 01:15:09 PM -05:00
(not available)
CVE-2019-19685

RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.

Published: December 09, 2019; 12:15:12 PM -05:00
(not available)
CVE-2019-19684

nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin.

Published: December 09, 2019; 12:15:12 PM -05:00
(not available)
CVE-2019-19683

RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ path traversal via d or f to Admin/RoxyFileman/ProcessRequest because of Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs.

Published: December 09, 2019; 12:15:12 PM -05:00
(not available)
CVE-2019-19682

nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id] Admin/Blog/BlogPostEdit/[id]. NOTE: the vendor reportedly considers this a "feature" because the affected components are an HTML content editor.

Published: December 09, 2019; 12:15:12 PM -05:00
(not available)
CVE-2019-14251

An issue was discovered in T24 in TEMENOS Channels R15.01. The login page presents JavaScript functions to access a document on the server once successfully authenticated. However, an attacker can leverage downloadDocServer() to traverse the file system and access files or directories that are outside of the restricted directory because WealthT24/GetImage is used with the docDownloadPath and uploadLocation parameters.

Published: December 09, 2019; 12:15:11 PM -05:00
(not available)